Complete Pix 501 6.3(3) Configuration with www & smtp server on inside interface

Posted on 2004-09-15
Last Modified: 2013-11-16
A week ago, our company bought a Cisco Pix 501 that I have been trying to set up - without luck I'm afraid. Now I have reset my configuration (configure factory-default) over telnet and want to start right this time.

My question is as follows:
I need to set up access to a server on the inside that is running Exchange Server 2000 (smtp/25), IIS (www/80), Ftp (ftp/20+21).

Scheme:
Internet->Router->Pix->Inside Network
Pix Ip config:
Ethernet0 (outside): DHCP (X.157.33.244 netmask 255.255.255.240 gateway X.217.157.33.241)
Ethernet1 (inside): 192.168.1.1

Server Ip address (on inside interface): 192.168.1.100
A-Records and MX-Records are set up pointing to the server at: X.157.33.247
Explanation: When mail and www requests are sent to X.157.33.247, they should be redirected/mapped to 192.168.1.100.

Please, if you could, write me how to configure this the right way.

Also if you could tell me how to open additional ports directing to the same server ip at a later time.
Question by:martingents
Accepted Solution by: lrmoore (ID: 12063831)
Basic commands to get you started:

ip address outside dhcp setroute
ip address inside 192.168.1.1
global (outside) 1 interface
nat (inside) 1 0 0
static (inside,outside) x.157.33.247 192.168.1.100 netmask 255.255.255.255
access-list outside_in permit tcp any host x.157.33.247 eq smtp
access-list outside_in permit tcp any host x.157.33.247 eq http
access-list outside_in permit tcp any host x.157.33.247 eq ftp
access-list outside_in permit tcp any host x.157.33.247 eq ftp-data
access-group outside_in in interface outside
no fixup protocol smtp 25

To add more ports to the same server in the future, just add the appropriate access-list entry, then re-apply the acl to the interface (required after changes).

Author Comment by: martingents (ID: 12065478)
Thank you for your quick response lrmoore, however I still experience some problems.

I have added the script that you suggested, and I have tested that smtp mail IS working both in/out - perfect. Ftp and http, however, are non-functioning, at least not from the inside (DHCP client, example 192.168.1.2) when searching for the corresponding X.x.com (FQDN for X.217.157.33.247).

Note that I have two sites running in my IIS on the same port (80), but with different dns-names - this always worked before. The FTP also worked before (before the Pix, that is).

I have included my config, excluding passwords, names and so on. Maybe this will help:
: Saved
: Written 14:05:38.589 UTC Wed Sep 15 2004
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd encrypted
hostname x
domain-name x.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside-in permit tcp any host X.157.33.247 eq smtp
access-list outside-in permit tcp any host X.157.33.247 eq www
access-list outside-in permit tcp any host X.157.33.247 eq ftp
access-list outside-in permit tcp any host X.157.33.247 eq ftp-data
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside X.157.33.242 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.100 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 X.157.33.248-X.157.33.252 netmask 255.255.255.240
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) X.157.33.247 192.168.1.100 netmask 255.255.255.255 0 0

access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 X.157.33.241 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns X.242.40.51 X.242.40.3
dhcpd wins 192.168.1.100
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain X.local
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Author Comment by: martingents (ID: 12066805)
*** New Info ***

A friend of mine tested the services from the outside, and everything seems to work - Perfect!

I still, however, cannot access inside network resources by requesting them by their global IP, i.e. X.217.157.33.247

Has this something to do with a loop-back command or something similar?

Other than that, thanks a lot lrmoore! :)
Expert Comment by: lrmoore (ID: 12066882)
Your issue is that from an inside client, going to an inside host, you cannot use the public IP address; you must use the private IP.
Alternatives include:
- Use the alias command on the PIX to fix up DNS
http://www.cisco.com/warp/public/110/alias.html

- Use internal DNS that resolves ftp.domain.com to the internal IP vs the public IP
- Use a hosts file to resolve ftp.domain.com to the internal IP vs the public IP
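As an added example (not from the thread and not Cisco's code), the following Python models how the accepted answer's static and access-list lines treat a TCP connection, including the case lrmoore describes above where an inside client uses the public address, and generates the extra access-list lines the original question asked about. It assumes the documentation range 203.0.113.x in place of the masked X.157.33.x prefix and the thread's inside subnet 192.168.1.0/24.

```python
import ipaddress
import re
PORT_NAMES = {"smtp": 25, "http": 80, "www": 80, "ftp": 21, "ftp-data": 20}
# Constructed copy of the accepted answer's NAT/ACL lines; the masked "X." prefix
# is replaced by the documentation range 203.0.113.0/24 (an assumption).
CONFIG = """
static (inside,outside) 203.0.113.247 192.168.1.100 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.247 eq smtp
access-list outside_in permit tcp any host 203.0.113.247 eq http
access-list outside_in permit tcp any host 203.0.113.247 eq ftp
access-list outside_in permit tcp any host 203.0.113.247 eq ftp-data
access-group outside_in in interface outside
"""
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")  # inside subnet from the thread

def parse(config):
    """Collect static (public -> private) mappings and permitted (host, port) pairs."""
    statics, acl = {}, []
    for line in config.strip().splitlines():
        m = re.match(r"static \(inside,outside\) (\S+) (\S+)", line)
        if m:
            statics[m.group(1)] = m.group(2)
        m = re.match(r"access-list \S+ permit tcp any host (\S+) eq (\S+)", line)
        if m:
            name = m.group(2)
            acl.append((m.group(1), int(name) if name.isdigit() else PORT_NAMES[name]))
    return statics, acl

def evaluate(config, src_ip, dst_ip, dst_port):
    """Say what the PIX does with a TCP SYN from src_ip to dst_ip:dst_port."""
    statics, acl = parse(config)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src in INSIDE_NET:
        if dst in INSIDE_NET:
            return "not via firewall: same subnet, the client reaches the host directly"
        if dst_ip in statics:
            # PIX 6.3 cannot hairpin: an inside client must use the private IP
            return "unreachable: inside client used the public IP of an inside host"
        return "permitted: outbound, translated by nat/global"
    if dst_ip not in statics:
        return "dropped: no static translation for " + dst_ip
    if (dst_ip, dst_port) in acl:
        return "permitted: translated to %s:%d" % (statics[dst_ip], dst_port)
    return "denied: implicit deny at the end of the access-list"

def acl_lines_for_new_port(public_ip, port, acl_name="outside_in"):
    # Per the accepted answer: add the entry, then re-apply the ACL to the interface.
    entry = "access-list %s permit tcp any host %s eq %d" % (acl_name, public_ip, port)
    return [entry, "access-group %s in interface outside" % acl_name]
```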
