
I have a Web Server (193.170.4.2) in my DMZ that needs to communicate with our Exchange Server (10.77.51.87) internally via SMTP. I used `access-list acl-dmz permit tcp host 193.170.4.2 host 10.77.51.87 eq smtp`, but it did not work.

Is it because of the `deny ip` line in acl-outbound or the nat ACL? If not, can anyone see what might be causing this? My config is below:

PIX_6.3(5)_515#
access-group acl-inbound in interface outside
access-group acl-outbound in interface inside
access-group acl-dmz in interface dmz1


PIX_6.3(5)_515#
PIX_6.3(5)_515# sh access-list acl-outbound | in deny
access-list acl-outbound line 86 deny ip 10.0.0.0 255.0.0.0 193.170.4.0 255.255.255.0 (hitcnt=1209)
access-list acl-outbound line 90 deny ip any any (hitcnt=1014022)
PIX_6.3(5)_515#
PIX_6.3(5)_515#
PIX_6.3(5)_515# sh access-list acl-dmz
access-list acl-dmz; 2 elements
access-list acl-dmz line 1 permit udp host 193.170.4.2 host 198.6.1.4 eq domain (hitcnt=5625)
access-list acl-dmz line 2 permit ip host 193.170.4.2 any (hitcnt=1089)
PIX_6.3(5)_515#
PIX_6.3(5)_515#
PIX_6.3(5)_515# sh nat
nat (inside) 0 access-list nonat
nat (inside) 1 10.77.51.80 255.255.255.255 0 0
nat (inside) 1 10.77.51.81 255.255.255.255 0 0
nat (inside) 1 10.77.51.87 255.255.255.255 0 0
nat (inside) 2 10.76.0.0 255.255.0.0 0 0
PIX_6.3(5)_515#
PIX_6.3(5)_515# sh run | in static
static (inside,outside) tcp 195.99.136.85 smtp 10.77.51.87 smtp netmask 255.255.255.255 0 0
static (inside,outside) 195.99.136.81 10.77.51.58 netmask 255.255.255.255 0 0
static (inside,outside) 195.99.136.84 10.77.51.38 netmask 255.255.255.255 0 0
static (dmz1,outside) 212.140.175.173 193.170.4.2 netmask 255.255.255.255 0 0
static (dmz1,inside) 212.140.175.173 193.170.4.2 netmask 255.255.255.255 0 0
static (inside,dmz1) 10.76.0.0 10.76.0.0 netmask 255.255.0.0 0 0
PIX_6.3(5)_515#
PIX_6.3(5)_515#
PIX_6.3(5)_515# sh run | in global
global (outside) 1 195.99.136.85
global (outside) 2 interface
PIX_6.3(5)_515#
PIX_6.3(5)_515#
    -1, voted to close. Please make this legible, and make it bear some resemblance to a question. Or, if it's really "very urgent," jump on the phone and hire an expert as a consultant to fix it for you. – HopelessN00b Aug 01 '12 at 17:11
  • Please avoid things in your title of question like `"...VERY URGENT!!"`. I've edited it out of this question, but in the future don't do that. If your problem is really that urgent, you should be hiring a consultant to assist you, not posting on a free community. – MDMarra Aug 01 '12 at 17:15
  • @HopelessN00b It really wasn't that bad when you go into edit view. He just didn't wrap the output in code markdown and English clearly isn't his first language, that's all. Maybe next time, edit the question to be better instead of writing why it should be closed :) – MDMarra Aug 01 '12 at 17:18
  • @MDMarra ..Thanks, will follow – chinni Aug 01 '12 at 17:18
  • @MDMarra Thanks. I couldn't make heads or tails of it before, and thought it was completely unsalvageable, but it's entirely comprehensible with your edits, so kudos to you. – HopelessN00b Aug 01 '12 at 17:32
    Ah, I got ya. A lot of times if you click "edit" on questions like this, you'll see it's actually formatted nicely in the text box, but new users typically don't have a grasp on how to use markdown to make it look nice when presented as a question :) – MDMarra Aug 01 '12 at 17:32

1 Answer

I think the DENY is your problem.

Try:

access-list acl-dmz line 3 permit tcp host 193.170.4.2 host 10.77.51.87 eq smtp
access-list acl-outbound line 88 permit tcp host 10.77.51.87 host 193.170.4.2
  • Does the `static (dmz1,inside) 212.140.175.173 193.170.4.2 netmask 255.255.255.255 0 0` have any role to play? I want to use `static (inside,dmz1) 10.77.0.0 10.77.0.0 netmask 255.255.0.0 0 0`, where my inside network is the 10.77 subnet. Please help me understand this. Thanks in advance. – chinni Aug 01 '12 at 18:12
  • Inside should talk to DMZ without needing that static, IIRC. (I no longer have a PIX). If you want to test with a bit less disruption you could do a smaller sized static `static (inside,dmz1) 10.77.51.87 10.77.51.87 netmask 255.255.255.255 0 0` – Mark Aug 01 '12 at 18:33
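An added configuration example, not from the question or Mark's answer, showing what the DMZ-to-inside SMTP flow needs on PIX 6.3 and a tighter acl-dmz than the existing `permit ip host 193.170.4.2 any`. The identity static is the one Mark's comment suggests; all addresses are taken from the question.

```text
! Added example (not the poster's or Mark's config). Hosts are from the question.
!
! 1. Traffic from a lower-security interface (dmz1) to a higher-security one
!    (inside) needs a translation for the destination. The existing
!    static (inside,dmz1) only covers 10.76.0.0/16, not 10.77.51.87, so add an
!    identity static for the Exchange server.
static (inside,dmz1) 10.77.51.87 10.77.51.87 netmask 255.255.255.255 0 0
!
! 2. ACLs are first-match. Insert the SMTP-only entry ahead of the broad
!    "permit ip host 193.170.4.2 any" (currently line 2), then remove the broad
!    entry so the DMZ host can no longer reach every inside address.
access-list acl-dmz line 2 permit tcp host 193.170.4.2 host 10.77.51.87 eq smtp
no access-list acl-dmz permit ip host 193.170.4.2 any
!
! 3. Nothing is needed in acl-outbound for this flow: the PIX is stateful, so
!    the Exchange server's replies belong to the DMZ-initiated connection and
!    are not checked against the inside interface ACL. A permit inserted at
!    line 88 would also sit below the line-86 deny for 10.0.0.0/8 to
!    193.170.4.0/24 and would never be reached for inside-initiated traffic.
!
! Check: retry the SMTP connection from the web server, confirm the hit count
! on the new acl-dmz line increments, and if it still fails look for the
! "No translation group found" syslog message for the Exchange address.
show access-list acl-dmz
show logging | include 10.77.51.87
```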