eli290 asked:

PIX firewall config problems

I am unable to connect to my exchange server via the outside mail address (mail.city.com). I can connect inside the domain via the server name (mail1.city.pri) I have a barracuda spam device installed as well. Mail is flowing fine both ways. I just think that there is something in the firewall that is not allowing me to connect via the mail.city.com. My external MX records are correct with my domain name host.
Alan Huseyin Kayahan:

Hi eli290
city.com appears to have mx1.emailsrvr.com as MX record and it shows the IP 207.97.245.101. After you correct this by calling your ISP, make sure a NAT statement is entered in your PIX config

static (inside,outside) tcp interface smtp yourinsidemailserverip smtp netmask 255.255.255.255
access-list outside_access_in permit tcp any interface outside eq smtp

or

static (inside,outside) outsideipforexchange yourinsidemailserverip  255.255.255.255 0 0
access-list outside_access_in permit tcp any host outsideipofexchange eq smtp

Regards

>>I am unable to connect to my exchange server via the outside mail address (mail.city.com).

Are you trying to do this from inside the firewall?  If so, then you are trying to access the publicly routable IP address of the mail server and are creating a "hairpin" traffic flow, which the PIX will not allow.  However, I'm not sure since you don't mention any IP addressing for these DNS entries or how your PIX interfaces are addressed.

Please provide this additional information and we can look further.  You may want to post your PIX config...that would shed some light...
eli290 (asker):

names
access-list External_in remark "External packets allowed in"
access-list External_in permit icmp any any echo-reply
access-list External_in permit icmp any any source-quench
access-list External_in permit icmp any any unreachable
access-list External_in permit icmp any any time-exceeded
access-list External_in permit tcp host 204.89.170.141 host 64.72.93.135 eq ftp
access-list External_in permit tcp host 204.89.170.141 host 64.72.93.135 range 2000 5000
access-list External_in permit icmp host 204.89.170.141 host 64.72.93.135 echo
access-list External_in permit gre 166.241.242.192 255.255.255.192 host 64.72.93.135
access-list External_in permit gre 166.241.240.128 255.255.255.192 host 64.72.93.135
access-list External_in permit tcp 166.241.242.192 255.255.255.192 host 64.72.93.135 eq pptp
access-list External_in permit tcp 166.241.240.128 255.255.255.192 host 64.72.93.135 eq pptp
access-list External_in permit udp 166.241.242.192 255.255.255.192 host 64.72.93.135 eq 5008
access-list External_in permit udp 166.241.240.128 255.255.255.192 host 64.72.93.135 eq 5008
access-list External_in permit gre 166.161.213.40 255.255.255.248 host 64.72.93.135
access-list External_in permit tcp 166.161.213.40 255.255.255.248 host 64.72.93.135 eq pptp
access-list External_in permit udp 166.161.213.40 255.255.255.248 host 64.72.93.135 eq 5008
access-list External_in permit udp any host 64.72.93.136 eq 110
access-list External_in permit udp any host 64.72.93.136 eq 25
access-list External_in permit tcp any host 64.72.93.136 eq smtp
access-list External_in permit tcp any host 64.72.93.136 eq pop3
access-list External_in permit icmp any host 64.72.93.136 echo
access-list Internal_out remark "Allow outbound traffic"
access-list Internal_out permit udp any any eq biff
access-list Internal_out permit tcp any any eq pop3
access-list Internal_out permit tcp any any eq smtp
access-list Internal_out permit tcp any any eq https
access-list Internal_out permit tcp any any eq www
access-list Internal_out permit tcp any any eq domain
access-list Internal_out permit udp any any eq domain
access-list Internal_out permit tcp any any eq ftp
access-list Internal_out permit tcp any any eq ftp-data
access-list Internal_out permit tcp any any eq telnet
access-list Internal_out permit icmp any any
access-list Internal_out permit tcp any any gt 1024
access-list Internal_out permit udp any any gt 1024
access-list Internal_out permit tcp any any eq 465
access-list Internal_out permit tcp any any eq 993
access-list Internal_out permit tcp any any eq 995
access-list Internal_out permit tcp any any eq imap4
access-list Internal_out permit tcp any any eq ssh
access-list Internal_out permit udp any any eq isakmp
access-list Internal_out permit udp host 64.72.93.136 any eq ntp
pager lines 24
logging timestamp
logging console emergencies
logging monitor emergencies
logging buffered emergencies
logging trap emergencies
logging history informational
logging facility 21
logging host inside 10.42.196.138
icmp permit any unreachable outside
icmp permit any echo-reply outside
icmp permit any echo outside
mtu outside 1500
mtu inside 1500
ip address outside 64.72.93.133 255.255.255.224
ip address inside 10.43.248.3 255.255.254.0
ip verify reverse-path interface outside
ip audit info action alarm drop reset
ip audit attack action alarm drop reset
pdm location 10.0.0.0 255.0.0.0 inside
pdm location 10.43.249.251 255.255.255.255 inside
pdm location 10.43.250.0 255.255.255.0 inside
pdm location 10.43.251.0 255.255.255.0 inside
pdm location 10.43.251.19 255.255.255.255 inside
pdm location 10.43.248.0 255.255.248.0 inside
pdm location 166.241.240.128 255.255.255.192 outside
pdm location 166.241.242.192 255.255.255.192 outside
pdm location 204.89.170.141 255.255.255.255 outside
pdm location 10.42.196.138 255.255.255.255 inside
pdm location 166.161.213.40 255.255.255.248 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 64.72.93.134 netmask 255.255.255.224
nat (inside) 1 10.43.248.0 255.255.248.0 0 0
static (inside,outside) 64.72.93.135 10.43.251.19 netmask 255.255.255.255 0 0
static (inside,outside) 64.72.93.136 10.43.248.11 netmask 255.255.255.255 0 0
access-group External_in in interface outside
route outside 0.0.0.0 0.0.0.0 64.72.93.129 1
route inside 10.0.0.0 255.0.0.0 10.43.248.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
ntp authenticate
ntp server 192.5.41.41 source outside
ntp server 18.72.0.3 source outside prefer
ntp server 10.42.196.1 source inside prefer
ntp server 18.26.4.105 source outside
ntp server 128.9.176.30 source outside
ntp server 129.6.15.28 source outside
http server enable
http 10.0.0.0 255.0.0.0 inside
access-list External_in permit tcp any host 64.72.93.136 eq smtp
static (inside,outside) 64.72.93.136 10.43.248.11 netmask 255.255.255.255 0 0

If 10.43.248.11 is your exchange server, then your config is OK. As I previously mentioned, you should call your ISP and request MX record mail.city.com for 64.72.93.136
PS: access-list Internal_out is useless since traffic from higher sec interface to lower sec interface is permitted by default
Regards
eli290 (asker):

the exchange server is 10.43.248.12, the barracuda is 10.43.248.11, the mx record is correct though, our mail.cityofpoughkeepsie.com is set to 64.72.93.136
>I am unable to connect to my exchange server via the outside mail address
>the exchange server is 10.43.248.12
You do not have any static xlates giving this IP and outside address, or matching access-list entry.

If mail is flowing both ways, what is the issue?

Hi eli290
In this case, if you do the following

no static (inside,outside) 64.72.93.136 10.43.248.11 netmask 255.255.255.255 0 0
static (inside,outside) 64.72.93.136 10.43.248.12 netmask 255.255.255.255 0 0

Your exchange will work, but this will bypass barracuda. Your PIX config is OK, and also checked your mx for mail.cityofpoughkeepsie.com it is OK too. It is about your Barracuda config.

Regards
eli290 (asker):

The issue is that I can't connect from outside my network. I should be able to set up a mail client anywhere to connect via pop3.
eli290 (asker):

The barracuda config appears to be correct as well. It asks what IP the exchange is set up on and I entered that as well.

Could this be an internal DNS issue? I don't have any MX records set up in house.
eli290 (asker):

That is one thing that I don't want to do; I don't want to bypass the barracuda.
Hi eli290

"Could this be an internal DNS issue? I dont have any MX records in house setup"
Your internal DNS has nothing to do with MX records, since you don't host your own global DNS server.

"the issue is that i cant connect from outside my network"
I know. But the trace ends at the Barracuda.
MX record correctly points to 64.72.93.136 > PIX allows smtp traffic to 64.72.93.136 and translates 64.72.93.136 to 10.43.248.11
Now I telnet mail.cityofpoughkeepsie.com 25 and I get the following
220 *****************************************02*20*2*************2******2****
This must be your Barracuda. That means everything outside the Barracuda works fine.
Following is an output from my mail server, the output for the Outlook mail client to work correctly.
telnet mail.xxx.com 25

220 yyy.xxxxx.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 ready at  Sun, 18 Nov 2007 16:57:09 +0200
I don't know how the Barracuda works at this point, how it processes the smtp traffic.

Regards
>access-list External_in permit tcp any host 64.72.93.136 eq pop3
You are only allowing pop3 to your Barracuda, not directly to the exchange.

static (inside,outside) tcp 64.72.93.138 pop3 10.43.248.12 pop3 netmask 255.255.255.255
access-list External_in permit tcp any host 64.72.93.138 eq pop3

eli290 (asker):

lrmoore - That will allow mail to go through the Barracuda and to the exchange? Or will that bypass the barracuda?
inbound email will still come through the barracuda. And  you will be able to connect directly to Exchange using pop3.
eli290 (asker):

Ok, we entered those lines of code and still have a problem. I still can't figure out why we can't connect. Also, what line of code do I need to enter in order for us to connect to our webmail? I know it is port 443.
static (inside,outside) tcp 64.72.93.138 https 10.43.248.12 https netmask 255.255.255.255
access-list External_in permit tcp any host 64.72.93.138 eq https

Enter those and then post a complete "new" config
eli290 (asker):

Ok, we are having all sorts of issues now. The main one is this: our barracuda has stopped working. I am able to access it but it isn't scanning any mail. Here is my current config. The mail server is 10.43.248.12 and the barracuda is 10.43.248.11

fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list External_in remark "External packets allowed in"
access-list External_in permit icmp any any echo-reply
access-list External_in permit icmp any any source-quench
access-list External_in permit icmp any any unreachable
access-list External_in permit icmp any any time-exceeded
access-list External_in permit tcp host 204.89.170.141 host 64.72.93.135 eq ftp
access-list External_in permit tcp host 204.89.170.141 host 64.72.93.135 range 2000 5000
access-list External_in permit icmp host 204.89.170.141 host 64.72.93.135 echo
access-list External_in permit gre 166.241.242.192 255.255.255.192 host 64.72.93.135
access-list External_in permit gre 166.241.240.128 255.255.255.192 host 64.72.93.135
access-list External_in permit tcp 166.241.242.192 255.255.255.192 host 64.72.93.135 eq pptp
access-list External_in permit tcp 166.241.240.128 255.255.255.192 host 64.72.93.135 eq pptp
access-list External_in permit udp 166.241.242.192 255.255.255.192 host 64.72.93.135 eq 5008
access-list External_in permit udp 166.241.240.128 255.255.255.192 host 64.72.93.135 eq 5008
access-list External_in permit gre 166.161.213.40 255.255.255.248 host 64.72.93.135
access-list External_in permit tcp 166.161.213.40 255.255.255.248 host 64.72.93.135 eq pptp
access-list External_in permit udp 166.161.213.40 255.255.255.248 host 64.72.93.135 eq 5008
access-list External_in permit udp any host 64.72.93.136 eq 110
access-list External_in permit udp any host 64.72.93.136 eq 25
access-list External_in permit tcp any host 64.72.93.136 eq smtp
access-list External_in permit tcp any host 64.72.93.136 eq pop3
access-list External_in permit icmp any host 64.72.93.136 echo
access-list Internal_out remark "Allow outbound traffic"
access-list Internal_out permit udp any any eq biff
access-list Internal_out permit tcp any any eq pop3
access-list Internal_out permit tcp any any eq smtp
access-list Internal_out permit tcp any any eq https
access-list Internal_out permit tcp any any eq www
access-list Internal_out permit tcp any any eq domain
access-list Internal_out permit udp any any eq domain
access-list Internal_out permit tcp any any eq ftp
access-list Internal_out permit tcp any any eq ftp-data
access-list Internal_out permit tcp any any eq telnet
access-list Internal_out permit icmp any any
access-list Internal_out permit tcp any any gt 1024
access-list Internal_out permit udp any any gt 1024
access-list Internal_out permit tcp any any eq 465
access-list Internal_out permit tcp any any eq 993
access-list Internal_out permit tcp any any eq 995
access-list Internal_out permit tcp any any eq imap4
access-list Internal_out permit tcp any any eq ssh
access-list Internal_out permit udp any any eq isakmp
access-list Internal_out permit udp host 64.72.93.136 any eq ntp
pager lines 24
logging timestamp
logging console emergencies
logging monitor emergencies
logging buffered emergencies
logging trap emergencies
logging history informational
logging facility 21
logging host inside 10.42.196.138
icmp permit any unreachable outside
icmp permit any echo-reply outside
icmp permit any echo outside
mtu outside 1500
mtu inside 1500
ip address outside 64.72.93.133 255.255.255.224
ip address inside 10.43.248.3 255.255.254.0
ip verify reverse-path interface outside
ip audit info action alarm drop reset
ip audit attack action alarm drop reset
pdm location 10.0.0.0 255.0.0.0 inside
pdm location 10.43.249.251 255.255.255.255 inside
pdm location 10.43.250.0 255.255.255.0 inside
pdm location 10.43.251.0 255.255.255.0 inside
pdm location 10.43.251.19 255.255.255.255 inside
pdm location 10.43.248.0 255.255.248.0 inside
pdm location 166.241.240.128 255.255.255.192 outside
pdm location 166.241.242.192 255.255.255.192 outside
pdm location 204.89.170.141 255.255.255.255 outside
pdm location 10.42.196.138 255.255.255.255 inside
pdm location 166.161.213.40 255.255.255.248 outside
pdm location 10.43.248.11 255.255.255.255 inside
pdm location 10.43.248.12 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 64.72.93.134 netmask 255.255.255.224
nat (inside) 1 10.43.248.0 255.255.248.0 0 0
static (inside,outside) tcp 64.72.93.136 pop3 10.43.248.12 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp 64.72.93.136 smtp 10.43.248.12 smtp netmask 255.255.255.255 0 0
static (inside,outside) 64.72.93.135 10.43.251.19 netmask 255.255.255.255 0 0
access-group External_in in interface outside
route outside 0.0.0.0 0.0.0.0 64.72.93.129 1
route inside 10.0.0.0 255.0.0.0 10.43.248.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
ntp authenticate
ntp server 192.5.41.41 source outside
ntp server 18.72.0.3 source outside prefer
ntp server 10.42.196.1 source inside prefer
ntp server 18.26.4.105 source outside
ntp server 128.9.176.30 source outside
ntp server 129.6.15.28 source outside
http server enable
http 10.0.0.0 255.0.0.0 inside
floodguard enable
telnet 10.0.0.0 255.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
management-access inside
console timeout 30

You don't want inbound smtp going to Exchange, but rather to Barracuda..

no static (inside,outside) tcp 64.72.93.136 smtp 10.43.248.12 smtp netmask 255.255.255.255 0 0
clear xlate
static (inside,outside) tcp 64.72.93.136 smtp 10.43.248.11 smtp netmask 255.255.255.255 0 0

Everything else can stay the same.
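The reasoning the replies above apply by hand (is there an access-list entry on the outside interface for this IP and port, and which inside host does a static xlate deliver it to?) can be checked mechanically. The following Python script is an added illustration, not code from the thread, from Cisco or from the posters: it parses the `static`, `access-list ... permit ... any host X eq PORT`, `access-group` and `no static` lines of a PIX 6.x style config, treats port statics as more specific than one-to-one statics, and reports the inbound path for a given outside IP and port. The embedded config is a constructed subset of the lines posted in this thread, and the service-name table covers only the services mentioned here; both are assumptions of the example.

```python
import re

# Service keywords as the PIX prints them, mapped to port numbers.
# Constructed subset: only the services that appear in this thread.
SERVICES = {"smtp": 25, "pop3": 110, "https": 443, "www": 80, "ftp": 21}

# Line shapes handled (PIX 6.x syntax as posted in the thread).
STATIC_PORT = re.compile(r"static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
STATIC_ONE2ONE = re.compile(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask")
ACL_PERMIT = re.compile(r"access-list (\S+) permit (tcp|udp) any host (\S+) eq (\S+)")
ACCESS_GROUP = re.compile(r"access-group (\S+) in interface (\S+)")


def port_of(token):
    """Translate a service keyword or numeric port into an int (None if unknown)."""
    if token in SERVICES:
        return SERVICES[token]
    return int(token) if token.isdigit() else None


def parse_static(line):
    """Return a dict describing a static xlate line, or None if the line is not one."""
    m = STATIC_PORT.match(line)
    if m:
        return {"proto": m.group(3), "outside_ip": m.group(4), "outside_port": port_of(m.group(5)),
                "inside_ip": m.group(6), "inside_port": port_of(m.group(7))}
    m = STATIC_ONE2ONE.match(line)
    if m:
        return {"proto": None, "outside_ip": m.group(3), "outside_port": None,
                "inside_ip": m.group(4), "inside_port": None}
    return None


def parse_pix(config_text):
    """Collect static xlates, 'any host X eq PORT' ACL permits and access-group bindings."""
    statics, acls, groups = [], {}, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("no static "):
            # 'no static ...' removes a previously entered xlate with the same parameters.
            gone = parse_static(line[3:])
            statics = [s for s in statics if s != gone]
            continue
        s = parse_static(line)
        if s:
            statics.append(s)
            continue
        m = ACL_PERMIT.match(line)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3), port_of(m.group(4))))
            continue
        m = ACCESS_GROUP.match(line)
        if m:
            groups[m.group(2)] = m.group(1)
    return statics, acls, groups


def inbound_path(config_text, proto, outside_ip, port):
    """Return (acl_permits, inside_target) for a connection from the Internet to outside_ip:port.

    inside_target is 'ip:port' when a static xlate delivers the connection, else None.
    Both must be present for the connection to reach an inside host."""
    statics, acls, groups = parse_pix(config_text)
    acl_name = groups.get("outside")
    acl_ok = any(entry == (proto, outside_ip, port) for entry in acls.get(acl_name, []))
    target = None
    # Port statics are more specific than one-to-one statics, so check them first.
    for s in statics:
        if s["proto"] == proto and s["outside_ip"] == outside_ip and s["outside_port"] == port:
            target = f'{s["inside_ip"]}:{s["inside_port"]}'
            break
    if target is None:
        for s in statics:
            if s["proto"] is None and s["outside_ip"] == outside_ip:
                target = f'{s["inside_ip"]}:{port}'
                break
    return acl_ok, target


# Constructed subset of the config posted above (mail server .12, Barracuda .11).
CONFIG_AS_POSTED = """
access-list External_in permit tcp any host 64.72.93.136 eq smtp
access-list External_in permit tcp any host 64.72.93.136 eq pop3
static (inside,outside) tcp 64.72.93.136 pop3 10.43.248.12 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp 64.72.93.136 smtp 10.43.248.12 smtp netmask 255.255.255.255 0 0
static (inside,outside) 64.72.93.135 10.43.251.19 netmask 255.255.255.255 0 0
access-group External_in in interface outside
"""

# The correction suggested in the reply above: send inbound smtp back to the Barracuda.
FIX = """
no static (inside,outside) tcp 64.72.93.136 smtp 10.43.248.12 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 64.72.93.136 smtp 10.43.248.11 smtp netmask 255.255.255.255 0 0
"""

if __name__ == "__main__":
    for label, cfg in (("as posted", CONFIG_AS_POSTED), ("with fix", CONFIG_AS_POSTED + FIX)):
        for port in (25, 110, 443):
            print(label, "tcp/%d -> %s" % (port, inbound_path(cfg, "tcp", "64.72.93.136", port)))
```

Run against the posted config, smtp to 64.72.93.136 resolves to 10.43.248.12:25, which is exactly the "bypasses the Barracuda" condition the replies point out; with the `no static` / `static` pair applied it resolves to 10.43.248.11:25 while pop3 still reaches 10.43.248.12:110. Asking about 443 returns `(False, None)`, showing that webmail needs both an access-list entry and an xlate before it can work. The checker only understands the `any host X eq PORT` permit form, so source-restricted entries such as the PPTP rules to 64.72.93.135 are reported as not permitted by this simplified model.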
eli290 (asker):

So I should replace

static (inside,outside) tcp 64.72.93.136 pop3 10.43.248.12 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp 64.72.93.136 smtp 10.43.248.12 smtp netmask 255.255.255.255 0 0

with
no static (inside,outside) tcp 64.72.93.136 smtp 10.43.248.12 smtp netmask 255.255.255.255 0 0
clear xlate
static (inside,outside) tcp 64.72.93.136 smtp 10.43.248.11 smtp netmask 255.255.255.255 0 0
ASKER CERTIFIED SOLUTION (Les Moore)

eli290 (asker):

trying it ....
eli290 (asker):

Awesome that worked
eli290 (asker):

Thanks for your help, it worked great!!