
PIX 501 SMTP-Exchange config

chris143 asked on
NetworkingHardware Firewalls
I need to configure this PIX to allow SMTP traffic to an internal Exchange Server. I post the config below.
The only hurdle I have is that I need to do this remotely and I was not 100% confident I would not crash the PIX and then get locked out.

PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Jwsezsa5FEn/kHTg encrypted
passwd Jwsezsa5FEn/kHTg encrypted
hostname test
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list nonat permit ip 10.10.10.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list split_tunnel permit ip 10.10.10.0 255.255.255.0 172.16.0.0 255.255.255.0
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside 100.50.10.177 255.255.255.248
ip address inside 10.10.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPOOL 172.16.0.10-172.16.0.100
pdm location 10.10.10.0 255.255.255.0 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.10.10.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 100.50.10.176 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set CSDA_SET esp-3des esp-md5-hmac
crypto dynamic-map CSDA_DYN 10 set transform-set CSDA_SET
crypto map CSDA_MAP 10 ipsec-isakmp dynamic CSDA_DYN
crypto map CSDA_MAP interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 14400
vpngroup test address-pool VPNPOOL
vpngroup test dns-server 10.10.10.254
vpngroup test wins-server 10.10.10.254
vpngroup test split-tunnel split_tunnel
vpngroup test idle-time 1800
vpngroup test password ********
telnet 10.10.10.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
dhcpd address 10.10.10.110-10.10.10.115 inside
dhcpd dns 10.10.10.254
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80

Thanks in advance!!

Chris