Allow smtp through pix 501

Unanswered Question

Hi!


I need some help on how to allow SMTP traffic to an Exchange server on the LAN side.


I tried:


access-list out-to-in permit tcp any host 192.168.0.3 eq smtp


access-group out-to-in in interface outside


static (inside,outside) 192.168.0.3 xxx.xxx.xxx.244 netmask 255.255.255.255 0 0


Do I need to work with more outside IP addresses? Maybe it could be a bad overlap?


Kr


M






Jon Marshall Wed, 10/15/2008 - 08:36

Is xxx.xxx.xxx.244 the address that is routable on the Internet? If so, change your config to the following:


Remove this static statement:

static (inside,outside) 192.168.0.3 xxx.xxx.xxx.244 netmask 255.255.255.255 0 0

Add this one:

static (inside,outside) xxx.xxx.xxx.244 192.168.0.3 netmask 255.255.255.255

Change the access-list from

access-list out-to-in permit tcp any host 192.168.0.3 eq smtp

to

access-list out-to-in permit tcp any host xxx.xxx.xxx.244 eq smtp


Jon

Jon Marshall Thu, 10/16/2008 - 07:23

Change the static statement from


static (inside,outside) xxx.xxx.xxx.244 192.168.0.3 netmask 255.255.255.255


to


static (inside,outside) tcp interface 25 192.168.0.3 25 netmask 255.255.255.255


I'm assuming your mail server internal address is 192.168.0.3


Jon

Thanks for your reply! I added some more static statements and access-lists, and now I'm getting performance issues from inside the firewall (not sure from outside). When trying to send or receive files it's really slow. We have 10 Mbit up/down via fiber. It works well with the other firewall (D-Link). Is there a more effective way to open up the ports www, ssl, rdp, smtp to the internal Exchange server 192.168.0.3? All these statics just don't feel right...


PIX Version 6.3(5)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password v0o/1tpLdUo.e/eb encrypted
passwd v0o/1tpLdUo.e/eb encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list out-to-in permit icmp any any time-exceeded
access-list out-to-in permit tcp any host xxx.xxx.134.244 eq smtp
access-list out-to-in permit tcp any host xxx.xxx.134.244 eq https
access-list out-to-in permit tcp any host xxx.xxx.134.244 eq www
access-list out-to-in permit tcp any host xxx.xxx.134.244 eq 3389
access-list VPN permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.134.244 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNDHCP 192.168.10.2-192.168.10.10
pdm location 192.168.0.0 255.255.255.0 inside
pdm location 192.168.0.3 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list VPN
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp 192.168.0.3 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.0.3 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.0.3 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.0.3 3389 netmask 255.255.255.255 0 0
access-group out-to-in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.134.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set matiasvpn esp-des esp-md5-hmac
crypto dynamic-map dynmapmatias 99 set transform-set matiasvpn
crypto map matiasmap 99 ipsec-isakmp dynamic dynmapmatias
crypto map matiasmap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 88 authentication pre-share
isakmp policy 88 encryption des
isakmp policy 88 hash md5
isakmp policy 88 group 2
isakmp policy 88 lifetime 86400
vpngroup -matIasvpn. address-pool VPNDHCP
vpngroup -matIasvpn. dns-server 192.168.0.3
vpngroup -matIasvpn. wins-server 192.168.0.3
vpngroup -matIasvpn. default-domain netbin.local
vpngroup -matIasvpn. idle-time 1800
vpngroup -matIasvpn. password ********
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 5


don-sullivan Wed, 10/15/2008 - 08:47

Reverse the IP addresses in your static statement.

It should be: static (inside,outside) xxx.xxx.xxx.244 192.168.0.3 netmask 255.255.255.255

The first IP is the global address; the second is the real address.


HTH

