
PIX 501

ramesys12
Level 1

I need some help configuring SSL packets forwarded to a webserver. The problem is that the PIX is live and is already forwarding SMTP to mail, but we need to use the same IP which the mail server utilizes for SSL web.

The external pool available is

ext.ext.ext.1 ( outside ip )
ext.ext.ext.2 ( want to use SMTP and SSL)
ext.ext.ext.3 ( Should not be used )

internal range

172.16.0.1

*********************************

access-list 101 permit icmp any any echo-reply
access-list 101 permit tcp host 6.1.5.ext host ext.ext.ext.2 eq smtp
access-list 101 permit tcp any host ext.ext.ext.3 eq https
access-list nonat permit ip 172.16.0.0 255.255.255.0 192.168.1.0 255.255.255.0
ip address outside ext.ext.ext.1 subnet.subnet.subnet.subnet
ip address inside 172.16.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool uk 192.168.1.1-192.168.1.100
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) ext.ext.ext.2 172.16.0.10 netmask 255.255.255.255 0 0
static (inside,outside) ext.ext.ext.3 172.16.0.11 netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 ext.ext.ext.4 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
floodguard enable
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
console timeout 0
terminal width 80

5 Replies

ramesys12
Level 1

Just to clarify further, we want to use ext.ext.ext.2 ( want to use SMTP and SSL) to forward:

ext.ext.ext.2 SMTP to 172.16.0.10
ext.ext.ext.2 SSL to 172.16.0.11

using the same external IP. I am not sure how I should change the config without breaking anything.

Note: I have been asked not to use ext.ext.ext.3 ( Should not be used ), so this command

access-list 101 permit tcp any host ext.ext.ext.3 eq https

will need to be removed.

Please advise.

Any help will be greatly appreciated.

jackko
Level 7

no static (inside,outside) ext.ext.ext.2 172.16.0.10 netmask 255.255.255.255 0 0
static (inside,outside) tcp ext.ext.ext.2 25 172.16.0.10 25 netmask 255.255.255.255
static (inside,outside) tcp ext.ext.ext.2 443 172.16.0.11 443 netmask 255.255.255.255
access-list 101 permit tcp any host ext.ext.ext.2 eq 25
access-list 101 permit tcp any host ext.ext.ext.2 eq 443
access-group 101 in interface outside
clear xlate

You need to refresh the IP address translation, i.e. "clear xlate". It will drop all the existing connections; however, they will reconnect straight away. Unfortunately this few-seconds interruption is not avoidable.

access-list 101 permit icmp any any echo-reply
access-list 101 permit tcp host 6.1.5.ext host ext.ext.ext.2 eq smtp
access-list 101 permit tcp any host ext.ext.ext.3 eq https
access-list nonat permit ip 172.16.0.0 255.255.255.0 192.168.1.0 255.255.255.0
ip address outside ext.ext.ext.1 subnet.subnet.subnet.subnet
ip address inside 172.16.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool uk 192.168.1.1-192.168.1.100
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp ext.ext.ext.2 25 172.16.0.10 25 netmask 255.255.255.255
static (inside,outside) tcp ext.ext.ext.2 443 172.16.0.11 443 netmask 255.255.255.255
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 ext.ext.ext.4 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
floodguard enable
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
console timeout 0
terminal width 80

The access-list is a bit different as they receive emails from only one server (ISP).

So the above config looks OK, does it? If any of the lines go missing while I am doing this, that means something has gone wrong.

As I did try making a similar config change yesterday and all internal traffic stopped going out... so I am simply taking a clear picture.

To get that to work last night I had to add these two lines back again manually:

nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Not sure why they disappeared.

It's fine if you are going to restrict the SMTP access from the ISP only.

Without the command "nat (inside) 1 0.0.0.0 0.0.0.0 0 0", no internal user will be able to access the Internet, since the PIX will not perform PAT anymore.

From your last post:

access-list 101 permit icmp any any echo-reply
access-list 101 permit tcp host 6.1.5.ext host ext.ext.ext.2 eq smtp
access-list 101 permit tcp any host ext.ext.ext.3 eq https
access-list nonat permit ip 172.16.0.0 255.255.255.0 192.168.1.0 255.255.255.0
ip address outside ext.ext.ext.1 subnet.subnet.subnet.subnet
ip address inside 172.16.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool uk 192.168.1.1-192.168.1.100
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp ext.ext.ext.2 25 172.16.0.10 25 netmask 255.255.255.255
static (inside,outside) tcp ext.ext.ext.2 443 172.16.0.11 443 netmask 255.255.255.255
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 ext.ext.ext.4 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
floodguard enable
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
console timeout 0
terminal width 80

access-list 101 permit tcp any host ext.ext.ext.3 eq https

should be

access-list 101 permit tcp any host ext.ext.ext.2 eq https
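As an added example (not part of the thread, and not Cisco code), a small Python model of the PIX 6.x inbound path that reads the thread's before and after static and access-list lines and reports what each outside source can reach once the outside ACL and the static (one-to-one or port) translation are both applied. 203.0.113.x, 198.51.100.7 and 6.1.5.9 are constructed stand-ins for the redacted ext.ext.ext.N addresses, an arbitrary Internet host and the ISP relay written as 6.1.5.ext; it confirms that after the change only ext.ext.ext.2:443 is open to everyone, SMTP stays ISP-only, and ext.ext.ext.3 is no longer reachable.

```python
# Added example, not from the thread: a model of the PIX 6.x inbound path that
# reports which (global ip, port) reaches which inside host. 203.0.113.x and
# 198.51.100.7 are constructed stand-ins for ext.ext.ext.N and an Internet host.
PORTS = {"smtp": 25, "https": 443}
BEFORE = """
access-list 101 permit tcp host 6.1.5.9 host 203.0.113.2 eq smtp
access-list 101 permit tcp any host 203.0.113.3 eq https
static (inside,outside) 203.0.113.2 172.16.0.10 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.3 172.16.0.11 netmask 255.255.255.255 0 0
"""
AFTER = """
access-list 101 permit tcp host 6.1.5.9 host 203.0.113.2 eq smtp
access-list 101 permit tcp any host 203.0.113.2 eq https
static (inside,outside) tcp 203.0.113.2 25 172.16.0.10 25 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.2 443 172.16.0.11 443 netmask 255.255.255.255
"""

def parse(cfg):
    """Parse only the static and access-list forms that appear in the thread."""
    statics, acl = [], []
    for line in cfg.strip().splitlines():
        t = line.split()
        if t[0] == "static" and t[2] == "tcp":     # static PAT: one global port
            statics.append((t[3], int(t[4]), t[5], int(t[6])))
        elif t[0] == "static":                     # one-to-one static: every port
            statics.append((t[2], None, t[3], None))
        elif t[0] == "access-list" and t[2:4] == ["permit", "tcp"]:
            eq = t.index("eq")                     # src is 'any' or 'host X'
            acl.append(("any" if t[4] == "any" else t[5], t[eq - 1], PORTS[t[eq + 1]]))
    return statics, acl

def inbound(cfg, src_ip, dst_ip, dst_port):
    """Return the (inside_ip, port) an outside TCP SYN reaches, or None if dropped."""
    statics, acl = parse(cfg)
    # The outside ACL is evaluated against the global (pre-NAT) destination.
    if not any(s in ("any", src_ip) and d == dst_ip and p == dst_port
               for s, d, p in acl):
        return None
    for g_ip, g_port, l_ip, l_port in statics:     # port-specific static wins
        if g_ip == dst_ip and g_port == dst_port:
            return (l_ip, l_port)
    for g_ip, g_port, l_ip, _ in statics:          # else a one-to-one static
        if g_ip == dst_ip and g_port is None:
            return (l_ip, dst_port)
    return None

def exposure(cfg):
    """Audit: everything an arbitrary Internet host can reach through the PIX."""
    return {(d, p, inbound(cfg, "198.51.100.7", d, p)) for _, d, p in parse(cfg)[1]
            if inbound(cfg, "198.51.100.7", d, p)}
```

Running exposure() over a real "show run" excerpt is a quick way to see every port the outside world can reach before and after an edit like this one.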
