10-07-2005 02:40 AM - edited 02-21-2020 12:26 AM
Hi,
I am a complete beginner with the PIX 501 box. We currently have two sites running a VPN via the PIX 501 boxes.
Firstly, our internet connection goes down approx. every 2 hours; the only way to re-establish the internet connection is to reboot the PIX, and within a few seconds the internet connection is back up. I have no idea what is causing this.
Secondly, we at present use POP3 for our mail, provided by our ISP. We are in the process of installing Exchange 2003 at our office, along with OWA, so what do I need to do in terms of the PIX config?
Thanks for all your help
MO
10-07-2005 04:36 AM
Mo,
Firstly, do you know which license version you have on your PIX 501? This may be causing the internet connection problem. To find out which license you have on your PIX, you can issue:
sho ver
The above command will display the licensing details on your PIX. The 501 models have three different licensing modes, i.e.
10 user license
50 user license
Unlimited user license
Now, for configuring the PIX for email, you'll need the following configured (as an example), in config mode:
access-list smtp permit tcp any host 209.164.3.5 eq smtp
access-group smtp in interface outside
static (inside,outside) tcp 209.164.3.5 smtp <inside-mail-server-ip> smtp netmask 255.255.255.255
The IP 209.164.3.5 is the public IP for email; this IP should correspond to your email MX record, i.e. the MX record for your domain should point to this IP.
Save with command: write mem and also issue: clear xlate
For OWA access, you'll need to configure the following (I'll include the above configuration for SMTP):
access-list smtp permit tcp any host 209.164.3.5 eq smtp
access-list smtp permit tcp any host 209.164.3.6 eq https
access-group smtp in interface outside
static (inside,outside) tcp 209.164.3.5 smtp <inside-mail-server-ip> smtp netmask 255.255.255.255
static (inside,outside) tcp 209.164.3.6 https <inside-owa-server-ip> https netmask 255.255.255.255
Again, save with: write mem and also issue: clear xlate
If you only have one public IP available, then substitute both of the public IP addresses with the outside IP address of your PIX and use the keyword interface on your static command, i.e.
access-list smtp permit tcp any host <pix-outside-ip> eq smtp
access-list smtp permit tcp any host <pix-outside-ip> eq https
access-group smtp in interface outside
static (inside,outside) tcp interface smtp <inside-mail-server-ip> smtp netmask 255.255.255.255
static (inside,outside) tcp interface https <inside-owa-server-ip> https netmask 255.255.255.255
Once again, save with: write mem and also issue: clear xlate. Make sure that the MX record points to the outside IP address of your PIX.
You'll need an SSL certificate for your OWA server.
I hope all the above helps; let me know how you get on or if you need further help.
Jay
10-07-2005 05:48 AM
Hi Jay,
Thanks for your reply. We have two offices: office one has a 50 user licence and office two has a 10 user licence. Both offices are connected via VPN using the PIX 501.
With regards to configuring the PIX, I have never done this before, but I attempted to connect to the PIX via HyperTerm and I am presented with pix-london. Now I take it I need to enter a username and password, which I don't have, therefore I may need to reset the password. How do I go about doing that, and if I reset the password will I lose the existing config?
thanks for all your help
MO
10-07-2005 06:09 AM
Mo,
With respect to the problem with the internet access, which site is having the problem? Is it on the 10 user license side or the 50 user license side? How many users do you have on either side?
On the question of password reset: who configured your firewalls? Was it your ISP? If so, I would first ask them for the device passwords before attempting password recovery.
I can help out on the configuration for both SMTP and OWA, no problem. By the way, where are you based? London?
Jay
10-07-2005 06:43 AM
Hi, office one has a 50 user licence with about 35 users, and office two has a 10 user licence with about 5 users.
Office one is having the internet access problem.
The PIX was configured over a year ago and we don't have access to the person who set it up. We are based in London.
Cheers
MO
10-07-2005 11:12 AM
MO,
Your Office 1 PIX 501 may be at its limit when it comes to serving your environment. The 501 was designed to act as a Small Office/Home Office/Telecommuter firewall. 35 employees is not a small office. Add to that an Exchange and OWA server and that 501 will be operating far beyond its intended capacity. The 501 may have a license for 50 users, but with a 133MHz processor and 16MB of RAM, you can only push that 501 so far.
You might want to seriously consider upgrading your firewall in Office 1 to a 515 or 515E. Since the 501 and 506 have only two interfaces, you should have a 515/515E with a third (DMZ) interface to place your OWA server in. You might also want to place a gateway for your internal Exchange server in the DMZ as well (but that will lead us into a much larger security discussion).
Cisco has a good reference that can help with a Pix/Exchange setup:
Not sure what your budget for this project is, but I strongly suggest that you press for a firewall upgrade. No matter how you choose to proceed, make sure that you turn off the PIX's SMTP fixup or you will spend a lot of time troubleshooting the Exchange/PIX combination. Version 6.x has no support for Exchange's ESMTP commands.
Good luck!
10-10-2005 12:23 AM
Hi,
Thanks for your reply. I am not sure why the PIX 501 is sold with a 50 user licence; I assume these are concurrent users. We don't use the net very heavily. But by rebooting, I assume that clears the memory. If we want to buy another Cisco router, which would be best, considering at the same time that we want a VPN connection with another office, to allow users to access OWA, and later on teleworking, all on a small budget? Plus, is there anywhere you guys can recommend to buy the router?
Thanks
10-10-2005 05:22 AM
I haven't been following the entire conversation.
Just on the internal user licence on the PIX 501: you can actually purchase a licence upgrade from 50 to unlimited, which may be more appropriate.
10-10-2005 05:53 AM
Hi,
I don't see how an extra user licence is going to help; we already have a 50 user licence with only 35 concurrent users.
Thanks
10-10-2005 06:22 AM
Just had a read of the entire conversation.
Originally you mentioned the internet will drop every 2 hours. Does it happen sharp every 2 hours, or approx. only? Will the entire office lose internet, or only a group?
E.g. if the entire office lost internet, then the issue can't be related to the internal user licence of the PIX, as the number is concurrent connections, as you mentioned. Just one more thing with the internal user licence: any server or network printer can be counted as well.
Further, you mentioned before that you don't have console access; just wondering if you have managed it or need any assistance.
10-11-2005 04:57 AM
Hi,
Are there any logs on the PIXs that I can view to show what might be causing the problem? Also, how do I go about resetting the password on our PIX 501, v.6.3?
Thanks
10-11-2005 05:22 AM
For password recovery:
In order to discuss your issue, please post the config. I am thinking the issue may be related to NAT/PAT. Of course, after you have completed the password recovery process.
10-11-2005 11:28 PM
10-12-2005 04:17 AM
1. PIX 6.3.1 has a serious bug related to NAT/PAT, which may cause the issue with accessing the internet.
2. Do a "sh int" on the PIX and verify whether there are any collisions or deferred packets.
e.g.
interface ethernet0 "outside" is up, line protocol is up
Hardware is xxxxxxx ethernet, address is xxxx.xxxx.xxxx
IP address xxx.xxx.xxx.xxx, subnet mask 255.255.255.252
MTU 1500 bytes, BW 10000 Kbit half duplex
151814605 packets input, 2305396561 bytes, 0 no buffer
Received 2363 broadcasts, 0 runts, 0 giants
47 input errors, 0 CRC, 0 frame, 47 overrun, 0 ignored, 0 abort
343732034 packets output, 2517171516 bytes, 0 underruns
0 output errors, 4036084 collisions, 0 interface resets
0 babbles, 0 late collisions, 5522441 deferred
3 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/133)
output queue (curr/max blocks): hardware (0/122) software (0/1)
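As an added example (not part of this reply and not a Cisco tool), the Python script below parses PIX 6.x "show interface" output like the one above and flags the counters the reply says to look at: collisions, deferred transmits, late collisions, input errors and lost-carrier events, plus the half-duplex setting. The sample output is constructed from the quoted one, with the masked hardware, MAC and IP fields replaced by made-up values and a clean inside interface added for contrast; the 0.5% rate threshold is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the "show interface" output quoted above.
SAMPLE_SHOW_INT = """\
interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0000.0000.0001
  IP address 198.51.100.2, subnet mask 255.255.255.252
  MTU 1500 bytes, BW 10000 Kbit half duplex
        151814605 packets input, 2305396561 bytes, 0 no buffer
        Received 2363 broadcasts, 0 runts, 0 giants
        47 input errors, 0 CRC, 0 frame, 47 overrun, 0 ignored, 0 abort
        343732034 packets output, 2517171516 bytes, 0 underruns
        0 output errors, 4036084 collisions, 0 interface resets
        0 babbles, 0 late collisions, 5522441 deferred
        3 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/133)
        output queue (curr/max blocks): hardware (0/122) software (0/1)
interface ethernet1 "inside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0000.0000.0002
  IP address 192.168.1.1, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 100000 Kbit full duplex
        5000000 packets input, 900000000 bytes, 0 no buffer
        Received 100 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        4800000 packets output, 800000000 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/10)
        output queue (curr/max blocks): hardware (0/20) software (0/1)
"""

COUNTERS = {
    "packets_input": r"(\d+) packets input",
    "input_errors": r"(\d+) input errors",
    "overrun": r"(\d+) overrun",
    "packets_output": r"(\d+) packets output",
    "output_errors": r"(\d+) output errors",
    "collisions": r"(\d+) collisions",        # "late collisions" has no digit before it
    "late_collisions": r"(\d+) late collisions",
    "deferred": r"(\d+) deferred",
    "lost_carrier": r"(\d+) lost carrier",
    "interface_resets": r"(\d+) interface resets",
}
HEADER = re.compile(r'interface (\S+) "([^"]+)" is (\w+), line protocol is (\w+)')
DUPLEX = re.compile(r"BW (\d+) Kbit (half|full) duplex")


def parse_show_interface(text: str) -> Dict[str, dict]:
    """Return {interface name: counters} parsed from 'show interface' output."""
    result = {}
    for block in re.split(r"(?m)^(?=interface )", text):   # one block per interface
        head = HEADER.match(block)
        if not head:
            continue
        hw, name, status, proto = head.groups()
        entry = {"hardware": hw, "status": status, "line_protocol": proto}
        dup = DUPLEX.search(block)
        entry["bw_kbit"] = int(dup.group(1)) if dup else None
        entry["duplex"] = dup.group(2) if dup else None
        for key, pat in COUNTERS.items():
            m = re.search(pat, block)
            entry[key] = int(m.group(1)) if m else 0
        out = entry["packets_output"] or 1            # idle interface: avoid /0
        entry["collision_rate"] = entry["collisions"] / out
        entry["deferred_rate"] = entry["deferred"] / out
        result[name] = entry
    return result


def assess_interface(e: dict, rate_threshold: float = 0.005) -> List[str]:
    """Findings that point at a layer-1/2 problem rather than a PIX licence limit."""
    findings = []
    if e["duplex"] == "half":
        findings.append("running half duplex: check speed/duplex against the ISP device")
    if e["collision_rate"] > rate_threshold:
        findings.append(f"collisions on {e['collision_rate']:.2%} of output packets")
    if e["deferred_rate"] > rate_threshold:
        findings.append(f"deferred transmits on {e['deferred_rate']:.2%} of output packets")
    if e["late_collisions"]:
        findings.append(f"{e['late_collisions']} late collisions (typical of a duplex mismatch)")
    if e["input_errors"] or e["overrun"]:
        findings.append(f"{e['input_errors']} input errors, {e['overrun']} overruns")
    if e["lost_carrier"] or e["interface_resets"]:
        findings.append(f"{e['lost_carrier']} lost carrier, {e['interface_resets']} resets")
    return findings


def report(text: str) -> Dict[str, List[str]]:
    """Map each interface to its findings (an empty list means it looks clean)."""
    return {name: assess_interface(e) for name, e in parse_show_interface(text).items()}


if __name__ == "__main__":
    for name, findings in report(SAMPLE_SHOW_INT).items():
        print(f"{name}: {'; '.join(findings) or 'no issues'}")
```

On the outside interface in the sample, half duplex combined with collisions on about 1.2% and deferred transmits on about 1.6% of output packets, plus lost-carrier events, is the kind of pattern worth checking with the ISP (speed/duplex on their side) before attributing periodic outages to the licence or to memory.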
10-12-2005 04:45 AM
Hi, thanks for the replies, but I don't know the username or the password for our PIX; it was set up before I joined the company. So how do I go about resetting the username and password, and will I lose any of the existing configuration?
Thanks