
New Member

Allow smtp through pix 501

Hi!

I need some help on how to allow SMTP traffic to an Exchange server on the LAN side.

I tried:

access-list out-to-in permit tcp any host 192.168.0.3 eq smtp

access-group out-to-in in interface outside

static (inside,outside) 192.168.0.3 xxx.xxx.xxx.244 netmask 255.255.255.255 0 0

Do I need to work with more outside IP addresses? Maybe it could be a bad overlap?

Kr

M

7 REPLIES
Hall of Fame Super Blue

Re: Allow smtp through pix 501

Is xxx.xxx.xxx.244 the address that is routable on the Internet? If so, change your config to the following.

Remove this static statement:

static (inside,outside) 192.168.0.3 xxx.xxx.xxx.244 netmask 255.255.255.255 0 0

Add this one:

static (inside,outside) xxx.xxx.xxx.244 192.168.0.3 netmask 255.255.255.255

Change the access-list from

access-list out-to-in permit tcp any host 192.168.0.3 eq smtp

to

access-list out-to-in permit tcp any host xxx.xxx.xxx.244 eq smtp

Jon

New Member

Re: Allow smtp through pix 501

When I add your static, my Internet is no longer available. Neither is it working to access SMTP from the outside interface. Can I use the same address for the outside interface as I use for my static routes, or do I need to create a global outside IP pool?

Confused!

Hall of Fame Super Blue

Re: Allow smtp through pix 501

Change the static statement from

static (inside,outside) xxx.xxx.xxx.244 192.168.0.3 netmask 255.255.255.255

to

static (inside,outside) tcp interface 25 192.168.0.3 25 netmask 255.255.255.255

I'm assuming your mail server's internal address is 192.168.0.3.

Jon

New Member

Re: Allow smtp through pix 501

Thanks for your reply! I added some more static statements and access-lists, and now I'm getting performance issues from inside the firewall (not sure from outside). When trying to send or receive files it's really slow. We have 10 Mbit up/down via fiber. It works well with the other firewall (D-Link). Is there a more effective way to open up ports www, ssl, rdp, smtp to the internal Exchange server 192.168.0.3? All these statics just don't feel right...

PIX Version 6.3(5)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password v0o/1tpLdUo.e/eb encrypted
passwd v0o/1tpLdUo.e/eb encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list out-to-in permit icmp any any time-exceeded
access-list out-to-in permit tcp any host xxx.xxx.134.244 eq smtp
access-list out-to-in permit tcp any host xxx.xxx.134.244 eq https
access-list out-to-in permit tcp any host xxx.xxx.134.244 eq www
access-list out-to-in permit tcp any host xxx.xxx.134.244 eq 3389
access-list VPN permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.134.244 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNDHCP 192.168.10.2-192.168.10.10
pdm location 192.168.0.0 255.255.255.0 inside
pdm location 192.168.0.3 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list VPN
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp 192.168.0.3 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.0.3 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.0.3 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.0.3 3389 netmask 255.255.255.255 0 0
access-group out-to-in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.134.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set matiasvpn esp-des esp-md5-hmac
crypto dynamic-map dynmapmatias 99 set transform-set matiasvpn
crypto map matiasmap 99 ipsec-isakmp dynamic dynmapmatias
crypto map matiasmap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 88 authentication pre-share
isakmp policy 88 encryption des
isakmp policy 88 hash md5
isakmp policy 88 group 2
isakmp policy 88 lifetime 86400
vpngroup -matIasvpn. address-pool VPNDHCP
vpngroup -matIasvpn. dns-server 192.168.0.3
vpngroup -matIasvpn. wins-server 192.168.0.3
vpngroup -matIasvpn. default-domain netbin.local
vpngroup -matIasvpn. idle-time 1800
vpngroup -matIasvpn. password ********
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 5

New Member

Re: Allow smtp through pix 501

Hi! Please look at my update!

Thanks!

New Member

Re: Allow smtp through pix 501

Reverse the IP addresses in your static statement.

It should be: static (inside,outside) xxx.xxx.xxx.244 192.168.0.3 netmask 255.255.255.255

The first IP is the global address; the second is the real address.

HTH
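A small audit script, added here and not from the thread or from Cisco, that parses static and access-list lines in PIX 6.3 syntax and flags the two mistakes the replies point out: a static with the mapped (global) and real addresses reversed, and an inbound outside ACL whose destination is the inside address instead of the global one. The config it runs on is constructed; 203.0.113.244 is a documentation address standing in for the redacted xxx.xxx.xxx.244.

```python
import ipaddress

# Constructed PIX 6.3 snippet reproducing the original poster's two mistakes:
# static with mapped/real reversed, and an outside ACL naming the inside host.
SAMPLE_CONFIG = """\
ip address outside 203.0.113.244 255.255.255.0
static (inside,outside) 192.168.0.3 203.0.113.244 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.0.3 https netmask 255.255.255.255 0 0
access-list out-to-in permit tcp any host 192.168.0.3 eq smtp
access-list out-to-in permit tcp any host 203.0.113.244 eq https
access-group out-to-in in interface outside
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True for private addresses; the 'interface' keyword means the interface's own IP."""
    return addr != "interface" and any(ipaddress.ip_address(addr) in n for n in RFC1918)


def parse_static(tokens):
    """Return (mapped_if, mapped_ip, real_ip) from 'static (real_if,mapped_if) ...'."""
    mapped_if = tokens[1].strip("()").split(",")[1]
    if tokens[2] in ("tcp", "udp"):        # port-forward form: proto mapped mport real rport
        return mapped_if, tokens[3], tokens[5]
    return mapped_if, tokens[2], tokens[3]  # one-to-one form: mapped real


def audit(config):
    """Return findings for reversed statics and mistargeted inbound outside ACL entries."""
    statics, acl_lines, bound, outside_ip = [], [], {}, None
    for line in config.splitlines():
        t = line.split()
        if t[:3] == ["ip", "address", "outside"]:
            outside_ip = t[3]
        elif t and t[0] == "static":
            statics.append(parse_static(t))
        elif t and t[0] == "access-list" and "host" in t:
            acl_lines.append((t[1], t[t.index("host") + 1]))
        elif t and t[0] == "access-group":  # access-group NAME in interface IFACE
            bound[t[1]] = t[4]
    findings = []
    for mapped_if, m, r in statics:
        if mapped_if == "outside" and is_rfc1918(m) and not is_rfc1918(r):
            findings.append(f"static {m} {r}: arguments reversed, the mapped (global) address comes first")
    served = {outside_ip if m == "interface" else m for _, m, _ in statics}
    for name, dst in acl_lines:
        if bound.get(name) != "outside":
            continue
        if is_rfc1918(dst):
            findings.append(f"access-list {name}: host {dst} is an inside address; "
                            "an outside ACL must name the mapped (global) address")
        elif dst not in served:
            findings.append(f"access-list {name}: no static translates {dst}")
    return findings
```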

