PIX Problem with Lotus Notes port 1352

slofton
Level 1

All,

I could really use someone's help. We have recently moved our Internet Mail Server from the Internet to the DMZ. We are running Lotus Notes Domino. As you can see from the configuration below, I have created the Access Lists to permit tcp 1352 traffic to travel from the inside interface to the DMZ and vice versa. However, it's not working. Can anyone give me any advice on this? Thanks in advance.

-Sherman

PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password TbujOHHCKt9BdcKm encrypted
passwd wqN43DRCUCF2L2hn encrypted
hostname kleen-texPIX
domain-name kleen-tex.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol h323 1723
fixup protocol skinny 1723
names
name 192.168.2.11 inetmail
name 192.168.2.12 snitz
access-list 10 permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
access-list DMZ permit ip 192.168.2.0 255.255.255.0 any
access-list DMZ permit ip host inetmail 10.0.0.0 255.0.0.0
access-list DMZ permit ip host snitz 10.0.0.0 255.0.0.0
access-list DMZ permit tcp any 10.0.0.0 255.0.0.0 eq 1352
access-list DMZ permit tcp any 10.0.0.0 255.0.0.0 eq smtp
access-list DMZ permit tcp any 10.0.0.0 255.0.0.0 eq pop3
access-list DMZ permit tcp any 10.0.0.0 255.0.0.0 eq www
access-list DMZ permit tcp any 10.0.0.0 255.0.0.0 eq 8383
access-list DMZ permit tcp host inetmail any eq 1352
access-list DMZ permit tcp host inetmail any eq smtp
access-list INTERNAL permit ip 10.0.0.0 255.0.0.0 any
access-list INTERNAL permit tcp any host inetmail eq pop3
access-list INTERNAL permit tcp any host inetmail eq smtp
access-list INTERNAL permit tcp any host inetmail eq www
access-list INTERNAL permit tcp any host inetmail eq 8383
access-list INTERNAL permit tcp any host snitz eq www
access-list INTERNAL permit tcp any host inetmail eq 1352
access-list EXTERNAL permit tcp any host 216.248.130.235 eq smtp
access-list EXTERNAL permit tcp any host 216.248.130.235 eq pop3
access-list EXTERNAL permit tcp any host 216.248.130.235 eq www
access-list EXTERNAL permit tcp any host 216.248.130.235 eq 8383
access-list EXTERNAL permit tcp any host 216.248.130.236 eq www
access-list EXTERNAL deny ip any any
pager lines 24
logging on
logging standby
logging buffered debugging
logging trap alerts
logging history alerts
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.xxx
ip address inside 10.2.2.x 255.0.0.0
ip address dmz 192.168.2.x 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface dmz
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx
pdm location xxx.xxx.xxx.xxx 255.255.255.255 inside
pdm location xxx.xxx.xxx.xxx 255.255.255.255 inside
pdm location xxx.xxx.xxx.xxx 255.255.255.0 inside
pdm location xxx.xxx.xxx.xxx 255.255.255.255 inside
pdm location inetmail 255.255.255.255 dmz
pdm location snitz 255.255.255.255 dmz
pdm logging alerts 100
pdm history enable
arp timeout 14400
global (outside) 1 216.248.130.xxx
global (dmz) 1 192.168.2.21-192.168.2.121 netmask 255.255.255.0
nat (inside) 0 access-list 10
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
nat (dmz) 1 192.168.2.0 255.255.255.0 0 0
alias (inside) xxx.xxx.xxx.xxx snitz 255.255.255.255
alias (inside) xxx.xxx.xxx.xxx inetmail 255.255.255.255
static (dmz,outside) xxx.xxx.xxx.xxx inetmail netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.xxx snitz netmask 255.255.255.255 0 0
static (inside,dmz) snitz snitz netmask 255.255.255.255 0 0
static (inside,dmz) inetmail inetmail netmask 255.255.255.255 0 0
access-group EXTERNAL in interface outside
access-group INTERNAL in interface inside
access-group DMZ in interface dmz
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route inside 192.168.1.0 255.255.255.0 10.2.2.2 1
route inside 192.168.223.0 255.255.255.0 10.2.2.200 2
timeout xlate 3:00:00
timeout conn 24:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:00:00 absolute
aaa-server radius-authport 1812
aaa-server radius-acctport 1813
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server AuthInbound protocol radius
aaa-server AuthInbound (inside) host 10.2.2.2 id10t1969 timeout 5
http server enable
http 10.3.3.3 255.255.255.255 inside
snmp-server host inside xxx.xxx.xxx.xxx
snmp-server location xxxxxxxxxxxxxxxxxxx
snmp-server contact xxxxxxxxxxxxxxxxxx
snmp-server community xxxxxxxxxxx
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set DES esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set DES
crypto map partner-map 10 ipsec-isakmp dynamic dynmap
crypto map partner-map client configuration address initiate
crypto map partner-map client authentication AuthInbound
crypto map partner-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
vpngroup kleen-tex1 address-pool vpnpool
vpngroup kleen-tex1 wins-server 10.2.2.2
vpngroup kleen-tex1 split-tunnel 10
vpngroup kleen-tex1 idle-time 1800
vpngroup kleen-tex1 password ********
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80


snursten
Level 1

Common mistake, Sherman.

This line:

access-list DMZ permit tcp host inetmail any eq 1352

is the wrong way round. I'm pretty sure you need:

access-list DMZ permit tcp host inetmail eq 1352 any

as 1352 is now the src port responding.

HTH,

S

Thanks for your help. Looking at what you offered, I believe that the syntax is incorrect. Is it possible that you meant:

access-list DMZ permit tcp any host inetmail eq 1352

I will give that a try and let you know if it works. Thanks for your input!

Regards,

Sherman
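Added example, not from this thread or from Cisco: a small Python evaluator for the PIX 6.x access-list syntax debated above. It parses the DMZ entries from the posted config together with snursten's source-port form and reports which entry a flow hits first; the inside Notes server address 10.2.2.5 and the ephemeral port 40000 used as sample input are constructed.

```python
import ipaddress

# Name aliases and port keywords taken from the PIX 6.0 config posted above.
NAMES = {"inetmail": "192.168.2.11", "snitz": "192.168.2.12"}
PORTS = {"smtp": 25, "pop3": 110, "www": 80}
_name = lambda x: NAMES.get(x, x)  # resolve a config 'name' alias, else pass through

def _addr(tokens):
    # Consume one PIX address spec (any | host X | NET MASK) plus an optional 'eq PORT'.
    tok = tokens.pop(0)
    if tok == "any":
        net = ipaddress.ip_network("0.0.0.0/0")
    elif tok == "host":
        net = ipaddress.ip_network(_name(tokens.pop(0)) + "/32")
    else:  # network followed by a dotted mask, e.g. 10.0.0.0 255.0.0.0
        net = ipaddress.ip_network(f"{_name(tok)}/{tokens.pop(0)}", strict=False)
    port = None
    if tokens and tokens[0] == "eq":
        _, p = tokens.pop(0), tokens.pop(0)
        port = PORTS[p] if p in PORTS else int(p)
    return net, port

def parse_acl(text):
    # Parse 'access-list NAME permit|deny PROTO SRC [eq P] DST [eq P]' lines in config order.
    entries = []
    for t in (ln.split() for ln in text.splitlines() if ln.startswith("access-list")):
        action, proto, rest = t[2], t[3], t[4:]
        src, sport = _addr(rest)
        dst, dport = _addr(rest)
        entries.append((action, proto, src, sport, dst, dport))
    return entries

def evaluate(entries, proto, src_ip, sport, dst_ip, dport):
    # PIX semantics: entries are checked in order, first match wins, implicit deny at the end.
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, (action, p, snet, sp, dnet, dp) in enumerate(entries):
        if p in ("ip", proto) and s in snet and d in dnet \
                and sp in (None, sport) and dp in (None, dport):
            return action, i
    return "deny", None

# DMZ entries from the posted config that can match Notes (1352) traffic, and the source-port
# form suggested in the first reply ('eq 1352' placed before 'any' binds to the source).
DMZ_ACL = """
access-list DMZ permit ip 192.168.2.0 255.255.255.0 any
access-list DMZ permit ip host inetmail 10.0.0.0 255.0.0.0
access-list DMZ permit tcp any 10.0.0.0 255.0.0.0 eq 1352
access-list DMZ permit tcp host inetmail any eq 1352
"""
SRC_PORT_FORM = "access-list DMZ permit tcp host inetmail eq 1352 any"
```

evaluate(parse_acl(DMZ_ACL), "tcp", "192.168.2.11", 40000, "10.2.2.5", 1352) returns ('permit', 0): the first entry, permit ip 192.168.2.0/24 any, already covers a Notes connection from inetmail, and because the PIX is stateful the reply is admitted without a separate entry, so the port-specific 1352 lines never decide this flow.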

mostiguy
Level 6

Disclaimer: I don't know anything about Lotus Notes, and am an Exchange bigot ;-)

You are natting from inside to the DMZ - does Notes work with nat? The only subnet you are excluding from nat on the inside interface is to 192.168.1.0, whereas the DMZ subnet is 192.168.2.0.

On the premise that Notes may not like nat, I would add

access-list 10 permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0

then nat (inside) 0 access-list 10

This will stop NAT between inside and DMZ. Afterwards, do a clear xlate, which will possibly break connections (it wipes the state table clean), so you might want to do it off hours.

Thanks for your input. However, Notes servers use tcp port 1352 to communicate with one another, similar to a normal mail server using smtp and pop3. Actually, the statements you suggested are already in place for my VPN (remote access). That's why the DMZ is addressed as 192.168.2.0; 192.168.1.0 is for the VPN users. Thanks for your suggestion. I do appreciate it.

Sherman
