Solved

Cisco Pix 501 ( Mail server not Accessible for Double Domains )

Posted on 2004-10-04
22
367 Views
Last Modified: 2013-11-16
Hello All;

  This is right confusing.
  I have my Cisco Pix 501 Router set up perfectly.
I have added in another Host into my Mail server, with its own
Static IP Address, so that this Host will be able to reach the
[Web Mail] interface of our Mail Server. This is a must for this
Particular domain.
I have set up the "ACL" to match my existing "Mail IP Address"
So that it will work identical to it.
Now I am able to send/receive mail, but it is Extremely slow.
I am talking 5-10 minutes for receipt, and up to 20 minutes for
Delivery. This was not the case when the Mail domain did not have
A "Static IP" but was running on a Virtual IP Address within the Mail Server.

==========
Summary:
------------
  When I type in the "In house" IP address to the mail server for this
Particular domain, It resolves it perfectly, and brings up the "Web Mail".
But when I type in the actual domain.
example:  mail.domain.com
It will not resolve at all.
mail.ipaddress   <-- resolves to nothing.
http:// ipaddress  <-- nothing.
http://  inhouse ipaddress <-- Works like a charm.

This is what makes me think that maybe it could be the Pix Router?
But not really sure.

In case you are wondering: yes, there is a record in DNS for it.
MX : mail.domain.com
A  .  xx.xxx.xxx.81  <-- Ip address for Domain in mail server
A  . xx.xxx.xxx.82 <-- Primary IP Address for Mail Domain. ( Works great )

Here are my logs so that you can see what is going on.
Actual IP blocked with....   xx.xxx.xxx.

I really am not sure if it is even the router? So I am going
To post this question with a 20-point reward.
If it turns out to be the config, I will add an additional 30-points.
To the Point Reward. To make it 50-Points
=============Config's============
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service web tcp
  description web traffic
  port-object eq www
  port-object eq https
access-list outside_in permit tcp any host xx.xxx.xxx.76 object-group web
access-list outside_in permit tcp any host xx.xxx.xxx.77 object-group web
access-list outside_in permit tcp any host xx.xxx.xxx.78 object-group web
access-list outside_in permit tcp any host xx.xxx.xxx.79 object-group web
access-list outside_in permit tcp any host xx.xxx.xxx.80 object-group web
access-list outside_in permit udp any host xx.xxx.xxx.76 eq domain
access-list outside_in permit udp any host xx.xxx.xxx.78 eq domain
access-list outside_in permit tcp any host xx.xxx.xxx.76 eq ftp

access-list outside_in permit tcp host 204.74.100.10 host xx.xxx.xxx.76 eq domain
access-list outside_in permit tcp host 204.74.97.97 host xx.xxx.xxx.76 eq domain
access-list outside_in permit tcp host 204.74.104.97 host xx.xxx.xxx.76 eq domain

access-list outside_in permit tcp any host xx.xxx.xxx.82 eq smtp
access-list outside_in permit tcp any host xx.xxx.xxx.82 eq pop3
access-list outside_in permit tcp any host xx.xxx.xxx.82 eq 8181
access-list outside_in permit tcp any host xx.xxx.xxx.82 eq www
access-list outside_in permit tcp any host xx.xxx.xxx.82 eq 8384

access-list outside_in permit tcp any host xx.xxx.xxx.84 eq 1755
access-list outside_in permit tcp any host xx.xxx.xxx.83 object-group web
access-list outside_in remark File Program TCP Connection
access-list outside_in permit tcp any host xx.xxx.xxx.89 eq 4662
access-list outside_in remark File Program UDP
access-list outside_in permit udp any host xx.xxx.xxx.89 eq 4672
access-list outside_in permit tcp any host xx.xxx.xxx.84 eq 554
access-list outside_in permit udp any host xx.xxx.xxx.84 eq 1755
access-list outside_in permit udp any host xx.xxx.xxx.84 eq 5004

access-list outside_in permit tcp any host xx.xxx.xxx.81 eq 8181
access-list outside_in permit tcp any host xx.xxx.xxx.81 eq www
access-list outside_in permit tcp any host xx.xxx.xxx.81 eq 8384
access-list outside_in permit tcp any host xx.xxx.xxx.81 eq pop3
access-list outside_in permit tcp any host xx.xxx.xxx.81 eq smtp

access-list outside_in permit tcp host 204.74.100.10 host xx.xxx.xxx.77 eq domain
access-list outside_in permit tcp host 204.74.97.97 host xx.xxx.xxx.77 eq domain

access-list outside_in permit tcp host 204.74.104.97 host xx.xxx.xxx.77 eq domain
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xx.xxx.xxx.85 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.176 255.255.255.255 inside
pdm location 192.168.1.177 255.255.255.255 inside
pdm location 192.168.1.178 255.255.255.255 inside
pdm location 192.168.1.179 255.255.255.255 inside
pdm location 192.168.1.180 255.255.255.255 inside
pdm location 192.168.1.181 255.255.255.255 inside
pdm location 192.168.1.182 255.255.255.255 inside
pdm location 192.168.1.175 255.255.255.255 inside
pdm location 192.168.1.183 255.255.255.255 inside
pdm location 192.168.1.184 255.255.255.255 inside
pdm location 192.168.1.185 255.255.255.255 inside
pdm location 192.168.1.186 255.255.255.255 inside
pdm location 192.168.1.187 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.0 outside
pdm location xx.xxx.xxx.75 255.255.255.255 outside
pdm location 204.74.97.97 255.255.255.255 outside
pdm location 204.74.100.10 255.255.255.255 outside
pdm location 204.74.104.97 255.255.255.255 outside
pdm location 192.168.1.188 255.255.255.255 inside
pdm location 192.168.1.189 255.255.255.255 inside
pdm location 192.168.1.190 255.255.255.255 inside
pdm location 192.168.1.191 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 xx.xxx.xxx.87
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) xx.xxx.xxx.76 192.168.1.176 netmask 255.255.255.255 0 0

static (inside,outside) xx.xxx.xxx.77 192.168.1.177 netmask 255.255.255.255 0 0

static (inside,outside) xx.xxx.xxx.78 192.168.1.178 netmask 255.255.255.255 0 0
static (inside,outside) xx.xxx.xxx.79 192.168.1.179 netmask 255.255.255.255 0 0

static (inside,outside) xx.xxx.xxx.80 192.168.1.180 netmask 255.255.255.255 0 0

static (inside,outside) xx.xxx.xxx.81 192.168.1.181 netmask 255.255.255.255 0 0

static (inside,outside) xx.xxx.xxx.82 192.168.1.182 netmask 255.255.255.255 0 0

static (inside,outside) xx.xxx.xxx.75 192.168.1.175 netmask 255.255.255.255 0 0

static (inside,outside) xx.xxx.xxx.83 192.168.1.183 netmask 255.255.255.255 0 0

static (inside,outside) xx.xxx.xxx.84 192.168.1.184 netmask 255.255.255.255 0 0

static (inside,outside) xx.xxx.xxx.85 192.168.1.185 netmask 255.255.255.255 0 0

static (inside,outside) xx.xxx.xxx.86 192.168.1.186 netmask 255.255.255.255 0 0

static (inside,outside) xx.xxx.xxx.87 192.168.1.187 netmask 255.255.255.255 0 0

static (inside,outside) xx.xxx.xxx.88 192.168.1.188 netmask 255.255.255.255 0 0
static (inside,outside) xx.xxx.xxx.90 192.168.1.190 netmask 255.255.255.255 0 0

static (inside,outside) xx.xxx.xxx.89 192.168.1.189 netmask 255.255.255.255 0 0

static (inside,outside) xx.xxx.xxx.91 192.168.1.191 netmask 255.255.255.255 0 0

access-group outside_in in interface outside
route outside 0.0.0.0 255.255.255.0 xx.xxx.xxx.85 1
route outside 0.0.0.0 0.0.0.0 xx.xxx.xxx.85 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd dns xx.xxx.xxx.83 192.168.1.178
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:509953bc3e02bb7c840ba4946cf2ce9d
: end
============End Config's===========

Thank you
Carrzkiss
0
Question by:Wayne Barron
22 Comments
 
LVL 79

Expert Comment

by:lrmoore
Can you post result of "show access-list" pasting only this part, showing the (hitcount= )
>access-list outside_in permit tcp any host xx.xxx.xxx.81 eq 8181
access-list outside_in permit tcp any host xx.xxx.xxx.81 eq www
access-list outside_in permit tcp any host xx.xxx.xxx.81 eq 8384
access-list outside_in permit tcp any host xx.xxx.xxx.81 eq pop3
access-list outside_in permit tcp any host xx.xxx.xxx.81 eq smtp

If you are trying to access by resolving DNS to the public IP, then you need alias

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml

0
 
LVL 30

Author Comment

by:Wayne Barron
access-list outside_in line 26 permit tcp any host xx.xxx.xxx.81 eq 8181 (hitcnt=0)
access-list outside_in line 27 permit tcp any host xx.xxx.xxx.81 eq www (hitcnt=0)
access-list outside_in line 28 permit tcp any host xx.xxx.xxx.81 eq 8384 (hitcnt=0)
access-list outside_in line 29 permit tcp any host xx.xxx.xxx.81 eq pop3 (hitcnt=0)
access-list outside_in line 30 permit tcp any host xx.xxx.xxx.81 eq smtp (hitcnt=0)

The following link does not exist
http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml

thank you
0
 
LVL 79

Expert Comment

by:lrmoore
Are you trying to access the public IP from inside the network, or from outside?
You need a CCO account to access the actual link. Here's the text:
Introduction
This document explains the use of the alias command on the Cisco Secure PIX Firewall.

The alias command has two possible functions:

It can be used to do "DNS Doctoring" of DNS replies from an external DNS server.

In DNS Doctoring, the PIX "changes" the DNS response from a DNS server to be a different IP address than the DNS server actually answered for a given name.

This process is used when we want the actual application call from the internal client to connect to an internal server by its internal IP address.

It can be used to do "Destination NAT" (dnat) of one destination IP address to another IP address.

In dnat, the PIX "changes" the destination IP of an application call from one IP address to another IP address.

This process is used when we want the actual application call from the internal client to the server in a perimeter (dmz) network by its external IP address. This does not "doctor" the DNS replies.
For example, if a host sends a packet to 99.99.99.99, you can use the alias command to redirect traffic to another address, such as 10.10.10.10. You can also use this command to prevent conflicts when you have IP addresses on a network that are the same as those on the Internet or another intranet. For more information, consult the PIX documentation.

Hardware and Software Versions
The information in this document is based on the software and hardware versions below.


Cisco Secure PIX Firewall Software Releases 5.0.x and later

Translating an Internal Address with DNS Doctoring
In the first example, the web server has an IP address of 10.10.10.10, and the global IP address of this web server is 99.99.99.99.

Note: The DNS server is on the outside. Verify that the DNS server resolves your domain name to the global IP address of the web server by issuing an nslookup command. The result of the nslookup on the client PC should be the internal IP address of the server (10.10.10.10), because the DNS reply gets doctored as it passes through the PIX.

Also note that, for DNS fixup to work properly, proxy-arp has to be disabled. If you are using the alias command for DNS fixup, disable proxy-arp with the following command after the alias command has been executed.

sysopt noproxyarp internal_interface

Network Diagram


If we want the machine with the IP address 10.10.10.25 to access this web server by its domain name (www.mydomain.com), we need to implement the alias command as follows:

alias (inside) 10.10.10.10 99.99.99.99 255.255.255.255
!--- This command sets up DNS Doctoring. It is initiated from the clients in
!--- the "inside" network. It watches for DNS replies that contain
!--- 99.99.99.99, then replaces the 99.99.99.99 address with the 10.10.10.10
!--- address in the "DNS reply" sent to the client PC.

Next, a static translation must be created for the web server, and we need to give anyone on the Internet access to the web server on port 80 (http):

static(inside,outside) 99.99.99.99 10.10.10.10 netmask 255.255.255.255
!--- This command creates a static translation between the web server's
!--- real address 10.10.10.10 to the global IP address 99.99.99.99.

To grant permission for access, you should use access list commands, as shown below.

access-list 101 permit tcp any host 99.99.99.99 eq www
access-group 101 in interface outside
!--- These commands permit any outside user to access the web server on port 80.

If you prefer the older syntax, you can use a conduit command as follows.

conduit permit tcp host 99.99.99.99 eq www any
!--- This command permits any outside user to access the web server on port 80.
Translating a DMZ Address with Destination NAT
If the web server is on the DMZ network of the PIX, the alias command must be used to do Destination NAT (dnat). In our example, the web server on the DMZ has an IP address of 192.168.100.10, and the outside IP address for this web server is 99.99.99.99. We want to use dnat to translate the IP address 99.99.99.99 to 192.168.100.10 on the actual call to the server; the DNS call and reply will be unchanged. In this example the DNS response seen by the internal client PC will be the external 99.99.99.99 IP address, since it is not DNS doctored.

Network Diagram


In this example, we want machines in the 10.10.10.0 /24 network to access this web server in the DMZ by its external domain name (www.mydomain.com). We do not want the PIX to do DNS Doctoring of the DNS replies. Instead, we want the PIX to dnat the external (global) IP Address of the web server to its "real" DMZ address (192.168.100.10).

We need to use the alias command to perform dnat:

alias(inside) 99.99.99.99 192.168.100.10 255.255.255.255
!--- This sets up the Destination NAT. In this example the DNS reply is not
!--- doctored by the PIX because the external address (99.99.99.99) does not
!--- match the foreign IP address in the alias command (the second IP).
!--- But the call will be "dnat-ed" because the destination address
!--- in the call will match the dnat IP address in the alias command (the first IP).

Note: The IP addresses in the alias command are in reverse order compared with the example above for DNS Doctoring.

Next, a static translation must be created for the web server, and we need to give anyone on the Internet access to the web server on port 80 (http):

static(dmz,outside) 99.99.99.99 192.168.100.10 netmask 255.255.255.255
!--- This command creates a static translation between the web server's
!--- real address 192.168.100.10 to the global IP address 99.99.99.99.
To grant permission for access, you should use access list commands, as shown below.

access-list 101 permit tcp any host 99.99.99.99 eq www
access-group 101 in interface outside
!--- These commands permit any outside user to access the web server on port 80.
If you prefer the older syntax, you can use a conduit command as follows.

conduit permit tcp host 99.99.99.99 eq www any
!--- This command permits any outside user to access the web server on port 80.
Other Configuration Notes

The interface in the alias command should be the "interface" that the clients are calling from.

If there are also clients on the DMZ, you could add another alias for the DMZ interface (this one would be DNS doctoring).

For instance, let's say that, in the example above, you want other clients on the DMZ to use the external DNS but to call the web server by its DMZ address. To do this, you would create an additional alias command, tied to the DMZ interface, in order to DNS doctor the DNS reply packets.
alias (dmz) 192.168.100.10 99.99.99.99 255.255.255.255
!--- This command sets up DNS Doctoring. It is initiated from the clients in
!--- the "dmz" network. It watches for DNS replies that contain
!--- 99.99.99.99, then replaces the 99.99.99.99 address with the 192.168.100.10
!--- address in the "DNS reply" sent to the client PC.
You can have multiple alias commands tied to different interfaces on the same PIX.
0
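The "DNS Doctoring" half of the alias command described in the tech note above, as an added, stand-alone illustration (not Cisco's code and not from this thread): a DNS reply is parsed in wire format, and any A record whose rdata matches the global address in the alias table is rewritten to the inside address before the reply reaches the client. The alias table, the 99.99.99.99 / 10.10.10.10 pair and the reply packet are constructed test data taken from the tech note's example; a /32 alias mask is assumed.

```python
import struct
import ipaddress

# Constructed alias table modeled on the tech note's first example:
#   alias (inside) 10.10.10.10 99.99.99.99 255.255.255.255
# i.e. the global address a reply contains -> the inside address the client should use.
# A /32 mask is assumed; the PIX netmask argument is not modeled here.
ALIAS_TABLE = {"99.99.99.99": "10.10.10.10"}


def encode_name(name):
    """Encode a dotted name in DNS wire format (labels, no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_reply(txid, name, addresses, ttl=300):
    """Build a minimal DNS response carrying one A record per address (constructed test data)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answers = b""
    for addr in addresses:
        answers += b"\xc0\x0c"  # compression pointer back to the question name at offset 12
        answers += struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(addr).packed
    return header + question + answers


def skip_name(pkt, off):
    """Return the offset just past the name starting at off (handles a compression pointer)."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def iter_answers(pkt):
    """Yield (rdata_offset, rtype, rclass, rdlen) for every record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", pkt[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(pkt, off) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        yield off, rtype, rclass, rdlen
        off += rdlen


def answer_addresses(pkt):
    """List the IPv4 addresses of the A records in a reply, in order."""
    return [str(ipaddress.IPv4Address(bytes(pkt[o:o + 4])))
            for o, rtype, rclass, rdlen in iter_answers(pkt)
            if rtype == 1 and rclass == 1 and rdlen == 4]


def doctor_reply(pkt, alias_table):
    """Rewrite A-record rdata that matches the alias table, as the PIX does on replies
    entering the interface named in the alias. Returns (new_packet, [(old, new), ...]).
    Records that do not match are left untouched, as are non-A records."""
    pkt = bytearray(pkt)
    rewritten = []
    for off, rtype, rclass, rdlen in iter_answers(pkt):
        if rtype != 1 or rclass != 1 or rdlen != 4:
            continue
        seen = str(ipaddress.IPv4Address(bytes(pkt[off:off + 4])))
        if seen in alias_table:
            pkt[off:off + 4] = ipaddress.IPv4Address(alias_table[seen]).packed
            rewritten.append((seen, alias_table[seen]))
    return bytes(pkt), rewritten


if __name__ == "__main__":
    reply = build_a_reply(0x1234, "www.mydomain.com", ["99.99.99.99"])
    doctored, changes = doctor_reply(reply, ALIAS_TABLE)
    print(answer_addresses(reply), "->", answer_addresses(doctored), changes)
```

The rewrite keeps the packet length unchanged, which is why the PIX can do it in-line; replies for names that resolve to addresses not in the alias table pass through untouched.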
 
LVL 30

Author Comment

by:Wayne Barron
Hello [lrmoore];

  A lot of reading :-)

  Ok, got a question for you?
  I may be misunderstanding the concept behind the "Alias" in the PIX, so if I am,
Please correct me.

  We have 4 domains currently, all domains are reachable from outside/inside the Pix.
  Mail server works outside/inside the Pix. ( Primary Domain Mail )

Why if the other Domains & Mail Domain ( Primary Domain ) work.
Would this be because the "Alias" needs to be in place for the
mail.SecondDomain.com ? = xx.xxx.xxx.81 --> Translates Inhouse 192.168.1.181
To work? As right now, I am only able to connect to the SecondDomain.com
"WebMail Interface" by use of the
192.168.1.181  ...  
As for the Primary Mail Domain. I type in its mail.domain.com and voila,
I am there, with no problems ( Inside/Outside ) the Pix.

Is this correct?
0
 
LVL 30

Author Comment

by:Wayne Barron
[Quote]Are you trying to access the public IP from inside the network, or from outside?[/Quote]
Inside & Outside the Pix. Should not matter, as all other domains are reachable, with
No problems.

[Quote]You need a CCO account to access the actual link. Here's the text:[/Quote]
   That does not make sense in my case, as I am able to reach All
Domains by their "Link" mail.domain.com  www.domain.com and so forth

Confused.

0
 
LVL 79

Expert Comment

by:lrmoore
You've got multiple issues here
Let's start from outside the firewall, public at large.
If I send email to user@primarydomain.com, my dns server helps me resolve MX records to mail.primarydomain.com, with A record of your Public IP address xx.xxx.xxx.82
Same if I send email to user@seconddomain.com, dns resolves MX record to mail.seconddomain.com, with A record of your public IP address xx.xxx.xxx.81
Same if I send email to user@thirddomain.com, MX = mail.thirddomain.com, A record = xx.xxx.xxx.83
All mail gets sent directly to TCP port 25, directed to each of the respective A record public IP address
Same with web interface. www.primarydomain.com A record = xx.xxx.xxx.81, www.seconddomain.com A record = xx.xxx.xxx.82, etc.

Now, if I am on the INside of the firewall, if I want to get to any of these servers, and I type http://www.primarydomain.com, my LOCAL DNS server should resolve that not to the public ip, but to the private ip 192.168.1.181
Same with all the others. The LOCAL DNS server should always resolve to the private IP address. This is assuming of course, that you have a primary DNS for your domains located somewhere outside your local LAN, and you have another DNS server inside your local LAN that only handles private IP's...

IF - you have only one DNS server, and it serves both the public and the private LAN, or for some reason cannot resolve locally to private IP addresses, then you can use the "alias".
If I type in www.seconddomain.com and the DNS server (outside the PIX) returns xx.xxx.xxx.82, then the alias will intercept the dns return, swap that out to present my resolver with the private ip 192.168.1.181
0
 
LVL 79

Expert Comment

by:lrmoore
>The following link does not exist
http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml

Yes, it does exist, but you must have a Cisco CCO login account to view it.
If you can't get to http://www.cisco.com, then you have a serious DNS issue.

Have you tried getting a dnsreport on each of your domain names?
http://www.dnsreport.com
0
 
LVL 30

Author Comment

by:Wayne Barron
The link finally popped up a :Login Dialog:
Cannot remember if I have an account for CCO or not.
I know that I have an account with them, but do not know if CCO
Is covered under it.

I will do some checking. and see what I can find out.

p.s.
  The PIX works great, there are no issues with it whatsoever.
DNS works great as well. No issues either.

I will check in on the CCO account, and see if I have one?

At the present time, I only have DNS Server(s) behind the PIX.
I am thinking about putting one of them outside of the PIX, but
Not right this moment.
Primary DNS --> Backup DNS

Also, Can I use "CCO" if I do not have an account? Does it cost to have the CCO Account?

Also;
Would this be accurate?

10.10.10.10.   -->Resolved to: --> 192.168.1.181
99.99.99.99.   -->Resolved to: --> xx.xxx.xxx.81  
Is this correct above?
If so, then would this be correct?

alias (inside) 192.168.1.181 xx.xxx.xxx.81 255.255.255.255
static(inside,outside)xx.xxx.xxx.81 192.168.1.181 netmask 255.255.255.255
access-list 101 permit tcp any host xx.xxx.xxx.81 eq www
access-group 101 in interface outside

DNAT
alias(inside)xx.xxx.xxx.81 192.168.1.181 255.255.255.255

static(dmz,outside) xx.xxx.xxx.81 192.168.1.181 netmask 255.255.255.255

access-list 101 permit tcp any host xx.xxx.xxx.81 eq www
access-group 101 in interface outside

conduit permit tcp host xx.xxx.xxx.81 eq www any

Thank you
0
 
LVL 79

Expert Comment

by:lrmoore
YES:
>alias (inside) 192.168.1.181 xx.xxx.xxx.81 255.255.255.255
>static(inside,outside)xx.xxx.xxx.81 192.168.1.181 netmask 255.255.255.255
>access-list 101 permit tcp any host xx.xxx.xxx.81 eq www
>access-group 101 in interface outside

PLUS, you must add this (in the fine print of the link):
   sysopt noproxyarp inside


0
 
LVL 30

Author Comment

by:Wayne Barron

>alias (inside) 192.168.1.181 xx.xxx.xxx.81 255.255.255.255
>static(inside,outside)xx.xxx.xxx.81 192.168.1.181 netmask 255.255.255.255
>access-list 101 permit tcp any host xx.xxx.xxx.81 eq www
>access-group 101 in interface outside
 
(in the fine print of the link):
sysopt noproxyarp inside

Do not follow? ( Sorry, I know something simple )

0
 
LVL 79

Expert Comment

by:lrmoore
Just add this command to the config after you add the alias command:

pix(config)#sysopt noproxyarp inside



0
 
LVL 30

Author Comment

by:Wayne Barron
I tried it?

alias (inside) 192.168.1.181 xx.xxx.xxx.81 255.255.255.255
static(inside,outside)xx.xxx.xxx.81 192.168.1.181 netmask 255.255.255.255
access-list 101 permit tcp any host xx.xxx.xxx.81 eq www
access-group 101 in interface outside
pix(config)#sysopt noproxyarp inside

And this is what it looks like when I try to [Paste To Host]
=========================
pixfirewall# alias (inside) 192.168.1.181 xx.xxx.xxx.81 255.255.255.255
Type help or '?' for a list of available commands.
pixfirewall# static(inside,outside)xx.xxx.xxx.81 192.168.1.181 netmask 255.255$
Type help or '?' for a list of available commands.
pixfirewall# access-list 101 permit tcp any host xx.xxx.xxx.81 eq www
Type help or '?' for a list of available commands.
pixfirewall# access-group 101 in interface outside
Type help or '?' for a list of available commands.
pixfirewall# pix(config)#sysopt noproxyarp inside
Type help or '?' for a list of available commands.

=========================

So no records are being inserted.

This already existed to begin with
static(inside,outside)xx.xxx.xxx.81 192.168.1.181 netmask 255.255.255.255
## In mine it has the "2 x 0's " at the end......                   255.255.255.255 0 0

These "2" I was pretty sure they existed, but cannot locate them in the [Show Run]
Do not know how they would appear, or where they would appear

access-list 101 permit tcp any host xx.xxx.xxx.81 eq www
access-group 101 in interface outside

=========================

I do not know? I am at a loss, and am getting tired of messing with it for now.
I will try it again tomorrow sometime. And see if I can find something that is amiss.

I am awaiting a person right now, that is running the same Mail Server as me,
That is doing what I am "trying" to do. So I will see what he says.

Take Care and thank you, in hopes that I have not aggravated you too much today.
Over this mess.

Carrzkiss
0
 
LVL 79

Expert Comment

by:lrmoore
Oh, you can't just cut/paste this:

>pix(config)#sysopt noproxyarp inside

Just cut/paste this part:
     sysopt noproxyarp inside

And you can't cut/paste the "xxx.xx" placeholders...

>pixfirewall# alias (inside) 192.168.1.181 xx.xxx.xxx.81 255.255.255.255
Tells me you are not in "config" mode:

pixfirewall#config term
pixfirewall(config)#   <== now you can cut/paste, make changes..

Whew! Lot of work for a measly 20 points don't you think?
0
 
LVL 30

Author Comment

by:Wayne Barron
:-)
 ''''''''''''''''''''''''''''''
And you can't cut/paste the "xxx.xx" placeholders...
''''''''''''''''''''''''''''

 Trust me, I changed the ...  xx.xxx.xxx.81
To its actual IP Address.

No offense, but I am not that new to computers, Just new to the PIX.
Certain things are a given, and are common sense.

Yep, I forgot about the " config term" part.

It is all pasted in. And nothing works. So?? That is it.


==
Whew! Lot of work for a measly 20 points don't you think?
==

This is listed in the Original Posting.

[Quote]
I really am not sure if it is even the router? So I am going
To post this question with a 20-point reward.
If it turns out to be the config, I will add an additional 30-points.
To the Point Reward. To make it 50-Points
[/Quote]
0
 
LVL 79

Expert Comment

by:lrmoore
OK, OK, just joshing about the points, trying to keep it jovial...All I care about is helping you out..

>It is all pasted in. And nothing works. So?? That is it.

Nothing works? At all? Did it break everything that was already working?
Or was there no change in those things that already didn't work?

Can you post your resulting complete config?

0
 
LVL 30

Author Comment

by:Wayne Barron
Yep.

  Mail server is done. through the network, but not on the Machine.
 Web is done...............

  This is a dag-on nightmare!!!!!!!!!!!!!!!

  Forget it, I will figure something out.
0
 
LVL 79

Expert Comment

by:lrmoore
Best of luck to you!

Post back here whatever you figure out..

0
 
LVL 30

Author Comment

by:Wayne Barron
Figured Out?

  In the [ Device Manager ] All the " Access Rules " are gone.
Except the [ Implicit Outbound Rule ]
All other rules that I made are gone?

  Viewing the Hyper Terminal
Everything is in there?
Very strange situation here.

Once I submitted what you gave me, it got rid of the " ACL's " in the Device Manager
But why is it still showing when I go into Config in "Hyper Terminal " ??

Any ideas ?

  would it be best to reset everything back to factory Defaults.
And then put everything back in again?

  I need to know something a.s.a.p.
More for Mail, than anything.

  I am having to Refresh this page in order to find out if a post is made.
This is a pain in the butt
0
 
LVL 79

Expert Comment

by:lrmoore
Sounds like a big "oops"...

What happens if you put this back in:

  access-group outside_in in interface outside

You probably just over-wrote that with this:
  >access-group 101 in interface outside
0
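The "oops" lrmoore describes above comes from a PIX rule that is easy to miss: only one access-group can be bound to an interface in a given direction, so applying `101` to `outside` silently replaced `outside_in` and every entry it carried. As an added example (not Cisco's tool and not from this thread), here is a small checker over a PIX 6.x config that reports such replacements with the entries that stopped applying, and that also pairs each alias line with its static to say whether it is written in DNS-doctoring or destination-NAT order. The config excerpt is constructed to mirror the thread, with 203.0.113.x standing in for the post's xx.xxx.xxx.x placeholders.

```python
import re
from collections import defaultdict

# Constructed config excerpt modeled on the thread: the original binding for the
# outside interface, then the pasted tech-note lines that bound a second ACL to
# the same interface. 203.0.113.x stands in for the post's xx.xxx.xxx.x placeholders.
CONFIG = """\
access-list outside_in permit tcp any host 203.0.113.81 eq www
access-list outside_in permit tcp any host 203.0.113.81 eq smtp
access-list outside_in permit tcp any host 203.0.113.82 eq smtp
access-list outside_in remark mail hosts
access-group outside_in in interface outside
alias (inside) 192.168.1.181 203.0.113.81 255.255.255.255
static (inside,outside) 203.0.113.81 192.168.1.181 netmask 255.255.255.255 0 0
access-list 101 permit tcp any host 203.0.113.81 eq www
access-group 101 in interface outside
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(.+)$")
AG_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)$")
ALIAS_RE = re.compile(r"^alias\s*\((\S+)\)\s*(\S+)\s+(\S+)\s+(\S+)$")
STATIC_RE = re.compile(r"^static\s*\((\S+),(\S+)\)\s*(\S+)\s+(\S+)\s+netmask\s+(\S+)")


def parse_config(text):
    """Collect ACL entries, access-group bindings, alias and static lines from a PIX 6.x config."""
    cfg = {"acls": defaultdict(list), "bindings": [], "aliases": [], "statics": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            cfg["acls"][m.group(1)].append(f"{m.group(2)} {m.group(3)}")
            continue
        m = AG_RE.match(line)
        if m:
            cfg["bindings"].append((m.group(1), m.group(2), m.group(3)))
            continue
        m = ALIAS_RE.match(line)
        if m:
            cfg["aliases"].append((m.group(1), m.group(2), m.group(3)))
            continue
        m = STATIC_RE.match(line)
        if m:
            # (real_interface, mapped_interface, global_ip, local_ip)
            cfg["statics"].append((m.group(1), m.group(2), m.group(3), m.group(4)))
    return cfg


def check_bindings(cfg):
    """Flag a second access-group on the same interface/direction: the PIX keeps only the
    last one, so every entry of the earlier ACL that the new ACL lacks silently stops applying.
    Returns [(new_acl, replaced_acl, interface, [lost entries]), ...]."""
    findings, bound = [], {}
    for name, direction, iface in cfg["bindings"]:
        key = (iface, direction)
        old = bound.get(key)
        if old and old != name:
            lost = [e for e in cfg["acls"][old] if e not in cfg["acls"][name]]
            findings.append((name, old, iface, lost))
        bound[key] = name
    return findings


def classify_aliases(cfg):
    """Pair each alias with a static and name its mode, following the tech note:
    DNS doctoring is alias (if) LOCAL GLOBAL with static GLOBAL -> LOCAL;
    destination NAT is alias (if) GLOBAL LOCAL with the same static."""
    pairs = {(g, l) for _real, _mapped, g, l in cfg["statics"]}
    out = []
    for iface, first, second in cfg["aliases"]:
        if (second, first) in pairs:
            out.append((iface, first, second, "dns-doctoring"))
        elif (first, second) in pairs:
            out.append((iface, first, second, "dnat"))
        else:
            out.append((iface, first, second, "no matching static"))
    return out


if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    for new, old, iface, lost in check_bindings(cfg):
        print(f"access-group {new} replaced {old} on {iface}; {len(lost)} entries no longer applied: {lost}")
    print(classify_aliases(cfg))
```

The fix lrmoore gives, re-applying `access-group outside_in in interface outside`, is exactly what the first finding points at; adding the new permit lines to the existing ACL instead of creating `101` avoids the problem altogether.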
 
LVL 30

Author Comment

by:Wayne Barron
OK, That got it back to working.
It is now showing up everything in the [Device Manager]
That was a quick fix.
Thanks for that.

Sites & Mail are back to working now.

Unfortunately, The other Domain's Mail.domain.com Web mail Interface is not working.

But it's web site is, always has been,
So I am going to leave it as is, until I hear from that other guy.

I will post back in here what ever my findings/fixes are.

Take Care
Thanks
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 20 total points
Whew! Keeping my fingers crossed!

- Cheers!
0
 
LVL 30

Author Comment

by:Wayne Barron
lrmoore;

  Even though you were unable to assist me in getting the other domain to use its Assigned IP
You did spend a lot of time in here assisting me in this issue. So I am going to give you the points.
Not for the information, but for your time.
You are a good person. EE is lucky to have you in here.

Take Care
Carrzkiss
0
