Configuring Web Access on PIX 515E

Answered Question
Apr 27th, 2007

I am setting up Web Access for mail and I need to open port 443 to inbound traffic for HTTPS (SSL-secured HTTP); port 993 to inbound traffic for SSL-secured IMAP; port 995 to inbound traffic for SSL-secured POP and port 25 to inbound traffic for SMTP.

I see where SMTP is already set up on port 25 using the PERMIT command. Do I use the same format for the others? I don't really understand the FIXUP command. Do I have to configure these ports using this command also? Thanks

Steve Kent

mark.j.hodge Fri, 04/27/2007 - 07:28

Assuming your webmail server is the same as your SMTP server then yes. Just open up the appropriate ports on your outside interface inbound access list.

Fixup only works for a specific set of protocols to perform a deeper, application level, inspection of the traffic. You may find that you need to turn it off for your application, if extended SMTP commands are used. With fixup on only the seven RFC 821 commands are allowed.

** please rate if posts are helpful **

steve_kent Fri, 04/27/2007 - 07:35

OK I will give it a try ... but my web access server is not the same as the other SMTP server. But I didn't see anything in my start configuration that actually identified a specific machine for SMTP traffic.

mark.j.hodge Fri, 04/27/2007 - 07:43

There is probably a static mapping setup, this will provide a NAT translation from your outside global address to your inside local address for the SMTP server.

You will need an equivalent mapping to your web access server. Can you post the output from "show static"?

steve_kent Fri, 04/27/2007 - 07:51

Yes I see it now:

pixfirewall# show static

static (inside,outside) 0 0

static (inside,outside) netmask 255.255.255.255 0 0

static (inside,outside) netmask 255.255.255.255 0 0

static (inside,outside) netmask 255.255.255.255 0 0

static (inside,outside) netmask 255.255.255.255 0 0

static (inside,outside) netmask 255.255.255.255 0 0

static (inside,outside) netmask 255.255.255.255 0 0

Here is my access-list for smtp:

access-list 101 line 7 permit tcp any host eq smtp (hitcnt=262734)

I am getting an error when I enter this same line with a new public IP. I am thinking perhaps it won't let me use two lines in access-list 101 for SMTP. Do I need to start an access-list 102 to get it to take it?

mark.j.hodge Fri, 04/27/2007 - 08:01

No, you can only have one access-list applied to the outside interface at a time. There is no issue having multiple access-list entries for the same protocol.

Your new line should be something like

access-list 101 line 8 permit tcp any host eq smtp.

If this doesn't work can you post the error message.

*** please rate posts if helpful ***

steve_kent Fri, 04/27/2007 - 08:13

So does this look right for the different protocols?

access-list 101 permit tcp any host eq smtp

access-list 101 permit tcp any host eq smtp

access-list 101 permit tcp any host eq https

access-list 101 permit tcp any host eq imap4

access-list 101 permit tcp any host eq pop3

mark.j.hodge Fri, 04/27/2007 - 08:24

Previously you stated you needed to allow pop3s on port 995; the pop3 identifier means the standard pop3 port 110.

If you modify the access-list in this way, you will add the entries to the end of the access-list. The list is checked in sequence, so if there is a deny further up your traffic may be blocked.

Other than those minor details your access-list looks fine.

** please rate if posts are helpful **
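The two points above (the pop3 keyword resolves to port 110, not 995, and entries are matched in sequence with an implicit deny at the end) modelled in a small PIX-style access-list evaluator. This is an added example, not code from the thread or from Cisco; the port keyword table is a subset, the webmail address is a placeholder, and the ACL text is constructed.

```python
# Added example (not from the thread): a minimal model of how a PIX evaluates
# an inbound access-list on the outside interface. First match wins, and
# anything not matched is dropped by the implicit deny at the end.
import ipaddress
import re

# Port keywords as PIX resolves them (subset, assumed for this example).
# pop3s (995) and imaps (993) are given numerically in this model.
PORT_NAMES = {"smtp": 25, "https": 443, "imap4": 143, "pop3": 110}

# access-list <name> [line N] permit|deny tcp <src> <dst> eq <port>
ACE_RE = re.compile(
    r"access-list\s+(\S+)\s+(?:line\s+\d+\s+)?(permit|deny)\s+tcp\s+"
    r"(any|host\s+\S+)\s+(any|host\s+\S+)\s+eq\s+(\S+)")


def parse_acl(text):
    """Return (action, src, dst, port) tuples in the order written."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # blank line or something this model does not parse
        _, action, src, dst, port = m.groups()
        port = int(port) if port.isdigit() else PORT_NAMES.get(port)
        if port is None:
            raise ValueError(f"unknown port keyword in: {line}")
        entries.append((action, src.replace("host ", ""),
                        dst.replace("host ", ""), port))
    return entries


def _match(spec, ip):
    return spec == "any" or ipaddress.ip_address(spec) == ipaddress.ip_address(ip)


def evaluate(entries, src, dst, port):
    """Sequential first-match; unmatched traffic hits the implicit deny."""
    for action, s, d, p in entries:
        if _match(s, src) and _match(d, dst) and p == port:
            return action
    return "deny"


WEBMAIL = "192.0.2.10"  # placeholder public address (constructed)
ACL = f"""
access-list 101 line 7 permit tcp any host {WEBMAIL} eq smtp
access-list 101 deny tcp any host {WEBMAIL} eq 443
access-list 101 permit tcp any host {WEBMAIL} eq https
access-list 101 permit tcp any host {WEBMAIL} eq pop3
"""
ENTRIES = parse_acl(ACL)
```

The https permit never fires because the deny on 443 sits above it, and the pop3 line opens 110 rather than 995, which stays closed by the implicit deny.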

steve_kent Fri, 04/27/2007 - 08:29

No, I checked and there are no deny statements in my access-list 101.

mark.j.hodge Fri, 04/27/2007 - 08:18

Have you changed these addresses for security reasons?

If not, using Class A network 150.0.0.0 for your internal addresses could cause you real headaches in the future. According to IANA the 150/8 subnet is allocated to "Various Registries", which usually means ISPs.

http://www.iana.org/assignments/ipv4-address-space

Unless the address range has been allocated to your organisation, you should use RFC 1918 addresses internally.

http://www.isi.edu/in-notes/rfc1918.txt

** please rate posts if helpful **

steve_kent Fri, 04/27/2007 - 08:22

The 150.1.X.X has been used for internal for over 6 years now. Our chief here didn't want to change it because there would be a very very slight possibility of running into a conflict with the internet address in Japan. That decision was way above my pay grade .. Thanks for all the help. How do I go about rating your posts? I would like to give you the credit you deserve .. Thanks again

Correct Answer
mark.j.hodge Fri, 04/27/2007 - 08:27

Just as long as you are aware.. If a problem is known about, it becomes less of a problem.

There should be a "Rate this post" menu, bottom right. It's nice to be appreciated :-)
