Solved

Forward ICMP to internal server PIX

Posted on 2004-03-23
4
408 Views
Last Modified: 2012-05-04
Ok I have been getting denied respones from other mail servers because they can not reslove my mail servers IP. I set up a ptr with my ISP, but my pix box will not let the request go though to the internal mail server. I have set up access-list outsode_in permit icmp any any but only the outside interface on the unit will respond. I have found a link saying I can use a permit icmp any host xxx.xxx.xxx.xxx and that will forward the icmp request but it doesn't seem to work. Any thoughts?
0
Comment
Question by:klause2
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 4

Accepted Solution

by:
hawgpig earned 175 total points
ID: 10657875
puting icmp any any on the outside interface will allow all pings inward....
However I'm not sure how this is going to help you
Here is what you need to have...
a translation to the ouside world with the outside address of the mailserver
static (inside,outside) 66.66.66.66 192.168.0.1 netmask 255.255.255.255
Where 66.66.66.66 is your mailserver outside address and 192.168.0.1 is the internal address of your mail server.
you then need an access-list applied to the ouside interface you said you had one called
outsode_in
you will need to allow this to go through with these commands
access-list outsode_in permit tcp any 66.66.66.66 eq 25 (or smtp)
access-list outsode_in in interface outside

also if you are running exchange or any other ESMTP mail server don't forget to turn of the fixup protocol....I have seen it raise all kinds of havoc....


Good Luck
0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 75 total points
ID: 10659759
Resolving IP addresses has nothing to do with being able to ping the server. You fixed that problem with adding the pointer address at your ISP.
As hawgpig stated above, you need to specifically permit incomming SMTP traffic, not icmp, and you MUST have a "static(inside,outside)" line that will create a static NAT map from the public IP address that your email domain resolves to (yourcompany.com), mapping it to the "real" address assinged to the server itself. This is assuming, of course, that the "real" IP address of the server is a private address.
To turn off fixup:

no fixup protocol smtp 25

0
 

Author Comment

by:klause2
ID: 10660695
Ok  I have that set up but I still can't ping the address. Here is what I have
no fixup protocol smtp 25
access-list outside_in permit tcp any host 200.200.200.200 eq pop3
access-list outside_in permit tcp any host 200.200.200.200 eq smtp
access-list outside_in permit tcp any host 200.200.200.200 eq 81
access-list outside_in permit icmp any any
static (inside,outside) 200.200.200.200 204.63.168.112 netmask 255.255.255.255 0 0
access-group outside_in in interface outside

Now I have a router at 200.200.200.201 and my pix is set to 200.200.200.202 but I seem to only be able to ping 200.200.200.201. Maybe I need to fix a setting on my router?

(obviously the IP's have been changed)
0
 

Author Comment

by:klause2
ID: 10660722
Never mind I'm an idiot. It works I just have to ping it fro outside my network. I'm dumb. Thanks for the help.
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
On Feb. 28, Amazon’s Simple Storage Service (S3) went down after an employee issued the wrong command during a debugging exercise. Among those affected were big names like Netflix, Spotify and Expedia.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

615 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question