[fw-wiz] Webmail Server in DMZ

From: Michael H (af_pilot33_at_hotmail.com)
Date: 05/14/04

    To: firewall-wizards@honor.icsalabs.com
    Date: Thu, 13 May 2004 16:53:53 -0700
    
    

    Greetings,

    I'm setting up a dmz for the first time and would like to put a front end
    web mail server in the dmz to get another layer between my mail server and
    the outside world. I'm using the Cisco site
    www.cisco.com/warp/public/110/mailserver_dmz.html as my guide, but still
    have some questions.

    Here is my network:

                                 Webmail
                                 Frontend
    Email                        172.x.x.x
    Backend                         | A.B.C.D
    10.x.x.x --------------PIX--------------Internet

    I need to pass traffic, obviously from the Frontend to the Backend server,
    to include https traffic. Here is my guess as to what I need:

    static (dmz, outside) A.B.C.D 172.x.x.x netmask 255.255.255.255 0 0
    static (inside, dmz) 172.x.x.x 10.x.x.x netmask 255.255.255.255 0 0

    access-list dmz_https permit tcp any host A.B.C.D eq https
    access-list inside_https permit tcp any host 172.x.x.x eq https

    access-group dmz_https in interface outside
    access-group inside_https in interface dmz

    I would include any additional protocols in the dmz/inside https ACL
    necessary, but I'm wondering if my logic is sound. As I said, I'm new to
    having a dmz and not a pix guru by any means. Any input on how to do this or
    suggestions on better ways of accomplishing my task are greatly appreciated.

    regards,
    Michael

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
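As an added example (not from the post or from the list), here is a small Python model of the statics and ACLs Michael proposes, run over constructed addresses, to check which flows the two-hop layout actually admits: the outside reaches only the frontend's public address on 443, the DMZ reaches only the backend's DMZ-side address on 443, and nothing from the outside can address the backend directly because no static spans inside and outside. The addresses, the backend's distinct DMZ-side address (172.16.1.25) and the simplified evaluation order are all assumptions of this example, not the poster's network or an exact description of PIX internals.

```python
import re

# Constructed sample config in the shape of the poster's lines. The post only
# gives placeholders (172.x.x.x, 10.x.x.x, A.B.C.D), so these addresses are
# made up; the backend gets its own DMZ-side address (172.16.1.25), distinct
# from the frontend's own address (172.16.1.10).
PIX_CONFIG = """
static (dmz, outside) 203.0.113.10 172.16.1.10 netmask 255.255.255.255 0 0
static (inside, dmz) 172.16.1.25 10.0.0.25 netmask 255.255.255.255 0 0
access-list dmz_https permit tcp any host 203.0.113.10 eq https
access-list inside_https permit tcp any host 172.16.1.25 eq https
access-group dmz_https in interface outside
access-group inside_https in interface dmz
"""
PORT_NAMES = {"https": 443, "http": 80, "smtp": 25}

def parse(cfg):
    """Pull statics, named ACLs and ACL-to-interface bindings out of the config."""
    statics, acls, bindings = [], {}, {}
    for line in cfg.strip().splitlines():
        f = re.sub(r"\s*,\s*", ",", line).split()   # tolerate "(dmz, outside)"
        if f[0] == "static":                         # static (high,low) global local ...
            high, low = f[1].strip("()").split(",")
            statics.append((high, low, f[2], f[3]))
        elif f[0] == "access-list":                  # access-list NAME permit tcp any host DST eq PORT
            port = PORT_NAMES.get(f[8]) or int(f[8])
            acls.setdefault(f[1], []).append((f[2], f[3], f[6], port))
        elif f[0] == "access-group":                 # access-group NAME in interface IF
            bindings[f[4]] = f[1]
    return statics, acls, bindings

def evaluate(cfg, ingress, dst, port):
    """Simplified model (an assumption of this example): a TCP packet entering a
    lower-security interface must match a permit in that interface's inbound
    ACL, written against the global (pre-translation) address, and must have a
    static whose global side faces that interface. Returns
    (verdict, egress_interface, real_destination)."""
    statics, acls, bindings = parse(cfg)
    rules = acls.get(bindings.get(ingress), [])
    if not any(a == "permit" and p == "tcp" and d == dst and pt == port
               for a, p, d, pt in rules):
        return ("denied: no ACL permit on " + ingress, None, None)
    for high, low, glob, local in statics:
        if low == ingress and glob == dst:
            return ("permitted", high, local)
    return ("denied: no static reachable from " + ingress, None, None)

if __name__ == "__main__":
    for probe in [("outside", "203.0.113.10", 443), ("dmz", "172.16.1.25", 443),
                  ("outside", "203.0.113.10", 25), ("outside", "10.0.0.25", 443)]:
        print(probe, "->", evaluate(PIX_CONFIG, *probe))
```

Adding a protocol to the inside_https list in the sample (for example an "eq smtp" line for the backend) and re-running the probes shows exactly which extra flow the change opens, which is the check worth doing before each ACL edit.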

