Wilf (ASKER)
Access e-mail behind a Cisco Pix 501 appliance

The network consists of a server running Windows 2000 Server that also hosts Merak 8.1 mail server. One can VPN in and use Remote Desktop on any workstation. The e-mail sends fine, and all accounts can be accessed behind the PIX 501 [inside of network]. The mail server can be pinged from the outside, and the static IP of the PIX 501 outside interface responds. When an attempt is made to retrieve mail from outside, the server is not found. Should there be a statement to allow POP3 access to the server? If so, how would it be added?
sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit tcp any host 24.109.136.247 eq pptp
access-list outside_access_in permit gre any host 24.109.136.247
access-list outside_access_in permit tcp any host 24.109.136.247 eq smtp
access-list 100 permit icmp any any
access-list outside_in permit gre any host 24.109.136.247
access-list outside_in permit tcp any host 24.109.136.247 eq pptp
pager lines 24
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside 24.109.136.247 255.255.254.0
ip address inside 192.168.99.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.99.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface pptp 192.168.99.250 pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.99.250 smtp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 24.109.136.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.99.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.99.2-192.168.99.129 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:06244c87aa015e97648956d0c4fbe096
: end

pixfirewall#


batry_boy

Yes, if your external e-mail clients are using POP3 as their mail download protocol, then you will need to open up POP3 for the public translated address of your internal e-mail server.  Here's how:

static (inside,outside) tcp interface pop3 192.168.99.250 pop3 netmask 255.255.255.255
access-list outside_access_in permit tcp any interface outside eq pop3

When using port forwarding with a single public IP address attached to the outside interface, you really should use the syntax I gave above in your access list statements, i.e. "interface outside" instead of "host <outside_ip_address>", but as I always say, if it's not broken, don't fix it!

Give those commands a try and see if that helps...
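The answer above makes the point that exposing an inside service on a single-public-IP PIX takes two matching lines: a `static` translation and a permit in the access-list bound to the outside interface, and that the ACL may reference the outside address either as `host <outside_ip>` or as `interface outside`. The following checker is an added example, not code from the thread or from Cisco; it parses a constructed excerpt of the running config posted above, accepts both ACL spellings, and reports any TCP service that has a `static` without a permit or a permit without a `static`. The config excerpt, the `check_forwarding` and `report` names, and the split of batry_boy's two lines into `POP3_STATIC` and `POP3_ACL` are all assumptions made for the example.

```python
"""Consistency check for PIX 6.3 inbound port forwarding.

For a single-public-IP PIX, exposing an inside service needs two things:
a 'static (inside,outside) tcp ...' translation and a permit line in the
access-list applied inbound on the outside interface. This hypothetical
checker (not a Cisco tool) reports services that have one without the other.
"""
import re

# Constructed excerpt of the running config posted in the thread (not a live device).
SAMPLE_CONFIG = """\
access-list outside_access_in permit tcp any host 24.109.136.247 eq pptp
access-list outside_access_in permit gre any host 24.109.136.247
access-list outside_access_in permit tcp any host 24.109.136.247 eq smtp
access-list 100 permit icmp any any
access-list outside_in permit tcp any host 24.109.136.247 eq pptp
ip address outside 24.109.136.247 255.255.254.0
static (inside,outside) tcp interface pptp 192.168.99.250 pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.99.250 smtp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
"""

# The two lines from batry_boy's answer, kept separate so each half can be tested alone.
POP3_STATIC = "static (inside,outside) tcp interface pop3 192.168.99.250 pop3 netmask 255.255.255.255\n"
POP3_ACL = "access-list outside_access_in permit tcp any interface outside eq pop3\n"

STATIC_RE = re.compile(
    r"^static \(inside,outside\) tcp (?P<out>\S+) (?P<oport>\S+) (?P<inside>\S+) (?P<iport>\S+)"
)
# Matches both ACL spellings: 'host <outside_ip>' and 'interface outside'.
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) permit tcp any (?:host (?P<host>\S+)|interface outside) eq (?P<port>\S+)"
)
OUTSIDE_IP_RE = re.compile(r"^ip address outside (?P<ip>\S+)")
ACCESS_GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface outside")


def check_forwarding(config):
    """Return (missing_acl, missing_static), each a sorted list of TCP port names.

    missing_acl    : ports translated by a static but never permitted inbound
    missing_static : ports permitted inbound but with no static to an inside host
    """
    outside_ip = None
    outside_acl = None
    statics = {}        # outside port name -> (outside address token, inside host)
    acl_entries = {}    # acl name -> list of (host or None, port)

    for raw in config.splitlines():
        line = raw.strip()
        m = OUTSIDE_IP_RE.match(line)
        if m:
            outside_ip = m.group("ip")
            continue
        m = ACCESS_GROUP_RE.match(line)
        if m:
            outside_acl = m.group("name")
            continue
        m = STATIC_RE.match(line)
        if m:
            statics[m.group("oport")] = (m.group("out"), m.group("inside"))
            continue
        m = ACL_RE.match(line)
        if m:
            acl_entries.setdefault(m.group("name"), []).append((m.group("host"), m.group("port")))

    # Filtering happens after the loop because 'ip address outside' may appear
    # after the access-list lines in a PIX running config.
    translated = {
        port for port, (out, _) in statics.items()
        if out == "interface" or out == outside_ip
    }
    # Only entries in the ACL actually bound to the outside interface count, and only
    # when they target the outside address (by IP or by 'interface outside').
    permitted = {
        port for host, port in acl_entries.get(outside_acl, [])
        if host is None or host == outside_ip
    }
    missing_acl = sorted(p for p in translated if p not in permitted)
    missing_static = sorted(p for p in permitted if p not in translated)
    return missing_acl, missing_static


def report(config, label):
    """Print a one-line summary; return True when static and ACL entries agree."""
    missing_acl, missing_static = check_forwarding(config)
    print(f"[{label}] static without permit: {missing_acl or 'none'}; "
          f"permit without static: {missing_static or 'none'}")
    return not missing_acl and not missing_static


if __name__ == "__main__":
    report(SAMPLE_CONFIG, "as posted")                          # pptp/smtp consistent, pop3 absent
    report(SAMPLE_CONFIG + POP3_STATIC, "static only")          # pop3 translated but blocked by the ACL
    report(SAMPLE_CONFIG + POP3_ACL, "permit only")             # pop3 permitted but has no translation
    report(SAMPLE_CONFIG + POP3_STATIC + POP3_ACL, "both lines")
```

Run against the posted config, the checker is silent on pptp and smtp and says nothing about pop3, which is exactly the asker's situation: the service is neither translated nor permitted, so the outside client never reaches 192.168.99.250. Adding only one of the two lines produces a finding in one direction or the other; adding both clears it. The unbound `outside_in` ACL is deliberately ignored, since only the list named in `access-group ... in interface outside` affects traffic.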
Wilf (ASKER)

One more question - how do I edit the run file? I can access the console and enter enable to get to the area where I can issue the sh run commands, etc. I think I have to edit the run and then copy it to the start. Could you provide the commands to complete the edit? It has been a while since I was assisted with the original setup.

Thanks
ASKER CERTIFIED SOLUTION
batry_boy

Wilf (ASKER)

Thanks for your prompt response. It works perfectly.