clinthammer

asked on

Help needed on opening ports for FTP server and MDaemon

Good Day,

We have a CISCO 515e pix firewall running on our network. Everyone internally connects to the Internet through this firewall.
The firewall ip is 192.168.0.1

1. We have an ftp server running on a Win2k pc. I have already configured the ftp server for access from outside people. This is the command I entered in the firewall config:

static (inside,outside) tcp 80.227.104.242  ftp 192.168.0.49 ftp netmask 255.255.255.0 0 0

It works perfectly with one exception. People inside the office can only use the ip of 192.168.0.49 to connect to the ftp. They cannot use the public ip of 80.227.104.242 as it always times out. However, for outside users the public ip works fine as it should.

How can I configure the firewall to allow inside users to use the public ip?

2. In order to fulfill my boss's need to be a Big Brother (read all emails incoming/outgoing), I need to setup MDaemon on our network. Installing/configuring the program itself is not a hassle. It will be done on a regular pc with ip 192.168.0.50

However, as with the ftp site, I need people to be able to use our public ip as the mail server address, because some of the users travel and I don't want them to keep changing mail server addresses whenever they leave the office.

Hence, I need to configure the following ports for access on the firewall. Ports should be configured for the ip 192.168.0.50 as this is the ip of the MDaemon box:

SMTP Ports
inbound smtp 25
outbound smtp 25
inbound ODMR 366
Ded. SSL port for smtp 465

POP Ports
inbound pop 110
outbound pop 110
dedicated ssl 995
inbound imap 143
dedicated SSL for IMAP 993

DNS/LDAP/WebAdmin/MD Config ports
query dns 53
ldap port 389
md config 3002
web admin connections 1000

World Client port 3000

Also, someone mentioned that some PIX firewalls have the option called SMTP FIX. How can I disable this?

My knowledge of PIX firewalls is pretty limited (I usually get help from these forums and vendors), so any help is much appreciated. Or if anyone has a link to commands that I can use, that too would be helpful.

Thank you.
CD

Tim Holman

1)  The only way to do this is to either use split DNS (ie have internal users resolve ftp.yoursite.com to your internal, rather than external DNS), or put in a NAT statement that translates the external destination address of your ftp server to your internal one, and follow this up with route statements to ensure traffic leaves the correct interface (ie internal).

2)  Does your boss have the legal right to read all emails ?  Have staff been informed that this is the case ?

3)  'no fixup smtp' will remove what I think you mean by SMTP fix.  Commonly done due to problems with SMTP handling by the PIX, although the later versions shouldn't have any problems.

Good NAT starter guide for PIX:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml
clinthammer

ASKER

Hi,

1. Over at the CISCO forums someone gave me this info:

You have couple of options here -

-If you want to alias command then your syntax should be as follows:

alias(inside) 192.168.0.49 80.227.104.242 255.255.255.255

-If you are running PIX 6.2 or above, my suggestion would be to edit your existing static with "dns" keyword added as follows -

static (inside,outside) tcp 80.227.104.242 ftp 192.168.0.49 ftp dns netmask 255.255.255.0

2. The boss is actually the President a.k.a. Owner and founder hence I think he has the right to read all emails sent and received from the company domain because he owns the domain and all property. We are in the Middle East so laws here are quite different.

Ooops... forgot about the alias command, sorry !
If it helps, documentation is here:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml

Interesting point about whether or not company owners have the legal right to read all emails - if you're interested I've just been reading this:

http://management.about.com/cs/people/a/MonitorEE062501.htm

Looks like Boss is God after all - even with Hotmail accessed from an employer's machine.

You've got me worried now...
Tried the alias and static - none worked.

Will keep at it tomorrow.
ASKER CERTIFIED SOLUTION
Tim Holman
tim holman: you da man :)

all I did was actually leave my current static statement:

static (inside,outside) tcp 80.227.104.242  ftp 192.168.0.49 ftp netmask 255.255.255.0 0 0

and add:
alias (inside) 192.168.0.49 80.227.104.242 255.255.255.255

And it connected fine. People inside and outside both connect using the dns name  ftp.mmg-me.com

I didn't need to add this:
access-list 101 permit tcp any host 80.227.104.242 eq ftp
access-group 101 in interface outside

However, can you tell me what those 2 last lines were for?

Thanks.
CD

Tim holman: My original question asked for assistance on configuring the firewall for numerous ports. However, I accepted your answer soon.

I will work on the config myself now. Although, if I need assistance, can you provide me with it please?

Thanks.
CD
Hi CD,

Would need to see your whole config to work out why you didn't need the last two lines that I suggested.  If you don't have access lists, then by default everyone can go out, but nothing can come in (according to the security levels 100 and 0 on the interfaces).
Let me know if you need more help !

Cheers,

Tim
Here is the config:

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 9jNfZuG3TC5tCVH0 encrypted
hostname MMGFIRE
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list inside_access_in permit ip any any
access-list acl_in permit ip any any
access-list acl_in permit icmp any any
access-list acl_in permit tcp any any eq www
access-list acl_in permit tcp any any eq telnet
access-list acl_in permit tcp any any eq pop3
access-list acl_in permit tcp any any eq smtp
access-list acl_in permit tcp any any eq sqlnet
access-list acl_in permit tcp any any eq ftp
access-list acl_in permit tcp any host 192.168.0.49 eq ftp

access-list acl_out permit ip any any

access-list acl_out permit icmp any any
access-list acl_out permit tcp any any eq www
access-list acl_out permit tcp any any eq telnet
access-list acl_out permit tcp any any eq pop3
access-list acl_out permit tcp any any eq smtp
access-list acl_out permit tcp any any eq sqlnet
access-list acl_out permit tcp any any eq ftp
access-list acl_out permit tcp any host 192.168.0.49 eq ftp
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside 80.227.104.242 255.255.255.252
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
alias (inside) 192.168.0.49 80.227.104.242 255.255.255.255
static (inside,outside) tcp 80.227.104.242 ftp 192.168.0.49 ftp dns  netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
route outside 0.0.0.0 0.0.0.0 80.227.104.241 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location

no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:ad733da2879b2e1898b472f6e1588e27
: end
[OK]
It worked because you already had access lists to allow ftp in:

access-list acl_in permit tcp any any eq ftp
access-list acl_in permit tcp any host 192.168.0.49 eq ftp

..although if you want to be specific and only allow ftp access to 192.168.0.49, then remove the first line by putting 'no access-list acl_in permit tcp any any eq ftp'

I've run this through the CCO config checker - it tells me the following, if it's any help:

WARNING: The 'access-list' statement:
  'access-list acl_out permit ip any any'
allows ip traffic to initiate connections from the outside to a higher security
level interface, for any source and destination, whenever there is an active translation
in the PIX.
TRY THIS: These types of access-lists can be useful for testing in a lab environment,
but should be used with extreme care in a production environment. Check your security
policy.

WARNING: The 'access-list' statement:
  'access-list acl_out permit icmp any any'
allows icmp traffic to initiate connections from the outside to a higher security
level interface, for any source and destination, whenever there is an active translation
in the PIX.
TRY THIS: These types of access-lists can be useful for testing in a lab environment,
but should be used with extreme care in a production environment. Check your security
policy.

WARNING: There are access-lists defined that are not applied in the configuration
with an 'access-group', 'crypto map', 'crypto dynamic-map', 'vpngroup {name} split-tunnel'
'nat 0', 'aaa accounting match', 'aaa authentication match', or 'aaa authorization
match' command:
  access-list inside_access_in permit ip any any
TRY THIS: Make sure that these access-lists are required in your configuration.
(e.g. used for RADIUS authorization)

INFO: The following interfaces have been set to autonegotiate their speed and
duplex settings:
  ethernet0
  ethernet1
NOTE: Even though the default is to set automatic speed sensing for the interfaces
with the 'interface hardware_id auto' command, Cisco recommends to specify the
speed of the network interfaces; for example, '10baset', '10full', '100basetx',
'100full', '1000basesx', or '1000sxfull'. This lets the PIX Firewall operate in
network environments that may include switches or other devices that do not handle
auto sensing correctly. If speed/duplex are hardcoded on the PIX, configure the
speed/duplex on the neighboring device also.

INFO: The 'Xlate' timeout is greater than 1 hour.
The xlate timeout determines the idle time until a translation slot is freed. Increase
the system performance by setting this timer to 1 hour with the configuration command,
'timeout xlate 1:00:00'.

WARNING: The console is set to never timeout.
TRY THIS: Consider configuring a finite timeout for the console. For example, 'console
timeout 5' will configure a 5 minute timeout for the console.
REFERENCE: For more information, see 'Console timeout' command.

WARNING: There is no banner configured for this device.
TRY THIS: In some jurisdictions, civil and/or criminal prosecution of unauthorized
users is much easier when a banner warning them that their access is unauthorized.
Legal notification requirements are complex and these should be discussed with
your own legal counsel. Once the appropriate login warning has been developed for
your firewall, you may incorporate it into your unit for display before all interactive
logins with the 'banner login' configuration command.

INFO: The 'alias' command is being used in the configuration.
NOTE: The 'nat' command with the 'dns' option can now perform the same function.
REFERENCE: For more information, see 'NAT' command with 'DNS' option.
I will review the above and get back to you Tim. Thanks a lot.

I'm also just playing with Mdaemon here. I have created a subdomain called xxwebmail.xx-xx.com

I intend on using this subdomain for users to go to Webmail.

Suppose our public ip is 10.10.10.10 and private ip of the Mdaemon machine is 192.168.0.36. The Webmail function is only accessible through port 3000, i.e. http://192.168.0.36:3000 on the Mdaemon machine.

What command do I issue to let any requests at 10.10.10.10:3000 go to 192.168.0.36:3000
and
how can I point the subdomain to 10.10.10.10:3000? I assume I have to use some sort of name command?

Thanks.
CD
This would do the job:

access-list acl_out permit tcp any any eq 3000
static (inside,outside) tcp 10.10.10.10 3000 192.168.0.36 3000 dns  netmask 255.255.255.255 0 0
Thanks Tim.

There is one problem though. As I am inside the office - behind the firewall, I cannot use the public ip
i.e. http://10.10.10.10:3000 to connect to the webmail.  I have to use the subdomain-> http://xxwebmail.xx-xx.com

What command would I use to bind http://xxwebmail.xx-xx.com to http://10.10.10.10:3000

Also please note, that I need to only allow web access to this public ip, nothing else.

To make it safer can I alter the access list for this:

access-list acl_out permit tcp any 10.10.10.10 eq 3000
Make sure xxwebmail.xx-xx.com resolves to your external IP address on your internal DNS servers ?
For now let's assume xxwebmail.xx-xx.com is mmgwebmail.mmg-me.com

I want this domain to resolve to my public ip (it is in the config above) 80.227.104.242 port 3000.  Also, since Mdaemon's webmail service runs on port 3000, hence 192.168.0.36 port 3000, I need to resolve the public ip as well to this private ip.

so it's like this:

mmgwebmail.mmg-me.com -> 80.227.104.242 port 3000 -> 192.168.0.36 port 3000

God I hate non gui firewalls :(
I'm lost...  is this what you're trying to do:

Internal client initiates connection to mmgwebmail.mmg-me.com
Internal DNS resolves this to 80.227.104.242
Client gets routed to the firewall in search of 80.227.104.242.
The alias / dns commands on the firewall bounces the request back to 192.168.0.36
Client connects to 192.168.0.36 directly, webmail works.

?
Yes. Just to add it is Internal and External client.

e.g. I am internal client at office with my laptop. However, I go to USA for a trip so I thus become an external client.

I am in contact with our mail provider to find out if they can resolve mmgwebmail.mmg-me.com  to 80.227.104.242:3000

So all I really need to do is have the firewall bounce requests on 80.227.104.242:3000 to 192.168.0.36:3000

I am sorry for not making it clear Tim.

CD
These lines will allow you to access 80.227.104.242 on port 3000 when you're 'external' -

access-list acl_out permit tcp any any eq 3000
static (inside,outside) tcp  80.227.104.242 3000 192.168.0.36 3000 dns  netmask 255.255.255.255 0 0

Also, change your passwords.  You can reverse engineer the hashes to find out the passwords:

enable password 2KFQnbNIdI.2KYOU encrypted
passwd 9jNfZuG3TC5tCVH0 encrypted

...so as this is now public information, a cracker could in theory get your original PIX passwords !

Sorry for the delay.

The internal ip now changed from 192.168.0.36 to 192.168.0.39
Port is still 3000

I tried your config lines but to no avail so I added my own based on my previous ftp commands. These are the lines I added:

access-list acl_in permit tcp any any eq 3000
access-list acl_in permit tcp any host 192.168.0.39 eq 3000
access-list acl_out permit tcp any any eq 3000
access-list acl_out permit tcp any host 192.168.0.39 eq 3000
static (inside,outside) tcp 80.227.104.242 3000 192.168.0.39 3000 dns  netmask 255.255.255.255 0 0

I forwarded http://mmgwebmail.mmg-me.com to 80.227.104.242:300

It still does not connect and times out. Anything wrong with my config?

CD
Nothing wrong with this config - the static command will translate 80.227.104.242 to 192.168.0.39 for port 3000.
I'm assuming your internal DNS resolves http://mmgwebmail.mmg-me.com to 80.227.104.242 ?
Have you removed the alias command ?
Could you post up the revised config - it would be easier for me to troubleshoot !
This is the current config:

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100

hostname MMGFIRE
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names

access-list inside_access_in permit ip any any
access-list acl_in permit ip any any
access-list acl_in permit icmp any any
access-list acl_in permit tcp any any eq www
access-list acl_in permit tcp any any eq telnet
access-list acl_in permit tcp any any eq pop3
access-list acl_in permit tcp any any eq smtp
access-list acl_in permit tcp any any eq sqlnet
access-list acl_in permit tcp any any eq ftp
access-list acl_in permit tcp any host 192.168.0.49 eq ftp
access-list acl_in permit tcp any any eq 3000
access-list acl_in permit tcp any host 192.168.0.39 eq 3000

access-list acl_out permit ip any any
access-list acl_out permit icmp any any
access-list acl_out permit tcp any any eq www
access-list acl_out permit tcp any any eq telnet
access-list acl_out permit tcp any any eq pop3
access-list acl_out permit tcp any any eq smtp
access-list acl_out permit tcp any any eq sqlnet
access-list acl_out permit tcp any any eq ftp
access-list acl_out permit tcp any host 192.168.0.49 eq ftp
access-list acl_out permit tcp any any eq 3000
access-list acl_out permit tcp any host 192.168.0.39 eq 3000

pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside 80.227.104.242 255.255.255.252
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
alias (inside) 192.168.0.49 80.227.104.242 255.255.255.255
static (inside,outside) tcp 80.227.104.242 ftp 192.168.0.49 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 80.227.104.242 3000 192.168.0.39 3000 dns  netmask 255.255.255.255 0 0

access-group acl_out in interface outside
access-group acl_in in interface inside
route outside 0.0.0.0 0.0.0.0 80.227.104.241 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80


A friend at home could connect to the site but the redirect url sent him to our public ip. So what I did was use www.no-ip.com for a url name. Now http://mmgwebmail.mmg-me.com redirects to http://mmgwebmail.servehttp.com

I don't know if they can still see the ip. Also, I can't connect to the site using the proper url name - I can only use the internal ip. As for the ftp site, I think I need an alias command but this alias command needs to redirect to a port.

e.g. alias (inside) 192.168.0.39 3000 80.227.104.242 3000 255.255.255.255

But cisco doesn't accept this?
Actually Tim, I'm having a bigger problem.

I added these lines fine:

access-list acl_in permit tcp any any eq 3000
access-list acl_in permit tcp any host 192.168.0.39 eq 3000
access-list acl_out permit tcp any any eq 3000
access-list acl_out permit tcp any host 192.168.0.39 eq 3000
static (inside,outside) tcp 80.227.104.242 3000 192.168.0.39 3000 dns  netmask 255.255.255.255 0 0

People outside our network can access the site http://mmgwebmail.mmg-me.com fine but they can see our public ip of 80.227.104.242.

So I didn't want them to do this. I then proceeded to remove the above 5 lines with the "no" command for each of them.

Please note that initially after entering those 5 lines, I did not write to memory (write mem). But now after I removed them I did.

After this, people could still access the site even though the lines were removed. This is a huge problem. The only way I could prevent this was by rebooting the firewall. Shouldn't the write mem command write the current config to memory?

Do you know why it would let people access the site even though I used the write mem command? I am losing hair over this matter!!!
You do not need to "write mem" to apply changes.  They will be instantaneous.  "write mem" saves config to flash, so it's
there next time you reboot.
This statement in your access list allows anything to come into your network:

access-list acl_out permit ip any any

..generally a bad idea, and also explains why removal of the access lists above did not prevent access.

You need to look at restricting these access lists.  You may as well remove all of access-list acl_in, seeing as you will have unlimited inside to outside access by default (without any access lists, the security levels of the interfaces come into effect).

access-list inside_access_in permit ip any any
access-list acl_in permit ip any any
access-list acl_in permit icmp any any
access-list acl_in permit tcp any any eq www
access-list acl_in permit tcp any any eq telnet
access-list acl_in permit tcp any any eq pop3
access-list acl_in permit tcp any any eq smtp
access-list acl_in permit tcp any any eq sqlnet
access-list acl_in permit tcp any any eq ftp
access-list acl_in permit tcp any host 192.168.0.49 eq ftp
access-list acl_in permit tcp any any eq 3000
access-list acl_in permit tcp any host 192.168.0.39 eq 3000

Your acl_out's need restricting as follows.  Trim down to this, if all you want is for outside hosts to connect to your ftp and webmail:

access-list acl_out permit tcp any host 192.168.0.49 eq ftp
access-list acl_out permit tcp any host 192.168.0.39 eq 3000

Any any is not good.  Be specific !

REMOVE the alias statement.  Use of 'dns' in your static NAT command handles the dns doctoring in PIX 6.3.


You will need static statements for each port you want to forward - so far we've only covered ftp and 3000, so translate smtp, pop3, ssl etc as you've done for ftp/3000 - eg

static (inside,outside) tcp 80.227.104.242 smtp 192.168.0.49 smtp netmask 255.255.255.255 0 0

..use the DNS statement for any service you want internal users to see by 'external' address - eg

static (inside,outside) tcp 80.227.104.242 http 192.168.0.49 http netmask 255.255.255.255 0 0


Also, how are you doing the redirection of http://mmgwebmail.mmg-me.com to 80.227.104.242:3000 ?  
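An added example, not from the thread: a small Python model of how the PIX walks an access-list first-match, fed the acl_out entries pasted above and the access-list 101 form given later in the thread (which names the public address a packet carries when it reaches the outside interface). It shows why removing the five port 3000 lines left webmail reachable (`permit ip any any` at the top matches first) and flags the broad entries the CCO checker warned about; the outside client address 203.0.113.5 is constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample lists, copied from the thread. ACL_OUT_BROAD is the outside-facing
# list as pasted; ACL_OUT_TIGHT is the access-list 101 form suggested later.
ACL_OUT_BROAD = """\
access-list acl_out permit ip any any
access-list acl_out permit icmp any any
access-list acl_out permit tcp any any eq www
access-list acl_out permit tcp any any eq ftp
access-list acl_out permit tcp any host 192.168.0.49 eq ftp
access-list acl_out permit tcp any any eq 3000
access-list acl_out permit tcp any host 192.168.0.39 eq 3000
"""
ACL_OUT_TIGHT = """\
access-list 101 permit tcp any host 80.227.104.242 eq ftp
access-list 101 permit tcp any host 80.227.104.242 eq 3000
"""
# Service names the PIX accepts after 'eq', as used in the pasted config.
PORT_NAMES = {"www": 80, "http": 80, "ftp": 21, "telnet": 23, "smtp": 25,
              "pop3": 110, "sqlnet": 1521}


@dataclass
class Ace:
    """One access-control entry: action, protocol, source, destination, port."""
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _address(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' and return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(text: str, name: str) -> list:
    """Parse the entries of one named access-list out of PIX 6.x config text."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[1] != name:
            continue
        action, proto, rest = t[2], t[3], t[4:]
        src, rest = _address(rest)
        dst, rest = _address(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def evaluate(aces, proto, src, dst, dport=None):
    """First-match evaluation with the implicit deny at the end, as the PIX does.
    Returns (action, index of the matching entry) or ('deny', None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, a in enumerate(aces):
        if a.proto not in ("ip", proto):
            continue
        if s not in a.src or d not in a.dst:
            continue
        if a.dport is not None and a.dport != dport:
            continue
        return a.action, i
    return "deny", None


def audit(aces):
    """Flag permits that let any source reach any destination on every port,
    the entries the CCO config checker warned about earlier in the thread."""
    return [f"permit {a.proto} any any" for a in aces
            if a.action == "permit" and a.src.prefixlen == 0
            and a.dst.prefixlen == 0 and a.dport is None]


if __name__ == "__main__":
    broad = parse_acl(ACL_OUT_BROAD, "acl_out")
    # Constructed outside client 203.0.113.5 opening webmail on the public address.
    print(evaluate(broad, "tcp", "203.0.113.5", "80.227.104.242", 3000))   # ('permit', 0)
    without_3000 = [a for a in broad if a.dport != 3000]                    # the 'no' commands
    print(evaluate(without_3000, "tcp", "203.0.113.5", "80.227.104.242", 3000))  # still ('permit', 0)
    print(audit(broad))                                                     # two 'any any' permits
    tight = parse_acl(ACL_OUT_TIGHT, "101")
    print(evaluate(tight, "tcp", "203.0.113.5", "80.227.104.242", 3000))   # ('permit', 1)
    print(evaluate(tight, "tcp", "203.0.113.5", "80.227.104.242", 110))    # ('deny', None)
```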
Hi Tim,

Thank you very much for your input.

I never setup the firewall when we first purchased it. It was an engineer who did it and from what you have told me, I don't think he did a great job. First thing in the morning, I will make the changes to better protect my network.

1. I added this for the ftp site actually:

alias (inside) 192.168.0.49 80.227.104.242 255.255.255.255

Initially, the static command for the ftp site (static (inside,outside) tcp 80.227.104.242 ftp 192.168.0.49 ftp netmask 255.255.255.255 0 0) only let people from outside connect to the ftp using ftp://ftp.mmg-me.com.

Note: Our webspace provider redirected the url ftp://ftp.mmg-me.com using a CNAME

So I added the alias command so that people inside my network (behind the firewall) could connect to the ftp using ftp://ftp.mmg-me.com

I am positive without the alias statement, they could not connect from inside using the ftp url. I will double check this tomorrow though.

2. As for the access lists:

access-list acl_out permit ip any any
access-list acl_out permit icmp any any
access-list acl_out permit tcp any any eq www
access-list acl_out permit tcp any any eq telnet
access-list acl_out permit tcp any any eq pop3
access-list acl_out permit tcp any any eq smtp
access-list acl_out permit tcp any any eq sqlnet
access-list acl_out permit tcp any any eq ftp
access-list acl_out permit tcp any host 192.168.0.49 eq ftp
access-list acl_out permit tcp any any eq 3000
access-list acl_out permit tcp any host 192.168.0.39 eq 3000

For now, I only want ftp and webmail so I will remove the unneeded. Just 2 quick questions. What do these lines signify or mean:

access-list acl_out permit tcp any any eq www
access-list acl_out permit tcp any any eq pop3

3. The redirection of http://mmgwebmail.mmg-me.com is done through our webspace provider (I have access to the control panel of our account). I use the "Redirect url" option.


4. I think I have discovered why our Internet bandwidth is excess all the time. It is because the access list allow anyone from outside to access our internal network. Please correct me if I'm wrong.

Just another q to clear up something on my mind. You mentioned this allows all outside users to enter our network. hence the removal of these lines:

access-list acl_in permit tcp any any eq 3000
access-list acl_in permit tcp any host 192.168.0.39 eq 3000
access-list acl_out permit tcp any any eq 3000
access-list acl_out permit tcp any host 192.168.0.39 eq 3000
static (inside,outside) tcp 80.227.104.242 3000 192.168.0.39 3000 dns  netmask 255.255.255.255 0 0

Would still let outsiders access. The thing bugging me is if I removed the above lines, esp. the static line, how would the firewall know to redirect all external requests to the internal ip 192.168.0.39 3000.

It doesn't matter if http://mmgwebmail.mmg-me.com is redirected to http://80.227.104.242:3000. The firewall shouldn't know where to send such port 3000 requests to. Unless it autodetects in the internal network which computer/workstation has port 3000 open?!

Thanks.
CD

p.s. I wish I could give you more points or rather if you were located in the Middle East, we would surely hire you as our network consultant. The people here are clueless even though they have all these fancy certifications!  

Someone mentioned in another thread that there's a bug with 6.3(1) that retains access-lists in memory even after removing via command line.  The fix is a reboot, or 6.3(3).  Pretty bad bug... !
Thanks. I just found that out too. Rebooted and it is fine now.

The only thing I'm trying to get to work now is to allow internal users usage of http://mmgwebmail.mmg-me.com to access the webmail.

So far this is what I entered:

access-list acl_out permit tcp any host 192.168.0.39 eq 3000
access-list acl_out permit tcp any any eq 3000
static (inside,outside) tcp  80.227.104.242 3000 192.168.0.39 3000 dns  netmask 255.255.255.255 0 0
static (inside,outside) tcp 80.227.104.242 http 192.168.0.39 http netmask 255.255.255.255 0 0

Still doesn't let me access it from inside using the url. I am going to go at it for another 4 hrs until end of day.
Don't forget to put DNS into your statics to do the dns doctoring !

static (inside,outside) tcp 80.227.104.242 http 192.168.0.39 http **DNS** netmask 255.255.255.255 0 0

If we continue to have problems with this, maybe we should go back to the old alias method....

Can you try this ?

sysopt noproxyarp ethernet1
 OR sysopt noproxyarp inside (one of these should work !)
alias (inside) 192.168.0.39 80.227.104.242 255.255.255.255
static (inside,outside) tcp 80.227.104.242 3000 192.168.0.39 3000 netmask 255.255.255.255
static (inside,outside) tcp 80.227.104.242 ftp 192.168.0.49 ftp netmask 255.255.255.255
access-list 101 permit tcp any host 80.227.104.242 eq www
access-list 101 permit tcp any host 80.227.104.242 eq 3000
access-list 101 permit tcp any host 80.227.104.242 eq ftp
access-group 101 in interface outside

Hi Tim,

I tried it all and still no go. Nothing at all :(

I even removed the code for the ftp site because I thought it might be conflicting. So I removed all the code related to the ftp site and entered the code for the webmail but it still would not connect!!!

I decided to extend this thread here: https://www.experts-exchange.com/questions/20909943/CISCO-pix-515e-Cannot-access-internal-email-webmail-using-public-ip-or-domain-name.html

Some more points available because this question has become really long and can be somewhat confusing (esp because of all the config)

CD
Another thing I was testing - related to the ftp this time.

I removed these lines (because I heard PIX is phasing out the alias command):

static (inside,outside) tcp 80.227.104.242  ftp 192.168.0.49 ftp netmask 255.255.255.0 0 0
alias (inside) 192.168.0.49 80.227.104.242 255.255.255.255

and added only this:
static (inside,outside) tcp 80.227.104.242  ftp 192.168.0.49 ftp netmask 255.255.255.0 0 0

Now I couldn't connect from inside the office (behind firewall) to ftp://ftp.mmg-me.com

then I added this:
static (inside,outside) tcp 80.227.104.242  ftp 192.168.0.49 ftp dns netmask 255.255.255.0 0 0

Still no go. So I am assuming the dns doctoring is not working when the alias command is absent. I'm going to search more about this: need to ensure it works without the alias command because of PIX dropping alias in future.
Hmmm....  as the 'dns' option to the static command is relatively new, it might be wise just sticking to the old alias method.  I will continue work on your new thread !!  ;)