Setup Email Server Behind PIX 501

Unanswered Question
Apr 13th, 2007
User Badges:

I am new to Cisco PIX configurations and need help setting up an email server behind a PIX 501. Actually I am setting up a Barracuda spam filter which will receive the email first for scanning and then it forwards it to an Exchange server.


The PIX is running 6.3.4 and has a default configuration with the exception of VPN setup that someone else configured previously.


Any help is greatly appreciated!

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Patrick Iseli Sat, 04/14/2007 - 06:31
User Badges:
  • Gold, 750 points or more

With only one public IP, the outside interface :


Baraccuda server is: 192.168.1.10

Replace the 192.168.1.1o with your internal IP adress and rename my example access-list name < acl_out> with your access-list name if one allready exists.


# Config Access-list :

access-list acl_out permit tcp any interface outside eq smtp

access-group acl_out in interface outside

# Port Adress Translation:

static (inside,outside) tcp interface smtp 192.168.1.10 smtp netmask 255.255.255.255 0 0



Example with a specific public IP of your range. Network Adress Translation example:


# Config:


access-list acl_out permit tcp any host YourPublic-IP1 eq smtp


access-group acl_out in interface outside


static (inside,outside) YourPublic-IP1 Local-IP1 netmask 255.255.255.255 0 0


# Note you may need after changing the NAT or PAT (Translation) to clear the translation table. This will reset all existing sessions.


Command:

clear xlate


Example on Cisco's site:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094466.shtml

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html


sincerely

Patrick

Patrick


thenetwerx Sat, 04/14/2007 - 07:26
User Badges:

Thanks for the quick reply Patrick. I will try it out this afternoon and let you know what the results are.


Now here is a real novice question... Adding lines and then using write memory is easy. But if I make a change to the config file that I don't want or need to edit, how do I do that?

Patrick Iseli Sat, 04/14/2007 - 10:41
User Badges:
  • Gold, 750 points or more

Follow the following guidline:


1.) Do a write mem before you start changing the config.

2.) Save the config for fallback to a text file.


Now you can start changing the config in the command line but do not save it.



Test everything, if you want to go back to your original config you can reboot the firewall.


Otherwise post your configuration and I can tell you exactly what to add in your config but please replave your confidential data as your public IP by a name as PublicIP.


sincerely

Patrick


thenetwerx Sat, 04/14/2007 - 20:03
User Badges:

Hi Patrick,


I am in a real jam here. I tried some of your suggestions and realized I made an error on one of the lines, so I didn't write the changes to mem. Then I issued a reload command to the firewall. Now there is no access out to the internet at all!! I tried rebooting it as well and still no access out. I unplugged the firewall from the cable modem and plugged my laptop into the modem and set the network card properties to the fixed IP of the modem, set the DNS and gateway (all the same as what the PIX have in the config file) and it can access anything on the internet just fine. I am really starting to sweat on this!!


Attached is the running config file (just as it was before all the trouble.)





Attachment: 
Patrick Iseli Sat, 04/14/2007 - 20:31
User Badges:
  • Gold, 750 points or more

The config is fine !

You permit any inside traffic to the internet without any limitation.


global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0


Reset the Cable Modem ! Sometimes they get jamed with the ARP entries they just allow one address to go out. Reset the cable modem and try again.


Check that the interfaces are up.


show interfaces


Try to ping the outside default gateway (.73) from the ping command line. And be sure that you have a valid DNS server on your hosts.


here are some troubleshooting guides.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_tech_notes_list.html

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008009402f.shtml


sincerely

Patrick


thenetwerx Sat, 04/14/2007 - 20:54
User Badges:

Thanks for replying. I wasn't sure if you would be around at this time on a Saturday.


Now that you have my config file, can you rewrite to allow smtp, pop3 and nntp to my Barracuda on the inside network with the following address: 192.168.45.5?


Thanks a million!!


Tim

thenetwerx Sat, 04/14/2007 - 21:16
User Badges:

FYI - I have outside connection to the internet again. I cycled the cable modem and that did the trick.


Any luck on rewriting the config file for me?

Patrick Iseli Sat, 04/14/2007 - 22:42
User Badges:
  • Gold, 750 points or more

Replace the MailPublicIP with your Real Public IP Address with is configured in your DNS MX Record !


access-list ad_out permit tcp any host MailPublicIP eq 25

access-list ad_out permit tcp any host MailPublicIP eq 110

access-list ad_out permit tcp any host MailPublicIP eq 119

static (inside,outside) MailPublicIP 192.168.45.5 netmask 255.255.255.255


# execute a :

clear xlate

# Note this will reset all conections !


Please let me know if you need the config for the same IP address as your outside IP !


sincerely

Patrick



Click on Rate this Post to help identify the most useful NetPro content.

thenetwerx Mon, 04/16/2007 - 11:44
User Badges:

Hi Patrick,


By adding the access-list lines to the config file, email starting flowing into the Barracuda.


What is interesting though, is that when I tried to add the static route that you suggested, it didn't take, as if there was an error in the syntax.


So for the time being, I haven't added the static route.


Also, another weird situation... I can no longer ping outside the network to sites on the internet.


Go figure...


Tim

Patrick Iseli Mon, 04/16/2007 - 16:33
User Badges:
  • Gold, 750 points or more

That was not a staic route this is a NAT = Network Address Translation with forwards all traffic from a public IP to an internal private IP !


static (inside,outside) MailPublicIP 192.168.45.5 netmask 255.255.255.255


If you got an error message then it might be that you allready have a static configured ?

Also without a static you would not have traffic flow !


Ping outside world:


access-list ad_out permit icmp any interface outside echo-reply

access-list ad_out permit icmp any interface outside unreachable

access-list ad_out permit icmp any interface outside time-exceeded


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml




sincerely

Patrick

mwardinterpub Tue, 04/17/2007 - 07:45
User Badges:

Patrick,


Do you have to add the access-list to the outside interface?


access-group 101 out

mwardinterpub Tue, 04/17/2007 - 07:48
User Badges:

If possible, you can also use PDM. (PIX device manager) for configuration assistance.


To access the PIX 501 via PDM, just enter the following IP address in your browser (Connect the PC to the inside interface of the PIX and configure it for proper speed and duplex setings)


Also have the latest version of Java installed on the configuration terminal, go to java.com or search on google.com to googledork it.


On your browser, type in the search bar


https://192.168.1.1/html or just 192.168.1.1.

Actions

This Discussion