Solved

Forward ICMP to internal server PIX

Posted on 2004-03-23
4
399 Views
Last Modified: 2012-05-04
Ok I have been getting denied respones from other mail servers because they can not reslove my mail servers IP. I set up a ptr with my ISP, but my pix box will not let the request go though to the internal mail server. I have set up access-list outsode_in permit icmp any any but only the outside interface on the unit will respond. I have found a link saying I can use a permit icmp any host xxx.xxx.xxx.xxx and that will forward the icmp request but it doesn't seem to work. Any thoughts?
0
Comment
Question by:klause2
  • 2
4 Comments
 
LVL 4

Accepted Solution

by:
hawgpig earned 175 total points
ID: 10657875
puting icmp any any on the outside interface will allow all pings inward....
However I'm not sure how this is going to help you
Here is what you need to have...
a translation to the ouside world with the outside address of the mailserver
static (inside,outside) 66.66.66.66 192.168.0.1 netmask 255.255.255.255
Where 66.66.66.66 is your mailserver outside address and 192.168.0.1 is the internal address of your mail server.
you then need an access-list applied to the ouside interface you said you had one called
outsode_in
you will need to allow this to go through with these commands
access-list outsode_in permit tcp any 66.66.66.66 eq 25 (or smtp)
access-list outsode_in in interface outside

also if you are running exchange or any other ESMTP mail server don't forget to turn of the fixup protocol....I have seen it raise all kinds of havoc....


Good Luck
0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 75 total points
ID: 10659759
Resolving IP addresses has nothing to do with being able to ping the server. You fixed that problem with adding the pointer address at your ISP.
As hawgpig stated above, you need to specifically permit incomming SMTP traffic, not icmp, and you MUST have a "static(inside,outside)" line that will create a static NAT map from the public IP address that your email domain resolves to (yourcompany.com), mapping it to the "real" address assinged to the server itself. This is assuming, of course, that the "real" IP address of the server is a private address.
To turn off fixup:

no fixup protocol smtp 25

0
 

Author Comment

by:klause2
ID: 10660695
Ok  I have that set up but I still can't ping the address. Here is what I have
no fixup protocol smtp 25
access-list outside_in permit tcp any host 200.200.200.200 eq pop3
access-list outside_in permit tcp any host 200.200.200.200 eq smtp
access-list outside_in permit tcp any host 200.200.200.200 eq 81
access-list outside_in permit icmp any any
static (inside,outside) 200.200.200.200 204.63.168.112 netmask 255.255.255.255 0 0
access-group outside_in in interface outside

Now I have a router at 200.200.200.201 and my pix is set to 200.200.200.202 but I seem to only be able to ping 200.200.200.201. Maybe I need to fix a setting on my router?

(obviously the IP's have been changed)
0
 

Author Comment

by:klause2
ID: 10660722
Never mind I'm an idiot. It works I just have to ping it fro outside my network. I'm dumb. Thanks for the help.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This article assumes you have at least one Cisco ASA or PIX configured with working internet and a non-dynamic, public, address on the outside interface. If you need instructions on how to enable your device for internet, or basic configuration info…
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now