博威 (Boway) --- cloud architecture decides cloud computing

Pix with mail server access on DMZ

Posted on 2007-5-4 15:49:13

PIX Version 6.2(2)

!--- These commands name and set the security level
!--- for their respective interfaces.

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname SanQuentin
domain-name noplace.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 ras 1718-1719
fixup protocol h323 h225 1720
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no names

!--- This statement creates an access list, named smtp, which
!--- allows SMTP traffic originating from anywhere to reach the
!--- server at 209.164.3.5. Note: There is one and only one
!--- access list allowed per interface per direction (for example, inbound
!--- on the outside interface). Because of this limitation, any additional
!--- lines needing to be placed in the access list will need to be
!--- specified here. If the server in question is not SMTP, replace
!--- the occurrences of smtp with www, dns, pop3, or
!--- whatever else may be required.

access-list smtp permit tcp any host 209.164.3.5 eq smtp
!
pager lines 24
logging on
logging timestamp
no logging standby
logging console debugging
logging monitor debugging
logging buffered debugging
logging trap debugging
no logging history
logging facility 23
logging queue 512

!--- These commands instruct the PIX to auto-sense the media
!--- attached to each interface.

interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
!
mtu outside 1500
mtu inside 1500
mtu dmz 1500
!

!--- These commands set the IP address of the respective interfaces.

ip address inside 192.168.1.1 255.255.255.252
ip address outside 209.164.3.1 255.255.255.252
ip address dmz 172.16.128.1 255.255.255.0
!
no failover
!
arp timeout 14400

!--- These commands establish port address translation (PAT) for
!--- traffic originating on the inside of the PIX and traveling
!--- outside (beyond) the PIX.

global (outside) 1 209.164.3.129
nat (inside) 1 192.168.1.0 255.255.255.0
!

!--- This static creates a translation between the legal (outside) address
!--- of the server (209.164.3.5) and its private RFC 1918 address on the DMZ (172.16.128.103).

static (dmz,outside) 209.164.3.5 172.16.128.103 netmask 255.255.255.255
!

!--- This static essentially prevents translation of the 192.168.1.x
!--- inside network when sending packets to the DMZ. Literally speaking,
!--- it creates a translation from 192.168.1.x to 192.168.1.x.

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
!

!--- This statement applies the access list created above to the
!--- interface named "outside". Because it is applied inbound, the
!--- PIX will now check all incoming packets against this list,
!--- dropping all packets not explicitly permitted.

access-group smtp in interface outside
!

!--- This command instructs the PIX to hand all other packets not
!--- destined for directly-connected networks to the router at
!--- 209.164.3.2 (the outside router).

route outside 0.0.0.0 0.0.0.0 209.164.3.2 1
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
!--- Note: the well-known community string "public" is a poor choice for a
!--- production unit; change it before deploying this configuration.
snmp-server community public
no snmp-server enable traps
floodguard enable
terminal width 80
Cryptochecksum:d66eb04bc477f21ffbd5baa21ce0f85a
: end
!
!

!--- Alternate command:
!--- conduit permit tcp host 209.164.3.5 eq smtp any
!--- In earlier PIX software versions this single command serves the same
!--- purpose as, and replaces, the access-list and access-group commands
!--- shown above.
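As an added check, not part of the original post or of Cisco's sample, here is a small Python model of the three statements that decide whether an inbound connection on the outside interface reaches the DMZ host. The `PIX_CONFIG` excerpt, the port table and the function names are constructed for this example; it assumes the PIX 6.x behaviour that an inbound access-list is matched on the global (pre-translation) address and that a static must then supply the translation, and its `audit` flags a permitted host that no static translates.

```python
import re

# Constructed excerpt of the PIX 6.2 configuration above: only the statements that decide inbound reachability.
PIX_CONFIG = """
access-list smtp permit tcp any host 209.164.3.5 eq smtp
static (dmz,outside) 209.164.3.5 172.16.128.103 netmask 255.255.255.255
access-group smtp in interface outside
"""
# Service names used on this page, mapped to ports (numeric ports are accepted too).
PORTS = {"smtp": 25, "www": 80, "pop3": 110, "dns": 53, "domain": 53}

def parse_config(text):
    """Collect access-list entries, statics and access-group bindings (hypothetical helper)."""
    cfg = {"acl": {}, "static": {}, "group": {}}
    for line in text.splitlines():
        m = re.match(r"access-list (\S+) (permit|deny) (\S+) any host (\S+) eq (\S+)", line)
        if m:
            name, action, proto, host, port = m.groups()
            cfg["acl"].setdefault(name, []).append((action, proto, host, PORTS.get(port) or int(port)))
            continue
        m = re.match(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask", line)
        if m:  # static (low,high) global local: traffic arriving on 'high' for global goes to local on 'low'
            low, high, glob, local = m.groups()
            cfg["static"][(high, glob)] = (low, local)
            continue
        m = re.match(r"access-group (\S+) in interface (\S+)", line)
        if m:
            cfg["group"][m.group(2)] = m.group(1)
    return cfg

def inbound(cfg, iface, proto, dst, port):
    """New connection arriving on `iface`: the inbound access-list is matched on the global
    (untranslated) destination, then a static must map it to a real host; either failure drops it."""
    for action, p, host, prt in cfg["acl"].get(cfg["group"].get(iface), []):
        if (p, host, prt) == (proto, dst, port):
            if action == "deny":
                return ("deny", "explicit deny", None)
            break
    else:
        return ("deny", "no access-list match (implicit deny)", None)
    xlate = cfg["static"].get((iface, dst))
    if xlate is None:
        return ("deny", "no translation for " + dst, None)
    return ("permit",) + xlate  # (interface, real address) the connection is delivered to

def audit(cfg):
    """Permitted hosts with no static pass nothing; usually a mistyped global address."""
    return ["%s/%d permitted on %s but has no static" % (host, port, iface)
            for iface, name in cfg["group"].items()
            for _, _, host, port in cfg["acl"].get(name, []) if (iface, host) not in cfg["static"]]
```

Running `inbound(parse_config(PIX_CONFIG), "outside", "tcp", "209.164.3.5", 25)` shows the permitted SMTP path to 172.16.128.103, while port 80 to the same address and any port to the PAT address 209.164.3.129 are dropped.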
