DMZ to Internal connections not working

  • From: "Dan Wilkie" <d_j_wilkie@xxxxxxxxx>
  • To: isalist@xxxxxxxxxxxxx
  • Date: Fri, 3 May 2002 15:24:49 -0600

Hi everyone,

Hope you can help with this one. I have not been successful in getting a
DMZ SMTP server to communicate with an Internal SMTP server.

My ISA NICs are configured as follows (these are example Class C's. I am
using 2 Class C's assigned by our ISP.)

External NIC
IP=192.200.30.2/24
Gateway=192.200.30.1/24   (ISP router)

DMZ NIC
IP=192.200.31.2/24
gateway is blank

Internal NIC
IP=192.168.1.2/24
gateway is also blank

The DMZ SMTP server IP=192.200.31.3. I have configured SMTP packet filters
to allow port 25 in and out to any ip.

The internal SMTP server IP=192.168.1.150 and is published as
192.200.30.57
(ext NIC configured with several IPs, 50-60).

Also set int protocol rules for outbound port 25 to any.

My LAT only contains the internal segments. 

When tested, I can connect from:

    -ext. SMTP server (192.200.30.200) <-> DMZ SMTP server.

    -ext. SMTP <-> int. SMTP

    -int. SMTP -> DMZ SMTP

But, DMZ (192.200.31.3) to published int (192.200.30.57) is not working.
The IPPEXTD log shows success from 192.200.31.3 to 192.200.31.57 via
192.200.31.2 but no other message from then on about it. An IP Packet Drop
alert is also indicated. I have tried different ports with the same
result. Is there a way to do this? Or am I missing
something? 

With the ISA disabled, pings between all NICs work fine, which
indicates to me that it is not a Win2k routing/misconfiguration issue. The
SMTP servers I am using for this test have been connected to live segments
and tested for connectivity to eliminate any suspicions of
misconfigurations on them.

Maybe this is expected behavior when using two Class C segments for ext
and DMZ. Tom's book, The Learning Zone, MS Technet, and other writings
indicate another option is to subnet 1 segment. Is this the fix?

My next option, which is less favorable, is to make the DMZ a private
segment, use TCP/IP filtering, and publish the SMTP server instead.

Any thoughts, suggestions, or help would be greatly appreciated. Thanx! :)
