Pat is giving me static

Answered Question
Mar 19th, 2010

I am trying to route mail through my PIX and do not see any traffic passing through the PIX. Am I missing something?


Commands I've added:


access-list inbound extended permit tcp any host 192.168.3.5 eq smtp

static (inside,outside) tcp 70.70.70.70 smtp 192.168.3.5 smtp netmask 255.255.255.255

I thought I read something that I needed to play with the fixup command, but I don't know.


As you can tell, the 70 interface is the outside of my PIX and the 3.5 is the mail server.


I also cannot figure out the proper debug commands to watch traffic.


Thanks


Dave

Correct Answer by John Blakley about 6 years 11 months ago

Dave,


If this is in fact a PIX, then you should run "clear xlate" and that will force the xlate table to be rebuilt. Other than that, your config looks fine.


HTH,

John

Correct Answer by Collin Clark about 6 years 11 months ago

Dave-


Your config looks good. Turn your logging to debug:


logging buffered debug

logging enable


then try it. From an outside device you can telnet to 70.70.70.70 on port 25.


Then check your logs. You should see the TCP connection being built. If there is a problem it should state that too. Feel free to post the results of the log and we'll see if we can help. Also a


show access-list | i 70.70.70.70


will show hit counts on the ACL. They should be incrementing as you test.


Hope it helps.


n1fcc Fri, 03/19/2010 - 12:08

My PIX is running 7.2. The logging commands didn't work, or do I submit them from config t?


I've tried the clear xlate; I'm now waiting for some mail to pass.

n1fcc Fri, 04/02/2010 - 20:03

I'm still not seeing any traffic.


Do I need an access-group statement or anything else to make this work?


When I show access-list I see no hits.


Dave

n1fcc Fri, 04/02/2010 - 20:24

Here is a copy of my config, to demonstrate my lack of skill and what I will call, for lack of a better term, configuration creep.

Attachment: 
Jon Marshall Sat, 04/03/2010 - 00:21

Dave


I can't read your attachment, but based on your comment about access-group, have you applied the access-list to the outside interface, i.e.


access-group inbound in interface outside


Jon

n1fcc Sun, 04/04/2010 - 19:38

wr t
: Saved
:
PIX Version 7.2(2)
!
hostname eastpix
domain-name cisco.com
names
dns-guard
!
interface Ethernet0
nameif outside
security-level 0
ip address 70.70.70.70 255.255.255.248
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
!
interface Ethernet2
nameif dmz
security-level 4
ip address 192.168.200.1 255.255.255.0
!
boot system flash:/pix722.bin
ftp mode passive
dns server-group DefaultDNS
domain-name cisco.com
access-list 100 extended permit ip 192.168.3.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 10.28.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.31.0 255.255.255.0
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.34.0 255.255.255.0
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.220.0 255.255.255.0
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.110.0 255.255.255.0
access-list 101 extended permit ip 192.168.3.0 255.255.255.0 10.28.1.0 255.255.255.0
access-list 102 extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 103 extended permit ip 192.168.3.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list 104 extended permit ip 192.168.3.0 255.255.255.0 192.168.31.0 255.255.255.0
access-list 107 extended permit ip 192.168.3.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list 108 extended permit ip 192.168.3.0 255.255.255.0 192.168.34.0 255.255.255.0
access-list 111 extended permit ip 192.168.3.0 255.255.255.0 192.168.220.0 255.255.255.0
access-list x extended permit icmp any any
access-list 105 extended permit ip 192.168.3.0 255.255.255.0 192.168.110.0 255.255.255.0
access-list inbound extended permit tcp any host 192.168.3.5 eq smtp
pager lines 24
logging enable
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 70.70.70.70 smtp 192.168.3.5 smtp netmask 255.255.255.255
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 70.70.70.71 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
group-policy vpn3000 internal
group-policy vpn3000 attributes
dns-server value 68.87.71.226
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 107
default-domain value moido.com
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set strong esp-des esp-md5-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 8 set transform-set myset
crypto dynamic-map dynmap 10 set transform-set strong
crypto map canton 10 match address 100
crypto map canton 10 set peer 1.1.1.1
crypto map canton 10 set transform-set strong
crypto map canton 20 match address 104
crypto map canton 20 set peer 2.2.2.2
crypto map canton 20 set transform-set strong
crypto map canton 30 match address 103
crypto map canton 30 set peer 3.3.3.3
crypto map canton 30 set transform-set strong
crypto map canton 40 match address 101
crypto map canton 40 set peer 4.4.4.4
crypto map canton 40 set transform-set strong
crypto map canton 50 match address 105
crypto map canton 50 set peer 5.5.5.5
crypto map canton 50 set transform-set strong
crypto map canton 80 match address 111
crypto map canton 80 set peer 6.6.6.6
crypto map canton 80 set transform-set strong
crypto map canton 65500 ipsec-isakmp dynamic dynmap
crypto map canton interface outside
crypto map mymap 8 ipsec-isakmp dynamic dynmap
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 8
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
isakmp ikev1-user-authentication (outside) none
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 4.4.4.4 type ipsec-l2l
tunnel-group 4.4.4.4 ipsec-attributes
pre-shared-key *
tunnel-group 6.6.6.6 type ipsec-l2l
tunnel-group 7.7.7.7 ipsec-attributes
pre-shared-key *
tunnel-group 8.8.8.8 type ipsec-l2l
tunnel-group 8.8.8.8 ipsec-attributes
pre-shared-key *
tunnel-group 9.9.9.9 type ipsec-l2l
tunnel-group 9.9.9.9 ipsec-attributes
pre-shared-key *
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key *
tunnel-group vpn3000 type ipsec-ra
tunnel-group vpn3000 general-attributes
default-group-policy vpn3000
tunnel-group vpn3000 ipsec-attributes
pre-shared-key *
isakmp ikev1-user-authentication (outside) none
tunnel-group 0.0.0.0 type ipsec-l2l
tunnel-group 0.0.0.0 ipsec-attributes
pre-shared-key *
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 ipsec-attributes
pre-shared-key *
tunnel-group 4.4.4.4 type ipsec-l2l
tunnel-group 4.4.4.4 ipsec-attributes
pre-shared-key *
tunnel-group 5.5.5.5 type ipsec-l2l
tunnel-group 5.5.5.5 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 10 retry 3
tunnel-group 6.6.6.6 type ipsec-l2l
tunnel-group 6.6.6.6 ipsec-attributes
pre-shared-key *
telnet 192.168.3.0 255.255.255.0 inside
telnet 192.168.200.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
ssh version 1
console timeout 0
management-access inside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect ils
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
ssl encryption des-sha1 rc4-md5
prompt hostname context
Cryptochecksum:7ce604f250b00ade16927c4c44d02ff9
: end
[OK]

John Blakley Mon, 04/05/2010 - 07:18

David,


This line:


access-list inbound extended permit tcp any host 192.168.3.5 eq smtp


needs to be changed to your public address that you're mapping to:


access-list inbound extended permit tcp any host 70.70.70.70 eq smtp


That should get you fixed up....


HTH,

John
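The two things this thread ended up checking by hand (is the ACL actually bound to the outside interface, and does the ACE name the mapped address rather than the real one) can be checked mechanically. The script below is an added example written for this page; it is not from the thread or from Cisco. It assumes the pre-8.3 PIX/ASA rule John states, that an ACL applied to the outside interface matches the mapped (public) address of a static, and uses a constructed sample config reduced to the relevant lines Dave posted. The parsers cover only the `static`, `access-list ... extended`, `access-group`, `nameif` and `ip address` forms that appear in this config.

```python
"""Check static NAT against interface ACLs on a pre-8.3 PIX/ASA.

Hypothetical linter for this thread (not Cisco tooling). Pre-8.3, an ACL on the
outside interface must match a static's mapped address, not its real address.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the relevant lines from the posted 7.2(2) config.
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif outside
 ip address 70.70.70.70 255.255.255.248
interface Ethernet1
 nameif inside
 ip address 192.168.3.1 255.255.255.0
access-list inbound extended permit tcp any host 192.168.3.5 eq smtp
static (inside,outside) tcp 70.70.70.70 smtp 192.168.3.5 smtp netmask 255.255.255.255
access-group inbound in interface outside
"""

@dataclass
class Static:
    real_if: str
    mapped_if: str
    proto: Optional[str]        # tcp/udp for a port static, None for 1:1
    mapped: str
    mapped_port: Optional[str]
    real: str

@dataclass
class Ace:
    acl: str
    action: str
    proto: str
    dst: str                    # "any", a host address, or "addr/mask"
    dst_port: Optional[str]

def parse_interfaces(lines):
    """Map nameif -> address so 'static ... interface ...' can be resolved."""
    ips, nameif = {}, None
    for t in (ln.split() for ln in lines):
        if t[:1] == ["interface"]:
            nameif = None
        elif t[:1] == ["nameif"]:
            nameif = t[1]
        elif t[:2] == ["ip", "address"] and nameif:
            ips[nameif] = t[2]
    return ips

def parse_static(line, if_ips):
    t = line.split()
    real_if, mapped_if = t[1].strip("()").split(",")
    rest = t[2:]
    if rest[0] in ("tcp", "udp"):            # port static
        proto, mapped, mport, real = rest[0], rest[1], rest[2], rest[3]
    else:                                    # one-to-one static
        proto, mapped, mport, real = None, rest[0], None, rest[1]
    if mapped == "interface":                # mapped to the interface address
        mapped = if_ips.get(mapped_if, mapped)
    return Static(real_if, mapped_if, proto, mapped, mport, real)

def _addr(t, i):
    """Consume one address spec (any | host X | X MASK) starting at t[i]."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    return f"{t[i]}/{t[i + 1]}", i + 2

def parse_ace(line):
    # access-list NAME extended ACTION PROTO SRC [eq PORT] DST [eq PORT]
    t = line.split()
    _, i = _addr(t, 5)
    if i < len(t) and t[i] == "eq":          # skip a source port operator
        i += 2
    dst, i = _addr(t, i)
    port = t[i + 1] if i + 1 < len(t) and t[i] == "eq" else None
    return Ace(t[1], t[3], t[4], dst, port)

def check_config(text, pre_83=True):
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if_ips = parse_interfaces(lines)
    statics = [parse_static(l, if_ips) for l in lines if l.startswith("static ")]
    aces = [parse_ace(l) for l in lines
            if l.startswith("access-list ") and " extended " in l]
    others = [l.split() for l in lines if not l.startswith("access-list ")]
    bound = {t[1]: t[t.index("interface") + 1]
             for t in others if t[0] == "access-group" and "interface" in t}
    findings = []
    for name in sorted({a.acl for a in aces}):
        if not any(name in t for t in others):   # access-group, nat 0, crypto map...
            findings.append(f"ACL '{name}' is not referenced by any command")
    if not pre_83:                               # 8.3+ interface ACLs use real addresses
        return findings
    for s in statics:
        acl = next((n for n, itf in bound.items() if itf == s.mapped_if), None)
        if acl is None:
            continue
        on_real = [a for a in aces if a.acl == acl and a.dst == s.real]
        on_mapped = any(a.acl == acl and a.action == "permit"
                        and a.dst in ("any", s.mapped)
                        and (s.proto is None or a.proto in ("ip", s.proto))
                        and (s.mapped_port is None or a.dst_port in (None, s.mapped_port))
                        for a in aces)
        if on_real:
            findings.append(f"ACL '{acl}' on {s.mapped_if} matches real address "
                            f"{s.real}; pre-8.3 it must use mapped address {s.mapped}")
        elif not on_mapped:
            findings.append(f"no ACE in '{acl}' permits mapped address {s.mapped}")
    return findings

if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports the one mismatch John points out; with the ACE changed to `host 70.70.70.70` it is clean, and with the `access-group` line removed it reports the gap Jon asked about. With `pre_83=False` the address check is skipped, since from 8.3 onward the interface ACL is evaluated against the real address and the original ACE would have been correct.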
