Due PIX per DMZ, Reverse Proxy e Smtp Gateway
Inviato: mar 28 nov , 2006 10:48 pm
Salve, ho configurato (o almento sto cercando di farlo) due pix (501 e 506) affinchè creino una dmz dove ospitare un smtp gateway, che faccia anche da reverse proxy (imaps,https) per il server groupware aziendale...
Il problema è che il server della lan non comunica con quello in dmz.
Vi posto le mie configurazioni eliminando le parti superflue...
MAIL-SRV(SRV-OX) 192.168.5.10
|
| LAN 192.168.5.0/24
|
|
inside 192.168.5.100
(------- PIX --------) fw-int
outside 10.254.32.1
|
|
|
(DMZ) 10.254.32.0/24
|
|-------(stmp -gateway) 10.254.32.2 DMZ-SRV-MX1
|
|
inside 10.254.32.254
(--------PIX---------) fw-ext
outside 87.247.235.xx
|
|
|-----subnet pubblica 87.247.235.XX/28
|
|
eth 87.247.235.xx
(ROUTER)
|
|80.93.xxx.xx/30 punto-punto
|
|
------ INTERNET
FW-INTERNO
---------------
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname fw-int
domain-name cippa.com
no fixup protocol smtp 25
names
name 192.168.5.0 LAN
name 10.254.32.0 DMZ
name 10.254.32.2 DMZ-SRV-MX1
name 10.254.32.254 DMZ-FW2
name 192.168.5.10 SRV-OX
object-group service Dmz-2-SRV-OX tcp
description Servizi su SRV-OX accessibili da SRV-MX1
port-object eq www
port-object eq https
port-object eq imap4
port-object eq smtp
access-list inside_access permit ip LAN 255.255.255.0 any
access-list nat0_outside permit ip LAN 255.255.255.0 any
access-list outside_access permit tcp host DMZ-SRV-MX1 host SRV-OX object-group Dmz-2-SRV-OX
ip address outside 10.254.32.1 255.255.255.0
ip address inside 192.168.5.100 255.255.255.0
nat (inside) 0 access-list nat0_outside
static (inside,outside) SRV-OX SRV-OX netmask 255.255.255.255 0 0
access-group outside_access in interface outside
access-group inside_access in interface inside
route outside 0.0.0.0 0.0.0.0 DMZ-FW2 1
FW-ESTERNO
---------------
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname fw-ext
domain-name cippa.it
names
name 192.168.5.0 LAN
name 10.254.32.0 DMZ
name 192.168.5.10 SRV-OX
name 88.36.59.xx PUB-SRV-MX1
name 10.254.32.1 DMZ-FW1
name 10.254.32.2 DMZ-SRV-MX1
object-group service Internet-2-SRV-MX1 tcp
description Servizi accessibili da Internet verso SRV-MX1
port-object eq https
port-object eq 993
port-object eq imap4
port-object eq smtp
port-object eq 32122
access-list inside_access permit ip LAN 255.255.255.0 any
access-list inside_access permit ip DMZ 255.255.255.0 any
access-list outside_access permit tcp any host PUB-SRV-MX1 object-group Internet-2-SRV-MX1
ip address outside 87.247.235.xx 255.255.255.240
ip address inside 10.254.32.254 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list nat0_inside
nat (inside) 1 access-list inside_access 0 0
static (inside,outside) PUB-SRV-MX1 DMZ-SRV-MX1 netmask 255.255.255.255 0 0
access-group outside_access in interface outside
access-group inside_access in interface inside
route outside 0.0.0.0 0.0.0.0 88.36.59.xx 1
route inside LAN 255.255.255.0 DMZ-FW1 1
PS:quando cerco di collegarmi al server in dmz, se simultaneamente dalla shell dello stesso digito
netstat -an | grep 192.168.5.10
l'output è
TCP 10.254.32.2:25 192.168.5.10:2541 SYN_RECEIVED
Grazie a tutti,
Ciao.
Hal.
Il problema è che il server della lan non comunica con quello in dmz.
Vi posto le mie configurazioni eliminando le parti superflue...
MAIL-SRV(SRV-OX) 192.168.5.10
|
| LAN 192.168.5.0/24
|
|
inside 192.168.5.100
(------- PIX --------) fw-int
outside 10.254.32.1
|
|
|
(DMZ) 10.254.32.0/24
|
|-------(stmp -gateway) 10.254.32.2 DMZ-SRV-MX1
|
|
inside 10.254.32.254
(--------PIX---------) fw-ext
outside 87.247.235.xx
|
|
|-----subnet pubblica 87.247.235.XX/28
|
|
eth 87.247.235.xx
(ROUTER)
|
|80.93.xxx.xx/30 punto-punto
|
|
------ INTERNET
FW-INTERNO
---------------
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname fw-int
domain-name cippa.com
no fixup protocol smtp 25
names
name 192.168.5.0 LAN
name 10.254.32.0 DMZ
name 10.254.32.2 DMZ-SRV-MX1
name 10.254.32.254 DMZ-FW2
name 192.168.5.10 SRV-OX
object-group service Dmz-2-SRV-OX tcp
description Servizi su SRV-OX accessibili da SRV-MX1
port-object eq www
port-object eq https
port-object eq imap4
port-object eq smtp
access-list inside_access permit ip LAN 255.255.255.0 any
access-list nat0_outside permit ip LAN 255.255.255.0 any
access-list outside_access permit tcp host DMZ-SRV-MX1 host SRV-OX object-group Dmz-2-SRV-OX
ip address outside 10.254.32.1 255.255.255.0
ip address inside 192.168.5.100 255.255.255.0
nat (inside) 0 access-list nat0_outside
static (inside,outside) SRV-OX SRV-OX netmask 255.255.255.255 0 0
access-group outside_access in interface outside
access-group inside_access in interface inside
route outside 0.0.0.0 0.0.0.0 DMZ-FW2 1
FW-ESTERNO
---------------
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname fw-ext
domain-name cippa.it
names
name 192.168.5.0 LAN
name 10.254.32.0 DMZ
name 192.168.5.10 SRV-OX
name 88.36.59.xx PUB-SRV-MX1
name 10.254.32.1 DMZ-FW1
name 10.254.32.2 DMZ-SRV-MX1
object-group service Internet-2-SRV-MX1 tcp
description Servizi accessibili da Internet verso SRV-MX1
port-object eq https
port-object eq 993
port-object eq imap4
port-object eq smtp
port-object eq 32122
access-list inside_access permit ip LAN 255.255.255.0 any
access-list inside_access permit ip DMZ 255.255.255.0 any
access-list outside_access permit tcp any host PUB-SRV-MX1 object-group Internet-2-SRV-MX1
ip address outside 87.247.235.xx 255.255.255.240
ip address inside 10.254.32.254 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list nat0_inside
nat (inside) 1 access-list inside_access 0 0
static (inside,outside) PUB-SRV-MX1 DMZ-SRV-MX1 netmask 255.255.255.255 0 0
access-group outside_access in interface outside
access-group inside_access in interface inside
route outside 0.0.0.0 0.0.0.0 88.36.59.xx 1
route inside LAN 255.255.255.0 DMZ-FW1 1
PS:quando cerco di collegarmi al server in dmz, se simultaneamente dalla shell dello stesso digito
netstat -an | grep 192.168.5.10
l'output è
TCP 10.254.32.2:25 192.168.5.10:2541 SYN_RECEIVED
Grazie a tutti,
Ciao.
Hal.