myfootsmells
Configuring my Cisco PIX 506E
I have one IP address so I'm going to be using PAT. I don't need DHCP compatibility because I have an internal server that hands out DHCP.
ISP IP: 60.60.60.60
These are the conditions I need:
Block All Incoming Traffic
Block All Outgoing Traffic
Allow the following ports to go outside:
1935, 8080, 80, 21, 143, 443, 25, 3389, 1723, 995, 1863
Allow the following ports to come inside and port forwarded to:
80 to 10.10.1.1
25 to 10.10.1.210
143 to 10.10.1.1
1723 to 10.10.1.1
Now let's say two weeks later I need to allow port 1111 to go outside. How would I do that?
Thanks.
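The rule set in the question, written out as an added example PIX 6.3 configuration fragment (this is not the accepted solution from the thread and not Cisco's own sample). It assumes an inside subnet of 10.10.1.0/24, an inside interface address of 10.10.1.254, a /24 on the outside with 60.60.60.1 as the ISP gateway, and the default interface names `inside` and `outside`; the public address and the forwarded hosts are the ones the asker gave. The "two weeks later" change is the single line at the end.

```cisco
! Added example, not from the thread. Assumed addressing: inside 10.10.1.0/24,
! outside mask 255.255.255.0, ISP gateway 60.60.60.1.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 60.60.60.60 255.255.255.0
ip address inside 10.10.1.254 255.255.255.0
route outside 0.0.0.0 0.0.0.0 60.60.60.1 1

! PAT: every inside host leaves the box as 60.60.60.60 (the outside interface)
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

! Port forwards: one static per port, mapping the outside address to an inside host
static (inside,outside) tcp interface 80 10.10.1.1 80 netmask 255.255.255.255
static (inside,outside) tcp interface 25 10.10.1.210 25 netmask 255.255.255.255
static (inside,outside) tcp interface 143 10.10.1.1 143 netmask 255.255.255.255
static (inside,outside) tcp interface 1723 10.10.1.1 1723 netmask 255.255.255.255

! "Block all incoming": an access-list on the outside interface ends in an
! implicit deny, so only the four forwarded ports get through. On 6.x the
! list matches the translated (outside) address, hence "interface outside".
access-list inbound permit tcp any interface outside eq 80
access-list inbound permit tcp any interface outside eq 25
access-list inbound permit tcp any interface outside eq 143
access-list inbound permit tcp any interface outside eq 1723
access-group inbound in interface outside

! "Block all outgoing": without an inside access-list the PIX lets everything
! out, so an explicit list with only the wanted ports is what enforces the deny.
access-list outbound permit tcp 10.10.1.0 255.255.255.0 any eq 1935
access-list outbound permit tcp 10.10.1.0 255.255.255.0 any eq 8080
access-list outbound permit tcp 10.10.1.0 255.255.255.0 any eq 80
access-list outbound permit tcp 10.10.1.0 255.255.255.0 any eq 21
access-list outbound permit tcp 10.10.1.0 255.255.255.0 any eq 143
access-list outbound permit tcp 10.10.1.0 255.255.255.0 any eq 443
access-list outbound permit tcp 10.10.1.0 255.255.255.0 any eq 25
access-list outbound permit tcp 10.10.1.0 255.255.255.0 any eq 3389
access-list outbound permit tcp 10.10.1.0 255.255.255.0 any eq 1723
access-list outbound permit tcp 10.10.1.0 255.255.255.0 any eq 995
access-list outbound permit tcp 10.10.1.0 255.255.255.0 any eq 1863
access-group outbound in interface inside

! Two weeks later: a new outbound port is one more line appended to the same
! list (6.x appends new entries at the end, ahead of the implicit deny), then save.
access-list outbound permit tcp 10.10.1.0 255.255.255.0 any eq 1111
write memory
```

Two things worth checking before relying on this. The outbound list contains no UDP 53, so inside hosts can only resolve names if the internal DHCP/DNS server is itself allowed out; add a `permit udp ... eq 53` line for it if name resolution stops working. And `show access-list outbound` shows a hit counter per entry, which is the quickest way to confirm a newly added line is actually being matched rather than silently falling into the deny.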
ASKER
not much help at those links.
ASKER CERTIFIED SOLUTION
ASKER
thanks I will review and assign points.
ASKER
no fixup protocol smtp 25 <- add this if your mail server is Exchange
fixup protocol pptp 1723 <- add if PIX is v6.3 or higher (if not, let me know)
Why the no fixup if I'm running Exchange?
And why the fixup protocol pptp 1723 if PIX is v6.3+?
a) If you don't disable the "fixup" for smtp, your Exchange server won't be able to receive mail.
b) If a PIX is 6.2 or older, instead of "fixup protocol pptp 1723", you'd need to explicitly allow inbound GRE for inbound PPTP VPN to work, eg:
access-list inbound permit gre any interface outside
Otherwise, if PIX is 6.3+, the "fixup protocol pptp 1723" takes care of it behind the scenes.
cheers
ASKER
My mail server is Exchange, but the port I'm forwarding 25 to is my spam filter, and then my spam filter will send it to my Exchange server.
Will I still need this then?
That depends on the spam filter appliance - check the documentation for it: if it's considered an "ESMTP" server, then yes you'll need to disable the "smtp fixup". This "fixup" is a feature called "Mailguard".
see also: http://support.microsoft.com/default.aspx?scid=kb;en-us;320027
cheers
ASKER
And if it's not an ESMTP server, I can just take that line out and not do anything else?
If it's not an ESMTP server, but Exchange sends email directly from itself (& not through the spam appliance) then you've still got a problem, since you must disable the Mailguard feature for an ESMTP server to send or receive mail.
cheers
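The protocol-inspection lines the replies above argue about, side by side, as an added example (not the thread's accepted solution). It covers the PPTP forward to 10.10.1.1 for both PIX versions and the Mailguard setting for the SMTP forward to 10.10.1.210, and assumes an access-list named `inbound` is already applied to the outside interface.

```cisco
! Added example, not from the thread. Assumes an access-list "inbound" is
! already bound to the outside interface with "access-group inbound in interface outside".

! --- PIX 6.3 or later: PPTP ---
! The pptp fixup watches the TCP/1723 control channel and opens the matching
! GRE tunnel itself, so no GRE entry is needed in the inbound list.
fixup protocol pptp 1723

! --- PIX 6.2 or older: PPTP ---
! No pptp fixup exists, and the tunnel data travels in GRE (IP protocol 47),
! which is not a TCP port and is not opened by the static for 1723. It has to
! be permitted explicitly to the outside address, as in the reply above.
access-list inbound permit gre any interface outside

! --- Either version: Mailguard ---
! "fixup protocol smtp 25" (Mailguard) is on by default and only lets the plain
! RFC 821 commands through; ESMTP commands such as EHLO are blocked, which is
! why an Exchange server, or an ESMTP-speaking spam appliance in front of it,
! cannot send or receive mail through the PIX until the fixup is disabled.
no fixup protocol smtp 25
```

`show fixup` lists which inspections are currently active, so after the change it should show `fixup protocol pptp 1723` present and the smtp entry gone. The GRE line is the wider opening of the two: on 6.2 it admits all GRE to the outside address regardless of whether a PPTP session was negotiated first, whereas the 6.3 fixup only opens GRE for a tunnel it saw set up on TCP/1723, which is the practical reason to prefer the fixup when the software supports it.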
ASKER
OK, then I'll need to disable it. Thanks!
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a0080094680.shtml
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800948b8.shtml
BR Dushan