Solved

Access e-mail behind a Cisco Pix 501 appliance

Posted on 2007-12-06
Medium Priority
201 Views
Last Modified: 2013-12-04
The network consists of a server running Windows 2000 server that also hosts Merak 8.1 mail server.  One can VPN in and use remote desktop on any work station.  The e-mail sends fine, and all accounts can be accessed behind the Pix 501 [inside of network].  The mail server can be pinged from the outside and the static IP of the PIX501 outside responds.  When the mail is attempted to be retrieved from outside the server, the server is not found.  Should there be a statement to allow POP3 access to the server?  If so, how would it be added?

sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit tcp any host 24.109.136.247 eq pptp
access-list outside_access_in permit gre any host 24.109.136.247
access-list outside_access_in permit tcp any host 24.109.136.247 eq smtp
access-list 100 permit icmp any any
access-list outside_in permit gre any host 24.109.136.247
access-list outside_in permit tcp any host 24.109.136.247 eq pptp
pager lines 24
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside 24.109.136.247 255.255.254.0
ip address inside 192.168.99.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.99.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface pptp 192.168.99.250 pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.99.250 smtp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 24.109.136.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.99.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.99.2-192.168.99.129 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:06244c87aa015e97648956d0c4fbe096
: end

pixfirewall#

Question by:wilf_thorburn
4 Comments
 
LVL 28

Expert Comment

by:batry_boy
ID: 20425347
Yes, if your external e-mail clients are using POP3 as their mail download protocol, then you will need to open up POP3 for the public translated address of your internal e-mail server.  Here's how:

static (inside,outside) tcp interface pop3 192.168.99.250 pop3 netmask 255.255.255.255
access-list outside_access_in permit tcp any interface outside eq pop3

When using port forwarding with a single public IP address attached to the outside interface, you really should use the syntax I gave above in your access list statements, i.e. "interface outside" instead of "host <outside_ip_address>", but as I always say, if it's not broken, don't fix it!

Give those commands a try and see if that helps...
0
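The answer's point, that an inbound service needs both a `static` port forward and a permit in the ACL bound to the outside interface, can be checked against a saved config. This is an added example, not code from the original thread; the function names are hypothetical, and the sample config is an excerpt of the `sh run` output in the question.

```python
import re

# Excerpt of the running config posted in the question (PIX 6.3 syntax).
CONFIG = """\
access-list outside_access_in permit tcp any host 24.109.136.247 eq pptp
access-list outside_access_in permit gre any host 24.109.136.247
access-list outside_access_in permit tcp any host 24.109.136.247 eq smtp
access-list 100 permit icmp any any
access-list outside_in permit gre any host 24.109.136.247
access-list outside_in permit tcp any host 24.109.136.247 eq pptp
ip address outside 24.109.136.247 255.255.254.0
static (inside,outside) tcp interface pptp 192.168.99.250 pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.99.250 smtp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
"""

# The two commands from the answer above.
POP3_FIX = """\
static (inside,outside) tcp interface pop3 192.168.99.250 pop3 netmask 255.255.255.255
access-list outside_access_in permit tcp any interface outside eq pop3
"""

def _lines(config):
    return [l.strip() for l in config.splitlines() if l.strip()]

def bound_acls(config, iface="outside"):
    """ACL names applied inbound on iface by an access-group statement."""
    pat = re.compile(rf"access-group (\S+) in interface {iface}$")
    return {m.group(1) for l in _lines(config) if (m := pat.match(l))}

def inbound_status(config, service, iface="outside"):
    """Return (has_static, has_permit) for a TCP service forwarded from iface."""
    lines, bound = _lines(config), bound_acls(config, iface)
    ip = next((m.group(1) for l in lines
               if (m := re.match(rf"ip address {iface} (\S+)", l))), None)
    static = any(re.match(rf"static \(inside,{iface}\) tcp interface {service} ", l)
                 for l in lines)
    dests = {f"host {ip}", f"interface {iface}"}  # both ACL destination forms
    acl = re.compile(r"access-list (\S+) permit tcp any (host \S+|interface \S+) eq (\S+)$")
    permit = any(m.group(1) in bound and m.group(2) in dests and m.group(3) == service
                 for l in lines if (m := acl.match(l)))
    return static, permit

def unbound_acls(config):
    """ACLs that are defined but never applied to any interface."""
    lines = _lines(config)
    defined = {m.group(1) for l in lines if (m := re.match(r"access-list (\S+) ", l))}
    applied = {m.group(1) for l in lines if (m := re.match(r"access-group (\S+) ", l))}
    return sorted(defined - applied)
```

On the posted config, `unbound_acls` also reports that `100` and `outside_in` are never applied with `access-group`, so their entries have no effect on traffic.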
 

Author Comment

by:wilf_thorburn
ID: 20425462
One more question - how do I edit the run file?  I can access the console, enter enable to get to the area that I can issue the sh run commands, etc.  I think I have to edit the run and then copy it to the start.  Could you provide the commands to complete the edit.  It has been a while since I was assisted with the original set up.

thanks
0
 
LVL 28

Accepted Solution

by:
batry_boy earned 2000 total points
ID: 20425482
Sure, no problem.

Once you're in enable mode, issue the command:

conf t

to enter configuration mode.  Your prompt will change from:

pixfirewall#

to

pixfirewall(config)#

Once you're in configuration mode, you can enter the commands from my previous post.  To save the running configuration to the startup configuration (as you alluded to in your post), type in the following command:

wr mem

Good luck!
0
 

Author Closing Comment

by:wilf_thorburn
ID: 31413333
Thanks for your prompt response.  It works perfectly.
0

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article lists the top 5 free OST to PST Converter Tools. These tools save a lot of time for users when they want to convert OST to PST after their exchange server is no longer available or some other critical issue with exchange server or impor…
As managed cloud service providers, we often get asked to intervene when cloud deployments go awry. Attracted by apparent ease-of-use, flexibility and low computing costs, companies quickly adopt leading public cloud platforms such as Amazon Web Ser…
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…
CodeTwo Sync for iCloud (http://www.codetwo.com/sync-for-icloud?sts=6554) automatically synchronizes your Outlook 2016, 2013, 2010 or 2007 folders with iCloud folders available via iCloud Control Panel. This lets you automatically sync them with…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question