Due PIX per DMZ, Reverse Proxy e Smtp Gateway

[hal]

Salve, ho configurato (o almento sto cercando di farlo) due pix (501 e 506) affinchè creino una dmz dove ospitare un smtp gateway, che faccia anche da reverse proxy (imaps,https) per il server groupware aziendale...
Il problema è che il server della lan non comunica con quello in dmz.
Vi posto le mie configurazioni eliminando le parti superflue...

MAIL-SRV(SRV-OX) 192.168.5.10
|
| LAN 192.168.5.0/24
|
|
inside 192.168.5.100
(------- PIX --------) fw-int
outside 10.254.32.1
|
|
|
(DMZ) 10.254.32.0/24
|
|-------(stmp -gateway) 10.254.32.2 DMZ-SRV-MX1
|
|
inside 10.254.32.254
(--------PIX---------) fw-ext
outside 87.247.235.xx
|
|
|-----subnet pubblica 87.247.235.XX/28
|
|
eth 87.247.235.xx
(ROUTER)
|
|80.93.xxx.xx/30 punto-punto
|
|
------ INTERNET



FW-INTERNO
---------------
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname fw-int
domain-name cippa.com
no fixup protocol smtp 25

names
name 192.168.5.0 LAN
name 10.254.32.0 DMZ
name 10.254.32.2 DMZ-SRV-MX1
name 10.254.32.254 DMZ-FW2
name 192.168.5.10 SRV-OX

object-group service Dmz-2-SRV-OX tcp
description Servizi su SRV-OX accessibili da SRV-MX1
port-object eq www
port-object eq https
port-object eq imap4
port-object eq smtp

access-list inside_access permit ip LAN 255.255.255.0 any
access-list nat0_outside permit ip LAN 255.255.255.0 any
access-list outside_access permit tcp host DMZ-SRV-MX1 host SRV-OX object-group Dmz-2-SRV-OX

ip address outside 10.254.32.1 255.255.255.0
ip address inside 192.168.5.100 255.255.255.0

nat (inside) 0 access-list nat0_outside

static (inside,outside) SRV-OX SRV-OX netmask 255.255.255.255 0 0

access-group outside_access in interface outside
access-group inside_access in interface inside

route outside 0.0.0.0 0.0.0.0 DMZ-FW2 1



FW-ESTERNO
---------------

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname fw-ext
domain-name cippa.it

names
name 192.168.5.0 LAN
name 10.254.32.0 DMZ
name 192.168.5.10 SRV-OX
name 88.36.59.xx PUB-SRV-MX1
name 10.254.32.1 DMZ-FW1
name 10.254.32.2 DMZ-SRV-MX1

object-group service Internet-2-SRV-MX1 tcp
description Servizi accessibili da Internet verso SRV-MX1
port-object eq https
port-object eq 993
port-object eq imap4
port-object eq smtp
port-object eq 32122

access-list inside_access permit ip LAN 255.255.255.0 any
access-list inside_access permit ip DMZ 255.255.255.0 any
access-list outside_access permit tcp any host PUB-SRV-MX1 object-group Internet-2-SRV-MX1

ip address outside 87.247.235.xx 255.255.255.240
ip address inside 10.254.32.254 255.255.255.0

global (outside) 1 interface

nat (inside) 0 access-list nat0_inside
nat (inside) 1 access-list inside_access 0 0

static (inside,outside) PUB-SRV-MX1 DMZ-SRV-MX1 netmask 255.255.255.255 0 0

access-group outside_access in interface outside
access-group inside_access in interface inside

route outside 0.0.0.0 0.0.0.0 88.36.59.xx 1
route inside LAN 255.255.255.0 DMZ-FW1 1


PS:quando cerco di collegarmi al server in dmz, se simultaneamente dalla shell dello stesso digito
netstat -an | grep 192.168.5.10
l'output è
TCP 10.254.32.2:25 192.168.5.10:2541 SYN_RECEIVED

Grazie a tutti,
Ciao.

Hal.

[MaiO]

Ma perche non ti prendi soltanto il 506 e crei le vlan sulla interfaccia inside? (Naturalmente lo switch deve poter gestire le vlan)



Ciao

[hal]

Ma perche non ti prendi soltanto il 506 e crei le vlan sulla interfaccia inside? (Naturalmente lo switch deve poter gestire le vlan)



Ciao

Grazie per il consiglio, sapevo si potesse fare la vlan ma purtroppo sono obbligato a usare tutti e 2 i pix ...
Adesso mi metto sotto e vedo di sistemare il macello...

Ciao,
Hal

[Wizard]

Controlla il nat0 sul FW-ESTERNO