Cisco Support Community
New Member

totally lost with pix

Hi,

I have a PIX 515E with the following config:

DMZ: Exchange server and a web server

Internal: a lot of servers and workstations. When I try to browse the network I cannot see the server in the DMZ. People cannot connect to the Exchange server with webmail and Outlook.

I am totally lost, can somebody help me out?

4 REPLIES
Gold

Re: totally lost with pix

At first sight the config looks OK (statics and ACLs are configured).

Can you turn on logging:

logging on

logging buffered informational

try to access DMZ servers

and then check the logs with the command

show logg

M.

New Member

Re: totally lost with pix

106023: Deny udp src DMZ:192.168.11.4/16941 dst inside:192.168.10.4/53 by access-group "dmz"

106023: Deny udp src DMZ:192.168.11.4/16941 dst inside:192.168.10.3/53 by access-group "dmz"

106023: Deny udp src DMZ:192.168.11.4/1025 dst inside:192.168.10.4/53 by access-group "dmz"

106023: Deny udp src DMZ:192.168.11.4/16941 dst inside:192.168.10.4/53 by access-group "dmz"

30.2/51740 (192.168.10.2/51740)

302013: Built outbound TCP connection 29362 for DMZ:192.168.11.4/2594 (192.168.11.4/2594) to inside:192.168.10.2/51741 (192.168.10.2/51741)

302013: Built outbound TCP connection 29363 for DMZ:192.168.11.4/2594 (192.168.11.4/2594) to inside:192.168.10.2/51742 (192.168.10.2/51742)

302013: Built outbound TCP connection 29364 for DMZ:192.168.11.4/2594 (192.168.11.4/2594) to inside:192.168.10.2/51744 (192.168.10.2/51744)

302013: Built outbound TCP connection 29365 for DMZ:192.168.11.4/2594 (192.168.11.4/2594) to inside:192.168.10.2/51746 (192.168.10.2/51746)

302013: Built outbound TCP connection 29366 for DMZ:192.168.11.4/2594 (192.168.11.4/2594) to inside:192.168.10.2/51743 (192.168.10.2/51743

305005: No translation group found for tcp src inside:192.168.14.133/1949 dst outside:84.53.136.74/80

305005: No translation group found for tcp src inside:192.168.14.133/1950 dst outside:84.53.136.33/80

305005: No translation group found for tcp src inside:192.168.14.178/1048 dst outside:84.53.136.74/80

305005: No translation group found for tcp src inside:192.168.14.133/1949 dst outside:84.53.136.74/80

305005: No translation group found for tcp src inside:192.168.14.133/1950 dst outside:84.53.136.33/80

305005: No translation group found for tcp src inside:192.168.14.178/1048 dst outside:84.53.136.74/80
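The log paste above mixes three PIX message types that point at two different root causes: 106023 (an access-list dropped the packet) and 305005 (no nat/global or static entry covers the flow), with 302013 confirming which connections did get built. The following script is an added example, not part of the thread, that groups a buffer of such lines by root cause so the two problems are visible at a glance; the sample lines are constructed from the same message shapes shown in the reply.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the three PIX message types the reply above pasted
# (106023 ACL deny, 302013 connection built, 305005 no NAT translation).
SAMPLE_LOG = """\
106023: Deny udp src DMZ:192.168.11.4/16941 dst inside:192.168.10.4/53 by access-group "dmz"
106023: Deny udp src DMZ:192.168.11.4/16941 dst inside:192.168.10.3/53 by access-group "dmz"
106023: Deny udp src DMZ:192.168.11.4/1025 dst inside:192.168.10.4/53 by access-group "dmz"
302013: Built outbound TCP connection 29362 for DMZ:192.168.11.4/2594 (192.168.11.4/2594) to inside:192.168.10.2/51741 (192.168.10.2/51741)
305005: No translation group found for tcp src inside:192.168.14.133/1949 dst outside:84.53.136.74/80
305005: No translation group found for tcp src inside:192.168.14.178/1048 dst outside:84.53.136.74/80
"""

DENY_RE = re.compile(
    r'^106023: Deny (?P<proto>\w+) src (?P<src_if>[^:]+):(?P<src>[\d.]+)/\d+ '
    r'dst (?P<dst_if>[^:]+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)
NOXLATE_RE = re.compile(
    r'^305005: No translation group found for (?P<proto>\w+) src (?P<src_if>[^:]+):(?P<src>[\d.]+)/\d+ '
    r'dst (?P<dst_if>[^:]+):(?P<dst>[\d.]+)/(?P<dport>\d+)'
)
BUILT_RE = re.compile(r'^302013: Built (?:inbound|outbound) TCP connection')


def triage(log_text):
    """Group PIX syslog lines by root cause.

    Returns a dict with:
      acl_denies: Counter keyed by (acl, proto, src_if, dst_if, dport)
      no_xlate:   {(src_if, dst_if): sorted list of source IPs with no NAT rule}
      built:      number of connections the firewall actually built
      unparsed:   lines none of the patterns recognised
    """
    acl_denies = Counter()
    no_xlate = defaultdict(set)
    built = 0
    unparsed = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if (m := DENY_RE.match(line)):
            acl_denies[(m["acl"], m["proto"], m["src_if"], m["dst_if"], int(m["dport"]))] += 1
        elif (m := NOXLATE_RE.match(line)):
            no_xlate[(m["src_if"], m["dst_if"])].add(m["src"])
        elif BUILT_RE.match(line):
            built += 1
        else:
            unparsed.append(line)
    return {
        "acl_denies": acl_denies,
        "no_xlate": {k: sorted(v) for k, v in no_xlate.items()},
        "built": built,
        "unparsed": unparsed,
    }


def findings(summary):
    """Turn the grouped counts into one human-readable line per root cause."""
    out = []
    for (acl, proto, src_if, dst_if, dport), n in sorted(summary["acl_denies"].items()):
        out.append(f"access-list {acl} dropped {n} {proto} flow(s) {src_if}->{dst_if} to port {dport}; "
                   f"the ACL bound to {src_if} has no entry permitting that destination port")
    for (src_if, dst_if), hosts in sorted(summary["no_xlate"].items()):
        out.append(f"{len(hosts)} host(s) on {src_if} ({', '.join(hosts)}) have no nat/global or static "
                   f"entry covering {src_if}->{dst_if}, so the PIX cannot forward them")
    return out


if __name__ == "__main__":
    for line in findings(triage(SAMPLE_LOG)):
        print(line)
```

Run against a real `show logging` buffer by pasting it in place of SAMPLE_LOG; anything that lands in `unparsed` is a message type the two patterns do not cover and should be read by hand rather than ignored.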

Re: totally lost with pix

Add:

static (inside,DMZ) 192.168.10.0 192.168.10.0 netmask 255.255.255.0

This will allow your whole inside segment to access the DMZ. If access control is needed for specific access, apply an access-list on the inside interface to strictly allow inside hosts to access your DMZ's email server via the allowed ports, for example TCP 25 (smtp) and http & https (tcp 80 & 443) for webmail.

access-list inside permit tcp any host 192.168.11.4 eq smtp --> permit smtp access. Assuming 192.168.11.4 is your email server in DMZ

access-list inside permit tcp any host 192.168.11.4 eq www --> allow webmail (via port 80) to pass through

access-list inside permit tcp any host 192.168.11.4 eq https --> allow secure http (https) to pass through

access-list inside deny ip any 192.168.11.0 255.255.255.0 --> deny other inside hosts from connecting to other DMZ's hosts, except for the 3 services above

access-list inside permit ip any any --> allow inside hosts to connect to other segment, i.e internet/outside segment

access-group inside in interface inside --> bind acl to inside interface

You should also modify the following acl on DMZ to rectify the first 4 deny logs

existing : access-list dmz permit udp any eq domain any eq domain

change to: access-list dmz permit udp any any eq domain --> to allow DMZ's 192.168.11.4 to talk to DNS server on inside segment.

The source port on the DMZ server can be anything, as long as the destination port is correctly pointing to UDP 53.

HTH

AK

New Member

Re: totally lost with pix

Hi,

The problem that you have is very simple. It's a port service problem: Microsoft Outlook uses RPC service ports (1025 - 65535) and OWA (Outlook Web Access) uses the http and https ports. The solution is to open the following ports:

TCP:

range 1024 65535

42,80,88,135,137,138,379,390,443,445,691,993,domain,i,imap4,ldap,ldaps,netbios-ssn,pop3,smtp

UDP:

88,389,3368,3369,3389,domain,netbios-dgm,netbios-ns,ntp,nameserver,445,636,135,139,1512

I hope it solves your problem, and excuse me for my bad English.
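The two replies above propose very different inside-to-DMZ policies: AK's five-line access-list (three permits to the mail host, a deny for the rest of the DMZ, then permit any) and a much wider list of ports and a 1024-65535 range. The script below is an added example, not from the thread or from Cisco, that models PIX first-match access-list evaluation with an implicit deny at the end and runs a handful of constructed inside flows through AK's list, the same list with the deny moved to the top, and an assumed reading of the broad port list. CIDR notation stands in for the PIX netmask syntax, the flow addresses and the broad policy are hypothetical, and NAT (the static identity entry AK gives) is a separate step this model does not cover.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One access-list entry; ports is an inclusive (low, high) range, None = any port."""
    action: str
    proto: str                       # "tcp", "udp" or "ip" (ip matches any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: Optional[Tuple[int, int]] = None


def ace(action, proto, src="0.0.0.0/0", dst="0.0.0.0/0", ports=None):
    """Build an entry; 'any' is 0.0.0.0/0, a single int is a one-port range (eq)."""
    if isinstance(ports, int):
        ports = (ports, ports)
    return Ace(action, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), ports)


def evaluate(acl, proto, src_ip, dst_ip, dport):
    """First matching entry wins; a list with no match denies (PIX implicit deny)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in acl:
        if e.proto != "ip" and e.proto != proto:
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.ports is not None and not (e.ports[0] <= dport <= e.ports[1]):
            continue
        return e.action
    return "deny"


MAIL = "192.168.11.4/32"      # DMZ mail server from the thread
DMZ_NET = "192.168.11.0/24"   # DMZ segment from the thread

# AK's inside access-list, in the order given in that reply.
INSIDE_ACL_LEAST_PRIV = [
    ace("permit", "tcp", dst=MAIL, ports=25),    # smtp
    ace("permit", "tcp", dst=MAIL, ports=80),    # webmail over http
    ace("permit", "tcp", dst=MAIL, ports=443),   # webmail over https
    ace("deny",   "ip",  dst=DMZ_NET),           # nothing else into the DMZ
    ace("permit", "ip"),                         # everything else (internet)
]

# Same entries with the deny moved to the top: first-match means the three
# permits can never be reached, so webmail breaks.
INSIDE_ACL_MISORDERED = (
    [INSIDE_ACL_LEAST_PRIV[3]] + INSIDE_ACL_LEAST_PRIV[:3] + [INSIDE_ACL_LEAST_PRIV[4]]
)

# Assumed reading of the last reply (hypothetical policy, not from the thread):
# TCP 1024-65535 plus a subset of the listed well-known ports towards the DMZ.
INSIDE_ACL_BROAD = [
    ace("permit", "tcp", dst=DMZ_NET, ports=(1024, 65535)),
    *[ace("permit", "tcp", dst=DMZ_NET, ports=p) for p in (25, 53, 80, 88, 135, 443, 445, 993)],
    ace("permit", "ip"),
]

# Constructed flows from one inside workstation (addresses invented for the example).
FLOWS = {
    "owa_https":      ("tcp", "192.168.10.50", "192.168.11.4", 443),
    "smb_to_mail":    ("tcp", "192.168.10.50", "192.168.11.4", 445),
    "http_other_dmz": ("tcp", "192.168.10.50", "192.168.11.7", 80),
    "rdp_to_mail":    ("tcp", "192.168.10.50", "192.168.11.4", 3389),
    "internet_http":  ("tcp", "192.168.10.50", "84.53.136.74", 80),
}


def decisions(acl):
    """Evaluate every sample flow against one access-list."""
    return {name: evaluate(acl, *flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("least-privilege", INSIDE_ACL_LEAST_PRIV),
                       ("misordered", INSIDE_ACL_MISORDERED),
                       ("broad", INSIDE_ACL_BROAD)):
        print(f"{label:15s} {decisions(acl)}")
```

The output shows what each policy actually lets through: AK's list admits webmail and internet traffic and nothing else into the DMZ, the misordered copy blocks webmail even though the permit lines are present, and the broad list admits SMB and RDP to the mail host along with everything in the 1024-65535 range, which is the exposure a reviewer would want to weigh before applying it.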
