How does static (dmz,outside) work?

305011: Built static TCP translation from dmz:10.99.7.66/110 to outside:10.99.127.252/110
302013: Built inbound TCP connection 1040 for outside:10.99.127.254/2069 (10.99.127.254/2069) to dmz:10.99.7.66/110 (10.99.127.252/110)
305011: Built static TCP translation from dmz:10.99.7.66/25 to outside:10.99.127.252/25
302013: Built inbound TCP connection 1041 for outside:10.99.127.254/2071 (10.99.127.254/2071) to dmz:10.99.7.66/25 (10.99.127.252/25)
...
302014: Teardown TCP connection 1040 for outside:10.99.127.254/2069 to dmz:10.99.7.66/110 duration 0:02:01 bytes 0 SYN Timeout
302014: Teardown TCP connection 1041 for outside:10.99.127.254/2071 to dmz:10.99.7.66/25 duration 0:02:01 bytes 0 SYN Timeout
305012: Teardown static TCP translation from dmz:10.99.7.66/110 to outside:10.99.127.252/110 duration 0:02:06
305012: Teardown static TCP translation from dmz:10.99.7.66/25 to outside:10.99.127.252/25 duration 0:02:07

The mail server in the DMZ has its default gateway set to the PIX dmz IP. 'netstat -an' on the mail server shows the connection from the outside host as SYN_RCVD, and nothing more happens.

PIX config (partial):

...
access-list acl_dmz permit tcp host 10.99.7.66 host 10.99.9.1 eq smtp
access-list acl_dmz permit udp host 10.99.7.66 host 10.99.9.1 eq domain
access-list acl_dmz permit tcp host 10.99.7.66 eq smtp 10.99.127.248 255.255.255.248
access-list acl_dmz permit tcp host 10.99.7.66 eq pop3 10.99.127.248 255.255.255.248
access-list acl_out permit tcp 10.99.127.248 255.255.255.248 host 10.99.127.252 eq smtp
access-list acl_out permit tcp 10.99.127.248 255.255.255.248 host 10.99.127.252 eq pop3
access-list acl_out deny ip any any
access-list acl_in permit tcp 10.99.0.0 255.255.240.0 host 10.99.7.66 eq ssh
access-list acl_in permit tcp 10.99.0.0 255.255.240.0 host 10.99.7.66 eq smtp
access-list acl_in permit tcp 10.99.0.0 255.255.240.0 host 10.99.7.66 eq domain
access-list acl_in permit udp host 10.99.9.1 eq domain 10.99.7.64 255.255.255.224
access-list acl_in permit tcp 10.99.0.0 255.255.240.0 host 10.99.7.66 eq telnet
access-list outside_nonat permit ip host 10.99.7.66 host 10.99.127.254
access-list inside_nonat permit ip 10.99.0.0 255.255.240.0 10.99.7.64 255.255.255.224
pager lines 24
logging on
logging monitor debugging
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 10.99.127.253 255.255.255.248
ip address inside 10.99.15.251 255.255.255.0
ip address dmz 10.99.7.65 255.255.255.224
nat (inside) 0 access-list inside_nonat
static (dmz,outside) tcp 10.99.127.252 smtp 10.99.7.66 smtp netmask 255.255.255.255 0 0
static (dmz,outside) tcp 10.99.127.252 pop3 10.99.7.66 pop3 netmask 255.255.255.255 0 0
static (inside,dmz) 10.99.15.0 10.99.15.0 netmask 255.255.255.0 0 0
static (inside,dmz) 10.99.9.0 10.99.9.0 netmask 255.255.255.0 0 0
static (inside,dmz) 10.99.0.0 10.99.0.0 netmask 255.255.255.0 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
access-group acl_dmz in interface dmz
...

Any ideas?

Reply to
Frozer
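The syslog excerpt above already contains the diagnosis if read in pairs: a 302013 "Built inbound TCP connection" means the PIX accepted the SYN (the static and the outside ACL both matched), and the matching 302014 teardown with "bytes 0" and "SYN Timeout" means the SYN/ACK never came back through the firewall. The following is an added example, not code from the thread: it pairs 302013/302014 messages by connection ID and reports inbound connections that died half-open, with their real and mapped addresses. The log text is a constructed sample built from the poster's lines.

```python
import re

# Constructed sample: the syslog messages from the post, one message per line.
SAMPLE_LOG = """\
305011: Built static TCP translation from dmz:10.99.7.66/110 to outside:10.99.127.252/110
302013: Built inbound TCP connection 1040 for outside:10.99.127.254/2069 (10.99.127.254/2069) to dmz:10.99.7.66/110 (10.99.127.252/110)
305011: Built static TCP translation from dmz:10.99.7.66/25 to outside:10.99.127.252/25
302013: Built inbound TCP connection 1041 for outside:10.99.127.254/2071 (10.99.127.254/2071) to dmz:10.99.7.66/25 (10.99.127.252/25)
302014: Teardown TCP connection 1040 for outside:10.99.127.254/2069 to dmz:10.99.7.66/110 duration 0:02:01 bytes 0 SYN Timeout
302014: Teardown TCP connection 1041 for outside:10.99.127.254/2071 to dmz:10.99.7.66/25 duration 0:02:01 bytes 0 SYN Timeout
305012: Teardown static TCP translation from dmz:10.99.7.66/110 to outside:10.99.127.252/110 duration 0:02:06
305012: Teardown static TCP translation from dmz:10.99.7.66/25 to outside:10.99.127.252/25 duration 0:02:07
"""

# 302013: "<iface>:<real>/<port> (<mapped>/<port>)" on each side; we keep the
# real destination and the mapped (static) destination the client actually used.
BUILT_RE = re.compile(
    r"302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) for "
    r"(?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\) to "
    r"(?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) \((?P<mapped_dst>[\d.]+)/(?P<mapped_dport>\d+)\)"
)
TEARDOWN_RE = re.compile(
    r"302014: Teardown TCP connection (?P<id>\d+) for .* duration (?P<duration>\S+) "
    r"bytes (?P<bytes>\d+) (?P<reason>.+)$"
)


def parse_connections(log_text):
    """Pair 302013 build and 302014 teardown messages by connection ID."""
    conns = {}
    for line in log_text.splitlines():
        m = BUILT_RE.match(line)
        if m:
            conns[m["id"]] = m.groupdict()
            continue
        m = TEARDOWN_RE.match(line)
        if m and m["id"] in conns:
            conns[m["id"]].update(duration=m["duration"], bytes=int(m["bytes"]), reason=m["reason"])
    return conns


def half_open_inbound(log_text):
    """Inbound connections the PIX built (so ACL and static matched) that died
    with 0 bytes and 'SYN Timeout': the SYN went in, the SYN/ACK never came back."""
    return [c for c in parse_connections(log_text).values()
            if c["dir"] == "inbound" and c.get("reason") == "SYN Timeout" and c.get("bytes") == 0]


def summarize(log_text):
    """One-line finding per half-open connection, pointing at the server's return path."""
    return [f"conn {c['id']}: {c['src']} -> {c['mapped_dst']}:{c['mapped_dport']} "
            f"(real {c['dst_if']}:{c['dst']}/{c['dport']}) got no SYN/ACK back through the PIX; "
            f"check the server's route back to the firewall, not the ACL"
            for c in half_open_inbound(log_text)]


if __name__ == "__main__":
    for finding in summarize(SAMPLE_LOG):
        print(finding)
```

The point of the pairing is triage direction: a 106023 deny would mean an ACL problem, but a built connection that never exchanges a byte means the permitted packet reached the server and the server's reply was lost on the way back.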

Hello,

The static command maps an internal private IP address to an external official IP address. Access lists define the access from the untrusted external device to your DMZ device.

Use this example to define your SMTP and POP3 traffic:

static (dmz,outside) External_NAT_IP DMZ_IP netmask 255.255.255.255
access-list acl_outside permit tcp host External_SMTP_POP3_Client host External_NAT_IP eq 25
access-list acl_outside permit tcp host External_SMTP_POP3_Client host External_NAT_IP eq 110

That's all.

Greetings Gerd

Reply to
Gerd
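Gerd's rule, that the static supplies the address mapping and the ACL applied on the outside interface must permit the mapped (External_NAT_IP) address, can be checked mechanically against a config. The following is an added example, not code from the thread or from Cisco: it parses the poster's static and access-list lines (embedded as a constructed sample), evaluates the outside ACL first-match for each static (dmz,outside) against the mapped address and port, and flags outside-ACL entries that name the real DMZ address instead of the mapped one, which is the PIX 6.x semantic Gerd's example relies on. BAD_CONFIG is a constructed variant that introduces exactly that mistake so the checker has something to report.

```python
import ipaddress
import re

# Well-known port names as they appear in PIX configs.
PORTS = {"smtp": "25", "pop3": "110", "domain": "53", "ssh": "22", "telnet": "23", "www": "80"}

# Constructed sample: the outside-facing part of the poster's config.
GOOD_CONFIG = """\
access-list acl_out permit tcp 10.99.127.248 255.255.255.248 host 10.99.127.252 eq smtp
access-list acl_out permit tcp 10.99.127.248 255.255.255.248 host 10.99.127.252 eq pop3
access-list acl_out deny ip any any
static (dmz,outside) tcp 10.99.127.252 smtp 10.99.7.66 smtp netmask 255.255.255.255 0 0
static (dmz,outside) tcp 10.99.127.252 pop3 10.99.7.66 pop3 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
"""

# Constructed variant of a classic PIX mistake: the outside ACL names the real
# DMZ address instead of the mapped one, so the pop3 static is never reachable.
BAD_CONFIG = GOOD_CONFIG.replace("host 10.99.127.252 eq pop3", "host 10.99.7.66 eq pop3")

# static (real_if,mapped_if) tcp MAPPED_IP MAPPED_PORT REAL_IP REAL_PORT netmask ...
STATIC_RE = re.compile(r"static \((\w+),(\w+)\) tcp (\S+) (\S+) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"access-list (\S+) (permit|deny) (\S+) (.*)")
GROUP_RE = re.compile(r"access-group (\S+) in interface (\S+)")


def _addr(toks):
    """Consume one PIX address spec (any | host X | X MASK); return (network, rest)."""
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    return ipaddress.ip_network(f"{toks[0]}/{toks[1]}", strict=False), toks[2:]


def _port(toks):
    """Consume an optional 'eq PORT' qualifier; return (port number or None, rest)."""
    if toks and toks[0] == "eq":
        return PORTS.get(toks[1], toks[1]), toks[2:]
    return None, toks


def parse_acl(line):
    name, action, proto, rest = ACL_RE.match(line).groups()
    toks = rest.split()
    src, toks = _addr(toks)
    sport, toks = _port(toks)
    dst, toks = _addr(toks)
    dport, toks = _port(toks)
    return {"name": name, "action": action, "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport}


def permitted(acls, acl_name, dst_ip, port):
    """First-match evaluation of a TCP flow to dst_ip:port against the named ACL.
    The client address is unknown here, so any source spec counts as matching."""
    for a in acls:
        if a["name"] != acl_name or a["proto"] not in ("tcp", "ip"):
            continue
        if dst_ip in a["dst"] and a["dport"] in (None, port):
            return a["action"] == "permit"
    return False  # implicit deny at the end of every PIX ACL


def check_statics(config_text):
    """Return findings: statics with no permit on the mapped interface, and
    entries on that interface's ACL that name the real (pre-NAT) address."""
    lines = config_text.splitlines()
    statics = [m.groups() for m in map(STATIC_RE.match, lines) if m]
    acls = [parse_acl(l) for l in lines if ACL_RE.match(l)]
    acl_on = {iface: name for name, iface in (m.groups() for m in map(GROUP_RE.match, lines) if m)}
    findings = []
    for real_if, mapped_if, mapped_ip, mapped_port, real_ip, real_port in statics:
        acl_name = acl_on.get(mapped_if)
        port = PORTS.get(mapped_port, mapped_port)
        if not permitted(acls, acl_name, ipaddress.ip_address(mapped_ip), port):
            findings.append(f"no permit on {mapped_if} for {mapped_ip}/{port} -> "
                            f"{real_if}:{real_ip}/{PORTS.get(real_port, real_port)}")
        for a in acls:
            if a["name"] == acl_name and a["dst"] == ipaddress.ip_network(real_ip + "/32"):
                note = f"{acl_name} names real address {real_ip}; the {mapped_if} ACL must use mapped {mapped_ip}"
                if note not in findings:
                    findings.append(note)
    return findings


if __name__ == "__main__":
    print("poster's config:", check_statics(GOOD_CONFIG) or "ok")
    print("broken variant: ", check_statics(BAD_CONFIG))
```

On the poster's config the checker is silent, which is the same conclusion the thread reached: the static and acl_out are consistent, so the fault had to be somewhere other than the PIX.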

Thanks for the answer. The problem is not a PIX misconfiguration: the mail server had the wrong IP netmask, 255.0.0.0 (it must be 255.255.255.224). After changing to the right netmask everything works fine.

Thread closed.

Reply to
Frozer
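Why a 255.0.0.0 netmask produces exactly the SYN_RCVD symptom from the first post: with that mask the server believes 10.99.127.254 is on its own segment, so it ARPs for the client on the DMZ wire instead of handing the SYN/ACK to its gateway 10.99.7.65, and the PIX's half-open connection times out. The following is an added example, not part of the thread, using only the addresses the poster gave; the peer list is constructed, and the function names are illustrative.

```python
import ipaddress

# Addresses from the thread: the mail server, its default gateway (the PIX dmz
# interface) and the outside client that was stuck in SYN_RCVD.
MAIL_SERVER = "10.99.7.66"
PIX_DMZ = "10.99.7.65"
OUTSIDE_CLIENT = "10.99.127.254"
WRONG_MASK = "255.0.0.0"
RIGHT_MASK = "255.255.255.224"


def next_hop(host_ip, netmask, gateway, destination):
    """Where a host with this IP/mask sends a packet for destination:
    'on-link' (it ARPs for the destination itself) or via its default gateway."""
    local_net = ipaddress.ip_network(f"{host_ip}/{netmask}", strict=False)
    if ipaddress.ip_address(destination) in local_net:
        return "on-link"
    return gateway


def misrouted_peers(host_ip, netmask, gateway, peers):
    """Peers that a too-wide netmask makes the host treat as directly attached.
    Replies to them are ARPed for on the local segment and never reach the gateway,
    which is how a permitted inbound SYN ends up as SYN_RCVD with no SYN/ACK."""
    local_net = ipaddress.ip_network(f"{host_ip}/{netmask}", strict=False)
    if ipaddress.ip_address(gateway) not in local_net:
        raise ValueError("gateway is outside the host's subnet; nothing is routable")
    return [p for p in peers if next_hop(host_ip, netmask, gateway, p) == "on-link"]


if __name__ == "__main__":
    # Constructed peer list: the outside client plus two addresses from the config.
    peers = [OUTSIDE_CLIENT, "10.99.9.1", "10.99.7.70"]
    for mask in (WRONG_MASK, RIGHT_MASK):
        print(mask, "treated as on-link:", misrouted_peers(MAIL_SERVER, mask, PIX_DMZ, peers))
```

The practical check this encodes: the host's mask should match the gateway interface's mask (the PIX has `ip address dmz 10.99.7.65 255.255.255.224`), and any remote peer that `next_hop` reports as on-link will show exactly the half-open connection pattern seen in the firewall log.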

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.