Solved

Forward ICMP to internal server PIX

Posted on 2004-03-23
4
407 Views
Last Modified: 2012-05-04
OK, I have been getting denied responses from other mail servers because they cannot resolve my mail server's IP. I set up a PTR with my ISP, but my PIX box will not let the request go through to the internal mail server. I have set up access-list outsode_in permit icmp any any but only the outside interface on the unit will respond. I have found a link saying I can use a permit icmp any host xxx.xxx.xxx.xxx and that will forward the ICMP request, but it doesn't seem to work. Any thoughts?
0
Comment
Question by:klause2
4 Comments
 
LVL 4

Accepted Solution

by:
hawgpig earned 175 total points
ID: 10657875
Putting icmp any any on the outside interface will allow all pings inward....
However, I'm not sure how this is going to help you.
Here is what you need to have...
A translation to the outside world with the outside address of the mail server:
static (inside,outside) 66.66.66.66 192.168.0.1 netmask 255.255.255.255
Where 66.66.66.66 is your mail server's outside address and 192.168.0.1 is the internal address of your mail server.
You then need an access-list applied to the outside interface; you said you had one called outsode_in.
You will need to allow this to go through with these commands:
access-list outsode_in permit tcp any host 66.66.66.66 eq 25 (or smtp)
access-group outsode_in in interface outside

Also, if you are running Exchange or any other ESMTP mail server, don't forget to turn off the fixup protocol.... I have seen it raise all kinds of havoc....


Good Luck
0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 75 total points
ID: 10659759
Resolving IP addresses has nothing to do with being able to ping the server. You fixed that problem with adding the pointer address at your ISP.
As hawgpig stated above, you need to specifically permit incoming SMTP traffic, not ICMP, and you MUST have a "static(inside,outside)" line that will create a static NAT map from the public IP address that your email domain resolves to (yourcompany.com), mapping it to the "real" address assigned to the server itself. This is assuming, of course, that the "real" IP address of the server is a private address.
To turn off fixup:

no fixup protocol smtp 25

0
 

Author Comment

by:klause2
ID: 10660695
OK, I have that set up, but I still can't ping the address. Here is what I have:
no fixup protocol smtp 25
access-list outside_in permit tcp any host 200.200.200.200 eq pop3
access-list outside_in permit tcp any host 200.200.200.200 eq smtp
access-list outside_in permit tcp any host 200.200.200.200 eq 81
access-list outside_in permit icmp any any
static (inside,outside) 200.200.200.200 204.63.168.112 netmask 255.255.255.255 0 0
access-group outside_in in interface outside

Now I have a router at 200.200.200.201 and my PIX is set to 200.200.200.202, but I seem to only be able to ping 200.200.200.201. Maybe I need to fix a setting on my router?

(Obviously the IPs have been changed.)
0
 

Author Comment

by:klause2
ID: 10660722
Never mind, I'm an idiot. It works; I just have to ping it from outside my network. I'm dumb. Thanks for the help.
0
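
An added example, not part of the original thread: a small Python check that reads a PIX configuration of the form posted above and reports what the ACL bound to the outside interface exposes on each static translation, including rules filed under an ACL name that is never bound (such as a misspelled one). The function name `audit` and the patterns are assumptions made for this example; only the command forms shown in the thread are handled.

```python
import re

# Constructed sample input: the configuration posted in the thread, addresses as posted.
SAMPLE = """\
no fixup protocol smtp 25
access-list outside_in permit tcp any host 200.200.200.200 eq pop3
access-list outside_in permit tcp any host 200.200.200.200 eq smtp
access-list outside_in permit tcp any host 200.200.200.200 eq 81
access-list outside_in permit icmp any any
static (inside,outside) 200.200.200.200 204.63.168.112 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
"""

STATIC = re.compile(r"static \(inside,outside\) (\S+) (\S+)")
GROUP = re.compile(r"access-group (\S+) in interface outside")
ACL = re.compile(r"access-list (\S+) permit (\S+) any (?:host )?(\S+)(?: eq (\S+))?")

def audit(config):
    """Return (exposed, findings): services per public address, plus inconsistencies."""
    lines = [ln.strip() for ln in config.splitlines()]
    # public address -> inside address, taken from each static translation
    statics = dict(m.groups() for m in map(STATIC.match, lines) if m)
    # names of ACLs actually applied inbound on the outside interface
    bound = {m.group(1) for m in map(GROUP.match, lines) if m}
    exposed = {pub: [] for pub in statics}
    findings = []
    if not bound:
        findings.append("no ACL is bound inbound on the outside interface")
    for m in filter(None, map(ACL.match, lines)):
        name, proto, dest, port = m.groups()
        rule = f"{proto}/{port}" if port else proto
        if name not in bound:
            findings.append(f"ACL {name} is not bound to outside: {rule} rule is inert")
        elif dest == "any":
            # A permit to "any" reaches every translated host behind the firewall.
            findings.append(f"{rule} is permitted to any destination")
            for services in exposed.values():
                services.append(rule)
        elif dest in statics:
            exposed[dest].append(rule)
        else:
            findings.append(f"{rule} permitted to {dest}, which has no static translation")
    return exposed, findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```
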


Question has a verified solution.
