Solved

Pix 501 Config Question

Posted on 2004-10-13
Last Modified: 2010-04-10
I am setting up a Pix 501 with a dynamic address.
I am trying to open up various ports so I can hit my Exchange server from the outside.
Whenever I try and map the Exchange address to the outside address I am unable to get to the internet from my internal network.
Here is the command I am using:
static x.x.x.x (public ip) 192.168.207.101 (exchange server address) netmask 255.255.255.255 0 0

As soon as I take out the above line I am able to get to the internet on my internal network.

I tried using both the interface command and the actual outside address.

Any help would be greatly appreciated.

Thanks

Nick

Here is my current config:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.207.101 EXCHANGE
access-list outside_in permit tcp any host x.x.x.x (public ip) eq https
access-list outside_in permit tcp any host x.x.x.x (public ip) eq pop3
access-list outside_in permit tcp any host x.x.x.x (public ip) eq 995
access-list outside_in permit tcp any host x.x.x.x (public ip) eq 3389
access-list outside_in permit tcp any host x.x.x.x (public ip) eq 52525
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.207.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) interface EXCHANGE netmask 255.255.255.255 0 0
access-group outside_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.207.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.207.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.207.2-192.168.207.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:e99e6daf449db6411711c85a7766e21d
: end
pixfirewall#
Question by: Paisley-Consulting

Accepted Solution by: BK1138 (earned 500 total points)
ID: 12304812

Change your access list from

access-list outside_in permit tcp any host x.x.x.x (public ip) eq https
access-list outside_in permit tcp any host x.x.x.x (public ip) eq pop3
access-list outside_in permit tcp any host x.x.x.x (public ip) eq 995
access-list outside_in permit tcp any host x.x.x.x (public ip) eq 3389
access-list outside_in permit tcp any host x.x.x.x (public ip) eq 52525

to

access-list outside_in permit tcp any host interface outside eq https
access-list outside_in permit tcp any host interface outside eq pop3
access-list outside_in permit tcp any host interface outside eq 995
access-list outside_in permit tcp any host interface outside eq 3389
access-list outside_in permit tcp any host interface outside eq 52525

This allows the inbound packets into the pix.  Since the outside interface is PAT overloaded, you have to map not just the IP address, but the IP/port to the correct IP/port on the inside.

so

static (inside,outside) interface EXCHANGE netmask 255.255.255.255 0 0

needs to be changed to

static (inside,outside) tcp interface https EXCHANGE https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 EXCHANGE pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 995 EXCHANGE 995 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 EXCHANGE 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 52525 EXCHANGE 52525 netmask 255.255.255.255 0 0

That should get you going and allow all the other PCs on your internal network to continue to get out.

BK

Expert Comment by: lrmoore
ID: 12304966
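The accepted answer and lrmoore's follow-up both turn on the same point: the outside interface address is already used by dynamic PAT (global (outside) 1 interface), so a 1-to-1 static that claims that whole address swallows the return traffic of every outbound connection, while per-port statics only claim the listed ports. The toy lookup below, added here as an illustration and not taken from the thread or from PIX source code, models that inbound translation decision in simplified form; the outside address 203.0.113.10, the inside PC 192.168.207.20 and the PAT port 1024 are constructed sample values.

```python
"""Simplified model of PIX inbound translation lookup (constructed example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

OUTSIDE_IF = "203.0.113.10"      # assumed DHCP-assigned outside address (placeholder)
EXCHANGE = "192.168.207.101"     # from the posted config: name 192.168.207.101 EXCHANGE


@dataclass
class Xlate:
    """Dynamic PAT entry created when an inside host opens an outbound connection."""
    proto: str
    inside_ip: str
    inside_port: int
    global_port: int


@dataclass
class Static:
    """A static (inside,outside) entry; proto/port of None models the 1-to-1 form."""
    local_ip: str
    proto: Optional[str] = None
    port: Optional[int] = None


def inbound_lookup(statics: List[Static], xlates: List[Xlate], proto: str,
                   dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """Return (inside_ip, inside_port) for a packet arriving on the outside interface."""
    if dst_ip != OUTSIDE_IF:
        return None
    # Static translations are matched before dynamic PAT entries.
    for s in statics:
        if s.port is None:                      # 1-to-1 static claims every port
            return (s.local_ip, dst_port)
        if s.proto == proto and s.port == dst_port:
            return (s.local_ip, s.port)
    for x in xlates:                            # otherwise fall back to the PAT table
        if x.proto == proto and x.global_port == dst_port:
            return (x.inside_ip, x.inside_port)
    return None                                 # no translation: packet is dropped


ONE_TO_ONE = [Static(EXCHANGE)]                                   # the original static line
PORT_STATICS = [Static(EXCHANGE, "tcp", p) for p in (443, 110, 995, 3389, 52525)]


def demo(statics: List[Static]) -> dict:
    # Constructed: an inside PC's outbound connection was PAT'ed to global port 1024.
    xlates = [Xlate("tcp", "192.168.207.20", 50000, 1024)]
    return {
        "reply_to_pc": inbound_lookup(statics, xlates, "tcp", OUTSIDE_IF, 1024),
        "https_to_exchange": inbound_lookup(statics, xlates, "tcp", OUTSIDE_IF, 443),
    }
```

With the 1-to-1 static, the reply destined for the inside PC is handed to EXCHANGE instead, which is the "internal network cannot get out" symptom; with the per-port statics the reply reaches the PC and only the listed ports go to EXCHANGE.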
BK1138 is correct. You cannot create a 1-1 static nat from the Interface to an inside IP. You break access to anything/everything else. You must choose only the ports that you need open and create individual port translations. I would include port 25 in the list above for inbound email.

You will also have to disable fixup for smtp with Exchange:

    no fixup protocol smtp 25
    ^^

Author Comment by: Paisley-Consulting
ID: 12305061
The static commands worked great, thanks!!
I tried typing in
access-list outside_in permit tcp any host interface outside eq https

and got the error message "invalid IP address interface".
I put in the original access list that I tried and it seems to be working fine.  Everything internally
can get outside and I am able to hit my Exchange Web Server from the outside.

All of my email is directed to another email server (dyndns) for filtering and then I have it coming to port 52525 on my Exchange server.
That is why I don't have port 25 open.

Let me know if this is the correct way to do this.

Thanks

Expert Comment by: bkrogers
ID: 12308373
Ok, found my bad: take out the 'host' on the access list

access-list outside_in permit tcp any interface outside eq https
access-list outside_in permit tcp any interface outside eq pop3
access-list outside_in permit tcp any interface outside eq 995
access-list outside_in permit tcp any interface outside eq 3389
access-list outside_in permit tcp any interface outside eq 52525

The reason you would want to use Interface instead of the actual IP address is that your outside interface is set to get its IP address via DHCP based on the configuration line "ip address outside dhcp setroute".  If the DHCP server assigns a different outside IP address, your inbound access list would need to change to reflect the new IP address.  By using 'Interface' instead of the IP address, life will be automatic when the outside IP address changes.