08-27-2003 11:42 AM - edited 02-20-2020 10:57 PM
All,
I could really use someone's help. We have recently moved our Internet Mail Server from the Internet to the DMZ. We are running
Lotus Notes Domino. As you can see from the configuration below, I have created the Access Lists to permit tcp 1352 traffic to travel
from the inside interface to the DMZ and vice-versa. However, it's not working. Can anyone give me any advice on this? Thanks in advance.
-Sherman
PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password TbujOHHCKt9BdcKm encrypted
passwd wqN43DRCUCF2L2hn encrypted
hostname kleen-texPIX
domain-name kleen-tex.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol h323 1723
fixup protocol skinny 1723
names
name 192.168.2.11 inetmail
name 192.168.2.12 snitz
access-list 10 permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
access-list DMZ permit ip 192.168.2.0 255.255.255.0 any
access-list DMZ permit ip host inetmail 10.0.0.0 255.0.0.0
access-list DMZ permit ip host snitz 10.0.0.0 255.0.0.0
access-list DMZ permit tcp any 10.0.0.0 255.0.0.0 eq 1352
access-list DMZ permit tcp any 10.0.0.0 255.0.0.0 eq smtp
access-list DMZ permit tcp any 10.0.0.0 255.0.0.0 eq pop3
access-list DMZ permit tcp any 10.0.0.0 255.0.0.0 eq www
access-list DMZ permit tcp any 10.0.0.0 255.0.0.0 eq 8383
access-list DMZ permit tcp host inetmail any eq 1352
access-list DMZ permit tcp host inetmail any eq smtp
access-list INTERNAL permit ip 10.0.0.0 255.0.0.0 any
access-list INTERNAL permit tcp any host inetmail eq pop3
access-list INTERNAL permit tcp any host inetmail eq smtp
access-list INTERNAL permit tcp any host inetmail eq www
access-list INTERNAL permit tcp any host inetmail eq 8383
access-list INTERNAL permit tcp any host snitz eq www
access-list INTERNAL permit tcp any host inetmail eq 1352
access-list EXTERNAL permit tcp any host 216.248.130.235 eq smtp
access-list EXTERNAL permit tcp any host 216.248.130.235 eq pop3
access-list EXTERNAL permit tcp any host 216.248.130.235 eq www
access-list EXTERNAL permit tcp any host 216.248.130.235 eq 8383
access-list EXTERNAL permit tcp any host 216.248.130.236 eq www
access-list EXTERNAL deny ip any any
pager lines 24
logging on
logging standby
logging buffered debugging
logging trap alerts
logging history alerts
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.xxx
ip address inside 10.2.2.x 255.0.0.0
ip address dmz 192.168.2.x 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface dmz
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx
pdm location xxx.xxx.xxx.xxx 255.255.255.255 inside
pdm location xxx.xxx.xxx.xxx 255.255.255.255 inside
pdm location xxx.xxx.xxx.xxx 255.255.255.0 inside
pdm location xxx.xxx.xxx.xxx 255.255.255.255 inside
pdm location inetmail 255.255.255.255 dmz
pdm location snitz 255.255.255.255 dmz
pdm logging alerts 100
pdm history enable
arp timeout 14400
global (outside) 1 216.248.130.xxx
global (dmz) 1 192.168.2.21-192.168.2.121 netmask 255.255.255.0
nat (inside) 0 access-list 10
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
nat (dmz) 1 192.168.2.0 255.255.255.0 0 0
alias (inside) xxx.xxx.xxx.xxx snitz 255.255.255.255
alias (inside) xxx.xxx.xxx.xxx inetmail 255.255.255.255
static (dmz,outside) xxx.xxx.xxx.xxx inetmail netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.xxx snitz netmask 255.255.255.255 0 0
static (inside,dmz) snitz snitz netmask 255.255.255.255 0 0
static (inside,dmz) inetmail inetmail netmask 255.255.255.255 0 0
access-group EXTERNAL in interface outside
access-group INTERNAL in interface inside
access-group DMZ in interface dmz
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route inside 192.168.1.0 255.255.255.0 10.2.2.2 1
route inside 192.168.223.0 255.255.255.0 10.2.2.200 2
timeout xlate 3:00:00
timeout conn 24:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:00:00 absolute
aaa-server radius-authport 1812
aaa-server radius-acctport 1813
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server AuthInbound protocol radius
aaa-server AuthInbound (inside) host 10.2.2.2 id10t1969 timeout 5
http server enable
http 10.3.3.3 255.255.255.255 inside
snmp-server host inside xxx.xxx.xxx.xxx
snmp-server location xxxxxxxxxxxxxxxxxxx
snmp-server contact xxxxxxxxxxxxxxxxxx
snmp-server community xxxxxxxxxxx
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set DES esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set DES
crypto map partner-map 10 ipsec-isakmp dynamic dynmap
crypto map partner-map client configuration address initiate
crypto map partner-map client authentication AuthInbound
crypto map partner-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
vpngroup kleen-tex1 address-pool vpnpool
vpngroup kleen-tex1 wins-server 10.2.2.2
vpngroup kleen-tex1 split-tunnel 10
vpngroup kleen-tex1 idle-time 1800
vpngroup kleen-tex1 password ********
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
09-01-2003 02:21 PM
Common mistake Sherman,
This line:
access-list DMZ permit tcp host inetmail any eq 1352
is the wrong way round. I'm pretty sure you need:
access-list DMZ permit tcp host inetmail eq 1352 any
as 1352 is now the src port responding.
HTH,
S
09-03-2003 03:34 PM
Thanks for your help. Looking at what you offered, I believe that the syntax is incorrect. Is it possible that you meant:
access-list DMZ permit tcp any host inetmail eq 1352
I will give that a try and let you know if it works. Thanks for your input!
Regards,
Sherman
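The two candidate lines above differ only in where the port operator sits, so it is worth seeing exactly what each one matches. The following is an added example, not part of the original thread and not the poster's or replier's code: a small first-match evaluator for the PIX 6.x extended access-list syntax, fed the DMZ list copied from the posted config. It shows (1) that a port operator qualifies the address that precedes it, so `host inetmail any eq 1352` matches destination port 1352 while `host inetmail eq 1352 any` matches source port 1352, and (2) which entries of the posted DMZ list can ever be reached, given that its first line `permit ip 192.168.2.0 255.255.255.0 any` already matches everything sourced from the DMZ subnet. The flows passed to `evaluate()` are constructed test inputs; the inside address 10.2.2.5 is assumed.

```python
"""Added example: first-match evaluator for PIX 6.x extended ACL lines.
Not code from the thread; DMZ_ACL is copied from the posted config, the
flows below are constructed test inputs (10.2.2.5 is an assumed inside host).
"""
import ipaddress

NAMES = {"inetmail": "192.168.2.11", "snitz": "192.168.2.12"}  # 'name' entries
PORTS = {"smtp": 25, "pop3": 110, "www": 80}                   # PIX port keywords

DMZ_ACL = [
    "access-list DMZ permit ip 192.168.2.0 255.255.255.0 any",
    "access-list DMZ permit ip host inetmail 10.0.0.0 255.0.0.0",
    "access-list DMZ permit ip host snitz 10.0.0.0 255.0.0.0",
    "access-list DMZ permit tcp any 10.0.0.0 255.0.0.0 eq 1352",
    "access-list DMZ permit tcp any 10.0.0.0 255.0.0.0 eq smtp",
    "access-list DMZ permit tcp any 10.0.0.0 255.0.0.0 eq pop3",
    "access-list DMZ permit tcp any 10.0.0.0 255.0.0.0 eq www",
    "access-list DMZ permit tcp any 10.0.0.0 255.0.0.0 eq 8383",
    "access-list DMZ permit tcp host inetmail any eq 1352",
    "access-list DMZ permit tcp host inetmail any eq smtp",
]


def _addr(tok, i):
    """Parse 'any' | 'host X' | 'NET MASK' at tok[i]; return (network, next i)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(NAMES.get(tok[i + 1], tok[i + 1]) + "/32"), i + 2
    net = ipaddress.ip_network(f"{NAMES.get(tok[i], tok[i])}/{tok[i + 1]}", strict=False)
    return net, i + 2


def _port(tok, i):
    """Parse an optional 'eq PORT' at tok[i]; it binds to the address just parsed."""
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (int(p) if p.isdigit() else PORTS[p]), i + 2
    return None, i


def parse_ace(line):
    """access-list NAME ACTION PROTO SRC [eq P] DST [eq P]  ->  dict."""
    t = line.split()
    src, i = _addr(t, 4)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, i = _port(t, i)
    return {"action": t[2], "proto": t[3], "src": src, "sport": sport,
            "dst": dst, "dport": dport}


def _matches(ace, proto, src, sport, dst, dport):
    return (ace["proto"] in ("ip", proto)
            and src in ace["src"] and dst in ace["dst"]
            and ace["sport"] in (None, sport)
            and ace["dport"] in (None, dport))


def evaluate(acl, proto, src_ip, src_port, dst_ip, dst_port):
    """First matching entry wins; returns (action, index). No match: implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for idx, line in enumerate(acl):
        ace = parse_ace(line)
        if _matches(ace, proto, src, src_port, dst, dst_port):
            return ace["action"], idx
    return "deny", None


def _covers(a, b):
    """True if every packet matching entry b would already have matched entry a."""
    return (a["proto"] in ("ip", b["proto"])
            and b["src"].subnet_of(a["src"]) and b["dst"].subnet_of(a["dst"])
            and a["sport"] in (None, b["sport"])
            and a["dport"] in (None, b["dport"]))


def shadowed_entries(acl):
    """Indices of entries fully covered by an earlier entry (never reached)."""
    aces = [parse_ace(line) for line in acl]
    return [j for j, b in enumerate(aces) if any(_covers(a, b) for a in aces[:j])]


if __name__ == "__main__":
    # DMZ server opening a Notes connection to an assumed inside server on 1352:
    print(evaluate(DMZ_ACL, "tcp", "192.168.2.11", 40000, "10.2.2.5", 1352))  # ('permit', 0)
    print(shadowed_entries(DMZ_ACL))                                          # [1, 2, 8, 9]
```

Two things follow from running it. First, as posted, any packet from 192.168.2.0/24 is permitted by the first DMZ entry, so the port-1352 lines later in the same list are never consulted and the `eq 1352` placement cannot be what blocks this traffic. Second, a PIX consults the interface access list only for the packet that creates a connection; replies belonging to an established TCP connection are matched against the connection table, so a separate entry for the reply direction (source port 1352) is not needed for a server that merely answers.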
09-03-2003 06:31 PM
Disclaimer: I don't know anything about Lotus Notes, and am an Exchange bigot ;-)
You are NATting from inside to the DMZ - does Notes work with NAT? The only subnet you are excluding from NAT on the inside interface is 192.168.1.0, whereas the DMZ subnet is 192.168.2.0.
On the premise that Notes may not like nat, I would add
access-list 10 permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
then nat (inside) 0 access-list 10
This will stop NAT between inside and DMZ. Afterwards, do a clear xlate, which will possibly break connections (it wipes the state table clean), so you might want to do it off hours.
09-04-2003 12:30 PM
Thanks for your input. However, Notes servers use TCP port 1352 to communicate with one another, similar to a normal mail server using SMTP and POP3. Actually, the statements you suggested are already in place for my VPN (remote access). That's why the DMZ is addressed as 192.168.2.0; 192.168.1.0 is for the VPN users. Thanks for your suggestion. I do appreciate it.
Sherman
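The NAT question raised in the previous two posts can be settled from the posted `nat`, `global` and `static` lines alone. The following is an added example, not from the thread and not the poster's or replier's code: it models the PIX 6.x translation lookup for a packet leaving the inside interface towards the dmz interface, in the order NAT exemption (`nat (inside) 0 access-list 10`), then `static (inside,dmz)` entries, then the dynamic pair `nat (inside) 1` / `global (dmz) 1`. As posted, access-list 10 only exempts 10/8 to 192.168.1.0/24 (the VPN pool subnet), which is the same line the reply quotes; the additional 192.168.2.0/24 entry in the block is an assumed change included only to show the effect of exempting inside-to-DMZ traffic. The inside host 10.2.2.5 and VPN client 192.168.1.20 are assumed test addresses.

```python
"""Added example: PIX 6.x inside->dmz translation lookup, modelled from the
nat/global/static lines of the posted config. Not code from the thread;
10.2.2.5 and 192.168.1.20 are assumed test addresses.
"""
import ipaddress

NAMES = {"inetmail": "192.168.2.11", "snitz": "192.168.2.12"}  # 'name' entries


def _net(addr, mask):
    return ipaddress.ip_network(f"{NAMES.get(addr, addr)}/{mask}", strict=False)


# access-list 10, referenced by 'nat (inside) 0 access-list 10': (src, dst) pairs
EXEMPT_ACL_10 = [
    (_net("10.0.0.0", "255.0.0.0"), _net("192.168.1.0", "255.255.255.0")),
]
# static (inside,dmz) MAPPED REAL netmask 255.255.255.255  ->  (mapped, real)
STATIC_INSIDE_DMZ = [
    (_net("snitz", "255.255.255.255"), _net("snitz", "255.255.255.255")),
    (_net("inetmail", "255.255.255.255"), _net("inetmail", "255.255.255.255")),
]
NAT_INSIDE = {1: _net("10.0.0.0", "255.0.0.0")}  # nat (inside) 1 10.0.0.0 255.0.0.0
GLOBAL_DMZ = {1: "192.168.2.21-192.168.2.121"}  # global (dmz) 1 192.168.2.21-192.168.2.121

# Assumed change (not in the posted config): also exempt inside -> DMZ subnet.
EXEMPT_ACL_10_WITH_DMZ = EXEMPT_ACL_10 + [
    (_net("10.0.0.0", "255.0.0.0"), _net("192.168.2.0", "255.255.255.0")),
]


def translate_inside_to_dmz(src_ip, dst_ip, exempt_acl=EXEMPT_ACL_10):
    """Return (kind, source address the dmz side will see) for one flow."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for s, d in exempt_acl:                  # 1. nat 0 access-list: no translation
        if src in s and dst in d:
            return "exempt", str(src)
    for mapped, real in STATIC_INSIDE_DMZ:   # 2. static (inside,dmz), real side is inside
        if src in real:
            return "static", str(mapped.network_address)
    for nat_id, real in NAT_INSIDE.items():  # 3. nat (inside) N paired with global (dmz) N
        if src in real and nat_id in GLOBAL_DMZ:
            return "dynamic", GLOBAL_DMZ[nat_id]
    return "none", None                      # no matching translation for this pair


if __name__ == "__main__":
    print(translate_inside_to_dmz("10.2.2.5", "192.168.2.11"))  # ('dynamic', '192.168.2.21-192.168.2.121')
    print(translate_inside_to_dmz("10.2.2.5", "192.168.1.20"))  # ('exempt', '10.2.2.5')
    print(translate_inside_to_dmz("10.2.2.5", "192.168.2.11", EXEMPT_ACL_10_WITH_DMZ))  # ('exempt', '10.2.2.5')
```

With the configuration as posted, an inside host talking to inetmail on the DMZ is translated to an address from the 192.168.2.21-121 pool, so the Notes server sees a DMZ-pool address rather than the real 10.x address of its peer; only traffic to the 192.168.1.0/24 VPN pool is exempt. Note that the two `static (inside,dmz)` lines name the DMZ servers' own addresses as the inside "real" addresses, so they never match an inside 10.x source and play no part in this lookup.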