Solved

how to enable 995 and 465 on pf515e

Posted on 2006-11-28
Last Modified: 2013-11-16
I need to enable POP3S and SMTPS on the mentioned Cisco firewall. It is a PIX 7.0 and it has three interfaces:
1. wan_to_2811
2. inside
3. dmz

I'm trying to add a rule:
access-list wan_to_2811_access_in extended permit tcp any any eq 995

It doesn't work. Do I need to configure something else?

 
Question by:shkumbin
 

Expert Comment

by:rsivanandan
I would assume you're doing NAT on the PIX? I need to know that to suggest a solution. If yes:

static (inside,wan_to_2811) <SMTP_Public_IP> <SMTP_Internal_IP> netmask 255.255.255.255

access-list wan_to_2811_access_in extended permit tcp any host <SMTP_Public_IP> eq 995

access-group wan_to_2811_access_in in interface wan_to_2811

Now, if you're doing the NAT on the 2811, you should do the below:

static (inside,wan_to_2811) <SMTP_Internal_IP> <SMTP_Internal_IP> netmask 255.255.255.255

access-list wan_to_2811_access_in extended permit tcp any host <SMTP_Internal_IP> eq 995

access-group wan_to_2811_access_in in interface wan_to_2811

Cheers,
Rajesh
 

Author Comment

by:shkumbin
Rajesh,

I think my colleague is doing some NAT in the PIX; I'm not very aware of it.
But what we need now is just to enable those two ports, 995 and 465, to have access to the mail server on the WAN.

What do we need to add for this? Can you please describe it?
 

Expert Comment

by:rsivanandan
static (inside,wan_to_2811) <SMTP_Public_IP> <SMTP_Internal_IP> netmask 255.255.255.255

access-list wan_to_2811_access_in extended permit tcp any host <SMTP_Public_IP> eq 995
access-list wan_to_2811_access_in extended permit tcp any host <SMTP_Public_IP> eq 465

access-group wan_to_2811_access_in in interface wan_to_2811

The above are the commands needed in that case. So:

<SMTP_Public_IP> => This is the public IP address that is used by his SMTP server

<SMTP_Internal_IP> => This is the private IP address (inside the LAN) used by his SMTP server

The ports 995 and 465 look like Gmail to me??? I believe it is for incoming connections, right?

Cheers,
Rajesh
 

Author Comment

by:shkumbin
Yes, that's true.
We weren't able to manage this; we will try it tomorrow. In this case, as described, do we need to put in the IP of the Gmail server, am I right?
Why can it not be any to any in this case?

P.S. Sorry, I'm not working on the firewall that way, so I'm asking stupid questions.
 

Expert Comment

by:rsivanandan
So you want to allow outgoing Gmail connections? In that case you don't need any of those above. By default all the outgoing connections are allowed unless you have an outgoing access-list applied on the inside interface of the PIX.

A simple solution would be to post the PIX configuration and clarify the above question, and we can go from there.

There are *NO* stupid questions :-)

Cheers,
Rajesh
 

Author Comment

by:shkumbin
Are you there, Rajesh, so I can post the configuration now? Please tell me as soon as you can.

 

Expert Comment

by:rsivanandan
Post it. But before that, mention if this is for outgoing connections. It would be an incoming connection only if you work for Gmail :-)

Cheers,
Rajesh
 

Author Comment

by:shkumbin
<comment edited by PashaMod for users privacy>

So we want, from the inside interface, to be able to log in to the Gmail POP server (using Microsoft Outlook).
Here is the PIX configuration:

asdm image flash:/asdm504.bin
asdm location Hipper 255.255.255.255 dmz
asdm location Mail_Server 255.255.255.255 dmz
asdm location WWW_Server 255.255.255.255 dmz
asdm location ExLibris 255.255.255.255 dmz
asdm location UMSB 255.255.255.255 dmz
asdm location angel 255.255.255.255 inside
asdm location 123.123.13.132 255.255.255.255 wan_to_2811
asdm location 123.123.13.132 255.255.255.255 wan_to_2811
asdm location seeucluster 255.255.255.255 dmz
asdm location cst 255.255.255.255 dmz
no asdm history enable
: Saved
:
PIX Version 7.0(4)
!
hostname pf515e
domain-name seeu.edu.mk
enable password MjlIbT.1zK3F3/RL encrypted
names
name 123.123.13.132 ExLibris
name 123.123.13.132 WWW_Server
name 123.123.13.132 Mail_Server
name 123.123.13.132 Hipper description Total Controler
name 123.123.13.132 UMSB
name 123.123.13.132 angel description Angel LMS
name 123.123.13.132 seeucluster description SEEU Cluster
name 123.123.13.132 cst description CST Web Pages
!
interface Ethernet0
 nameif wan_to_2811
 security-level 0
 ip address 123.123.13.132 255.255.255.192
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.10.1.2 255.255.0.0
!
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 123.123.13.132 255.255.255.224
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
access-list wan_to_2811_access_in extended permit tcp any host Mail_Server eq smtp
access-list wan_to_2811_access_in extended permit tcp any host Mail_Server eq pop3
access-list wan_to_2811_access_in extended permit tcp any host WWW_Server eq www
access-list wan_to_2811_access_in extended permit tcp any host ExLibris eq www
access-list wan_to_2811_access_in extended permit tcp any host ExLibris eq https
access-list wan_to_2811_access_in extended permit tcp any host WWW_Server eq pop3
access-list wan_to_2811_access_in extended permit tcp any host Mail_Server eq imap4
access-list wan_to_2811_access_in extended permit tcp any host WWW_Server eq imap4
access-list wan_to_2811_access_in extended permit tcp any host UMSB eq www
access-list wan_to_2811_access_in extended permit tcp any host UMSB eq https
access-list wan_to_2811_access_in extended permit tcp any host WWW_Server eq ssh
access-list wan_to_2811_access_in extended permit tcp any host WWW_Server eq ftp
access-list wan_to_2811_access_in extended permit tcp any host UMSB eq 3389
access-list wan_to_2811_access_in extended permit tcp any host 123.123.13.132 eq www
access-list wan_to_2811_access_in extended permit tcp any host seeucluster eq www
access-list wan_to_2811_access_in extended permit tcp any host cst eq www
access-list wan_to_2811_access_in remark Allow smtps traffic!
access-list wan_to_2811_access_in extended permit tcp any any eq 465
access-list wan_to_2811_access_in remark Allow pop3s traffic!
access-list wan_to_2811_access_in extended permit tcp any any eq 995
access-list inside_access_in extended permit tcp any host ExLibris eq 6505
access-list inside_access_in extended permit tcp any host ExLibris eq 4145
access-list inside_access_in extended permit tcp any host ExLibris eq 6145
access-list inside_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit tcp any any eq https
access-list inside_access_in extended permit udp any any eq domain
access-list inside_access_in extended permit tcp any any eq imap4
access-list inside_access_in extended permit tcp any any eq pop3
access-list inside_access_in extended permit tcp any any eq smtp
access-list inside_access_in extended permit udp any any eq isakmp
access-list inside_access_in remark Mobimak SMS
access-list inside_access_in extended permit tcp any any eq 8443
access-list inside_access_in extended permit tcp any any eq pptp
access-list inside_access_in extended permit tcp any any eq ident
access-list inside_access_in extended permit tcp any any eq lotusnotes
access-list inside_access_in extended permit tcp any any eq rtsp
access-list inside_access_in extended permit tcp any any eq 7070
access-list inside_access_in extended permit tcp any any eq h323
access-list inside_access_in extended permit tcp any any eq 1503
access-list inside_access_in extended permit tcp 10.10.2.0 255.255.255.0 any eq ssh
access-list inside_access_in extended permit tcp 10.10.2.0 255.255.255.0 any eq ftp
access-list inside_access_in extended permit tcp 10.10.2.0 255.255.255.0 any eq ftp-data
access-list inside_access_in remark This Policy is defined for Professor Alp Kut to use Remote Desktop Connection to his University.
access-list inside_access_in extended permit tcp any host 123.123.13.132 eq 3389
access-list inside_access_in remark This Policy is defined for Prof. Derya Birant to use Remote Desktop Connection to her University.
access-list inside_access_in extended permit tcp any host 123.123.13.132 eq 3389
access-list inside_access_in extended permit gre any any
access-list inside_access_in remark L2TP traffic for VPN
access-list inside_access_in extended permit udp any any eq 1701
pager lines 24
logging asdm informational
mtu wan_to_2811 1500
mtu inside 1500
mtu dmz 1500
ip verify reverse-path interface dmz
ERROR: Command requires failover license
ERROR: Command requires failover license
asdm image flash:/asdm504.bin
no asdm history enable
arp timeout 14400
global (wan_to_2811) 15 interface
global (inside) 15 interface
global (dmz) 15 interface
nat (inside) 15 10.10.0.0 255.255.0.0
static (dmz,wan_to_2811) Hipper Hipper netmask 255.255.255.255
static (dmz,wan_to_2811) Mail_Server Mail_Server netmask 255.255.255.255
static (dmz,wan_to_2811) WWW_Server WWW_Server netmask 255.255.255.255
static (dmz,wan_to_2811) ExLibris ExLibris netmask 255.255.255.255
static (dmz,wan_to_2811) UMSB UMSB netmask 255.255.255.255
static (inside,wan_to_2811) 123.123.13.132 angel netmask 255.255.255.255
static (dmz,wan_to_2811) seeucluster seeucluster netmask 255.255.255.255
static (dmz,wan_to_2811) cst cst netmask 255.255.255.255
access-group wan_to_2811_access_in in interface wan_to_2811
access-group inside_access_in in interface inside
route wan_to_2811 0.0.0.0 0.0.0.0 123.123.13.132 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username monitor password KEQRmOrieLtgCIos encrypted privilege 3
http server enable
http 10.10.0.0 255.255.0.0 inside
snmp-server host inside 10.10.1.15 community public version 2c
snmp-server host wan_to_2811 123.123.13.132 community public version 2c
snmp-server host inside 123.123.13.132 community public version 2c
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map wan_to_2811-class
 match default-inspection-traffic
!
!
policy-map wan_to_2811-policy
 description WAN service policy
 class wan_to_2811-class
  inspect ftp
  inspect sqlnet
  inspect h323 ras
  inspect xdmcp
  inspect tftp
  inspect icmp error
  inspect rtsp
  inspect sunrpc
  inspect mgcp
  inspect esmtp
  inspect sip
  inspect netbios
  inspect pptp
  inspect ctiqbe
  inspect snmp
  inspect http
  inspect rsh
  inspect icmp
  inspect ils
  inspect h323 h225
  inspect dns
  inspect skinny
policy-map outside-policy
!
service-policy wan_to_2811-policy interface wan_to_2811
Cryptochecksum:1231231231212312312: end

shkumbin
 

Author Comment

by:shkumbin
Rajesh, I forgot to tell you that we will not use 62.162.98.5 Mail_Server any more.
 

Accepted Solution

by: rsivanandan (earned 195 total points)
access-list inside_access_in extended permit tcp any host <GmailServer Address> eq 995
access-list inside_access_in extended permit tcp any host <GmailServer Address> eq 465

Now, instead of the Gmail server address you can also give 'any', but that is not recommended for security reasons.

Cheers
Rajesh
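Added example, not part of the original thread or of any Cisco tooling: a small Python evaluator for the subset of PIX 7.x access-list syntax this thread uses. It shows the two points made above in working code: Rajesh's remark that outbound connections only need an explicit permit when an access-list is bound to the inside interface (this PIX has inside_access_in bound there, so they do), and the accepted solution's placement of the 995/465 permits on inside_access_in rather than on the WAN-facing ACL where the question tried to add them. The configuration below is constructed and cut down from the one posted; 192.0.2.20 stands in for the DMZ Mail_Server and 203.0.113.5 for <GmailServer Address>. NAT/xlate requirements, object-groups and time ranges are not modelled.

```python
"""Toy evaluator for the PIX/ASA 7.x ACL syntax used in this thread (constructed example).

Models: 'name IP NAME', interface nameif/security-level, 'access-list NAME extended
permit|deny PROTO SRC DST [eq PORT]' with any / host X / NET MASK address forms, and
'access-group NAME in interface IF'. Not modelled: NAT/xlate, object-groups, 'log'.
"""
import ipaddress

# Well-known port names as the PIX CLI prints them (subset used below).
PORT_NAMES = {"smtp": 25, "pop3": 110, "imap4": 143, "www": 80,
              "https": 443, "ssh": 22, "ftp": 21, "domain": 53}


def _parse_addr(t, i, names):
    """Consume one address spec starting at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(names.get(t[i + 1], t[i + 1]) + "/32"), i + 2
    # NETWORK MASK form, e.g. 10.10.2.0 255.255.255.0
    return ipaddress.ip_network(f"{names.get(t[i], t[i])}/{t[i + 1]}", strict=False), i + 2


def _parse_ace(t, names):
    """t = tokens after 'extended', e.g. ['permit','tcp','any','host','X','eq','smtp']."""
    src, i = _parse_addr(t, 2, names)
    dst, i = _parse_addr(t, i, names)
    dport = None
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        dport = int(p) if p.isdigit() else PORT_NAMES[p]  # KeyError = unmodelled name
    return {"action": t[0], "proto": t[1], "src": src, "dst": dst, "dport": dport}


def parse_config(text):
    cfg = {"names": {}, "seclevel": {}, "acls": {}, "bindings": {}}
    cur_if = None
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "name":
            cfg["names"][t[2]] = t[1]
        elif t[0] == "nameif":
            cur_if = t[1]
        elif t[0] == "security-level" and cur_if:
            cfg["seclevel"][cur_if] = int(t[1])
        elif t[0] == "access-list" and t[2] == "extended":   # 'remark' lines are skipped
            cfg["acls"].setdefault(t[1], []).append(_parse_ace(t[3:], cfg["names"]))
        elif t[0] == "access-group" and t[2:4] == ["in", "interface"]:
            cfg["bindings"][t[4]] = t[1]
    return cfg


def evaluate(cfg, ingress, egress, proto, src, dst, dport):
    """Verdict for a NEW connection entering at `ingress`, bound for `egress`.

    With an ACL bound inbound on the ingress interface, first match wins and an
    unmatched packet hits the implicit deny at the end. With no ACL bound, the
    security-level rule applies: higher -> lower permitted, otherwise denied.
    Returns (permitted: bool, reason: str).
    """
    acl_name = cfg["bindings"].get(ingress)
    if acl_name is None:
        ok = cfg["seclevel"][ingress] > cfg["seclevel"][egress]
        return ok, f"no ACL on {ingress}: security-level {'permits' if ok else 'denies'}"
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, ace in enumerate(cfg["acls"].get(acl_name, []), 1):
        if ace["proto"] not in (proto, "ip"):
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"] == "permit", f"{acl_name} line {n} ({ace['action']})"
    return False, f"{acl_name} implicit deny"


# Constructed config, cut down from the one posted in the thread. 192.0.2.20 stands in
# for the DMZ Mail_Server; 'any any eq 995' is the rule the question added on the WAN side.
CONFIG = """
name 192.0.2.20 Mail_Server
interface Ethernet0
 nameif wan_to_2811
 security-level 0
interface Ethernet1
 nameif inside
 security-level 100
interface Ethernet2
 nameif dmz
 security-level 50
access-list wan_to_2811_access_in extended permit tcp any host Mail_Server eq smtp
access-list wan_to_2811_access_in remark Allow pop3s traffic!
access-list wan_to_2811_access_in extended permit tcp any any eq 995
access-list inside_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit tcp any any eq pop3
access-list inside_access_in extended permit tcp 10.10.2.0 255.255.255.0 any eq ssh
access-group wan_to_2811_access_in in interface wan_to_2811
access-group inside_access_in in interface inside
"""

# The accepted solution, on the ACL the clients actually enter through.
# 203.0.113.5 is a constructed stand-in for <GmailServer Address>.
FIX_LINES = """
access-list inside_access_in extended permit tcp any host 203.0.113.5 eq 995
access-list inside_access_in extended permit tcp any host 203.0.113.5 eq 465
"""

if __name__ == "__main__":
    base, fixed = parse_config(CONFIG), parse_config(CONFIG + FIX_LINES)
    # Outlook on the inside network talking POP3S to the Gmail address
    for label, cfg in (("as posted", base), ("with fix", fixed)):
        print(label, evaluate(cfg, "inside", "wan_to_2811", "tcp", "10.10.5.7", "203.0.113.5", 995))
    # What the WAN-side 'any any eq 995' permits (ACL verdict only; the real PIX
    # would additionally need a static for an inbound connection to complete)
    print("inbound", evaluate(base, "wan_to_2811", "dmz", "tcp", "198.51.100.7", "192.0.2.20", 995))
```

Running it shows the outbound POP3S connection dying on the implicit deny of inside_access_in until the two lines from the accepted answer are added, while the `any any eq 995` line on wan_to_2811_access_in does nothing for the outbound case and instead permits inbound 995 towards every address behind the firewall. That line should be removed once the inside rules are in place.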
 

Author Comment

by:shkumbin
Rajesh, for security reasons I will request that the support team delete the question, as I put the configuration file of the PIX in it, but for you I will also request that the points be retained.

Do you think this is possible?
 

Expert Comment

by:rsivanandan
Yeah, you can have that comment deleted, no problem.

From next time onwards, while posting the configuration, omit the passwords and remove two octets of the public IP addresses.

Cheers,
Rajesh