[afnog] PIX Configuration Issue
Brian Candler
B.Candler at pobox.com
Wed Jun 22 11:23:30 EAT 2005
On Wednesday 22 June 2005 08:24, Julius Kidubuka wrote:
> Hi all,
>
> From my last posting, I had issues with getting LAN clients to browse the
> internet which issue I successfully resolved.
It would be good if you could report exactly what solved the problem. That
means that the list readers can see solutions, as well as problems :-)
> Right now, I can't seem to get the LAN PCs to pop and send mail through
> the mail server though they can 'ping' it successfully.
What exactly do you mean "can't pop and send mail"? What exactly are the
symptoms - i.e. what exactly do the clients try to do, and what exactly is
the error message they see?
Since you can ping, my first guess is that this is a layer 4-7 problem, or
else firewalling of TCP. So the first test I would do on the clients is:
telnet x.x.x.x 25
telnet x.x.x.x 110
where x.x.x.x is the mailserver IP, and see exactly what response I get back.
I would also try running tcpdump on the mailserver at the same time: something
like
tcpdump -i eth0 -n -s1500 -X
> I have done a couple of searches and looked at numerous sample
> configurations where the mail server is placed in a DMZ. I have tried to
> create a 'kind of DMZ' in the best possible way I can by placing the mail
> server on the same subnetwork as the Router and PIX with the use of a
> switch (this is because the PIX I am using only has two ethernet
> interfaces hence I don't specifically have an interface to assign as a DMZ
> interface). This or something else could be the cause of all my mail
> problems.
That's a perfectly reasonable DMZ config, in some ways better than a single
firewall with three interfaces:
                            DMZ
outside ------- FIREWALL --------- FIREWALL --------- inside
However, since you've chosen to use private IPs in your DMZ, then there's no
need to configure NAT on the PIX. (I don't know PIX configuration, so I can't
say for sure whether you have NAT enabled, but I see some NAT-related config
lines there)
The way I'd do it is to turn off NAT, and then on the router put a static
route:
ip route 192.168.10.0 255.255.255.0 192.168.0.2
This is so that any machine in the DMZ which tries to send a packet to
192.168.10.x will send it to their default route (the router) which in turn
will forward it to the PIX.
I'd then make sure that everything could ping everything else internally, and
open TCP connections (setting a 'permit everything' policy on the PIX first
if necessary). Then I'd clamp down the policies, e.g. so that machines on
192.168.10.x could make outgoing connections to the mailserver, but not vice
versa. That is, make it be a firewall.
Finally I'd then enable NAT on the border router to allow everything to access
the Internet, and set whatever port-forwarding rules are necessary for
inbound services (e.g. port 25 to mailserver).
Regards,
Brian.
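The telnet-to-port-25/110 check Brian suggests, as an added example that is not part of the original post or of any PIX/router configuration: a small standard-library Python script that opens a TCP connection to each mail port, waits briefly for the greeting banner, and classifies what the client sees (service answered, connected but silent, connection refused, no reply at all). The distinction matters because "ping works" only proves ICMP and routing; a refused connection means the host was reached but nothing is listening, while a silent timeout is the classic symptom of a firewall dropping the SYN. The fake listener and the free-port helper are constructed test fixtures so the script runs offline; the host name, port map and hint wording are assumptions of this example.

```python
"""Layer-4 reachability check for a mail server (added example, not from the post).

Does in code what `telnet x.x.x.x 25` / `telnet x.x.x.x 110` do by hand:
connect, wait for the server greeting, and say what happened.
"""
import socket
import sys
import threading

# Assumed port map for the two services in the post.
MAIL_PORTS = {25: "smtp", 110: "pop3"}

# Assumed interpretation of each outcome, written for the "ping works,
# mail doesn't" situation described in the thread.
HINTS = {
    "banner":    "service reachable at layer 4 and answering; look at client mail settings/auth",
    "no_banner": "TCP connected but no greeting: daemon stalled, or traffic filtered after the SYN",
    "refused":   "host reached but port closed: daemon not listening on this address/port",
    "timeout":   "no reply to SYN: packets are being dropped; check firewall policy and routes",
    "error":     "connection not attempted: check name resolution and routing",
}


def probe(host, port, timeout=3.0):
    """Connect to host:port and return {'port', 'outcome', 'banner'}."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:          # RST came back: host is up, port closed
        return {"port": port, "outcome": "refused", "banner": ""}
    except socket.timeout:                  # SYN silently dropped (typical firewall)
        return {"port": port, "outcome": "timeout", "banner": ""}
    except OSError as exc:                  # unreachable, bad name, etc.
        return {"port": port, "outcome": "error", "banner": str(exc)}
    try:
        data = s.recv(512)                  # SMTP/POP3 servers speak first
    except socket.timeout:
        data = b""
    finally:
        s.close()
    banner = data.decode("ascii", "replace").strip()
    return {"port": port, "outcome": "banner" if banner else "no_banner", "banner": banner}


def probe_mail_server(host, ports=MAIL_PORTS, timeout=3.0):
    """Probe every port in `ports` ({port: name}) and key results by service name."""
    return {name: probe(host, port, timeout) for port, name in ports.items()}


def diagnose(results):
    """Map each probed service to a one-line hint on where to look next."""
    return {name: HINTS[r["outcome"]] for name, r in results.items()}


# ---- constructed fixtures so the example runs offline ----------------------

def start_fake_server(banner, send_banner=True):
    """Stand-in for a mail daemon on 127.0.0.1; returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            if send_banner:
                conn.sendall(banner)
            conn.close()                    # a silent daemon just hangs up

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def free_closed_port():
    """Pick a port nothing listens on, to show the 'refused' outcome."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Usage: python3 mailprobe.py <mailserver-ip>   (ports 25 and 110)
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    found = probe_mail_server(target)
    for svc, res in found.items():
        print(f"{svc:5} port {res['port']:3} -> {res['outcome']:9} {res['banner']}")
        print(f"      {HINTS[res['outcome']]}")
```

Run it from a LAN client against the mail server's address while `tcpdump -i eth0 -n port 25 or port 110` runs on the server: if the client reports `timeout` and the server's tcpdump never shows the SYN, the packet died in between (PIX policy or a missing route); if the SYN arrives and a RST goes back, the daemon is not bound on that interface; if a `220`/`+OK` banner comes back, the network is fine and the problem is in the mail client or server configuration.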