troubleshooting Question

PIX 501 SMTP-Exchange config

chris143 asked on
Hardware Firewalls, Networking
I need to configure this PIX to allow SMTP traffic to an internal Exchange Server. I post the config below.
The only hurdle I have is that I need to do this remotely and I was not 100% confident I would not crash the PIX and then get locked out.

PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Jwsezsa5FEn/kHTg encrypted
passwd Jwsezsa5FEn/kHTg encrypted
hostname test
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list nonat permit ip 10.10.10.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list split_tunnel permit ip 10.10.10.0 255.255.255.0 172.16.0.0 255.255.255.0
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside 100.50.10.177 255.255.255.248
ip address inside 10.10.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPOOL 172.16.0.10-172.16.0.100
pdm location 10.10.10.0 255.255.255.0 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.10.10.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 100.50.10.176 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set CSDA_SET esp-3des esp-md5-hmac
crypto dynamic-map CSDA_DYN 10 set transform-set CSDA_SET
crypto map CSDA_MAP 10 ipsec-isakmp dynamic CSDA_DYN
crypto map CSDA_MAP interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 14400
vpngroup test address-pool VPNPOOL
vpngroup test dns-server 10.10.10.254
vpngroup test wins-server 10.10.10.254
vpngroup test split-tunnel split_tunnel
vpngroup test idle-time 1800
vpngroup test password ********
telnet 10.10.10.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
dhcpd address 10.10.10.110-10.10.10.115 inside
dhcpd dns 10.10.10.254
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80

Thanks in advance!!

Chris
ASKER CERTIFIED SOLUTION
rsivanandan
