PIX 506 Morass
Solved
Posted on 2004-11-04
Last Modified: 2013-11-16
Hello - I have just been assigned responsibility for getting a mail server set up behind a PIX 506. The PIX has been configured by at least 5 different people - and I am not permitted to "dump" the configuration and start over again. I have read the posts on this site, and the instructions on Cisco's website - but I am finally ready to admit defeat!
The PIX handles a VPN for a remote office, and the top routes for 4 branches worth of Cisco IP phones.

This should be easy, but then I am used to the SonicWall GUI!

All I need to do is a port map from the outside IP of the PIX to the mail server "DELLBOT":

access-list 101 permit tcp any host xxx.xxx.xxx.xxx eq smtp
static (inside,outside) tcp interface smtp DELLBOT smtp netmask 255.255.255.255 0 0
access-group 101 in interface outside

I have been asked to post as little of the config as possible, but I can post more if necessary.

Thanks in advance!

Tom
Question by: tvurt

Expert Comment by: lrmoore (ID: 12495941)
Typically, what you have posted is all you need:
 - access-list entry permitting inbound smtp from "any" - check
 - static nat/pat xlate - check
 - access-group to apply the access-list - check

Next issue is placement within the ACL 101. Is there any entry above this new line that might block packets, keeping in mind that ACLs are always applied top-down?

Next issue is the server itself. Is it Exchange? Then disable fixup:
    no fixup protocol smtp 25

Does this server have the right default gateway pointing to the PIX inside IP address? Subnet mask is correct? DNS entries are correct?

MX records are correct?

How are you testing?

Author Comment by: tvurt (ID: 12496215)
Well, at least I have SOMETHING right!

The server is Exchange, and I have the no fixup in the config. The access list is LAST in the list; I will try moving it up to the first entry. I see nothing explicitly denying those packets, but I know little about the PIX.

The server has full connectivity to the LAN and to the Internet.

the "real" MX records are not changed yet. Do to:

Testing: I have configured another functional Exchange server from a foreign domain to "think" it is the DNS master for the MX domain of the "DELLBOT" server. I have then changed the DNS and MX records just on the single foreign server to point to the external IP address of the PIX.

Thanks in advance.

Tom

Expert Comment by: lrmoore (ID: 12496260)
OK. Check the thread here. Just went through this yesterday with another poster:

http://www.experts-exchange.com/Hardware/Routers/Q_21193718.html


Author Comment by: tvurt (ID: 12740306)
OK - finally getting back to this. I am still unable to get this working! Help!

Here is a larger bit of the config - there is a bit of stuff for the VPN and AAA auth as well, but I hope you can see the problem in this area!

PIX Version 6.2(2)

nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxx encrypted
passwd xxxxxx encrypted
hostname xxxxxx
domain-name asecu.local
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
name 192.168.41.21 DELLBOT
access-list 70 permit tcp any host 24.239.80.16 eq smtp
access-list inside_access_in permit ip 192.168.42.0 255.255.255.0 any
access-list inside_access_in permit icmp 192.168.41.0 255.255.255.0 any
access-list inside_access_in permit ip 192.168.41.0 255.255.255.0 any
access-list inside_access_in permit icmp 192.168.42.0 255.255.255.0 any
access-list inside_access_in permit icmp 192.168.43.0 255.255.255.0 any
access-list inside_access_in permit ip 192.168.43.0 255.255.255.0 any
access-list 80 permit ip 192.168.42.0 255.255.255.0 192.168.125.0 255.255.255.0
access-list 80 permit ip 192.168.41.0 255.255.255.0 192.168.125.0 255.255.255.0
access-list 80 permit ip 192.168.43.0 255.255.255.0 192.168.125.0 255.255.255.0
access-list 80 permit ip 172.16.41.0 255.255.255.0 192.168.125.0 255.255.255.0
pager lines 24
logging on
logging buffered warnings
interface ethernet0 10full
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 24.239.80.16 255.255.255.0
ip address inside 192.168.41.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn 192.168.125.5-192.168.125.10
pdm location 192.168.0.0 255.255.0.0 inside
pdm location 192.168.125.0 255.255.255.0 outside
pdm location 192.168.42.0 255.255.255.0 inside
pdm location 192.168.42.0 255.255.255.0 outside
pdm location 192.168.41.0 255.255.255.0 outside
pdm location DELLBOT 255.255.255.255 inside
pdm location 192.168.43.0 255.255.255.0 inside
pdm location 172.168.41.0 255.255.255.0 inside
pdm location 172.16.41.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 80
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp DELLBOT smtp netmask 255.255.255.255 0 0
access-group 70 in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 24.239.80.1 1
route inside 172.16.41.0 255.255.255.0 192.168.41.7 1
route inside 192.168.42.0 255.255.255.0 192.168.41.7 1
route inside 192.168.43.0 255.255.255.0 192.168.41.7 1
timeout xlate 0:05:00

Thanks in advance.

Tom

Expert Comment by: lrmoore (ID: 12740562)
Let's start by removing the access-list from the inside interface. It is not needed anyway:
  no access-group inside_access_in in interface inside

Remove this route entry. There is no reason to route the local subnet to another gateway:
  no route inside 172.16.41.0 255.255.255.0 192.168.41.7 1

Everything else checks out:
  no fixup protocol smtp 25  <== check
  access-list 70 permit tcp any host 24.239.80.16 eq smtp
  access-group 70 in interface outside  <== check
  name 192.168.41.21 DELLBOT
  static (inside,outside) tcp interface smtp DELLBOT smtp netmask 255.255.255.255 0 0  <== check
  route outside 0.0.0.0 0.0.0.0 24.239.80.1 1 <== check

That should be all you need on the PIX.
Now check these off on the server:
   IP address 192.168.41.21
   Subnet Mask 255.255.255.0
   Default gateway 192.168.41.7 <==?? This should NOT be the PIX .1, else you won't get to the other networks.

Router 192.168.41.7:
  default gateway pointing to PIX 192.168.41.1?

>PIX Version 6.2(2)
Fairly buggy version. I highly suggest updating to 6.3(4) if possible.
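A way to run lrmoore's PIX-side checklist mechanically, as an added example that is not part of this thread: a small Python script that parses the PIX 6.x commands involved (name, access-list, access-group, static, ip address, no fixup, route inside) and reports what is missing or mis-ordered for an inbound port-forward. The sample config, the TEST-NET addresses, the constructed "Internet sender" used for the ACL walk and the function names are all assumptions made for this example. It only inspects the PIX configuration, so it cannot see the upstream filtering the poster eventually identified at the ISP; it does catch the three things the thread keeps returning to: a missing static or access-group, a deny earlier in the ACL shadowing the permit (ACLs are evaluated top-down, first match wins), and the SMTP fixup left on in front of an Exchange server.

```python
"""Static checks for a PIX 6.x inbound port-forward (the SMTP case from the thread)."""
import ipaddress

# Constructed sample PIX 6.x config (not the poster's): outside address from TEST-NET-3,
# same command shapes as those discussed in the thread.
SAMPLE_CONFIG = """\
PIX Version 6.2(2)
no fixup protocol smtp 25
name 192.168.41.21 DELLBOT
access-list 70 permit tcp any host 203.0.113.16 eq smtp
ip address outside 203.0.113.16 255.255.255.0
ip address inside 192.168.41.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp DELLBOT smtp netmask 255.255.255.255 0 0
access-group 70 in interface outside
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
"""

INTERNET_SENDER = "198.51.100.7"  # constructed test source for walking the outside ACL


def _addr(tokens, i):
    """Parse one PIX address spec at tokens[i]: 'any' | 'host X' | 'X MASK'."""
    if tokens[i] == "any":
        return ("any",), i + 1
    if tokens[i] == "host":
        return ("host", tokens[i + 1]), i + 2
    return ("net", tokens[i], tokens[i + 1]), i + 2


def _matches(spec, ip, names):
    """True if the address spec covers ip (aliases resolved through the 'name' table)."""
    if spec[0] == "any":
        return True
    if spec[0] == "host":
        return names.get(spec[1], spec[1]) == ip
    net = ipaddress.ip_network(f"{names.get(spec[1], spec[1])}/{spec[2]}", strict=False)
    return ipaddress.ip_address(ip) in net


def parse_pix(text):
    """Pull out the pieces that matter for an inbound translation from a PIX 6.x config."""
    cfg = {"names": {}, "acls": {}, "groups": {}, "statics": [], "ip": {},
           "fixup_off": set(), "routes": []}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "name" and len(t) == 3:                     # name IP ALIAS
            cfg["names"][t[2]] = t[1]
        elif t[0] == "access-list" and len(t) > 5 and t[2] in ("permit", "deny"):
            src, i = _addr(t, 4)                               # access-list NAME ACTION PROTO SRC DST [eq PORT]
            dst, i = _addr(t, i)
            port = t[i + 1] if i + 1 < len(t) and t[i] == "eq" else None
            cfg["acls"].setdefault(t[1], []).append((t[2], t[3], src, dst, port))
        elif t[0] == "access-group":                           # access-group NAME in interface IF
            cfg["groups"][t[4]] = t[1]
        elif t[0] == "static" and t[2] == "tcp":               # static (IN,OUT) tcp GADDR GPORT LADDR LPORT ...
            cfg["statics"].append({"ifs": t[1].strip("()").split(","), "gport": t[4], "laddr": t[5]})
        elif t[:2] == ["ip", "address"]:                       # ip address IF ADDR MASK
            cfg["ip"][t[2]] = (t[3], t[4])
        elif t[:3] == ["no", "fixup", "protocol"]:
            cfg["fixup_off"].add(t[3])
        elif t[:2] == ["route", "inside"]:
            cfg["routes"].append(ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False))
    return cfg


def check_inbound(text, service="smtp", exchange=True):
    """Return the list of PIX-side problems for an inbound port-forward of `service`.
    An empty list means every item on the checklist above is present and ordered correctly."""
    cfg = parse_pix(text)
    problems = []
    outside_ip = cfg["ip"].get("outside", (None,))[0]
    statics = [s for s in cfg["statics"] if s["gport"] == service and s["ifs"] == ["inside", "outside"]]
    if not statics:
        problems.append(f"no 'static (inside,outside) tcp interface {service} ...' translation")
    elif "inside" in cfg["ip"]:
        local = ipaddress.ip_address(cfg["names"].get(statics[0]["laddr"], statics[0]["laddr"]))
        inside_net = ipaddress.ip_network("/".join(cfg["ip"]["inside"]), strict=False)
        if local not in inside_net and not any(local in r for r in cfg["routes"]):
            problems.append(f"server {local} is not on the inside subnet and no 'route inside' reaches it")
    acl_name = cfg["groups"].get("outside")
    if acl_name is None:
        problems.append("no access-group applied 'in interface outside'")
    else:
        verdict = None
        for action, proto, src, dst, port in cfg["acls"].get(acl_name, []):
            if (proto in ("tcp", "ip") and _matches(src, INTERNET_SENDER, cfg["names"])
                    and _matches(dst, outside_ip, cfg["names"]) and port in (None, service)):
                verdict = action
                break  # first matching entry decides: ACLs are evaluated top-down
        if verdict is None:
            problems.append(f"ACL {acl_name} has no entry permitting tcp/{service} to {outside_ip}")
        elif verdict == "deny":
            problems.append(f"ACL {acl_name}: an earlier deny shadows the {service} permit")
    if exchange and service == "smtp" and "smtp" not in cfg["fixup_off"]:
        problems.append("Exchange behind 'fixup protocol smtp 25' (Mailguard): add 'no fixup protocol smtp 25'")
    return problems


if __name__ == "__main__":
    print(check_inbound(SAMPLE_CONFIG) or "PIX side looks complete; check the server, router and upstream next")
```

Feed it the running config from `write terminal` to reproduce the thread's review; the Exchange/fixup check is only relevant when the server really is Exchange, so pass `exchange=False` otherwise.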

Accepted Solution by: lrmoore (earned 500 total points, ID: 13703176)
How's it going? Have you found a solution? Do you need more information?
Can you close this question?

http://www.experts-exchange.com/help.jsp#hs5

Thanks for attending to this long-forgotten question.

<-8}

Author Comment by: tvurt (ID: 13706433)
It was actually the ISP blocking the traffic.

Expert Comment by: lrmoore (ID: 13706457)
Thanks for the update!
- Cheers!