No Internet Access out from internal network.

Posted on 2005-05-05
Last Modified: 2013-12-29
I just installed a Cisco 515 version 6.3(1) and my main problem is I don't get Internet access from my internal network.  Everything worked fine with the old firewall, Internet, Email, pcAnywhere connections in.  

I have a second problem with email.  I run Exchange 2003.  People in the office can send and receive email fine with MAPI connections.  I have a problem with those who connect via POP3 from outside my network.  They can receive email, but when they try to send, they get an error from Exchange concerning not being able to relay email.  This did not occur with the old firewall.  Again, MAPI connections sent fine, both on new mail and replies.

Here is my config:

interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside
ip address inside
route outside 1

global (outside) 1
global (outside) 1 interface
nat (inside) 1 0 0

static (inside,outside) netmask 0 0
static (inside,outside) netmask 0 0
static (inside,outside) netmask 0 0
static (inside,outside) netmask 0 0

access-list public_access_in permit tcp any host eq pop3
access-list public_access_in permit tcp any host eq www
access-list public_access_in permit tcp any host eq https
access-list public_access_in permit tcp any host eq smtp
access-list public_access_in permit tcp any host eq pcanywhere-data
access-list public_access_in permit udp any host eq pcanywhere-status
access-list public_access_in permit tcp any host eq 5633
access-list public_access_in permit udp any host eq 5634
access-list public_access_in permit udp any host eq tftp
access-list private_access_out permit tcp host any eq www
access-list private_access_out deny tcp any any eq www
access-list private_access_out permit ip any any

access-group public_access_in in interface outside
access-group private_access_out in interface inside

I believe the internet problem has to do with my ACL for my private network.  The mail one I have no idea.  I have read a lot concerning configuring this firewall, and I hope my configs aren't too far off.
Question by: Javier196
    LVL 16

    Assisted Solution

    I don't think that the email problem is with the firewall...the POP clients would be using SMTP to send, and your fw permits that. It sounds like the Exchange server is implementing anti-relay measures against the clients, because it doesn't know that they are trusted hosts. I'm not an Exchange guru, but if your address has changed, then maybe that's the source of the issues.

    for surfing:
    "access-list private_access_out deny tcp any any eq www"
    sounds suspiciously like you're blocking all outbound access on port 80. remove that and try again!
    Actually, I would recommend removing the outbound 'permit ip any any' line, and just add permit lines for what is needed. It's a pain, but it is much more secure. At the very least, block outbound port 25 (smtp) for all but your exchange server. This way ppl infected with worms won't be able to send infected emails out.
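As an added example (not code from the original post, from the experts answering, or from Cisco), the following Python models how a PIX evaluates a named access-list: entries are checked top-down, the first match wins, and anything that matches nothing hits the implicit deny at the end. It runs the question's inside-interface ACL through that model to show why only the single host on the first line could browse, then evaluates a hardened variant along the lines of the advice above (no "permit ip any any", outbound SMTP only from the mail server). All addresses are constructed RFC 5737 documentation values, since the post's own addresses were stripped.

```python
"""First-match evaluation of PIX-style access-lists (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Service names accepted in the "eq <port>" position; only those used below.
SERVICE_PORTS = {"www": 80, "https": 443, "smtp": 25, "pop3": 110,
                 "tftp": 69, "domain": 53}


@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # None means any destination port


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    return ipaddress.IPv4Network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse_rule(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]'."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or len(tokens) < 6:
        raise ValueError(f"not an access-list entry: {line!r}")
    name, action, proto, rest = tokens[1], tokens[2], tokens[3], tokens[4:]
    src, dst = _parse_addr(rest), _parse_addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = SERVICE_PORTS[rest[1]] if rest[1] in SERVICE_PORTS else int(rest[1])
    return name, Rule(action, proto, src, dst, dport)


def load_acl(config, name):
    """Collect the entries of one named ACL in configuration order."""
    rules = []
    for line in config.strip().splitlines():
        if line.strip().startswith("access-list "):
            acl, rule = parse_rule(line.strip())
            if acl == name:
                rules.append(rule)
    return rules


def evaluate(rules, proto, src_ip, dst_ip, dport=None):
    """Return (action, index) of the first matching entry; a packet that
    matches nothing falls to the implicit deny, reported as ("deny", None)."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for i, r in enumerate(rules):
        if r.proto not in ("ip", proto):
            continue
        if src not in r.src or dst not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, i
    return "deny", None


# The inside-interface ACL from the question, with constructed addresses.
POSTED_ACL = """
access-list private_access_out permit tcp host 192.0.2.10 any eq www
access-list private_access_out deny tcp any any eq www
access-list private_access_out permit ip any any
"""

# Hardened replacement: mail server (constructed 192.0.2.20) is the only
# host allowed out on 25; web and DNS are permitted; all else is implicitly denied.
HARDENED_ACL = """
access-list private_access_out permit tcp host 192.0.2.20 any eq smtp
access-list private_access_out deny tcp any any eq smtp
access-list private_access_out permit tcp any any eq www
access-list private_access_out permit tcp any any eq https
access-list private_access_out permit udp any any eq domain
"""


def posted_results():
    """Only 192.0.2.10 reaches the permit on entry 0; every other host matches
    the deny on entry 1 before 'permit ip any any', while https passes."""
    rules = load_acl(POSTED_ACL, "private_access_out")
    web = "198.51.100.7"
    return {"allowed_host_www": evaluate(rules, "tcp", "192.0.2.10", web, 80),
            "other_host_www": evaluate(rules, "tcp", "192.0.2.55", web, 80),
            "other_host_https": evaluate(rules, "tcp", "192.0.2.55", web, 443)}


def hardened_results():
    rules = load_acl(HARDENED_ACL, "private_access_out")
    ext = "203.0.113.9"
    return {"mail_server_smtp": evaluate(rules, "tcp", "192.0.2.20", ext, 25),
            "other_host_smtp": evaluate(rules, "tcp", "192.0.2.55", ext, 25),
            "other_host_www": evaluate(rules, "tcp", "192.0.2.55", ext, 80),
            "other_host_tcp_1234": evaluate(rules, "tcp", "192.0.2.55", ext, 1234)}


if __name__ == "__main__":
    for title, results in (("posted", posted_results()), ("hardened", hardened_results())):
        for label, res in results.items():
            print(f"{title:9s} {label:20s} -> {res}")
```

The model deliberately ignores stateful connection tracking and NAT; it only answers the question the thread turns on, which entry of the inside ACL a given outbound connection hits first.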
    LVL 79

    Accepted Solution

    Start by removing the acl from the inside interface. It will help in troubleshooting.

    Make sure you don't have anything like this in the config
       sysopt noproxyarp outside

    Agree with JammyPak <good to see you around again, my friend> that the anti-relay features of the Exchange will prevent POP3 users from sending mail. You can try disabling fixup to see if that helps:
      no fixup protocol smtp 25

    LVL 1

    Author Comment

    I checked the Microsoft Website, and there is a write-up on my email problem:

    "SMTP Clients Receive Relaying Prohibited Error Message When Authenticated Relay Is Enabled";en-us;295164

    This article talks about not being able to  send email behind a PIX Firewall.  It then has a link to another Web page:

    "Cannot send or receive e-mail messages behind a Cisco PIX firewall"

    This page discusses removing Mailguard from the firewall by inserting the "no fixup protocol smtp 25" in your PIX configuration.

    So my mail problem should be solved.  But I still do not have internet.  

    I removed all the ACLs from my inside interface, still no Internet.  Is there any licensing I have to apply before I am allowed outside access?  This is a new PIX.  I cannot figure out why my inside users cannot access the Internet.  My config is pretty straightforward.

    LVL 1

    Author Comment

    I just checked, and I have an unrestricted 515E

    Except for VPN-3DES-AES, everything is enabled.  

    Also I have unlimited Inside Hosts, Throughput, and IKE peers.

    LVL 79

    Expert Comment

    That MS article jibes with what I suggested to remove the fixup..

    > Is there any licensing I have to apply before I am allowed outside access.
    Absolutely not with the unrestricted 515e

    From the PIX console, can you ping your default gateway? This is the first place I would look..

    No? Check cabling, check "sho interface" make sure you get line UP, protocol UP, look for errors, especially CRC errors. Bad cable, duplex mismatch..

    Yes? Are you using the proper DNS servers?
    Are you trying to ping from an inside host to see if you have access? Can't do it unless you add an access-list to permit icmp

      access-list public_access_in permit icmp any any
    LVL 1

    Author Comment

    All is working fine now.  I was not getting Internet access, but then I left the firewall alone for a few minutes while testing email, and then I suddenly had access to the Internet.  Was the firewall building routes?

    Unfortunately, due to our reliance on email, I had to test the PIX during work hours so I could have the people at the other offices make sure they still got email.  Also since I could not be down too long, I had to switch back to my old firewall soon after I tested the new PIX.  Once I left the PIX alone for a few minutes, all worked well.

    Thanks to all.  Of all the systems I had to deploy, this one gave me the most apprehension, since I had the least amount of experience with a PIX.  Now that I have my hundred hours of reading in and your assistance, I feel pretty confident about maintaining this unit.  I am actually motivated to read some more and exploit all the features of this unit.

    I am sure glad about not having to lug around 3lbs of books back and forth to my house anymore.
    LVL 79

    Expert Comment

    >Was the firewall building routes?
    More likely ARP caches timing out on the external router...

    Glad you're working!
    LVL 16

    Expert Comment

    Cheers, lrmoore - I've been around, just lurking in other areas! Unfortunately, I didn't get MVP for 2005, so I won't get to meet you at this year's summit unless I get reinstated!
    LVL 79

    Expert Comment

    Well, it's still good to see you around once in a while, JP..
    I seriously doubt that I'll be anywhere near the summit anyway....

    Thanks for closing this out, Javier!

     - Cheers, mates     <8-}
