Solved

Access e-mail behind a Cisco Pix 501 appliance

Posted on 2007-12-06
196 Views
Last Modified: 2013-12-04
The network consists of a server running Windows 2000 Server that also hosts Merak 8.1 mail server.  One can VPN in and use remote desktop on any workstation.  The e-mail sends fine, and all accounts can be accessed behind the Pix 501 [inside of network].  The mail server can be pinged from the outside and the static IP of the PIX 501 outside responds.  When the mail is attempted to be retrieved from outside the server, the server is not found.  Should there be a statement to allow POP3 access to the server?  If so, how would it be added?
sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit tcp any host 24.109.136.247 eq pptp
access-list outside_access_in permit gre any host 24.109.136.247
access-list outside_access_in permit tcp any host 24.109.136.247 eq smtp
access-list 100 permit icmp any any
access-list outside_in permit gre any host 24.109.136.247
access-list outside_in permit tcp any host 24.109.136.247 eq pptp
pager lines 24
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside 24.109.136.247 255.255.254.0
ip address inside 192.168.99.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.99.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface pptp 192.168.99.250 pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.99.250 smtp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 24.109.136.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.99.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.99.2-192.168.99.129 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:06244c87aa015e97648956d0c4fbe096
: end

pixfirewall#

Question by: wilf_thorburn

4 Comments
 
LVL 28

Expert Comment

by:batry_boy
ID: 20425347
Yes, if your external e-mail clients are using POP3 as their mail download protocol, then you will need to open up POP3 for the public translated address of your internal e-mail server.  Here's how:

static (inside,outside) tcp interface pop3 192.168.99.250 pop3 netmask 255.255.255.255
access-list outside_access_in permit tcp any interface outside eq pop3

When using port forwarding with a single public IP address attached to the outside interface, you really should use the syntax I gave above in your access list statements, i.e. "interface outside" instead of "host <outside_ip_address>", but as I always say, if it's not broken, don't fix it!

Give those commands a try and see if that helps...
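The answer above turns on one rule: on this PIX, an inbound port forward needs both a `static` translation and a matching `permit` in the ACL that is actually bound with `access-group`. The following is an added audit helper (my code, not from the thread or from Cisco) that parses a constructed excerpt of the pasted `sh run`, flags statics that lack a permit in the applied ACL, lists ACLs that are defined but never applied (`100` and `outside_in` in the dump), and calls out the two management settings in the dump that a defender would tighten (SSH open from any outside source, SNMP community `public`).

```python
import re
from collections import defaultdict

# Constructed excerpt of the PIX 6.3 "sh run" pasted in the question above.
PIX_CONFIG = """
access-list outside_access_in permit tcp any host 24.109.136.247 eq pptp
access-list outside_access_in permit gre any host 24.109.136.247
access-list outside_access_in permit tcp any host 24.109.136.247 eq smtp
access-list 100 permit icmp any any
access-list outside_in permit gre any host 24.109.136.247
access-list outside_in permit tcp any host 24.109.136.247 eq pptp
static (inside,outside) tcp interface pptp 192.168.99.250 pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.99.250 smtp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
ssh 0.0.0.0 0.0.0.0 outside
snmp-server community public
"""

# Only the PIX 6.3 command shapes that appear in the dump and in the answer are parsed.
STATIC_RE = re.compile(r"^static \(inside,outside\) tcp interface (\S+) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"^access-list (\S+) permit (\S+) (\S+) (?:host \S+|interface outside|any)(?: eq (\S+))?")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside")

def audit(config):
    """Return a list of human-readable findings for a PIX 6.3 running config."""
    statics, acl_ports, acls, applied, findings = [], defaultdict(set), set(), None, []
    for line in config.strip().splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            statics.append((m.group(1), m.group(2)))      # (outside port, inside host)
        elif m := ACL_RE.match(line):
            acls.add(m.group(1))
            if m.group(2) == "tcp" and m.group(4):
                acl_ports[m.group(1)].add(m.group(4))       # tcp ports permitted per ACL
        elif m := GROUP_RE.match(line):
            applied = m.group(1)                           # the only ACL that filters inbound
        elif line.startswith("ssh 0.0.0.0 0.0.0.0 outside"):
            findings.append("ssh: management SSH permitted from any source on outside")
        elif line.startswith("snmp-server community public"):
            findings.append("snmp: default community string 'public' configured")
    for port, host in statics:
        if port not in acl_ports.get(applied, set()):
            findings.append(f"static {port}->{host}: no permit in applied ACL {applied}")
    for name in sorted(acls - {applied}):
        findings.append(f"acl {name}: defined but not applied to any interface")
    return findings

if __name__ == "__main__":
    for finding in audit(PIX_CONFIG):
        print(finding)
```

Appending only the `static ... pop3 ...` line from the answer produces a "no permit in applied ACL" finding; appending the matching `access-list outside_access_in ... eq pop3` line clears it.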
 

Author Comment

by:wilf_thorburn
ID: 20425462
One more question - how do I edit the run file?  I can access the console and enter enable to get to the area where I can issue the sh run commands, etc.  I think I have to edit the run and then copy it to the start.  Could you provide the commands to complete the edit?  It has been a while since I was assisted with the original set up.

thanks
 
LVL 28

Accepted Solution

by: batry_boy (earned 500 total points)
ID: 20425482
Sure, no problem.

Once you're in enable mode, issue the command:

conf t

to enter configuration mode.  Your prompt will change from:

pixfirewall#

to

pixfirewall(config)#

Once you're in configuration mode, you can enter the commands from my previous post.  To save the running configuration to the startup configuration (as you alluded to in your post), type in the following command:

wr mem

Good luck!
 

Author Closing Comment

by:wilf_thorburn
ID: 31413333
Thanks for your prompt response.  It works perfectly.