Setup Email Server Behind PIX 501

thenetwerx
Level 1

I am new to Cisco PIX configurations and need help setting up an email server behind a PIX 501. Actually I am setting up a Barracuda spam filter which will receive the email first for scanning and then it forwards it to an Exchange server.

The PIX is running 6.3.4 and has a default configuration with the exception of VPN setup that someone else configured previously.

Any help is greatly appreciated!

13 Replies

Patrick Iseli
Level 7

With only one public IP (the outside interface):

Barracuda server is: 192.168.1.10

Replace the 192.168.1.10 with your internal IP address and rename my example access-list name <acl_out> with your access-list name if one already exists.

# Config Access-list :

access-list acl_out permit tcp any interface outside eq smtp

access-group acl_out in interface outside

# Port Address Translation:

static (inside,outside) tcp interface smtp 192.168.1.10 smtp netmask 255.255.255.255 0 0

Example with a specific public IP of your range. Network Address Translation example:

# Config:

access-list acl_out permit tcp any host YourPublic-IP1 eq smtp

access-group acl_out in interface outside

static (inside,outside) YourPublic-IP1 Local-IP1 netmask 255.255.255.255 0 0

# Note that after changing the NAT or PAT (translation) you may need to clear the translation table. This will reset all existing sessions.

Command:

clear xlate

Example on Cisco's site:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094466.shtml

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html

sincerely

Patrick

Patrick

Thanks for the quick reply Patrick. I will try it out this afternoon and let you know what the results are.

Now here is a real novice question... Adding lines and then using write memory is easy. But if I make a change to the config file that I don't want or need to edit, how do I do that?

Follow this guideline:

1.) Do a write mem before you start changing the config.

2.) Save the config for fallback to a text file.

Now you can start changing the config in the command line but do not save it.

Test everything, if you want to go back to your original config you can reboot the firewall.

Otherwise post your configuration and I can tell you exactly what to add in your config, but please replace your confidential data, such as your public IP, with a name such as PublicIP.

sincerely

Patrick

Hi Patrick,

I am in a real jam here. I tried some of your suggestions and realized I made an error on one of the lines, so I didn't write the changes to mem. Then I issued a reload command to the firewall. Now there is no access out to the internet at all!! I tried rebooting it as well and still no access out. I unplugged the firewall from the cable modem and plugged my laptop into the modem and set the network card properties to the fixed IP of the modem, set the DNS and gateway (all the same as what the PIX has in the config file) and it can access anything on the internet just fine. I am really starting to sweat on this!!

Attached is the running config file (just as it was before all the trouble.)

The config is fine!

You permit any inside traffic to the internet without any limitation.

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Reset the cable modem! Sometimes they get jammed with the ARP entries and just allow one address to go out. Reset the cable modem and try again.

Check that the interfaces are up.

show interfaces

Try to ping the outside default gateway (.73) from the ping command line. And be sure that you have a valid DNS server on your hosts.

Here are some troubleshooting guides.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_tech_notes_list.html

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008009402f.shtml

sincerely

Patrick

Thanks for replying. I wasn't sure if you would be around at this time on a Saturday.

Now that you have my config file, can you rewrite to allow smtp, pop3 and nntp to my Barracuda on the inside network with the following address: 192.168.45.5?

Thanks a million!!

Tim

FYI - I have outside connection to the internet again. I cycled the cable modem and that did the trick.

Any luck on rewriting the config file for me?

Replace the MailPublicIP with your real public IP address, which is configured in your DNS MX record!

access-list ad_out permit tcp any host MailPublicIP eq 25

access-list ad_out permit tcp any host MailPublicIP eq 110

access-list ad_out permit tcp any host MailPublicIP eq 119

static (inside,outside) MailPublicIP 192.168.45.5 netmask 255.255.255.255

# Execute:

clear xlate

# Note this will reset all connections!

Please let me know if you need the config for the same IP address as your outside IP!

sincerely

Patrick

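As an added example (not code from the thread or from Cisco), here is a small Python audit of the PIX 6.x commands Patrick posted in his first reply and in this one: it ties each inbound access-list entry to the static that forwards it and flags entries that open more than ports 25/110/119. The config text is constructed from this thread with MailPublicIP kept as a placeholder, and the parser handles only the command forms that appear here.

```python
# Added example, not code from the thread: map each inbound access-list entry in
# a PIX 6.x fragment to the static that carries it and flag entries broader than
# the mail ports the thread intends. CONFIG is constructed; MailPublicIP is a placeholder.
CONFIG = """\
access-list ad_out permit tcp any host MailPublicIP eq 25
access-list ad_out permit tcp any host MailPublicIP eq pop3
access-list ad_out permit tcp any host MailPublicIP eq 119
access-list ad_out permit tcp any host MailPublicIP eq 3389
access-list ad_out permit ip any host MailPublicIP
access-list ad_out permit tcp any interface outside eq smtp
access-group ad_out in interface outside
static (inside,outside) MailPublicIP 192.168.45.5 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.10 smtp netmask 255.255.255.255 0 0
"""
PORT_NAMES = {"smtp": 25, "pop3": 110, "nntp": 119}
INTENDED = {25, 110, 119}  # what the thread means to expose on the mail host
def port_num(p):  # PIX port keyword or number -> int; None when absent
    return None if p is None else PORT_NAMES.get(p, int(p) if p.isdigit() else p)
def parse_addr(tok, i):  # 'any' | 'host X' | 'interface outside' | 'X MASK'
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] in ("host", "interface"):  # 'interface' = the outside address itself
        return (tok[i + 1] if tok[i] == "host" else "interface"), i + 2
    return tok[i] + "/" + tok[i + 1], i + 2
def parse(text):
    acls, statics, inbound = [], {}, set()
    for tok in (line.split() for line in text.splitlines()):
        if tok[:1] == ["access-list"] and tok[2] == "permit":
            src, i = parse_addr(tok, 4)
            dst, i = parse_addr(tok, i)
            port = tok[i + 1] if i < len(tok) and tok[i] == "eq" else None
            acls.append((tok[1], tok[3], src, dst, port_num(port)))
        elif tok[:1] == ["static"] and tok[2] in ("tcp", "udp"):  # PAT: one port only
            statics[(tok[3], port_num(tok[4]))] = (tok[5], port_num(tok[6]))
        elif tok[:1] == ["static"]:  # 1:1 NAT: every port reaches the inside host
            statics[(tok[2], None)] = (tok[3], None)
        elif tok[:1] == ["access-group"] and tok[-1] == "outside":
            inbound.add(tok[1])
    return acls, statics, inbound
def audit(text):  # -> [(acl entry, internal target, verdict)] for applied ACLs only
    acls, statics, inbound = parse(text)
    out = []
    for name, proto, src, dst, port in acls:
        if name in inbound:  # an access-list that is never applied exposes nothing
            target = statics.get((dst, port)) or statics.get((dst, None))
            internal = f"{target[0]}:{target[1] or port or '*'}" if target else "no static: dropped"
            verdict = ("BROAD: no port limit" if dst == "any" or port is None
                       else "UNEXPECTED PORT" if port not in INTENDED else "ok")
            out.append((f"{src} -> {dst}:{port or '*'}/{proto}", internal, verdict))
    return out
```

Because the 1:1 static forwards every port to 192.168.45.5, the access-list is the only thing limiting exposure, which is why the audit flags the constructed 3389 and "permit ip" lines.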

Did it work ?

sincerely

Patrick

Hi Patrick,

By adding the access-list lines to the config file, email started flowing into the Barracuda.

What is interesting though, is that when I tried to add the static route that you suggested, it didn't take, as if there was an error in the syntax.

So for the time being, I haven't added the static route.

Also, another weird situation... I can no longer ping outside the network to sites on the internet.

Go figure...

Tim

That was not a static route; this is a NAT (Network Address Translation), which forwards all traffic from a public IP to an internal private IP!

static (inside,outside) MailPublicIP 192.168.45.5 netmask 255.255.255.255

If you got an error message, then it might be that you already have a static configured?

Also, without a static you would not have traffic flow!

Ping outside world:

access-list ad_out permit icmp any interface outside echo-reply

access-list ad_out permit icmp any interface outside unreachable

access-list ad_out permit icmp any interface outside time-exceeded

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

sincerely

Patrick

Patrick,

Do you have to add the access-list to the outside interface?

access-group 101 out

mwardinterpub
Level 1

If possible, you can also use PDM. (PIX device manager) for configuration assistance.

To access the PIX 501 via PDM, just enter the following IP address in your browser (connect the PC to the inside interface of the PIX and configure it for the proper speed and duplex settings).

Also have the latest version of Java installed on the configuration terminal, go to java.com or search on google.com to googledork it.

On your browser, type in the search bar

https://192.168.1.1/html or just 192.168.1.1.
