
Unable to access the internet from the DMZ after applying access list


billyakabachi
Technical User
Jan 9, 2003
Hello,

I need some help figuring out why I'm unable to access the internet from the DMZ after applying an access list on the DMZ interface that allows an SMTP server to send mail to an Exchange server on the inside interface.

My goal is to set up an SMTP server in the DMZ which will receive mail from the outside and forward it to an Exchange server on the inside. The Exchange server should then be able to send mail to the SMTP server in the DMZ, and the SMTP server in the DMZ should be able to send it to the outside world.

Everything appears to work fine until I create an access list to allow the DMZ mail server to send mail to the inside Exchange server. Once I apply this access list, I'm unable to browse out to the internet from the DMZ servers. I believe that after I created the access list, the system deleted the implicit any-any access list. I tried to create a new any-any access list, but this allows everything in the DMZ full access to the inside. My config is below. Any help would be greatly appreciated. Thanks.

: Saved
:
PIX Version 7.2(3)
!
hostname FIREWALL
domain-name XXXX.NET
enable password XXXX encrypted
names
name 70.X.X.97 INTERNETROUTER
!
interface Ethernet0
speed 100
duplex full
nameif outside
security-level 0
ip address 70.X.X.98 255.255.255.240
!
interface Ethernet1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.0.0.1 255.255.252.0
!
interface Ethernet2
speed 100
duplex full
nameif dmz
security-level 50
ip address 192.168.0.1 255.255.255.0
!
passwd XXXX encrypted
ftp mode passive
clock timezone EST -6
dns server-group DefaultDNS
domain-name XXXX.NET
access-list outside_access_in extended permit tcp any host 70.X.X.100 eq smtp
access-list dmz_access_in extended permit tcp any host 10.0.0.31 eq smtp
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (dmz,outside) 70.X.X.100 192.168.0.100 netmask 255.255.255.255
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.252.0
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 INTERNETROUTER 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.0.0.0 255.255.252.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 10.0.0.0 255.255.252.0 inside
telnet timeout 60
ssh 10.0.0.0 255.255.252.0 inside
ssh timeout 60
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
ntp server 64.202.112.65
username user password XXXX encrypted privilege 15
prompt hostname context
: end
asdm image flash:/asdm-523.bin
no asdm history enable

There is an inherent deny ip any any at the end of an ACL, so essentially you need:

access-list dmz_access_in extended permit tcp any host 10.0.0.31 eq smtp
access-list dmz_access_in extended deny ip any 10.0.0.0 255.0.0.0
access-list dmz_access_in permit ip any any
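As an added illustration (not part of the thread), a small Python model of the PIX first-match ACL evaluation with the implicit deny, run over the original one-line dmz_access_in list and the three-line list suggested above. It only models the "permit/deny <proto> any <dst> [eq <port>]" rule shapes that appear on this page, and 198.51.100.10 is a constructed stand-in for any internet host.

```python
import ipaddress

# Port names used in the rules on this page (constructed lookup table).
PORT_NAMES = {"smtp": 25, "http": 80, "https": 443}

def parse_rule(line):
    """Parse one 'access-list <name> [extended] permit|deny ...' line."""
    tok = line.split()
    i = tok.index("permit") if "permit" in tok else tok.index("deny")
    action, proto, rest = tok[i], tok[i + 1], tok[i + 2:]
    if rest[0] != "any":  # every rule in the thread has source 'any'
        raise ValueError("only 'any' sources are modelled here")
    rest = rest[1:]
    if rest[0] == "host":
        dst, rest = ipaddress.ip_network(rest[1] + "/32"), rest[2:]
    elif rest[0] == "any":
        dst, rest = ipaddress.ip_network("0.0.0.0/0"), rest[1:]
    else:  # "<network> <mask>", e.g. 10.0.0.0 255.0.0.0 as in the reply
        dst, rest = ipaddress.ip_network(f"{rest[0]}/{rest[1]}"), rest[2:]
    port = int(PORT_NAMES.get(rest[1], rest[1])) if rest[:1] == ["eq"] else None
    return action, proto, dst, port

def evaluate(acl_lines, proto, dst_ip, dst_port=None):
    """First matching rule wins; no match falls through to the implicit deny."""
    for line in acl_lines:
        action, rproto, dst, port = parse_rule(line)
        if rproto not in ("ip", proto):
            continue
        if ipaddress.ip_address(dst_ip) not in dst:
            continue
        if port is not None and port != dst_port:
            continue
        return action
    return "deny"  # implicit 'deny ip any any' at the end of every ACL

# The poster's original list: one permit, so everything else is implicitly denied.
ORIGINAL = ["access-list dmz_access_in extended permit tcp any host 10.0.0.31 eq smtp"]

# The reply's three-line list: SMTP to Exchange, block the rest of inside, allow out.
FIXED = ORIGINAL + [
    "access-list dmz_access_in extended deny ip any 10.0.0.0 255.0.0.0",
    "access-list dmz_access_in permit ip any any",
]

if __name__ == "__main__":
    print(evaluate(ORIGINAL, "tcp", "198.51.100.10", 80))  # deny: the symptom
    print(evaluate(FIXED, "tcp", "198.51.100.10", 80))     # permit: browsing works
    print(evaluate(FIXED, "tcp", "10.0.0.5", 445))         # deny: inside still shielded
```

Swapping the deny line ahead of the SMTP permit would silently break mail delivery, which is why rule order matters as much as the rules themselves.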