Solved

Forward ICMP to internal server PIX

Posted on 2004-03-23
Last Modified: 2012-05-04
Ok, I have been getting denied responses from other mail servers because they cannot resolve my mail server's IP. I set up a PTR with my ISP, but my PIX box will not let the request go through to the internal mail server. I have set up access-list outsode_in permit icmp any any, but only the outside interface on the unit will respond. I have found a link saying I can use a permit icmp any host xxx.xxx.xxx.xxx and that will forward the ICMP request, but it doesn't seem to work. Any thoughts?
Question by:klause2

Accepted Solution

by:
hawgpig earned 175 total points
ID: 10657875
Putting icmp any any on the outside interface will allow all pings inward....
However, I'm not sure how this is going to help you.
Here is what you need to have...
a translation to the outside world with the outside address of the mail server:
static (inside,outside) 66.66.66.66 192.168.0.1 netmask 255.255.255.255
Where 66.66.66.66 is your mail server's outside address and 192.168.0.1 is the internal address of your mail server.
You then need an access-list applied to the outside interface. You said you had one called
outsode_in
You will need to allow this to go through with these commands:
access-list outsode_in permit tcp any host 66.66.66.66 eq 25 (or smtp)
access-group outsode_in in interface outside

Also, if you are running Exchange or any other ESMTP mail server, don't forget to turn off the fixup protocol.... I have seen it raise all kinds of havoc....


Good Luck

Assisted Solution

by:lrmoore
lrmoore earned 75 total points
ID: 10659759
Resolving IP addresses has nothing to do with being able to ping the server. You fixed that problem by adding the pointer address at your ISP.
As hawgpig stated above, you need to specifically permit incoming SMTP traffic, not ICMP, and you MUST have a "static(inside,outside)" line that will create a static NAT map from the public IP address that your email domain resolves to (yourcompany.com), mapping it to the "real" address assigned to the server itself. This is assuming, of course, that the "real" IP address of the server is a private address.
To turn off fixup:

no fixup protocol smtp 25


Author Comment

by:klause2
ID: 10660695
Ok, I have that set up, but I still can't ping the address. Here is what I have:
no fixup protocol smtp 25
access-list outside_in permit tcp any host 200.200.200.200 eq pop3
access-list outside_in permit tcp any host 200.200.200.200 eq smtp
access-list outside_in permit tcp any host 200.200.200.200 eq 81
access-list outside_in permit icmp any any
static (inside,outside) 200.200.200.200 204.63.168.112 netmask 255.255.255.255 0 0
access-group outside_in in interface outside

Now I have a router at 200.200.200.201 and my pix is set to 200.200.200.202 but I seem to only be able to ping 200.200.200.201. Maybe I need to fix a setting on my router?

(obviously the IPs have been changed)

Author Comment

by:klause2
ID: 10660722
Never mind, I'm an idiot. It works, I just have to ping it from outside my network. I'm dumb. Thanks for the help.
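
Added example (not part of the original thread and not posted by any participant): a small Python check that reads a PIX configuration snippet and reports the points raised above, namely an ACL that is never applied with access-group, a permit with no matching static translation, a blanket icmp any any entry, and SMTP fixup left on. The helper name audit and the finding texts are assumptions made for illustration; the sample is the configuration from the author's follow-up comment.

```python
import re

# Constructed sample: the configuration posted in the author's follow-up
# comment, using the thread's placeholder addresses.
SAMPLE = """\
no fixup protocol smtp 25
access-list outside_in permit tcp any host 200.200.200.200 eq pop3
access-list outside_in permit tcp any host 200.200.200.200 eq smtp
access-list outside_in permit tcp any host 200.200.200.200 eq 81
access-list outside_in permit icmp any any
static (inside,outside) 200.200.200.200 204.63.168.112 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
"""

STATIC = re.compile(r"static \(inside,outside\) (\S+) (\S+)")
PERMIT = re.compile(r"access-list (\S+) permit (\S+) any (?:host (\S+)|any)")
GROUP = re.compile(r"access-group (\S+) in interface outside")

def audit(config):
    """Hypothetical helper: return sorted findings for a PIX config snippet."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    statics, permits, bound, findings = set(), [], set(), set()
    for ln in lines:
        if m := STATIC.match(ln):
            statics.add(m.group(1))                  # public (outside) address
        elif m := PERMIT.match(ln):
            permits.append((m.group(1), m.group(2), m.group(3) or "any"))
        elif m := GROUP.match(ln):
            bound.add(m.group(1))                    # ACL applied inbound on outside
    for acl, proto, dst in permits:
        if acl not in bound:
            findings.add(f"ACL {acl} is not applied to outside with access-group")
        if proto == "icmp" and dst == "any":
            findings.add(f"ACL {acl} permits icmp any any: all inbound ICMP, not just mail")
        if dst != "any" and dst not in statics:
            findings.add(f"permit to {dst} has no static (inside,outside) translation")
    reachable = {dst for acl, _, dst in permits if acl in bound}
    for public in statics - reachable:
        findings.add(f"static {public} has no host-specific permit in an applied ACL")
    if "no fixup protocol smtp 25" not in lines:
        findings.add("SMTP fixup not disabled (thread: turn it off for ESMTP servers)")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run against the sample, the only finding is the icmp any any entry; an ACL name that differs between the access-list and access-group lines shows up as an unapplied ACL.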