Another Pix 501 Configuration issue

allanlindsay
Level 1

I just purchased a PIX 501 and thought I could get it configured without problems since my set-up is simple. I also have experience with Linksys and SonicWalls, but since I'm in the big leagues now with Cisco, I'm being humbled.

I have a simple set up: 1 static IP from my ISP that is PPPoE, and on the inside I use a 192.168.1.x address. My workstation works fine and can access all I need outside, but I'm not able to get SMTP, POP3 & WWW traffic to my server from the outside. My server IP is 192.168.1.11.

The configuration file is below. Since I'm not very schooled on the CLI, I have been using the PDM to create my configuration. If you could reference PDM in your reply, it would really be helpful.

PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxx encrypted
passwd xxxxxxx encrypted
hostname pixfirewall
domain-name mydomain.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.11 mydomain.com
access-list outside_access_in permit tcp any eq www host mydomain.com eq www
access-list outside_access_in permit tcp any eq smtp host mydomain.com eq smtp
access-list outside_access_in permit tcp any eq pop3 host mydomain.com eq pop3
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location mydomain.com 255.255.255.255 inside
pdm location 209.xxx.xxx.xxx 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (outside,inside) tcp mydomain.com www 209.xxx.xxx.xxx www netmask 255.255.255.255 0 0
static (outside,inside) tcp mydomain.com smtp 209.xxx.xxx.xxx smtp netmask 255.255.255.255 0 0
static (outside,inside) tcp mydomain.com pop3 209.xxx.xxx.xxx pop3 netmask 255.255.255.255 0 0
static (inside,outside) mydomain.com mydomain.com dns netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname allanmydomain
vpdn group pppoe_group ppp authentication pap
vpdn username allanmydomain password *********
dhcpd address 192.168.1.100-192.168.1.131 inside
dhcpd dns mydomain.com 209.242.0.2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:xxxx
: end
[OK]

Thank you for any assistance,

Allan

6 Replies

Patrick Iseli
Level 7

The access-list on the outside interface must contain the public IP in the destination, not the private IP!

The static also has the wrong syntax.

Change the setup to:

name 192.168.1.11 mydomain.com
access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in permit tcp any interface outside eq smtp
access-list outside_access_in permit tcp any interface outside eq pop3
static (inside,outside) tcp interface www 192.168.1.11 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.1.11 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 192.168.1.11 pop3 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside

After that do a "clear xlate".

sincerely

Patrick

I didn't get it to work as you described. I added the following and now I'm able to get email and web traffic.

access-list outside_access_in permit tcp any any
static (inside,outside) tcp interface smtp 192.168.1.11 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.1.11 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 192.168.1.11 pop3 netmask 255.255.255.255 0 0

The above opens up everything from what I can tell and obviously that isn't good.

I'm at least making headway and learning along the way.

Thanks for the help - without it I wouldn't have anything working.

Allan

Try again with:

# Figure out your Public IP (outside interface):
show ip
show interface

# Then add these lines, but replace 'YourPubIP' with your Public IP:
access-list outside_access_in permit tcp any host YourPubIP eq www
access-list outside_access_in permit tcp any host YourPubIP eq smtp
access-list outside_access_in permit tcp any host YourPubIP eq pop3
no access-list outside_access_in permit tcp any any
clear xlate

sincerely

Patrick
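Added example, not from any post in this thread: the mistakes Patrick points out can be caught mechanically before the config goes live. The Python script below lints PIX 6.3-style NAT/ACL lines for four things visible in the posted config and the interim fix: a static whose real-side interface is outside while the mapped address is an RFC 1918 host (the interfaces are swapped), an outside ACL whose destination resolves to the private server (PIX 6.x evaluates the outside ACL against the translated public address, which is why Patrick's version uses "interface outside" or the public IP), a source-port filter such as the "any eq www" before the destination in the posted entries (clients connect from ephemeral ports, so that entry never matches a real client), and the catch-all "permit tcp any any". The sample inputs are constructed from the posted lines, trimmed to www and smtp, with the redacted public address replaced by 203.0.113.5 as an assumption; this is not Cisco tooling and it only understands the address forms used in this thread.

```python
# Added example, not from the thread: lint PIX 6.3-style NAT/ACL lines for the
# mistakes discussed above. Inputs are constructed from the posted config; the
# redacted public address is assumed to be 203.0.113.5 (documentation range).
import ipaddress
import re

PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(addr):
    """True for RFC 1918 addresses; False for aliases, 'any' or interface names."""
    try:
        return any(ipaddress.ip_address(addr) in n for n in PRIVATE_NETS)
    except ValueError:
        return False

def parse_names(lines):
    """Map alias -> ip from 'name <ip> <alias>' lines (later lines use the alias)."""
    names = {}
    for line in lines:
        m = re.match(r"name\s+(\S+)\s+(\S+)\s*$", line.strip())
        if m:
            names[m.group(2)] = m.group(1)
    return names

def parse_endpoint(tok, i):
    """Parse one ACL address spec at tok[i]; return (addr, port filter, next index)."""
    if tok[i] == "any":
        addr, i = "any", i + 1
    elif tok[i] in ("host", "interface"):
        addr, i = tok[i + 1], i + 2
    else:                                      # network followed by its mask
        addr, i = tok[i] + "/" + tok[i + 1], i + 2
    port = None
    if i < len(tok) and tok[i] in ("eq", "neq", "lt", "gt"):
        port, i = " ".join(tok[i:i + 2]), i + 2
    elif i < len(tok) and tok[i] == "range":
        port, i = " ".join(tok[i:i + 3]), i + 3
    return addr, port, i

def lint(lines):
    """Return (config line, finding) pairs for the NAT/ACL mistakes in the thread."""
    names = parse_names(lines)
    lines = [l.strip() for l in lines if l.strip()]
    outside_acls = set()                       # ACLs applied inbound on outside
    for line in lines:
        m = re.match(r"access-group\s+(\S+)\s+in\s+interface\s+outside$", line)
        if m:
            outside_acls.add(m.group(1))
    findings = []
    for line in lines:
        tok = line.split()
        if tok[0] == "static":
            # static (real_if,mapped_if) [tcp|udp] mapped [mport] real [rport] ...
            real_if = tok[1].strip("()").split(",")[0]
            mapped = tok[3] if tok[2] in ("tcp", "udp") else tok[2]
            if real_if == "outside" and is_private(names.get(mapped, mapped)):
                findings.append((line, "static interfaces look swapped: the private "
                                 "server is the mapped address; it belongs on the "
                                 "real side of static (inside,outside)"))
        elif tok[0] == "access-list" and tok[1] in outside_acls and tok[2] == "permit":
            src, sport, i = parse_endpoint(tok, 4)
            dst, _dport, _ = parse_endpoint(tok, i)
            if sport:
                findings.append((line, "source-port filter '%s': clients connect from "
                                 "ephemeral ports, so this entry never matches" % sport))
            if is_private(names.get(dst, dst)):
                findings.append((line, "destination is the private server; PIX 6.x "
                                 "matches the outside ACL against the public "
                                 "(translated) address, so use the public IP or "
                                 "'interface outside'"))
            if src == "any" and dst == "any":
                findings.append((line, "permits %s from anywhere to any destination"
                                 % tok[3]))
    return findings

# Constructed input: the posted NAT/ACL lines (www and smtp), public IP assumed.
POSTED = """
name 192.168.1.11 mydomain.com
access-list outside_access_in permit tcp any eq www host mydomain.com eq www
access-list outside_access_in permit tcp any eq smtp host mydomain.com eq smtp
static (outside,inside) tcp mydomain.com www 203.0.113.5 www netmask 255.255.255.255 0 0
static (outside,inside) tcp mydomain.com smtp 203.0.113.5 smtp netmask 255.255.255.255 0 0
static (inside,outside) mydomain.com mydomain.com dns netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
""".splitlines()

# The interim "it works now" fix: everything reachable because everything is open.
WIDE_OPEN = POSTED + ["access-list outside_access_in permit tcp any any"]

# Patrick's corrected fragment: the public side is tied to the outside interface.
FIXED = """
name 192.168.1.11 mydomain.com
access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in permit tcp any interface outside eq smtp
static (inside,outside) tcp interface www 192.168.1.11 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.1.11 smtp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
""".splitlines()

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("wide open", WIDE_OPEN), ("fixed", FIXED)):
        print("== %s: %d finding(s)" % (label, len(lint(cfg))))
        print("\n".join("  %s\n    -> %s" % hit for hit in lint(cfg)))
```

Run as-is it reports six findings for the posted fragment (two per ACL entry plus the two reversed statics; the identity dns static is left alone), seven once the any/any line is added, and none for the corrected fragment. The same check can be pointed at a full "write terminal" dump, since every line it does not recognise is ignored.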

Try adding this line:

#route outside 0.0.0.0 0.0.0.0

renil

This worked too. Thank you!

Hi Allan,

Please do rate the post which helped you.

Thanks

renil
