Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium


No Internet Access out from internal network.

Posted on 2005-05-05
Medium Priority
Last Modified: 2013-12-29
I just installed a Cisco 515 version 6.3(1) and my main problem is I don't get Internet access from my internal network.  Everything worked fine with the old firewall, Internet, Email, pcAnywhere connections in.  

I have a second problem with email.  I run Exchange 2003.  People in the office can send and receive email fine with MAPI connections.  I have a problem with those who  connect via POP3 from outside my network.  The can recieve email, buy when they try to send, they get an error from Exchange concerning not being able to relay email.  This did not occur with the old firewall.  Again, MAPI connections sent fine, both on new mail and replies.

Here is my config:

interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside xxx.xxx.20.98
ip address inside
route outside xxx.xxx.20.97 1

global (outside) 1 xxx.xxx.20.100-xxx.xxx.20.110
global (outside) 1 interface
nat (inside) 1 0 0

static (inside,outside) xxx.xxx.20.98 netmask 0 0
static (inside,outside) xxx.xxx.20.101 netmask 0 0
static (inside,outside) xxx.xxx.20.102 netmask 0 0
static (inside,outside) xxx.xxx.20.103 netmask 0 0

access-list public_access_in permit tcp any host xxx.xxx.20.98 eq pop3
access-list public_access_in permit tcp any host xxx.xxx.20.98 eq www
access-list public_access_in permit tcp any host xxx.xxx.20.98 eq https
access-list public_access_in permit tcp any host xxx.xxx.20.98 eq smtp
access-list public_access_in permit tcp any host xxx.xxx.20.101 eq pcanywhere-data
access-list public_access_in permit udp any host xxx.xxx.20.101 eq pcanywhere-status
access-list public_access_in permit tcp any host xxx.xxx.20.102 eq 5633
access-list public_access_in permit udp any host xxx.xxx.20.102 eq 5634
access-list public_access_in permit udp any host xxx.xxx.20.103 eq tftp
access-list private_access_out permit tcp host any eq www
access-list private_access_out deny tcp any any eq www
access-list private_access_out permit ip any any

access-group public_access_in in interface outside
access-group private_access_out in interface inside

I believe the internet problem has to do with my ACL for my private network.  The mail one I have no idea.  I have read a lot concerning configuring this firewall, and I hope my configs aren't too far off.
Question by:Javier196
  • 4
  • 3
  • 2
LVL 16

Assisted Solution

JammyPak earned 1000 total points
ID: 13938523
I don't think that the email problem is with the firewall...the POP clients would be using SMTP to send, and your fw permits that. It sounds like the Exchange server is implementing anti-relay measures against the clients, because it doesn't know that they are trusted hosts. I'm not an Exchange guru, but if your address has changed, then maybe that's the source of the issues.

for surfing:
"access-list private_access_out deny tcp any any eq www"
sounds suspiciously like you're blocking all outbound access on port 80. remove that and try again!
Actually, I would recommend removing the outbound 'permit ip any any' line, and just add permit lines for what is needed. It's a pain, but it is much more secure. At the very least, block outbound port 25 (smtp) for all but your exchange server. This way ppl infected with worms won't be able to send infected emails out.
LVL 79

Accepted Solution

lrmoore earned 1000 total points
ID: 13939920
Start by removing the acl from the inside interface. It will help in troubleshooting.

Make sure you don't have anything like this in the config
   sysopt noproxyarp outside

Agree with JammyPak <good to see you around again, my friend> that the anti-relay features of the Exchange will prevent POP3 users from sending mail. You can try disabling fixup to see if that helps:
  no fixup protocol smtp 25


Author Comment

ID: 13940512
I checked the Microsoft Website, and there is a write-up on my email problem:

"SMTP Clients Receive Relaying Prohibited Error Message When Authenticated Relay Is Enabled"

This article talks about not being able to  send email behind a PIX Firewall.  It then has a link to another Web page:

"Cannot send or receive e-mail messages behind a Cisco PIX firewall"

This page discusses removing Mailguard from the firewall by inserting the "no fixup protocol smtp 25" in your PIX configuration.

So my mail problem should be solved.  But I still do not have internet.  

I removed all the ACLs from my inside interface, still no Internet.  Is there any licensing I have to apply before I am allowed outside access.  This is a new PIX.  I cannot figure out why my inside users cannot access the Internet.  My config is pretty straightforward.

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.


Author Comment

ID: 13940653
I just checked, and I have a unrestrictied 515E

Except for VPN-3DES-AES, everything is enabled.  

Also I have unlimited Inside Hosts, Thoughtput, and IKE peers.

LVL 79

Expert Comment

ID: 13940691
That MS article jives with what I suggested to remove the fixup..

> Is there any licensing I have to apply before I am allowed outside access.
Absolutely not with the unristricted 515e

From the PIX console, can you ping your default gateway? This is the first place I would look..

No? Check cabling, check "sho interface" make sure you get line UP, protocol UP, look for errors, especially CRC erors. Bad cable, duplex mismatch..

Yes? Are you using the proper DNS servers?
Are you trying to ping from an inside host to see if you have access? Can't do it unless you add an access-list to permit icmp

  access-list public_access_in permit icmp any any

Author Comment

ID: 13940923
All is working fine now.  I was not getting Internet access, but then I left the firewall alone for a few minutes while testing email, and then I suddenly had access to the Internet.  Was the firewall buiding routes?

Unfortunately, due to our reliance on email, I had to test the PIX during work hours so I could have the poeple at the other offices make sure they still got email.  Also since I could not be down too long, I had to switch back to my old firewall soon after I tested the new PIX.  Once I left the PIX alone for a few minutes, all worked well.

Thanks to all.  Of all the systems I had to deploy, this one gave me the most apprehension, since I had the least amount of experience with a PIX.  Not that I have my hundred hours of reading in and your assistance, i feel pretty confident about maintaining this unit.  I am actually motived to read some more and exploy all the features of this unit.

I am sure glad about not having to lug around 3lbs of books back and forth to my house anymore.
LVL 79

Expert Comment

ID: 13941086
>Was the firewall buiding routes?
More likely ARP caches timing out on the external router...

Glad you're working!
LVL 16

Expert Comment

ID: 13944766
Cheers, lrmoore - I've been around, just lurking in other areas! Unfortunately, I didn't get MVP for 2005, so I  won't get to meet you at this year's summit unless I get reinstated!
LVL 79

Expert Comment

ID: 13945208
Well, it's still good to see you around once in a while, JP..
I seriously doubt that I'll be anywhere near the summit anyway....

Thanks for closing this out, Javier!

 - Cheers, mates     <8-}

Featured Post

Get expert help—faster!

Need expert help—fast? Use the Help Bell for personalized assistance getting answers to your important questions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Originally, this post was published on Monitis Blog, you can check it here . It goes without saying that technology has transformed society and the very nature of how we live, work, and communicate in ways that would’ve been incomprehensible 5 ye…
Make the most of your online learning experience.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

578 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question