Paisley-Consulting
asked on
Pix 501 Config Question
I am setting up a Pix 501 with a dynamic address.
I am trying to open up various ports so I can hit my Exchange server from the outside.
Whenever I try and map the Exchange address to the outside address I am unable to get to the internet from my internal network.
Here is the command I am using:
static x.x.x.x (public ip) 192.168.207.101 (exchange server address) netmask 255.255.255.255 0 0
As soon as I take out the above line I am able to get to the internet on my internal network.
I tried using both the interface command and the actual outside address.
Any help would be greatly appreciated.
Thanks
Nick
Here is my current config:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.207.101 EXCHANGE
access-list outside_in permit tcp any host x.x.x.x (public ip) eq https
access-list outside_in permit tcp any host x.x.x.x (public ip) eq pop3
access-list outside_in permit tcp any host x.x.x.x (public ip) eq 995
access-list outside_in permit tcp any host x.x.x.x (public ip) eq 3389
access-list outside_in permit tcp any host x.x.x.x (public ip) eq 52525
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.207.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) interface EXCHANGE netmask 255.255.255.255 0 0
access-group outside_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.207.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.207.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.207.2-192.168.207.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:e99e6daf449db6411711c85a7766e21d
: end
pixfirewall#
ASKER CERTIFIED SOLUTION
ASKER
The static commands worked great, thanks!
I tried typing in
access-list outside_in permit tcp any host interface outside eq https
and got the error message "invalid IP address interface".
I put in the original access list that I tried and it seems to be working fine. Everything internally can get outside and I am able to hit my Exchange Web Server from the outside.
All of my email is directed to another email server (dyndns) for filtering and then I have it coming to port 52525 on my Exchange server.
That is why I don't have port 25 open.
Let me know if this is the correct way to do this.
Thanks
OK, found my bad: take out the 'host' on the access list.
access-list outside_in permit tcp any interface outside eq https
access-list outside_in permit tcp any interface outside eq pop3
access-list outside_in permit tcp any interface outside eq 995
access-list outside_in permit tcp any interface outside eq 3389
access-list outside_in permit tcp any interface outside eq 52525
The reason you would want to use Interface instead of the actual IP address is your outside interface is set to get its IP address via DHCP based on the configuration line "ip address outside dhcp setroute". If the DHCP server assigns a different outside IP address, your inbound access list would need to change to reflect the new IP address. By using 'Interface' instead of the IP address, life will be automatic when the outside IP address changes.
You will also have to disable fixup for smtp with Exchange:
no fixup protocol smtp 25
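The accepted solution is not visible on this page, so the block below is an added example written for this edit; it is neither the answerer's text nor the asker's final config. It pulls the thread's points together in one PIX 6.3(3) fragment: per-port static redirections on the outside interface address in place of the one-to-one `static (inside,outside) interface EXCHANGE ...` from the posted config, the access list written with `interface outside` (no `host` keyword) because the outside address comes from DHCP, and the SMTP fixup disabled. The reading behind the static swap is that a one-to-one static claims the entire outside interface address, which `global (outside) 1 interface` also needs for outbound PAT, which matches the asker's symptom of outbound traffic dying as soon as that line is present; per-port statics claim only the listed ports. Port numbers and the `EXCHANGE` name are taken from the posted config; the admin address 203.0.113.10 and the relay address 198.51.100.25 are placeholders. Comment lines use the `:` prefix, the same style as the `: end` line in the posted config.

```cisco
: Added example, not the thread's accepted answer. Inbound rules for the
: posted PIX 6.3(3) config, using per-port statics instead of a one-to-one
: static on the outside interface address.

: Outbound: PAT every inside host behind the DHCP-assigned outside address
: (unchanged from the posted config).
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

: Inbound: redirect only the listed TCP ports of the outside address to the
: Exchange host. A one-to-one "static (inside,outside) interface EXCHANGE ..."
: takes the whole address away from the PAT above; these take only their ports.
static (inside,outside) tcp interface 443   EXCHANGE 443   netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 110   EXCHANGE 110   netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 995   EXCHANGE 995   netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 52525 EXCHANGE 52525 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389  EXCHANGE 3389  netmask 255.255.255.255 0 0

: ACL: "interface outside" rather than a literal public IP, so a new DHCP
: lease does not break inbound access. No "host" keyword before "interface".
access-list outside_in permit tcp any interface outside eq https
access-list outside_in permit tcp any interface outside eq 995
: Plain POP3 on 110 carries passwords in the clear; keep it only while a
: client really cannot use 995.
access-list outside_in permit tcp any interface outside eq pop3
: The filtering relay delivers on 52525. Left open to "any", anyone can skip
: the filter by connecting to 52525 directly; if the relay has a fixed address
: (198.51.100.25 is a placeholder), pin the source to it.
access-list outside_in permit tcp host 198.51.100.25 interface outside eq 52525
: RDP from "any" is the riskiest entry in the posted list; 203.0.113.10 is a
: placeholder for the one admin address that should reach it.
access-list outside_in permit tcp host 203.0.113.10 interface outside eq 3389
access-group outside_in in interface outside

: Exchange ESMTP and the PIX SMTP fixup (Mailguard) do not get along.
no fixup protocol smtp 25
```

After changing `static` or `nat` lines on a PIX, run `clear xlate` so stale translations are dropped, then check the result with `show xlate` (the per-port entries should appear as the outside interface address with the redirected port) and `show access-list`, whose hit counts show which inbound entries are actually being used. Disabling the SMTP fixup removes the PIX's own SMTP command filtering; in this setup that job sits with the filtering relay in front of port 52525, which is another reason to restrict that entry's source once the relay's address is known.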