
Trouble allowing smtp out from DMZ on pix 525


hitdrum

IS-IT--Management
Jan 25, 2007
Hello,

I inherited a PIX 525 and I'm trying to allow an SMTP smart host in the DMZ to send SMTP traffic outbound. I've been cracking at this for a while now and suspect the reason to be related to the NAT setup, but need some help. I have tried adding additional global outside addresses and nat statements and linking them together with a new NAT ID, with no luck. Ultimately what I want to achieve is to send SMTP traffic from the smart host out on a new global outside address, and then progress to allowing Internet access from the DMZ out, which currently also is not possible. Below is the scrubbed config. Hopefully someone with a more experienced Cisco eye can nudge me toward the light! The smart host in the DMZ is addressed 192.168.45.4/24. SMTP flows from inside to the smart host fine; it just gets trapped in the DMZ.

Thanks for assisting! And Merry Christmas All.

The config as promised

Cisco PIX Firewall Version 6.3(3)

clock timezone CST 0
clock summer-time CST recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
no fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 12.ex.ex.2 xxxx
name 207.ex.ex.8 xxxxx2
name 65.ex.ex.8 xxxxx1
name 63.ex.ex.81 xxxxx
name 74.ex.ex.162 xxxxxxx
object-group service WinMedia udp
port-object range 1024 5000
object-group service SQL tcp-udp
port-object range 1433 1434
object-group service d_Mgmt tcp
port-object eq ssh
port-object eq 5432
port-object range 5959 5963
port-object eq 9099
port-object eq 8080
port-object eq 8443


access-list from-outside-in permit tcp any host 209.ex.ex.3 eq www
access-list from-outside-in permit tcp any host 209.ex.ex.3 eq ftp
access-list from-outside-in permit tcp any host 209.ex.ex.3 eq pptp
access-list from-outside-in permit gre any host 209.ex.ex.3
access-list from-outside-in permit tcp any host 209.ex.ex.12 eq smtp
access-list from-outside-in permit udp any host 209.ex.ex.11 eq 1755
access-list from-outside-in permit tcp any host 209.ex.ex.11 eq 1755
access-list from-outside-in permit tcp any host 209.ex.ex.12 eq ssh
access-list from-outside-in permit udp any host 209.ex.ex.11 object-group WinMedia
access-list from-outside-in permit tcp any host 209.ex.ex.4 eq www
access-list from-outside-in permit tcp any host 209.ex.ex.6 eq www
access-list from-outside-in permit tcp any host 209.ex.ex.5 eq www
access-list from-outside-in permit tcp any host 209.ex.ex.11 eq 554
access-list from-outside-in permit udp any host 209.ex.ex.11 eq 5004
access-list from-outside-in permit udp any host 209.ex.ex.11 eq 5005
access-list from-outside-in permit icmp host 209.ex.ex.1 any
access-list from-outside-in permit tcp any host 209.ex.ex.10 eq domain
access-list from-outside-in permit udp any host 209.ex.ex.10 eq domain
access-list from-outside-in permit udp any host 209.ex.ex.11 eq domain
access-list from-outside-in permit tcp any host 209.ex.ex.11 eq domain
access-list from-outside-in permit tcp host ktc host 209.ex.ex.20 eq telnet
access-list from-outside-in permit tcp any host 172.16.1.43 eq https
access-list from-outside-in permit tcp any host 209.ex.ex.5 eq https
access-list from-outside-in permit tcp any host 209.ex.ex.7 eq https
access-list from-outside-in permit tcp any host 209.ex.ex.6 eq 5000
access-list from-outside-in permit tcp any host 209.ex.ex.15 eq www
access-list from-outside-in permit tcp any host 209.ex.ex.15 eq https
access-list from-outside-in permit tcp host 159.ex.ex.90 host 172.16.9.108 eq 15000
access-list from-outside-in permit tcp host 159.ex.ex.50 host 172.16.9.108 eq 15000
access-list from-outside-in permit tcp host 159.ex.ex.60 host 172.16.9.108 eq 15000
access-list from-outside-in permit tcp host 159.ex.ex.80 host 172.16.9.108 eq 15000
access-list from-outside-in permit tcp any host 209.ex.ex.13 eq https
access-list from-outside-in permit tcp any host 209.ex.ex.14 eq www
access-list from-outside-in permit tcp any host 209.ex.ex.14 eq https
access-list from-outside-in permit tcp any host 209.ex.ex.8 eq www
access-list from-outside-in permit tcp any host 209.ex.ex.8 eq https
access-list from-outside-in permit tcp 207.ex.ex.0 255.255.255.0 host 209.ex.ex.8 eq 3389
access-list from-outside-in permit udp any host 209.ex.ex.88 eq 9000
access-list from-outside-in permit tcp host xxxxx1 host 209.ex.ex.8 eq 1433
access-list from-outside-in permit tcp host xxxxx1 host 209.ex.ex.8 eq 3389
access-list from-outside-in permit tcp 63.ex.67.80 255.255.255.240 host 209.ex.ex.8 eq 1433
access-list from-outside-in permit tcp 63.ex.67.80 255.255.255.240 host 209.ex.ex.8 eq 3389
access-list from-outside-in permit tcp 65.ex.140.0 255.255.255.0 host 209.ex.ex.8 eq 1433
access-list from-outside-in permit tcp 65.ex.140.0 255.255.255.0 host 209.ex.ex.8 eq 3389
access-list from-outside-in permit tcp any host 209.ex.ex.88 eq 9000
access-list from-outside-in permit tcp host 74.ex.ex.162 host 209.ex.ex.14 object-group d_Mgmt
access-list from-outside-in permit tcp any host 209.ex.ex.16 eq https
access-list from-dmz-in permit tcp host 192.168.45.4 host 172.16.1.22 eq ftp
access-list from-dmz-in permit tcp host 192.168.45.4 host 172.16.1.21 eq smtp
access-list from-dmz-in permit tcp host 192.168.45.6 host 172.16.1.44 object-group SQL
access-list from-dmz-in permit udp host 192.168.45.6 host 172.16.1.44 object-group SQL
access-list from-dmz-in permit icmp 192.168.45.0 255.255.255.0 any
access-list from-dmz-in permit tcp host 192.168.45.4 any eq www
access-list from-dmz-in permit tcp host 192.168.45.4 any eq ssh
access-list from-dmz-in permit udp host 192.168.45.11 any eq 1755
access-list from-dmz-in permit tcp host 192.168.45.11 any eq 1755
access-list from-dmz-in permit tcp host 192.168.45.4 host 172.16.1.10 eq ldap
access-list from-dmz-in permit tcp host 192.168.45.6 host 172.16.1.10 eq ldap
access-list from-dmz-in permit tcp host 192.168.45.21 host 172.16.1.10 eq ldap
access-list from-dmz-in permit tcp host 192.168.45.21 host 172.16.1.10 eq domain
access-list from-dmz-in permit udp host 192.168.45.21 host 172.16.1.10 eq domain
access-list from-dmz-in permit tcp any host 172.16.1.3 eq pptp
access-list from-dmz-in permit udp host 192.168.45.4 host 172.16.1.10 eq ntp
access-list from-dmz-in permit udp host 192.168.45.4 host 172.16.1.10 eq domain
access-list from-dmz-in permit tcp host 192.168.45.4 host 172.16.1.10 eq domain
access-list from-dmz-in permit tcp host 192.168.45.4 host 172.16.1.9 eq ldap
access-list from-dmz-in permit tcp host 192.168.45.6 host 172.16.1.9 eq ldap
access-list from-dmz-in permit udp host 192.168.45.4 host 172.16.1.9 eq domain
access-list from-dmz-in permit tcp host 192.168.45.4 host 172.16.1.9 eq domain
access-list from-dmz-in permit tcp host 192.168.45.4 host 172.16.1.70 eq smtp
access-list from-dmz-in permit udp host 192.168.45.4 host 172.16.10.28 eq snmp
access-list from-dmz-in permit udp host 192.168.45.4 host 172.16.1.69 eq snmp
access-list from-dmz-in permit udp host 192.168.44.1 host 172.16.1.69 eq snmp
access-list from-dmz-in permit udp host 192.168.44.1 host 172.16.10.28 eq snmp
access-list from-dmz-in permit tcp host 192.168.45.4 host 172.16.1.71 eq smtp

pager lines 24
logging timestamp
logging monitor informational
logging buffered notifications
logging trap notifications
logging facility 6
logging device-id hostname
logging host inside 172.16.1.22
icmp deny any outside
mtu outside 1500
mtu intf3 1500
mtu dmz 1500
mtu inside 1500
ip address outside 209.ex.ex.2 255.255.255.0
no ip address intf3
ip address dmz 192.168.45.1 255.255.255.0
ip address inside 192.168.44.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface dmz
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address intf3
no failover ip address dmz
no failover ip address inside
pdm history enable
arp timeout 14400


global (outside) 1 209.a.a.a
global (outside) 2 209.b.b.b
global (dmz) 1 192.168.45.100
global (dmz) 2 192.168.45.101
nat (inside) 1 192.168.44.0 255.255.255.0 0 0
nat (inside) 1 172.16.0.0 255.255.0.0 0 0
nat (inside) 2 172.17.0.0 255.255.0.0 0 0


static (inside,outside) tcp 209.ex.ex.3 255.255.255.255 0 0
static (inside,outside) tcp 209.ex.ex.3 pptp 172.16.1.3 pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.ex.ex.20 telnet 172.16.0.20 telnet netmask 255.255.255.255 0 0
static (inside,dmz) tcp 172.16.1.21 smtp 172.16.1.21 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.ex.ex.5 255.255.255.255 0 0
static (dmz,outside) tcp 209.ex.ex.4 255.255.255.255 0 0
static (dmz,outside) tcp 209.ex.ex.6 255.255.255.255 0 0
static (dmz,outside) udp 209.ex.ex.10 domain 192.168.45.10 domain netmask 255.255.255.255 0 0
static (dmz,outside) tcp 209.ex.ex.10 domain 192.168.45.10 domain netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.ex.ex.5 https 172.16.1.43 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.ex.ex.7 https 172.16.1.13 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.ex.ex.6 5000 172.16.1.103 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.ex.ex.14 ssh 172.16.1.104 ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.ex.ex.14 5432 172.16.1.104 5432 netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.ex.ex.14 5959 172.16.1.104 5959 netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.ex.ex.14 5960 172.16.1.104 5960 netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.ex.ex.14 5961 172.16.1.104 5961 netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.ex.ex.14 5962 172.16.1.104 5962 netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.ex.ex.14 5963 172.16.1.104 5963 netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.ex.ex.14 9099 172.16.1.104 9099 netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.ex.ex.14 8080 172.16.1.104 8080 netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.ex.ex.15 255.255.255.255 0 0
static (inside,outside) tcp 209.ex.ex.15 https 172.16.1.72 https netmask 255.255.255.255 0 0
static (inside,dmz) tcp 172.16.1.70 smtp 172.16.1.70 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.ex.ex.13 https 172.16.1.19 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.ex.ex.14 255.255.255.255 0 0
static (inside,outside) tcp 209.ex.ex.14 https 172.16.1.74 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.ex.ex.8 255.255.255.255 0 0
static (inside,outside) tcp 209.ex.ex.8 https 172.16.0.50 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.ex.ex.8 3389 172.16.0.50 3389 netmask 255.255.255.255 0 0
static (inside,outside) udp 209.ex.ex.88 9000 172.16.1.211 9000 netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.ex.ex.8 1433 172.16.0.50 1433 netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.ex.ex.14 8443 172.16.1.104 8443 netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.ex.ex.16 https 172.16.0.80 https netmask 255.255.255.255 0 0
static (inside,dmz) 172.16.1.6 172.16.1.6 netmask 255.255.255.255 0 0
static (inside,dmz) 172.16.1.201 172.16.1.201 netmask 255.255.255.255 0 0
static (dmz,outside) 209.ex.ex.12 192.168.45.4 netmask 255.255.255.255 0 0
static (inside,dmz) 172.16.1.22 172.16.1.22 netmask 255.255.255.255 0 0
static (inside,dmz) 172.16.1.202 172.16.1.202 netmask 255.255.255.255 0 0
static (inside,dmz) 172.16.1.44 172.16.1.44 netmask 255.255.255.255 0 0
static (dmz,outside) 209.ex.ex.11 192.168.45.11 netmask 255.255.255.255 0 0
static (inside,dmz) 172.16.1.10 172.16.1.10 netmask 255.255.255.255 0 0
static (inside,dmz) 172.16.1.9 172.16.1.9 netmask 255.255.255.255 0 0
static (inside,dmz) 172.16.1.99 172.16.1.99 netmask 255.255.255.255 0 0
static (inside,dmz) 172.16.1.203 172.16.1.203 netmask 255.255.255.255 0 0
static (inside,dmz) 172.16.10.28 172.16.10.28 netmask 255.255.255.255 0 0
static (inside,dmz) 172.16.1.69 172.16.1.69 netmask 255.255.255.255 0 0


access-group from-outside-in in interface outside
access-group from-dmz-in in interface dmz

route outside 0.0.0.0 0.0.0.0 209.ex.ex.1 1
route inside 172.16.0.0 255.248.0.0 192.168.44.2 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:00:00 absolute

aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local

no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps

floodguard enable

console timeout 0
url-block url-mempool 1500
url-block url-size 4
url-block block 64
terminal width 80
Cryptochecksum:84489a11e3df19d25bd94c78853b1bab

Figured this one out... the implicit deny on the DMZ access list was the culprit. Should have known better :). After taking care of that, the additional nat/global command came into play and all is well.

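The implicit deny that turned out to be the cause, as an added example that is not part of the original post: a first-match simulator for a PIX 6.3 interface ACL, run over a subset of the posted from-dmz-in entries. The FIX line is the assumed shape of the missing permit (the post does not quote it), and the MX address 198.51.100.25 is a constructed documentation-range value.

```python
# Added example (not from the original post): PIX interface ACLs are evaluated
# top to bottom and end with an implicit deny, so SMTP from the smart host to
# the Internet falls off the end of the posted from-dmz-in list.
import ipaddress

# Service names used in the posted from-dmz-in entries, resolved to port numbers.
PORTS = {"ftp": 21, "ssh": 22, "smtp": 25, "domain": 53, "www": 80, "ldap": 389, "pptp": 1723}
# The one object-group service referenced below (from the posted config).
GROUPS = {"SQL": [(1433, 1434)]}

def _addr(tokens):
    """Consume one PIX address spec (any | host A | A MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq P | object-group G]'."""
    t = line.split()
    action, proto = t[2], t[3]
    src, rest = _addr(t[4:])
    dst, rest = _addr(rest)
    ranges = [(0, 65535)]                 # no port clause: any destination port
    if rest[:1] == ["eq"]:
        p = int(rest[1]) if rest[1].isdigit() else PORTS[rest[1]]
        ranges = [(p, p)]
    elif rest[:1] == ["object-group"]:
        ranges = GROUPS[rest[1]]
    return action, proto, src, dst, ranges

def evaluate(acl, proto, src_ip, dst_ip, dst_port):
    """First match wins; falling off the end is the PIX's implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, src, dst, ranges in map(parse_ace, acl):
        if p in (proto, "ip") and s in src and d in dst \
                and any(lo <= dst_port <= hi for lo, hi in ranges):
            return action
    return "deny"

DMZ_ACL = [  # a subset of the posted from-dmz-in entries, copied verbatim
    "access-list from-dmz-in permit tcp host 192.168.45.4 host 172.16.1.21 eq smtp",
    "access-list from-dmz-in permit icmp 192.168.45.0 255.255.255.0 any",
    "access-list from-dmz-in permit tcp host 192.168.45.4 any eq www",
    "access-list from-dmz-in permit tcp host 192.168.45.6 host 172.16.1.44 object-group SQL",
]
# Assumed form of the missing entry; the post only says the implicit deny was the cause.
FIX = "access-list from-dmz-in permit tcp host 192.168.45.4 any eq smtp"

def smart_host_smtp_out(acl, mx="198.51.100.25"):
    """SMTP from the smart host to a constructed, documentation-range Internet MX."""
    return evaluate(acl, "tcp", "192.168.45.4", mx, 25)
```

The ACL is only half of the path: a translation for the DMZ host toward outside (the existing static (dmz,outside) for 192.168.45.4, or the nat/global pair mentioned in the resolution) must also exist, which the simulator does not model.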