chris143
asked on
PIX 501 SMTP-Exchange config
I need to configure this PIX to allow SMTP traffic to a internal Exchange Server. I post the config below.
The only hurdle I have is that I need to do this remotely and I was not 100% confident I would not crash the PIX and the get locked out.
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Jwsezsa5FEn/kHTg encrypted
passwd Jwsezsa5FEn/kHTg encrypted
hostname test
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list nonat permit ip 10.10.10.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list split_tunnel permit ip 10.10.10.0 255.255.255.0 172.16.0.0 255.255.255.0
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside 100.50.10.177 255.255.255.248
ip address inside 10.10.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPOOL 172.16.0.10-172.16.0.100
pdm location 10.10.10.0 255.255.255.0 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.10.10.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 100.50.10.176 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set CSDA_SET esp-3des esp-md5-hmac
crypto dynamic-map CSDA_DYN 10 set transform-set CSDA_SET
crypto map CSDA_MAP 10 ipsec-isakmp dynamic CSDA_DYN
crypto map CSDA_MAP interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 14400
vpngroup test address-pool VPNPOOL
vpngroup test dns-server 10.10.10.254
vpngroup test wins-server 10.10.10.254
vpngroup test split-tunnel split_tunnel
vpngroup test idle-time 1800
vpngroup test password ********
telnet 10.10.10.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
dhcpd address 10.10.10.110-10.10.10.115 inside
dhcpd dns 10.10.10.254
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Thanks in advance!!
Chris
The only hurdle I have is that I need to do this remotely and I was not 100% confident I would not crash the PIX and the get locked out.
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Jwsezsa5FEn/kHTg encrypted
passwd Jwsezsa5FEn/kHTg encrypted
hostname test
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list nonat permit ip 10.10.10.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list split_tunnel permit ip 10.10.10.0 255.255.255.0 172.16.0.0 255.255.255.0
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside 100.50.10.177 255.255.255.248
ip address inside 10.10.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPOOL 172.16.0.10-172.16.0.100
pdm location 10.10.10.0 255.255.255.0 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.10.10.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 100.50.10.176 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set CSDA_SET esp-3des esp-md5-hmac
crypto dynamic-map CSDA_DYN 10 set transform-set CSDA_SET
crypto map CSDA_MAP 10 ipsec-isakmp dynamic CSDA_DYN
crypto map CSDA_MAP interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 14400
vpngroup test address-pool VPNPOOL
vpngroup test dns-server 10.10.10.254
vpngroup test wins-server 10.10.10.254
vpngroup test split-tunnel split_tunnel
vpngroup test idle-time 1800
vpngroup test password ********
telnet 10.10.10.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
dhcpd address 10.10.10.110-10.10.10.115 inside
dhcpd dns 10.10.10.254
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Thanks in advance!!
Chris
Last Comment
Just to point out that when services are involved, the access lists need to be extended.
access-list Outside_In extended permit any host <PublicIP> eq 25
or
access-list Outside_In extended permit any interface outside eq 25
access-list Outside_In extended permit any host <PublicIP> eq 25
or
access-list Outside_In extended permit any interface outside eq 25
Actually the keyword 'extended' is optional and without that also, the acl would work.
Cheers,
Rajesh
Cheers,
Rajesh
ASKER
I am trying to use those commands Rajesh and getting the following errors. I used your second option above for using my external IP.
static (inside,outside) tcp interface 25 <InternalExchangeIP> 25 netmask 255.255.255.255 - works fine
access-list Outside_In permit any interface outside eq 25 - I get this -
ERROR: access-list <Outside_In> does not exist
access-group Outside_In in interface outside - I get this -
ERROR: invalid protocol: any
Thanks
static (inside,outside) tcp interface 25 <InternalExchangeIP> 25 netmask 255.255.255.255 - works fine
access-list Outside_In permit any interface outside eq 25 - I get this -
ERROR: access-list <Outside_In> does not exist
access-group Outside_In in interface outside - I get this -
ERROR: invalid protocol: any
Thanks
Oops my bad, I missed an 'ip' there; try this;
access-list Outside_In permit tcp any interface outside eq 25
access-group Outside_In in interface outside
Cheers,
Rajesh
access-list Outside_In permit tcp any interface outside eq 25
access-group Outside_In in interface outside
Cheers,
Rajesh
ASKER
It is still is not working.
The first command looks like this with the inside ip address.
static (inside,outside) tcp interface 25 10.10.10.253 25 netmask 255.255.255.0
The 2 new commands you posted do not work. The pix does not error it just acts like the command is wrong.
Thanks.
The first command looks like this with the inside ip address.
static (inside,outside) tcp interface 25 10.10.10.253 25 netmask 255.255.255.0
The 2 new commands you posted do not work. The pix does not error it just acts like the command is wrong.
Thanks.
Do that again by first removing the acl if it is present. That is the syntax for the acl.
access-list Outside_In permit tcp any interface outside eq 25
Cheers,
Rajesh
access-list Outside_In permit tcp any interface outside eq 25
Cheers,
Rajesh
ASKER
Im sorry Rajesh,
Its still not working. No error just this
access-list Outside_In permit tcp any interface outside eq 25
Type help or '?' for a list of available commands.
Its still not working. No error just this
access-list Outside_In permit tcp any interface outside eq 25
Type help or '?' for a list of available commands.
Can you post your current configuration ?
Cheers,
Rajesh
Cheers,
Rajesh
ASKER
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Jwsezsa5FEn/kHTg encrypted
passwd gVrsm5VvcPPFWt4V encrypted
hostname test
domain-name teest
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list nonat permit ip 10.10.10.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list split_tunnel permit ip 10.10.10.0 255.255.255.0 172.16.0.0 255.255.2
55.0
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside 100.50.10.177 255.255.255.248
ip address inside 10.10.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPOOL 172.16.0.10-172.16.0.100
pdm location 10.10.10.0 255.255.255.0 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.10.10.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 100.50.10.176 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set CSDA_SET esp-3des esp-md5-hmac
crypto dynamic-map CSDA_DYN 10 set transform-set CSDA_SET
crypto map CSDA_MAP 10 ipsec-isakmp dynamic CSDA_DYN
crypto map CSDA_MAP interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 14400
vpngroup test address-pool VPNPOOL
vpngroup test dns-server 10.10.10.254
vpngroup test wins-server 10.10.10.254
vpngroup test split-tunnel split_tunnel
vpngroup test idle-time 1800
vpngroup test password ********
telnet 10.10.10.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
dhcpd address 10.10.10.110-10.10.10.115 inside
dhcpd dns 10.10.10.254
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Thanks
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Jwsezsa5FEn/kHTg encrypted
passwd gVrsm5VvcPPFWt4V encrypted
hostname test
domain-name teest
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list nonat permit ip 10.10.10.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list split_tunnel permit ip 10.10.10.0 255.255.255.0 172.16.0.0 255.255.2
55.0
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside 100.50.10.177 255.255.255.248
ip address inside 10.10.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPOOL 172.16.0.10-172.16.0.100
pdm location 10.10.10.0 255.255.255.0 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.10.10.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 100.50.10.176 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set CSDA_SET esp-3des esp-md5-hmac
crypto dynamic-map CSDA_DYN 10 set transform-set CSDA_SET
crypto map CSDA_MAP 10 ipsec-isakmp dynamic CSDA_DYN
crypto map CSDA_MAP interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 14400
vpngroup test address-pool VPNPOOL
vpngroup test dns-server 10.10.10.254
vpngroup test wins-server 10.10.10.254
vpngroup test split-tunnel split_tunnel
vpngroup test idle-time 1800
vpngroup test password ********
telnet 10.10.10.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
dhcpd address 10.10.10.110-10.10.10.115 inside
dhcpd dns 10.10.10.254
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Thanks
ASKER CERTIFIED SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
I think Rajesh is on to something...make sure your prompt looks like this when you try to issue the "access-list" command:
test(config)#
test(config)#
It is still is not working.
The first command looks like this with the inside ip address.
static (inside,outside) tcp interface 25 10.10.10.253 25 netmask 255.255.255.0
You should set the netmask to 255.255.255.255 as this is an address translation for only one host not a subnet.
The first command looks like this with the inside ip address.
static (inside,outside) tcp interface 25 10.10.10.253 25 netmask 255.255.255.0
You should set the netmask to 255.255.255.255 as this is an address translation for only one host not a subnet.
hope you were able to add the acl ? Lemme know
thnx for the points.
Cheers,
Rajesh
thnx for the points.
Cheers,
Rajesh
Networking
Networking is the process of connecting computing devices, peripherals and terminals together through a system that uses wiring, cabling or radio waves that enable their users to communicate, share information and interact over distances. Often associated are issues regarding operating systems, hardware and equipment, cloud and virtual networking, protocols, architecture, storage and management.
102K
Questions
--
Followers
--
Top Experts
Get a personalized solution from industry experts
TRUSTED BY
If you have a public ip (which is not assigned on the outside interface)
static (inside,outside) <PublicIP> <InternalExchangeIP> netmask 255.255.255.255
access-list Outside_In permit any host <PublicIP> eq 25
access-group Outside_In in interface outside
If you want to use the public ip assigned on the outside interface (port forwarding), then the syntax would be;
static (inside,outside) tcp interface 25 <InternalExchangeIP> 25 netmask 255.255.255.255
access-list Outside_In permit any interface outside eq 25
access-group Outside_In in interface outside.
Cheers,
Rajesh