PIX 506 Morass

Hello - I have just been assigned responsibility for getting a mail server set up behind a PIX 506. The PIX has been configured by at least 5 different people, and I am not permitted to "dump" the configuration and start over again. I have read the posts on this site and the instructions on Cisco's website, but I am finally ready to admit defeat!
The PIX handles a VPN for a remote office, and the top routes for 4 branches' worth of Cisco IP phones.

This should be easy, but then I am used to the SonicWall GUI!

All I need to do is a port map from the outside IP of the PIX to the mail server "DELLBOT":

access-list 101 permit tcp any host xxx.xxx.xxx.xxx eq smtp
static (inside,outside) tcp interface smtp DELLBOT smtp netmask 255.255.255.255 0 0
access-group 101 in interface outside

I have been asked to post as little of the config as possible - But I can post more if necessary.

Thanks in advance!

Tom
tvurtAsked:
lrmooreCommented:
Typically, what you have posted is all you need
 - access-list entry permitting inbound smtp from "any" - check
 - static nat/pat xlate - check
 - access-group to apply the access-list - check

Next issue is placement within ACL 101. Is there any entry above this new line that might block packets, keeping in mind that ACLs are always applied top-down?

Next issue is the server itself. Is it Exchange? Then disable the fixup:
    no fixup protocol smtp 25

Does this server have the right default gateway pointing to the PIX inside IP address? Subnet mask is correct? DNS entries are correct?

MX records are correct?

How are you testing?
0
tvurtAuthor Commented:
Well, at least I have SOMETHING right!

The server is Exchange, and I have the no fixup in the config. The access list is LAST in the list; I will try moving it up to the first entry. I see nothing explicitly denying those packets, but I know little about the PIX.

The server has full connectivity to the LAN and to the Internet.

The "real" MX records are not changed yet. Due to:

Testing: I have configured another functional Exchange server from a foreign domain to "think" it is the DNS master for the MX domain of the "DELLBOT" server. I have then changed the DNS and MX records just on the single foreign server to point to the external IP address of the PIX.

Thanks in advance.

Tom


0
lrmooreCommented:
OK. Check the thread here. Just went through this yesterday with another poster:

http://www.experts-exchange.com/Hardware/Routers/Q_21193718.html

0
tvurtAuthor Commented:
OK - finally getting back to this. I am still unable to get this working! Help!

Here is a larger bit of the config. There is a bit of stuff for the VPN and AAA auth as well, but I hope you can see the problem in this area!

PIX Version 6.2(2)

nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxx encrypted
passwd xxxxxx encrypted
hostname xxxxxx
domain-name asecu.local
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
name 192.168.41.21 DELLBOT
access-list 70 permit tcp any host 24.239.80.16 eq smtp
access-list inside_access_in permit ip 192.168.42.0 255.255.255.0 any
access-list inside_access_in permit icmp 192.168.41.0 255.255.255.0 any
access-list inside_access_in permit ip 192.168.41.0 255.255.255.0 any
access-list inside_access_in permit icmp 192.168.42.0 255.255.255.0 any
access-list inside_access_in permit icmp 192.168.43.0 255.255.255.0 any
access-list inside_access_in permit ip 192.168.43.0 255.255.255.0 any
access-list 80 permit ip 192.168.42.0 255.255.255.0 192.168.125.0 255.255.255.0
access-list 80 permit ip 192.168.41.0 255.255.255.0 192.168.125.0 255.255.255.0
access-list 80 permit ip 192.168.43.0 255.255.255.0 192.168.125.0 255.255.255.0
access-list 80 permit ip 172.16.41.0 255.255.255.0 192.168.125.0 255.255.255.0
pager lines 24
logging on
logging buffered warnings
interface ethernet0 10full
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 24.239.80.16 255.255.255.0
ip address inside 192.168.41.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn 192.168.125.5-192.168.125.10
pdm location 192.168.0.0 255.255.0.0 inside
pdm location 192.168.125.0 255.255.255.0 outside
pdm location 192.168.42.0 255.255.255.0 inside
pdm location 192.168.42.0 255.255.255.0 outside
pdm location 192.168.41.0 255.255.255.0 outside
pdm location DELLBOT 255.255.255.255 inside
pdm location 192.168.43.0 255.255.255.0 inside
pdm location 172.168.41.0 255.255.255.0 inside
pdm location 172.16.41.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 80
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp DELLBOT smtp netmask 255.255.255.255 0 0
access-group 70 in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 24.239.80.1 1
route inside 172.16.41.0 255.255.255.0 192.168.41.7 1
route inside 192.168.42.0 255.255.255.0 192.168.41.7 1
route inside 192.168.43.0 255.255.255.0 192.168.41.7 1
timeout xlate 0:05:00

Thanks in advance.

Tom


0
lrmooreCommented:
Let's start by removing the access-list from the inside interface. It is not needed anyway:
  no access-group inside_access_in in interface inside

Remove this route entry. There is no reason to route the local subnet to another gateway:
  no route inside 172.16.41.0 255.255.255.0 192.168.41.7 1

Everything else checks out:
  no fixup protocol smtp 25  <== check
  access-list 70 permit tcp any host 24.239.80.16 eq smtp
  access-group 70 in interface outside  <== check
  name 192.168.41.21 DELLBOT
  static (inside,outside) tcp interface smtp DELLBOT smtp netmask 255.255.255.255 0 0  <== check
  route outside 0.0.0.0 0.0.0.0 24.239.80.1 1 <== check

That should be all you need on the PIX.
Now check these off on the server:
   IP address 192.168.41.21
   Subnet Mask 255.255.255.0
   Default gateway 192.168.41.7 <==?? This should NOT be the PIX .1 else you won't get to the other networks

Router 192.168.41.7:
  default gateway pointing to PIX 192.168.41.1 ?

>PIX Version 6.2(2)
Fairly buggy version. Highly suggest updating to 6.3(4) if possible.

0
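The three-item checklist in lrmoore's first reply (ACL entry, static, access-group, plus the SMTP fixup and the warning that ACLs are evaluated top-down) and the line-by-line audit in the second reply can be mechanised. The script below is an added example and not code from this thread, from Cisco, or from Experts Exchange: a small Python parser for the subset of PIX 6.x syntax that appears above (`name`, `fixup`, `access-list`, `access-group`, `ip address` and the port form of `static`), fed a constructed sample assembled from the lines Tom posted, plus a second constructed variant with a deny entry placed above the permit to show the shadowing problem lrmoore asks about. All function names are mine; the assumption that SMTP fixup is on until a `no fixup protocol smtp 25` line turns it off matches the PIX default.

```python
import ipaddress

# Service keywords the PIX accepts in place of a port number (subset).
SERVICE_PORTS = {"smtp": 25, "http": 80, "https": 443, "ftp": 21, "domain": 53}

# Constructed sample: the lines from the config posted in this thread that
# decide whether inbound SMTP reaches DELLBOT (192.168.41.21).
SAMPLE_CONFIG = """\
no fixup protocol smtp 25
names
name 192.168.41.21 DELLBOT
access-list 70 permit tcp any host 24.239.80.16 eq smtp
ip address outside 24.239.80.16 255.255.255.0
static (inside,outside) tcp interface smtp DELLBOT smtp netmask 255.255.255.255 0 0
access-group 70 in interface outside
"""

# Constructed variant: an earlier deny shadows the permit (ACLs are top-down).
SHADOWED_CONFIG = SAMPLE_CONFIG.replace(
    "access-list 70 permit", "access-list 70 deny tcp any any eq smtp\naccess-list 70 permit")


def port_of(tok):
    """Resolve a service keyword or numeric port string to an int."""
    return SERVICE_PORTS[tok] if tok in SERVICE_PORTS else int(tok)


def parse_addr(tok, i, names):
    """Consume one address spec (any | host X | NET MASK) at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(names.get(tok[i + 1], tok[i + 1]) + "/32"), i + 2
    net = names.get(tok[i], tok[i])
    return ipaddress.ip_network(f"{net}/{tok[i + 1]}", strict=False), i + 2


def parse_ace(tok, names):
    """Parse '<permit|deny> <proto> <src> [eq P] <dst> [eq P]' into a dict."""
    action, proto = tok[0], tok[1]
    src, i = parse_addr(tok, 2, names)
    if i < len(tok) and tok[i] == "eq":   # source-port qualifier; not needed for this audit
        i += 2
    dst, i = parse_addr(tok, i, names)
    dport = port_of(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def parse(text):
    """Extract the parts of a PIX 6.x config that matter for an inbound port-map."""
    cfg = {"names": {}, "acls": {}, "access_groups": {}, "statics": [],
           "interfaces": {}, "smtp_fixup": True}   # assumption: fixup on until turned off
    raw = {}
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "name" and len(tok) == 3:
            cfg["names"][tok[2]] = tok[1]
        elif tok[:4] == ["no", "fixup", "protocol", "smtp"]:
            cfg["smtp_fixup"] = False
        elif tok[:3] == ["fixup", "protocol", "smtp"]:
            cfg["smtp_fixup"] = True
        elif tok[0] == "access-list":
            raw.setdefault(tok[1], []).append(tok[2:])
        elif tok[0] == "access-group" and len(tok) >= 5:
            cfg["access_groups"][tok[4]] = tok[1]   # interface -> ACL applied inbound
        elif tok[:2] == ["ip", "address"] and len(tok) >= 4:
            cfg["interfaces"][tok[2]] = tok[3]
        elif tok[0] == "static":
            cfg["statics"].append(tok[1:])
    for acl, aces in raw.items():   # resolve names only after the whole config is read
        cfg["acls"][acl] = [parse_ace(a, cfg["names"]) for a in aces]
    return cfg


def find_static(cfg, outside_ip, port):
    """Return (inside host, inside port) of the static PAT for outside_ip:port, or None."""
    for s in cfg["statics"]:   # s = ['(inside,outside)', 'tcp', global, gport, local, lport, ...]
        if len(s) < 6 or s[1] not in ("tcp", "udp"):
            continue
        gaddr = outside_ip if s[2] == "interface" else cfg["names"].get(s[2], s[2])
        if gaddr == outside_ip and port_of(s[3]) == port:
            return cfg["names"].get(s[4], s[4]), port_of(s[5])
    return None


def first_match(aces, proto, dst_ip, dport):
    """Top-down ACL evaluation: first entry matching the packet wins; None = implicit deny."""
    ip = ipaddress.ip_address(dst_ip)
    for idx, ace in enumerate(aces):
        if ace["proto"] in (proto, "ip") and ip in ace["dst"] and ace["dport"] in (None, dport):
            return idx, ace["action"]
    return None


def audit_inbound(text, service="smtp"):
    """Check the pieces lrmoore lists: static, ACL entry, access-group, SMTP fixup."""
    cfg, port = parse(text), port_of(service)
    outside_ip = cfg["interfaces"].get("outside")
    r = {"outside_ip": outside_ip, "static": find_static(cfg, outside_ip, port),
         "acl": cfg["access_groups"].get("outside"), "ace": None,
         "smtp_fixup": cfg["smtp_fixup"], "problems": []}
    if r["static"] is None:
        r["problems"].append(f"no static PAT for {outside_ip}:{port}")
    if r["acl"] is None:
        r["problems"].append("no access-group applied inbound on outside")
    else:
        r["ace"] = first_match(cfg["acls"].get(r["acl"], []), "tcp", outside_ip, port)
        if r["ace"] is None:
            r["problems"].append(f"ACL {r['acl']} has no entry for tcp/{port}; implicit deny")
        elif r["ace"][1] != "permit":
            r["problems"].append(f"ACL {r['acl']} entry #{r['ace'][0]} denies tcp/{port} "
                                 "before any permit (top-down evaluation)")
    if service == "smtp" and r["smtp_fixup"]:
        r["problems"].append("SMTP fixup still enabled; add 'no fixup protocol smtp 25' for Exchange")
    return r


if __name__ == "__main__":
    for label, text in (("posted", SAMPLE_CONFIG), ("shadowed", SHADOWED_CONFIG)):
        print(label, audit_inbound(text))
```

Running it on the posted lines reports no problems on the PIX side, which is consistent with lrmoore's conclusion that the firewall config was fine and with Tom's eventual finding that the ISP was blocking the traffic; the shadowed variant shows how a single deny above the permit silently breaks the same port-map.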
lrmooreCommented:
How's it going? Have you found a solution? Do you need more information?
Can you close this question?

http://www.experts-exchange.com/help.jsp#hs5

Thanks for attending to this long-forgotten question.

<-8}
0

tvurtAuthor Commented:
It was actually the ISP blocking the traffic.  
0
lrmooreCommented:
Thanks for the update!
- Cheers!
0
Software Firewalls