Pix 501 port forwarding and failing over

mohammad10, Level 1

Hi,

I am a complete beginner with the PIX 501 box. We currently have two sites running a VPN via the PIX 501 boxes.

Firstly, our internet connection goes down approx. every 2 hours; the only way to re-establish the internet connection is to reboot the PIX, and within a few seconds the internet connection is back up. I have no idea what is causing this.

Secondly, we at present use POP3 for our mail, provided by our ISP. We are in the process of installing Exchange 2003 at our office, along with OWA, so what do I need to do in terms of the PIX config?

Thanks for all your help

MO

18 Replies

jmia, Level 7

Mo,

Firstly, do you know which license version you have on your PIX 501? This may be causing the internet connection problem. To find out which license you have on your PIX, issue:

sho ver

The above command will display the licensing details on your PIX. The 501 models have three different licensing modes, i.e.

10 user license

50 user license

Unlimited user license

Now, for configuring the PIX for email, you'll need the following configured (as an example), in config mode (replace <inside_mail_server_ip> with the inside address of your Exchange server; the static needs the inside IP between the two port names):

access-list smtp permit tcp any host 209.164.3.5 eq smtp
access-group smtp in interface outside
static (inside,outside) tcp 209.164.3.5 smtp <inside_mail_server_ip> smtp netmask 255.255.255.255 0 0

The IP 209.164.3.5 is the public IP for email; this IP should correspond to your email MX record, i.e. the MX record for your domain should point to this IP.

Save with the command: write mem, and also issue: clear xlate

For OWA access, you'll need to configure the following (I'll include the above configuration for SMTP; <inside_mail_server_ip> and <inside_owa_server_ip> are the inside addresses of the two servers):

access-list smtp permit tcp any host 209.164.3.5 eq smtp
access-list smtp permit tcp any host 209.164.3.6 eq https
access-group smtp in interface outside
static (inside,outside) tcp 209.164.3.5 smtp <inside_mail_server_ip> smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.164.3.6 https <inside_owa_server_ip> https netmask 255.255.255.255 0 0

Again, save with: write mem, and also issue: clear xlate

If you only have one public IP available, then substitute both of the public IP addresses in the access-list with the outside IP address of your PIX (<pix_outside_ip> below) and use the keyword 'interface' on your static command, i.e.

access-list smtp permit tcp any host <pix_outside_ip> eq smtp
access-list smtp permit tcp any host <pix_outside_ip> eq https
access-group smtp in interface outside
static (inside,outside) tcp interface smtp <inside_mail_server_ip> smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https <inside_owa_server_ip> https netmask 255.255.255.255 0 0

Once again, save with: write mem, and also issue: clear xlate. Make sure that the MX record points to the outside IP address of your PIX.

You'll need an SSL certificate for your OWA server.

I hope all the above helps; let me know how you get on or if you need further help.

Jay
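The static/access-list pairs above are easy to get out of step (a static with no permit is dead NAT, a permit with no static is a rule waiting to expose something once a static appears). The following is an added example, not part of Jay's post or of any Cisco tool: it parses PIX 6.x `static`, `access-list` and `access-group` lines in the form shown above and produces an inventory of what the outside interface actually publishes, plus the mismatches. The sample config and its inside addresses (192.168.1.x, 203.0.113.2) are constructed for the example.

```python
"""Inventory the services a PIX 6.x config publishes on the outside interface.

Added example, not from the thread or from Cisco. It cross-checks `static`
translations against the access-list bound inbound on the outside interface,
which is the pair of commands jmia's reply configures.
"""
import re

# Service names PIX 6.x accepts in place of port numbers (subset, enough for the thread).
PORT_NAMES = {"smtp": 25, "https": 443, "www": 80, "http": 80, "pop3": 110,
              "imap4": 143, "ssh": 22, "telnet": 23, "domain": 53, "ftp": 21}

STATIC_RE = re.compile(
    r"^static\s+\((?P<in>\w+),(?P<out>\w+)\)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<gip>\S+)\s+(?P<gport>\S+)\s+(?P<lip>\S+)\s+(?P<lport>\S+)")
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+permit\s+(?P<proto>tcp|udp|ip)\s+"
    r"(?P<src>any|host\s+\S+|\S+\s+\S+)\s+host\s+(?P<dst>\S+)(?:\s+eq\s+(?P<port>\S+))?")
GROUP_RE = re.compile(r"^access-group\s+(?P<name>\S+)\s+in\s+interface\s+(?P<if>\S+)")

# Constructed sample in the style of the post; inside addresses are made up.
SAMPLE_CONFIG = """
access-list smtp permit tcp any host 209.164.3.5 eq smtp
access-list smtp permit tcp any host 209.164.3.6 eq https
access-list smtp permit tcp any host 209.164.3.6 eq www
access-group smtp in interface outside
static (inside,outside) tcp 209.164.3.5 smtp 192.168.1.10 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.164.3.6 https 192.168.1.11 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.164.3.5 pop3 192.168.1.10 pop3 netmask 255.255.255.255 0 0
"""


def port_num(token):
    """Translate 'smtp'/'https'/'25' into an integer port (None if unknown)."""
    if token.isdigit():
        return int(token)
    return PORT_NAMES.get(token.lower())


def parse_pix(config):
    """Split a config into statics, ACLs keyed by name, and interface->ACL bindings."""
    statics, acls, groups = [], {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            statics.append(m.groupdict())
        elif m := ACL_RE.match(line):
            acls.setdefault(m.group("name"), []).append(m.groupdict())
        elif m := GROUP_RE.match(line):
            groups[m.group("if")] = m.group("name")
    return statics, acls, groups


def exposed_services(config, outside_if="outside", outside_ip=None):
    """Return (exposed, findings).

    exposed:  (public_ip, proto, port, inside_ip, inside_port) tuples that both a
              static and a permit on the outside ACL allow.
    findings: statics with no matching permit, and permits with no static.
    outside_ip resolves the 'interface' keyword used when only one public IP exists.
    """
    statics, acls, groups = parse_pix(config)
    permits = acls.get(groups.get(outside_if, ""), [])
    exposed, findings = [], []

    def permitted(proto, gip, port):
        for p in permits:
            dport = port_num(p["port"]) if p["port"] else None
            if p["proto"] in (proto, "ip") and p["dst"] == gip and dport in (None, port):
                return True
        return False

    for s in statics:
        if s["out"] != outside_if:
            continue
        gip = outside_ip if s["gip"] == "interface" else s["gip"]
        gport = port_num(s["gport"])
        if permitted(s["proto"], gip, gport):
            exposed.append((gip, s["proto"], gport, s["lip"], port_num(s["lport"])))
        else:
            findings.append(f"static {gip}:{gport}/{s['proto']} has no permit on {outside_if}")

    translated = {(e[0], e[1], e[2]) for e in exposed}
    for p in permits:
        dport = port_num(p["port"]) if p["port"] else None
        if dport is not None and (p["dst"], p["proto"], dport) not in translated:
            findings.append(f"permit to {p['dst']}:{dport}/{p['proto']} has no static")
    return exposed, findings


if __name__ == "__main__":
    exposed, findings = exposed_services(SAMPLE_CONFIG)
    for e in exposed:
        print("EXPOSED  %s:%d/%s -> %s:%d" % (e[0], e[2], e[1], e[3], e[4]))
    for f in findings:
        print("CHECK   ", f)
```

Run it against a `write terminal` dump before and after a change; anything listed as EXPOSED is what an outsider can reach, and every CHECK line is either a mistake or a rule that should be removed.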

Hi Jay,

Thanks for your reply. We have two offices: office one has a 50 user licence and office two has a 10 user licence. Both offices are connected via VPN using the PIX 501.

With regards to configuring the PIX, I have never done this before, but I attempted to connect to the PIX via HyperTerminal and I am presented with pix-london. Now I take it I need to enter a username and password, which I don't have, therefore I may need to reset the password. How do I go about doing that, and if I reset the password will I lose the existing config?

Thanks for all your help

MO

Mo,

With respect to the problem with the internet access, which site is having the problem? Is it on the 10 user license side or the 50 user license side? How many users do you have on either side?

On the question of password reset: who configured your firewalls? Was it your ISP? If so, I would first ask them for the device passwords before attempting password recovery.

I can help out on the configuration for both SMTP and OWA, no problem. By the way, where are you based? London...

Jay

Hi, office one has a 50 user licence, with about 35 users, and office two has a 10 user licence with about 5 users.

Office one is having the internet access problem.

The PIX was configured over a year ago and we don't have access to the person who set it up. We are based in London.

Cheers

MO

MO,

Your Office 1 PIX 501 may be at its limit when it comes to serving your environment. The 501 was designed to act as a Small Office/Home Office/Telecommuter firewall. 35 employees is not a small office. Add to that an Exchange and OWA server and that 501 will be operating far beyond its intended capacity. The 501 may have a license for 50 users, but with a 133MHz processor and 16MB of RAM, you can only push that 501 so far.

You might want to seriously consider upgrading your firewall in Office 1 to a 515 or 515E. Since the 501 and 506 have only two interfaces, you should have a 515/515E with a third (DMZ) interface to place your OWA server in. You might also want to place a gateway for your internal Exchange server in the DMZ as well (but that will lead us into a much larger security discussion).

Cisco has a good reference that can help with a Pix/Exchange setup:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278f.html

Not sure what your budget for this project is, but I strongly suggest that you press for a firewall upgrade. No matter how you choose to proceed, make sure that you turn off the PIX's SMTP fixup or you will spend a lot of time troubleshooting the Exchange/PIX combination. Version 6.x has no support for Exchange's ESMTP commands.

Good luck!

Hi,

Thanks for your reply. I am not sure why the PIX 501 is sold with a 50 user licence; I assume these are concurrent users. We don't use the net very heavily. But by rebooting I assume that clears the memory. If we want to buy another Cisco router, which would be best, considering at the same time that we want a VPN connection with another office, to allow users to access OWA, and later on teleworking, all on a small budget? Plus, can you guys recommend anywhere to buy the router?

Thanks

I haven't been following the entire conversation.

Just on the internal user licence on the PIX 501: you can actually purchase a licence upgrade from 50 to unlimited, which may be more appropriate.

Hi,

I don't see how an extra user licence is going to help; we already have a 50 user licence with only 35 concurrent users.

Thanks

I've just had a read of the entire conversation.

Originally you mentioned the internet will drop every 2 hours. Does it happen exactly every 2 hours, or approximately only? Will the entire office lose internet, or only a group?

E.g. if the entire office lost internet, then the issue can't be related to the internal user licence of the PIX, as the number is concurrent connections as you mentioned. Just one more thing on the internal user licence: any server or network printer can be counted as well.

Further, you mentioned you don't have console access; just wondering if you have managed to get in or need any assistance.

Hi,

Are there any logs on the PIXes that I can view to show what might be causing the problem? Also, how do I go about resetting the password on our PIX 501, v6.3?

Thanks

For password recovery:

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_password_recovery09186a008009478b.shtml

In order to discuss your issue, please post the config (of course, after you have completed the password recovery process). I am thinking the issue may be related to NAT/PAT.

Hi guys,

Please find attached a copy of the config for one site.

Thanks

1. PIX 6.3.1 has a serious bug related to NAT/PAT, which may cause the issue with accessing the internet.

2. Do a "sh int" on the PIX and verify whether there are any collisions or deferred packets.

e.g.

interface ethernet0 "outside" is up, line protocol is up
  Hardware is xxxxxxx ethernet, address is xxxx.xxxx.xxxx
  IP address xxx.xxx.xxx.xxx, subnet mask 255.255.255.252
  MTU 1500 bytes, BW 10000 Kbit half duplex
        151814605 packets input, 2305396561 bytes, 0 no buffer
        Received 2363 broadcasts, 0 runts, 0 giants
        47 input errors, 0 CRC, 0 frame, 47 overrun, 0 ignored, 0 abort
        343732034 packets output, 2517171516 bytes, 0 underruns
        0 output errors, 4036084 collisions, 0 interface resets
        0 babbles, 0 late collisions, 5522441 deferred
        3 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/133)
        output queue (curr/max blocks): hardware (0/122) software (0/1)
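The counters in that sample are exactly the ones worth reading mechanically: collisions and deferred packets above about 1% of output, input overruns, and any late collisions on a 10 Mbit half-duplex outside link point at a speed/duplex mismatch with the upstream device rather than at the PIX licence or NAT table. The script below is an added example (not from the thread) that parses PIX 6.x `show interface` output and raises those flags; the interface block it is fed is constructed, with the counters modelled on the post above and a clean inside interface added for contrast. The 1% thresholds are this example's assumption, not a Cisco figure.

```python
"""Parse PIX 6.x `show interface` output and flag link-layer trouble.

Added example, not from the thread. Duplex mismatches show up as collisions,
deferred packets and input overruns on the half-duplex side; on a small
firewall they look to users like an internet link that hangs until a reboot.
"""
import re

# Constructed sample: outside counters modelled on the post, inside interface invented.
SAMPLE_SHOW_INT = """\
interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0011.2233.4455
  IP address 203.0.113.2, subnet mask 255.255.255.252
  MTU 1500 bytes, BW 10000 Kbit half duplex
        151814605 packets input, 2305396561 bytes, 0 no buffer
        Received 2363 broadcasts, 0 runts, 0 giants
        47 input errors, 0 CRC, 0 frame, 47 overrun, 0 ignored, 0 abort
        343732034 packets output, 2517171516 bytes, 0 underruns
        0 output errors, 4036084 collisions, 0 interface resets
        0 babbles, 0 late collisions, 5522441 deferred
        3 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/133)
        output queue (curr/max blocks): hardware (0/122) software (0/1)
interface ethernet1 "inside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0011.2233.4456
  IP address 192.168.1.1, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 100000 Kbit full duplex
        9000000 packets input, 1200000000 bytes, 0 no buffer
        Received 1000 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        8000000 packets output, 1100000000 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
"""

HEADER_RE = re.compile(r'interface\s+(\S+)\s+"(\S+)"\s+is\s+(\w+), line protocol is (\w+)')
BW_RE = re.compile(r"BW\s+(\d+)\s+Kbit\s+(half|full)\s+duplex")
COUNTER_LINE_RE = re.compile(r"^(Received\s+)?\d+\s")
COUNTER_RE = re.compile(r"\s*(\d+)\s+([A-Za-z][A-Za-z ]*)")


def parse_show_interface(text):
    """Return {ifname: {"port", "up", "duplex", "speed_kbit", "counters"}}."""
    ifaces, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER_RE.match(line):
            cur = {"port": m.group(1), "up": m.group(3) == "up" and m.group(4) == "up",
                   "duplex": None, "speed_kbit": None, "counters": {}}
            ifaces[m.group(2)] = cur
            continue
        if cur is None:
            continue
        if m := BW_RE.search(line):
            cur["speed_kbit"], cur["duplex"] = int(m.group(1)), m.group(2)
            continue
        if COUNTER_LINE_RE.match(line):
            # "bytes" appears on both the input and the output line; qualify it.
            direction = "input" if "packets input" in line else (
                "output" if "packets output" in line else None)
            if line.startswith("Received "):
                line = line[len("Received "):]
            for piece in line.split(","):
                if cm := COUNTER_RE.match(piece):
                    name = cm.group(2).strip()
                    if name == "bytes" and direction:
                        name = f"bytes {direction}"
                    cur["counters"][name] = int(cm.group(1))
    return ifaces


def assess(iface, collision_pct=1.0, deferred_pct=1.0):
    """Return human-readable warnings for one parsed interface (thresholds are assumptions)."""
    c = iface["counters"]
    out = max(c.get("packets output", 0), 1)
    collisions = 100.0 * c.get("collisions", 0) / out
    deferred = 100.0 * c.get("deferred", 0) / out
    warnings = []
    if iface["duplex"] == "half" and iface["speed_kbit"] == 10000:
        warnings.append("negotiated 10 Mbit half duplex; check the far end and consider "
                        "hard-coding speed/duplex on both sides")
    if c.get("late collisions", 0):
        warnings.append(f"{c['late collisions']} late collisions: duplex mismatch or cable fault")
    if collisions > collision_pct or deferred > deferred_pct:
        warnings.append(f"collisions {collisions:.2f}% / deferred {deferred:.2f}% of output "
                        "packets: congested or mismatched half-duplex link")
    if c.get("overrun", 0) or c.get("no buffer", 0):
        warnings.append(f"{c.get('overrun', 0)} overruns / {c.get('no buffer', 0)} no-buffer "
                        "drops: the box could not keep up with inbound traffic")
    return warnings


if __name__ == "__main__":
    for name, iface in parse_show_interface(SAMPLE_SHOW_INT).items():
        print(name, "OK" if not assess(iface) else "")
        for w in assess(iface):
            print("   -", w)
```

Take two snapshots a few minutes apart and diff the counters: a mismatch grows `deferred` and `collisions` steadily under load, whereas a single historic burst (from the last reboot, say) stays flat.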

Hi, thanks for the replies, but I don't know the username or the password for our PIX; it was set up before I joined the company. So how do I go about resetting the username and password, and will I lose any of the existing configuration?

Thanks
