New Member

Pix 506E and OWA

Hi All,

I am having an issue with a Pix 506E.

The pix is running fine, but the owner wants Exchange 2000 Outlook Web Access configured, so he can receive e-mails from anywhere.

Anyways, I got it working and it runs well. But then no one can access the internet anymore.

I want to set it up where they can access the internet and use Exchange OWA.

Here is my before and after Pix configuration.

Thanks for all your help.

This is the before-OWA configuration.

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxx
passwd xxxxxx
hostname Pix506
domain-name wfgfactor.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.66 255.255.255.240
ip address inside 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp 10.0.0.2 smtp netmask 255.255.255.255 0 0
conduit permit tcp host x.x.60.66 eq smtp any
route outside 0.0.0.0 0.0.0.0 207.215.60.66 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 10.0.0.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:xxxxxxx

This is the one that works for OWA. The only difference is the STATIC commands and the access-list.

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxx
passwd xxxxx
hostname Pix506
domain-name wfgfactor.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 100 permit tcp any host 207.215.60.66 eq smtp
access-list 100 permit tcp any host 207.215.60.66 eq www
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside x.x.xx 255.255.255.240
ip address inside 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.66 10.0.0.2 netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 207.215.60.66 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 10.0.0.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 10.0.0.2 255.255.255.255 inside
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:xxxxx

thank you,

-Paul Hong

Silver

Re: Pix 506E and OWA

static (inside,outside) tcp interface smtp 10.0.0.2 smtp netmask 255.255.255.255 0 0

This works because you forward a port to the smtp port.

static (inside,outside) tcp interface www 10.0.0.2 www netmask 255.255.255.255 0 0

is what you want to add. Get rid of

static (inside,outside) 207.215.60.66 10.0.0.2 netmask 255.255.255.255 0 0

This statically binds that IP address to the server, so only the server can effectively use it. Thus, your clients do not have an address their traffic can be PAT'd to.

So, add the one static, delete the other one, and issue a "clear xlate". Everything should work.
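The translation rule this reply describes, as an added example in Python that is not part of the thread or of any Cisco code: a toy model in which a one-to-one static owns the whole outside address while a port static owns only one port, evaluated against the poster's static and against the reply's replacement. Addresses are the thread's (x.x.x.66 is the obfuscated outside interface); the model assumes the rule as the reply states it and leaves access-list/conduit filtering out.

```python
# Added example, not from the thread or Cisco: a toy model of the rule the
# reply states. A one-to-one static claims an outside address outright; a
# port static claims one port and leaves the rest for 'global (outside) 1
# interface' PAT. Addresses are the thread's (x.x.x.66 = obfuscated outside
# interface); ACL/conduit filtering, which the poster still needed, is not modelled.
from dataclasses import dataclass, field
from typing import Optional

OUTSIDE_IF = "x.x.x.66"
OWA_SERVER = "10.0.0.2"

@dataclass
class Static:
    outside_ip: str
    inside_ip: str
    port: Optional[int] = None  # None = one-to-one static, else a port static

@dataclass
class Pix:
    outside_if: str
    statics: list = field(default_factory=list)

    def _owned_outright(self, ip: str) -> bool:
        # a one-to-one static binds the whole address to one inside host
        return any(s.outside_ip == ip and s.port is None for s in self.statics)

    def outbound(self, src_ip: str) -> Optional[str]:
        # outside address an inside host's traffic leaves with, or None
        for s in self.statics:
            if s.inside_ip == src_ip and s.port is None:
                return s.outside_ip  # the host has its own 1:1 static
        if self._owned_outright(self.outside_if):
            return None  # interface address is taken: nothing left to PAT to
        return self.outside_if  # global (outside) 1 interface

    def inbound(self, dst_ip: str, dst_port: int) -> Optional[tuple]:
        # (inside_ip, port) an inbound connection is forwarded to, or None
        for s in self.statics:
            if s.outside_ip == dst_ip and s.port in (None, dst_port):
                return (s.inside_ip, dst_port)
        return None

def poster_config() -> Pix:
    # static (inside,outside) x.x.x.66 10.0.0.2 netmask 255.255.255.255 0 0
    return Pix(OUTSIDE_IF, [Static(OUTSIDE_IF, OWA_SERVER)])

def reply_config() -> Pix:
    # the two port statics the reply suggests (smtp and www on the interface)
    return Pix(OUTSIDE_IF, [Static(OUTSIDE_IF, OWA_SERVER, 25),
                            Static(OUTSIDE_IF, OWA_SERVER, 80)])
```

With the poster's static, outbound() for any ordinary client returns None (no address to PAT to) while inbound OWA still resolves; with the reply's port statics, clients PAT to the interface address and only ports 25 and 80 are forwarded.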

New Member

Re: Pix 506E and OWA

Thank you so much.

It worked like a charm and I finally got it fixed.

I had to add a command in addition to that in order to make it work:

conduit permit tcp host 207.215.60.66 eq www any

Thanks again.

-Paul Hong
