Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 419
  • Last Modified:

Forward ICMP to internal server PIX

Ok I have been getting denied respones from other mail servers because they can not reslove my mail servers IP. I set up a ptr with my ISP, but my pix box will not let the request go though to the internal mail server. I have set up access-list outsode_in permit icmp any any but only the outside interface on the unit will respond. I have found a link saying I can use a permit icmp any host xxx.xxx.xxx.xxx and that will forward the icmp request but it doesn't seem to work. Any thoughts?
0
klause2
Asked:
klause2
  • 2
2 Solutions
 
hawgpigCommented:
puting icmp any any on the outside interface will allow all pings inward....
However I'm not sure how this is going to help you
Here is what you need to have...
a translation to the ouside world with the outside address of the mailserver
static (inside,outside) 66.66.66.66 192.168.0.1 netmask 255.255.255.255
Where 66.66.66.66 is your mailserver outside address and 192.168.0.1 is the internal address of your mail server.
you then need an access-list applied to the ouside interface you said you had one called
outsode_in
you will need to allow this to go through with these commands
access-list outsode_in permit tcp any 66.66.66.66 eq 25 (or smtp)
access-list outsode_in in interface outside

also if you are running exchange or any other ESMTP mail server don't forget to turn of the fixup protocol....I have seen it raise all kinds of havoc....


Good Luck
0
 
lrmooreCommented:
Resolving IP addresses has nothing to do with being able to ping the server. You fixed that problem with adding the pointer address at your ISP.
As hawgpig stated above, you need to specifically permit incomming SMTP traffic, not icmp, and you MUST have a "static(inside,outside)" line that will create a static NAT map from the public IP address that your email domain resolves to (yourcompany.com), mapping it to the "real" address assinged to the server itself. This is assuming, of course, that the "real" IP address of the server is a private address.
To turn off fixup:

no fixup protocol smtp 25

0
 
klause2Author Commented:
Ok  I have that set up but I still can't ping the address. Here is what I have
no fixup protocol smtp 25
access-list outside_in permit tcp any host 200.200.200.200 eq pop3
access-list outside_in permit tcp any host 200.200.200.200 eq smtp
access-list outside_in permit tcp any host 200.200.200.200 eq 81
access-list outside_in permit icmp any any
static (inside,outside) 200.200.200.200 204.63.168.112 netmask 255.255.255.255 0 0
access-group outside_in in interface outside

Now I have a router at 200.200.200.201 and my pix is set to 200.200.200.202 but I seem to only be able to ping 200.200.200.201. Maybe I need to fix a setting on my router?

(obviously the IP's have been changed)
0
 
klause2Author Commented:
Never mind I'm an idiot. It works I just have to ping it fro outside my network. I'm dumb. Thanks for the help.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

What Kind of Coding Program is Right for You?

There are many ways to learn to code these days. From coding bootcamps like Flatiron School to online courses to totally free beginner resources. The best way to learn to code depends on many factors, but the most important one is you. See what course is best for you.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now