04-13-2007 10:06 PM - edited 03-11-2019 03:00 AM
I am new to Cisco PIX configurations and need help setting up an email server behind a PIX 501. Actually I am setting up a Barracuda spam filter which will receive the email first for scanning and then it forwards it to an Exchange server.
The PIX is running 6.3.4 and has a default configuration with the exception of VPN setup that someone else configured previously.
Any help is greatly appreciated!
04-14-2007 06:31 AM
With only one public IP (the outside interface):
Barracuda server is: 192.168.1.10
Replace the 192.168.1.10 with your internal IP address and rename my example access-list name <acl_out> with your access-list name if one already exists.
# Config Access-list :
access-list acl_out permit tcp any interface outside eq smtp
access-group acl_out in interface outside
# Port Address Translation:
static (inside,outside) tcp interface smtp 192.168.1.10 smtp netmask 255.255.255.255 0 0
Example with a specific public IP of your range. Network Address Translation example:
# Config:
access-list acl_out permit tcp any host YourPublic-IP1 eq smtp
access-group acl_out in interface outside
static (inside,outside) YourPublic-IP1 Local-IP1 netmask 255.255.255.255 0 0
# Note: after changing the NAT or PAT (translation) you may need to clear the translation table. This will reset all existing sessions.
Command:
clear xlate
Example on Cisco's site:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html
sincerely
Patrick
04-14-2007 07:26 AM
Thanks for the quick reply Patrick. I will try it out this afternoon and let you know what the results are.
Now here is a real novice question... Adding lines and then using write memory is easy. But if I make a change to the config file that I don't want or need to edit, how do I do that?
04-14-2007 10:41 AM
Follow this guideline:
1.) Do a write mem before you start changing the config.
2.) Save the config for fallback to a text file.
Now you can start changing the config in the command line but do not save it.
Test everything, if you want to go back to your original config you can reboot the firewall.
Otherwise post your configuration and I can tell you exactly what to add to your config, but please replace your confidential data, such as your public IP, with a name like PublicIP.
sincerely
Patrick
04-14-2007 08:03 PM
Hi Patrick,
I am in a real jam here. I tried some of your suggestions and realized I made an error on one of the lines, so I didn't write the changes to mem. Then I issued a reload command to the firewall. Now there is no access out to the internet at all!! I tried rebooting it as well and still no access out. I unplugged the firewall from the cable modem and plugged my laptop into the modem and set the network card properties to the fixed IP of the modem, set the DNS and gateway (all the same as what the PIX has in the config file) and it can access anything on the internet just fine. I am really starting to sweat on this!!
Attached is the running config file (just as it was before all the trouble.)
04-14-2007 08:31 PM
The config is fine!
You permit any inside traffic to the internet without any limitation.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
Reset the cable modem! Sometimes they get jammed with the ARP entries; they just allow one address to go out. Reset the cable modem and try again.
Check that the interfaces are up.
show interfaces
Try to ping the outside default gateway (.73) from the ping command line. And be sure that you have a valid DNS server on your hosts.
here are some troubleshooting guides.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_tech_notes_list.html
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008009402f.shtml
sincerely
Patrick
04-14-2007 08:54 PM
Thanks for replying. I wasn't sure if you would be around at this time on a Saturday.
Now that you have my config file, can you rewrite to allow smtp, pop3 and nntp to my Barracuda on the inside network with the following address: 192.168.45.5?
Thanks a million!!
Tim
04-14-2007 09:16 PM
FYI - I have outside connection to the internet again. I cycled the cable modem and that did the trick.
Any luck on rewriting the config file for me?
04-14-2007 10:42 PM
Replace the MailPublicIP with your real public IP address, which is configured in your DNS MX record!
access-list ad_out permit tcp any host MailPublicIP eq 25
access-list ad_out permit tcp any host MailPublicIP eq 110
access-list ad_out permit tcp any host MailPublicIP eq 119
static (inside,outside) MailPublicIP 192.168.45.5 netmask 255.255.255.255
# Execute a:
clear xlate
# Note: this will reset all connections!
Please let me know if you need the config for the same IP address as your outside IP !
sincerely
Patrick
04-16-2007 10:52 AM
Did it work ?
sincerely
Patrick
04-16-2007 11:44 AM
Hi Patrick,
By adding the access-list lines to the config file, email started flowing into the Barracuda.
What is interesting though, is that when I tried to add the static route that you suggested, it didn't take, as if there was an error in the syntax.
So for the time being, I haven't added the static route.
Also, another weird situation... I can no longer ping outside the network to sites on the internet.
Go figure...
Tim
04-16-2007 04:33 PM
That was not a static route; this is a NAT = Network Address Translation which forwards all traffic from a public IP to an internal private IP!
static (inside,outside) MailPublicIP 192.168.45.5 netmask 255.255.255.255
If you got an error message then it might be that you already have a static configured?
Also without a static you would not have traffic flow !
Ping outside world:
access-list ad_out permit icmp any interface outside echo-reply
access-list ad_out permit icmp any interface outside unreachable
access-list ad_out permit icmp any interface outside time-exceeded
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
sincerely
Patrick
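Pulling the mail-server answer and the ping answer above together, here is the complete set of PIX 6.3 commands as one added example (this block was not posted in the thread; it is an editor's consolidation). It keeps the thread's placeholders: MailPublicIP is the public address in the MX record, 192.168.45.5 is the Barracuda, and ad_out is the outside access-list name. It assumes no other access-list is yet bound inbound on the outside interface; the PIX allows only one ACL per interface per direction, so if one is already bound, add these permit lines to that ACL name instead of creating a second one.

```cisco
! Added example, not from the original thread. Placeholders as in the thread:
! MailPublicIP = public IP in the MX record, 192.168.45.5 = Barracuda,
! ad_out = outside ACL name (assumed not yet bound on the outside interface).
!
! 1. One-to-one static translation public -> Barracuda.
!    This is a NAT entry, not a static route.
static (inside,outside) MailPublicIP 192.168.45.5 netmask 255.255.255.255 0 0
!
! 2. Permit only the ports the Barracuda actually serves. The static above
!    maps ALL ports of MailPublicIP to the Barracuda, so this ACL is the only
!    thing keeping its other services off the Internet. Drop 110/119 if the
!    box only needs to receive SMTP; POP3 and NNTP carry cleartext logins.
access-list ad_out permit tcp any host MailPublicIP eq 25
access-list ad_out permit tcp any host MailPublicIP eq 110
access-list ad_out permit tcp any host MailPublicIP eq 119
!
! 3. Let ICMP replies back in for hosts that are PAT'd to the outside
!    interface address, so ping from the inside works again.
access-list ad_out permit icmp any interface outside echo-reply
access-list ad_out permit icmp any interface outside unreachable
access-list ad_out permit icmp any interface outside time-exceeded
!
! 4. Bind the ACL inbound on the outside interface. Without this line the
!    ACL exists but filters nothing, and the implicit deny from a
!    lower-security interface still blocks the inbound mail connections.
access-group ad_out in interface outside
!
! 5. Flush existing translations so the new static takes effect
!    (this drops all current sessions).
clear xlate
!
! Verification
show static
show access-list ad_out
show xlate
show fixup
```

Two checks worth doing afterwards. First, `show access-list ad_out` has a hit counter per line; if the hitcnt on the port 25 line stays at zero while an outside host connects, the ACL is not bound or the static is wrong. Second, PIX 6.3 ships with `fixup protocol smtp 25` (Mailguard) enabled, which only passes a minimal SMTP command set and rewrites the banner; if connections reach the Barracuda but delivery fails, `show fixup` tells you whether it is active and `no fixup protocol smtp 25` disables it, after which the Barracuda does its own SMTP filtering.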
04-17-2007 07:45 AM
Patrick,
Do you have to add the access-list to the outside interface?
access-group 101 out
04-17-2007 07:48 AM
If possible, you can also use PDM. (PIX device manager) for configuration assistance.
To access the PIX 501 via PDM, just enter the following IP address in your browser (connect the PC to the inside interface of the PIX and configure it for proper speed and duplex settings).
Also have the latest version of Java installed on the configuration terminal, go to java.com or search on google.com to googledork it.
On your browser, type in the search bar
https://192.168.1.1/html or just 192.168.1.1.