Solved

PIX firewall config problems

Posted on 2007-11-17
23
257 Views
Last Modified: 2010-04-21
I am unable to connect to my Exchange server via the outside mail address (mail.city.com). I can connect inside the domain via the server name (mail1.city.pri). I have a Barracuda spam device installed as well. Mail is flowing fine both ways. I just think that there is something in the firewall that is not allowing me to connect via mail.city.com. My external MX records are correct with my domain name host.
0
Comment
Question by:eli290
23 Comments
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
Hi eli290
city.com appears to have mx1.emailsrvr.com as its MX record, and it shows the IP 207.97.245.101. After you correct this by calling your ISP, make sure a NAT statement is entered in your PIX config:

static (inside,outside) tcp interface smtp yourinsidemailserverip smtp netmask 255.255.255.255
access-list outside_access_in permit tcp any interface outside eq smtp

or

static (inside,outside) outsideipforexchange yourinsidemailserverip  255.255.255.255 0 0
access-list outside_access_in permit tcp any host outsideipofexchange eq smtp

Regards

0
 
LVL 28

Expert Comment

by:batry_boy
>>I am unable to connect to my exchange server via the outside mail address (mail.city.com).

Are you trying to do this from inside the firewall?  If so, then you are trying to access the publicly routable IP address of the mail server and are creating a "hairpin" traffic flow, which the PIX will not allow.  However, I'm not sure since you don't mention any IP addressing for these DNS entries or how your PIX interfaces are addressed.

Please provide this additional information and we can look further.  You may want to post your PIX config...that would shed some light...
0
 

Author Comment

by:eli290
names
access-list External_in remark "External packets allowed in"
access-list External_in permit icmp any any echo-reply
access-list External_in permit icmp any any source-quench
access-list External_in permit icmp any any unreachable
access-list External_in permit icmp any any time-exceeded
access-list External_in permit tcp host 204.89.170.141 host 64.72.93.135 eq ftp
access-list External_in permit tcp host 204.89.170.141 host 64.72.93.135 range 2000 5000
access-list External_in permit icmp host 204.89.170.141 host 64.72.93.135 echo
access-list External_in permit gre 166.241.242.192 255.255.255.192 host 64.72.93.135
access-list External_in permit gre 166.241.240.128 255.255.255.192 host 64.72.93.135
access-list External_in permit tcp 166.241.242.192 255.255.255.192 host 64.72.93.135 eq pptp
access-list External_in permit tcp 166.241.240.128 255.255.255.192 host 64.72.93.135 eq pptp
access-list External_in permit udp 166.241.242.192 255.255.255.192 host 64.72.93.135 eq 5008
access-list External_in permit udp 166.241.240.128 255.255.255.192 host 64.72.93.135 eq 5008
access-list External_in permit gre 166.161.213.40 255.255.255.248 host 64.72.93.135
access-list External_in permit tcp 166.161.213.40 255.255.255.248 host 64.72.93.135 eq pptp
access-list External_in permit udp 166.161.213.40 255.255.255.248 host 64.72.93.135 eq 5008
access-list External_in permit udp any host 64.72.93.136 eq 110
access-list External_in permit udp any host 64.72.93.136 eq 25
access-list External_in permit tcp any host 64.72.93.136 eq smtp
access-list External_in permit tcp any host 64.72.93.136 eq pop3
access-list External_in permit icmp any host 64.72.93.136 echo
access-list Internal_out remark "Allow outbound traffic"
access-list Internal_out permit udp any any eq biff
access-list Internal_out permit tcp any any eq pop3
access-list Internal_out permit tcp any any eq smtp
access-list Internal_out permit tcp any any eq https
access-list Internal_out permit tcp any any eq www
access-list Internal_out permit tcp any any eq domain
access-list Internal_out permit udp any any eq domain
access-list Internal_out permit tcp any any eq ftp
access-list Internal_out permit tcp any any eq ftp-data
access-list Internal_out permit tcp any any eq telnet
access-list Internal_out permit icmp any any
access-list Internal_out permit tcp any any gt 1024
access-list Internal_out permit udp any any gt 1024
access-list Internal_out permit tcp any any eq 465
access-list Internal_out permit tcp any any eq 993
access-list Internal_out permit tcp any any eq 995
access-list Internal_out permit tcp any any eq imap4
access-list Internal_out permit tcp any any eq ssh
access-list Internal_out permit udp any any eq isakmp
access-list Internal_out permit udp host 64.72.93.136 any eq ntp
pager lines 24
logging timestamp
logging console emergencies
logging monitor emergencies
logging buffered emergencies
logging trap emergencies
logging history informational
logging facility 21
logging host inside 10.42.196.138
icmp permit any unreachable outside
icmp permit any echo-reply outside
icmp permit any echo outside
mtu outside 1500
mtu inside 1500
ip address outside 64.72.93.133 255.255.255.224
ip address inside 10.43.248.3 255.255.254.0
ip verify reverse-path interface outside
ip audit info action alarm drop reset
ip audit attack action alarm drop reset
pdm location 10.0.0.0 255.0.0.0 inside
pdm location 10.43.249.251 255.255.255.255 inside
pdm location 10.43.250.0 255.255.255.0 inside
pdm location 10.43.251.0 255.255.255.0 inside
pdm location 10.43.251.19 255.255.255.255 inside
pdm location 10.43.248.0 255.255.248.0 inside
pdm location 166.241.240.128 255.255.255.192 outside
pdm location 166.241.242.192 255.255.255.192 outside
pdm location 204.89.170.141 255.255.255.255 outside
pdm location 10.42.196.138 255.255.255.255 inside
pdm location 166.161.213.40 255.255.255.248 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 64.72.93.134 netmask 255.255.255.224
nat (inside) 1 10.43.248.0 255.255.248.0 0 0
static (inside,outside) 64.72.93.135 10.43.251.19 netmask 255.255.255.255 0 0
static (inside,outside) 64.72.93.136 10.43.248.11 netmask 255.255.255.255 0 0
access-group External_in in interface outside
route outside 0.0.0.0 0.0.0.0 64.72.93.129 1
route inside 10.0.0.0 255.0.0.0 10.43.248.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
ntp authenticate
ntp server 192.5.41.41 source outside
ntp server 18.72.0.3 source outside prefer
ntp server 10.42.196.1 source inside prefer
ntp server 18.26.4.105 source outside
ntp server 128.9.176.30 source outside
ntp server 129.6.15.28 source outside
http server enable
http 10.0.0.0 255.0.0.0 inside
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
access-list External_in permit tcp any host 64.72.93.136 eq smtp
static (inside,outside) 64.72.93.136 10.43.248.11 netmask 255.255.255.255 0 0

If 10.43.248.11 is your Exchange server, then your config is OK. As I previously mentioned, you should call your ISP and request an MX record mail.city.com for 64.72.93.136.
PS: access-list Internal_out is useless since traffic from higher sec interface to lower sec interface is permitted by default
Regards
0
 

Author Comment

by:eli290
The Exchange server is 10.43.248.12, the Barracuda is 10.43.248.11. The MX record is correct though: our mail.cityofpoughkeepsie.com is set to 64.72.93.136.
0
 
LVL 79

Expert Comment

by:lrmoore
>I am unable to connect to my exchange server via the outside mail address
>the exchange server is 10.43.248.12
You do not have any static xlates giving this IP and outside address, or matching access-list entry.

If mail is flowing both ways, what is the issue?

0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
Hi eli290
In this case, if you do the following:
no static (inside,outside) 64.72.93.136 10.43.248.11 netmask 255.255.255.255 0 0
static (inside,outside) 64.72.93.136 10.43.248.12 netmask 255.255.255.255 0 0

Your Exchange will work, but this will bypass the Barracuda. Your PIX config is OK, and I also checked your MX for mail.cityofpoughkeepsie.com; it is OK too. It is about your Barracuda config.

Regards
0
 

Author Comment

by:eli290
The issue is that I can't connect from outside my network. I should be able to set up a mail client anywhere to connect via POP3.
0
 

Author Comment

by:eli290
The Barracuda config appears to be correct as well. It asks what IP the Exchange is set up on and I entered that as well.

Could this be an internal DNS issue? I don't have any MX records set up in house.
0
 

Author Comment

by:eli290
That is one thing that I don't want to do; I don't want to bypass the Barracuda.
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
Hi eli290
"Could this be an internal DNS issue? I dont have any MX records in house setup"
Your internal DNS has nothing to do with MX records, since you don't host your own global DNS server.

"the issue is that i cant connect from outside my network"
I know. But the trace ends at the Barracuda.
The MX record correctly points to 64.72.93.136 > the PIX allows SMTP traffic to 64.72.93.136 and translates 64.72.93.136 to 10.43.248.11.
Now I telnet mail.cityofpoughkeepsie.com 25 and I get the following:
220 *****************************************02*20*2*************2******2****
This must be your Barracuda. That means everything outside the Barracuda works fine.
Following is the output from my mail server, the output needed for an Outlook mail client to work correctly:
telnet mail.xxx.com 25

220 yyy.xxxxx.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 ready at  Sun, 18 Nov 2007 16:57:09 +0200
I don't know how the Barracuda works at this point, i.e. how it processes the SMTP traffic.

Regards
0
 
LVL 79

Expert Comment

by:lrmoore
>access-list External_in permit tcp any host 64.72.93.136 eq pop3
You are only allowing pop3 to your Barracuda, not directly to the exchange.

static (inside,outside) tcp 64.72.93.138 pop3 10.43.248.12 pop3 netmask 255.255.255.255
access-list External_in permit tcp any host 64.72.93.138 eq pop3

0
 

Author Comment

by:eli290
lrmoore - That will allow mail to go through the Barracuda and to the exchange? Or will that bypass the barracuda?
0
 
LVL 79

Expert Comment

by:lrmoore
Inbound email will still come through the Barracuda. And you will be able to connect directly to Exchange using POP3.
0
 

Author Comment

by:eli290
Ok, we entered those lines of code and still have a problem. I still can't figure out why we can't connect. Also, what line of code do I need to enter in order for us to connect to our webmail? I know it is port 443.
0
 
LVL 79

Expert Comment

by:lrmoore
static (inside,outside) tcp 64.72.93.138 https 10.43.248.12 https netmask 255.255.255.255
access-list External_in permit tcp any host 64.72.93.138 eq https

Enter those and then post a complete "new" config
0
 

Author Comment

by:eli290
Ok, we are having all sorts of issues now. Well, the main one is this: our Barracuda has stopped working. I am able to access it but it isn't scanning any mail. Here is my current config. The mail server is 10.43.248.12 and the Barracuda is 10.43.248.11.

fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list External_in remark "External packets allowed in"
access-list External_in permit icmp any any echo-reply
access-list External_in permit icmp any any source-quench
access-list External_in permit icmp any any unreachable
access-list External_in permit icmp any any time-exceeded
access-list External_in permit tcp host 204.89.170.141 host 64.72.93.135 eq ftp
access-list External_in permit tcp host 204.89.170.141 host 64.72.93.135 range 2000 5000
access-list External_in permit icmp host 204.89.170.141 host 64.72.93.135 echo
access-list External_in permit gre 166.241.242.192 255.255.255.192 host 64.72.93.135
access-list External_in permit gre 166.241.240.128 255.255.255.192 host 64.72.93.135
access-list External_in permit tcp 166.241.242.192 255.255.255.192 host 64.72.93.135 eq pptp
access-list External_in permit tcp 166.241.240.128 255.255.255.192 host 64.72.93.135 eq pptp
access-list External_in permit udp 166.241.242.192 255.255.255.192 host 64.72.93.135 eq 5008
access-list External_in permit udp 166.241.240.128 255.255.255.192 host 64.72.93.135 eq 5008
access-list External_in permit gre 166.161.213.40 255.255.255.248 host 64.72.93.135
access-list External_in permit tcp 166.161.213.40 255.255.255.248 host 64.72.93.135 eq pptp
access-list External_in permit udp 166.161.213.40 255.255.255.248 host 64.72.93.135 eq 5008
access-list External_in permit udp any host 64.72.93.136 eq 110
access-list External_in permit udp any host 64.72.93.136 eq 25
access-list External_in permit tcp any host 64.72.93.136 eq smtp
access-list External_in permit tcp any host 64.72.93.136 eq pop3
access-list External_in permit icmp any host 64.72.93.136 echo
access-list Internal_out remark "Allow outbound traffic"
access-list Internal_out permit udp any any eq biff
access-list Internal_out permit tcp any any eq pop3
access-list Internal_out permit tcp any any eq smtp
access-list Internal_out permit tcp any any eq https
access-list Internal_out permit tcp any any eq www
access-list Internal_out permit tcp any any eq domain
access-list Internal_out permit udp any any eq domain
access-list Internal_out permit tcp any any eq ftp
access-list Internal_out permit tcp any any eq ftp-data
access-list Internal_out permit tcp any any eq telnet
access-list Internal_out permit icmp any any
access-list Internal_out permit tcp any any gt 1024
access-list Internal_out permit udp any any gt 1024
access-list Internal_out permit tcp any any eq 465
access-list Internal_out permit tcp any any eq 993
access-list Internal_out permit tcp any any eq 995
access-list Internal_out permit tcp any any eq imap4
access-list Internal_out permit tcp any any eq ssh
access-list Internal_out permit udp any any eq isakmp
access-list Internal_out permit udp host 64.72.93.136 any eq ntp
pager lines 24
logging timestamp
logging console emergencies
logging monitor emergencies
logging buffered emergencies
logging trap emergencies
logging history informational
logging facility 21
logging host inside 10.42.196.138
icmp permit any unreachable outside
icmp permit any echo-reply outside
icmp permit any echo outside
mtu outside 1500
mtu inside 1500
ip address outside 64.72.93.133 255.255.255.224
ip address inside 10.43.248.3 255.255.254.0
ip verify reverse-path interface outside
ip audit info action alarm drop reset
ip audit attack action alarm drop reset
pdm location 10.0.0.0 255.0.0.0 inside
pdm location 10.43.249.251 255.255.255.255 inside
pdm location 10.43.250.0 255.255.255.0 inside
pdm location 10.43.251.0 255.255.255.0 inside
pdm location 10.43.251.19 255.255.255.255 inside
pdm location 10.43.248.0 255.255.248.0 inside
pdm location 166.241.240.128 255.255.255.192 outside
pdm location 166.241.242.192 255.255.255.192 outside
pdm location 204.89.170.141 255.255.255.255 outside
pdm location 10.42.196.138 255.255.255.255 inside
pdm location 166.161.213.40 255.255.255.248 outside
pdm location 10.43.248.11 255.255.255.255 inside
pdm location 10.43.248.12 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 64.72.93.134 netmask 255.255.255.224
nat (inside) 1 10.43.248.0 255.255.248.0 0 0
static (inside,outside) tcp 64.72.93.136 pop3 10.43.248.12 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp 64.72.93.136 smtp 10.43.248.12 smtp netmask 255.255.255.255 0 0
static (inside,outside) 64.72.93.135 10.43.251.19 netmask 255.255.255.255 0 0
access-group External_in in interface outside
route outside 0.0.0.0 0.0.0.0 64.72.93.129 1
route inside 10.0.0.0 255.0.0.0 10.43.248.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
ntp authenticate
ntp server 192.5.41.41 source outside
ntp server 18.72.0.3 source outside prefer
ntp server 10.42.196.1 source inside prefer
ntp server 18.26.4.105 source outside
ntp server 128.9.176.30 source outside
ntp server 129.6.15.28 source outside
http server enable
http 10.0.0.0 255.0.0.0 inside
floodguard enable
telnet 10.0.0.0 255.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
management-access inside
console timeout 30
0
 
LVL 79

Expert Comment

by:lrmoore
You don't want inbound smtp going to Exchange, but rather to Barracuda..

no static (inside,outside) tcp 64.72.93.136 smtp 10.43.248.12 smtp netmask 255.255.255.255 0 0
clear xlate
static (inside,outside) tcp 64.72.93.136 smtp 10.43.248.11 smtp netmask 255.255.255.255 0 0

Everything else can stay the same.
0
 

Author Comment

by:eli290
So I should replace

static (inside,outside) tcp 64.72.93.136 pop3 10.43.248.12 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp 64.72.93.136 smtp 10.43.248.12 smtp netmask 255.255.255.255 0 0

with
no static (inside,outside) tcp 64.72.93.136 smtp 10.43.248.12 smtp netmask 255.255.255.255 0 0
clear xlate
static (inside,outside) tcp 64.72.93.136 smtp 10.43.248.11 smtp netmask 255.255.255.255 0 0
0
 
LVL 79

Accepted Solution

by:lrmoore (earned 500 total points)
Keep the pop3 entry, change only the smtp entry

It will look like this in the end, with pop3 directed to Exchange and smtp directed to the Barracuda:

static (inside,outside) tcp 64.72.93.136 pop3 10.43.248.12 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp 64.72.93.136 smtp 10.43.248.11 smtp netmask 255.255.255.255 0 0
0
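The whole thread comes down to one check: for each inbound ACL permit, which static translation (if any) actually delivers the flow, and to which inside host. The script below is an added example, not code from the thread or from Cisco; it parses a constructed excerpt of the final posted config (the `FINAL_CONFIG` string, the `PORT_NAMES` table and the function names are assumptions of mine) and reports where each permitted inbound service lands, flagging permits that match no static at all (such as the `udp ... eq 25` and `udp ... eq 110` entries, which never reach a host).

```python
import re

# Constructed excerpt of the final PIX 6.x config posted in the thread (inbound ACL + statics).
FINAL_CONFIG = """
access-list External_in permit udp any host 64.72.93.136 eq 110
access-list External_in permit udp any host 64.72.93.136 eq 25
access-list External_in permit tcp any host 64.72.93.136 eq smtp
access-list External_in permit tcp any host 64.72.93.136 eq pop3
access-list External_in permit tcp host 204.89.170.141 host 64.72.93.135 eq ftp
static (inside,outside) tcp 64.72.93.136 pop3 10.43.248.12 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp 64.72.93.136 smtp 10.43.248.11 smtp netmask 255.255.255.255 0 0
static (inside,outside) 64.72.93.135 10.43.251.19 netmask 255.255.255.255 0 0
"""

# PIX accepts service names or numbers; map the names that appear in the thread (assumed table).
PORT_NAMES = {"smtp": 25, "pop3": 110, "https": 443, "ftp": 21, "www": 80}

# Inbound permit to one destination host and an 'eq' port; source is any / host X / net mask.
ACL_RE = re.compile(
    r"^access-list\s+\S+\s+permit\s+(tcp|udp)\s+"
    r"(?:any|host\s+\S+|\S+\s+\S+)\s+host\s+(\S+)\s+eq\s+(\S+)$")
# static (inside,outside) tcp OUTSIDE_IP OUT_PORT INSIDE_IP IN_PORT netmask ...
PORT_STATIC_RE = re.compile(
    r"^static\s+\(inside,outside\)\s+(tcp|udp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+netmask")
# static (inside,outside) OUTSIDE_IP INSIDE_IP netmask ...  (one-to-one, all protocols)
FULL_STATIC_RE = re.compile(
    r"^static\s+\(inside,outside\)\s+(\d[\d.]*)\s+(\d[\d.]*)\s+netmask")


def to_port(token):
    # Service name or number -> port number (None if the name is unknown).
    return int(token) if token.isdigit() else PORT_NAMES.get(token)


def parse_statics(config):
    """Return ({(proto, outside_ip, port): inside_ip}, {outside_ip: inside_ip})."""
    port_statics, full_statics = {}, {}
    for line in config.splitlines():
        m = PORT_STATIC_RE.match(line.strip())
        if m:
            proto, out_ip, out_port, in_ip, _in_port = m.groups()
            port_statics[(proto, out_ip, to_port(out_port))] = in_ip
            continue
        m = FULL_STATIC_RE.match(line.strip())
        if m:
            full_statics[m.group(1)] = m.group(2)
    return port_statics, full_statics


def audit_inbound(config):
    """For each inbound permit, resolve the inside host the PIX would deliver it to:
    a port static wins, then a one-to-one static. None means the ACL permits a flow
    with no translation at all (a dead rule, e.g. the 'udp ... eq 25' entries).
    Returns a list of (proto, outside_ip, port, inside_ip_or_None)."""
    port_statics, full_statics = parse_statics(config)
    findings = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            proto, out_ip, svc = m.groups()
            port = to_port(svc)
            inside = port_statics.get((proto, out_ip, port)) or full_statics.get(out_ip)
            findings.append((proto, out_ip, port, inside))
    return findings


if __name__ == "__main__":
    for proto, out_ip, port, inside in audit_inbound(FINAL_CONFIG):
        print(f"{proto}/{port} -> {out_ip} -> {inside or 'NO TRANSLATION (dead rule)'}")
```

Run against the earlier config (one-to-one static 64.72.93.136 -> 10.43.248.11) the same function shows pop3 landing on the Barracuda, which is exactly the mismatch lrmoore pointed out.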
 

Author Comment

by:eli290
Trying it...
0
 

Author Comment

by:eli290
Awesome, that worked.
0
 

Author Closing Comment

by:eli290
Thanks for your help, it worked great!!
0
