Wilf
asked on
Access e-mail behind a Cisco Pix 501 appliance
The network consists of a server running Windows 2000 server that also hosts Merak 8.1 mail server. One can VPN in and use remote desktop on any work station. The e-amil sends fine, and all accounts can be accessed behind the Pix 501 [inside of network]. The mail server can be ping from the outside and the static IP of the PIX501 outside responds. When the mail is attempted to be retreived from outside the server, the server is not found. Should there be a statement to allow POP3 access to the server? If so, how would it be added?
sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
<--- More --->
fixup protocol tftp 69
names
access-list outside_access_in permit tcp any host 24.109.136.247 eq pptp
access-list outside_access_in permit gre any host 24.109.136.247
access-list outside_access_in permit tcp any host 24.109.136.247 eq smtp
access-list 100 permit icmp any any
access-list outside_in permit gre any host 24.109.136.247
access-list outside_in permit tcp any host 24.109.136.247 eq pptp
pager lines 24
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside 24.109.136.247 255.255.254.0
ip address inside 192.168.99.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.99.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface pptp 192.168.99.250 pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.99.250 smtp netmask 255.255.255.255 0 0
<--- More --->
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 24.109.136.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.99.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
<--- More --->
console timeout 0
dhcpd address 192.168.99.2-192.168.99.129 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:06244c87aa015e97648956d0c4fbe096
: end
pixfirewall#
ASKER
One more question - how do I edit the run file? I can access the console, enter enable to get to the area that I can issue the sh run commands, etc. I think I have to edit the run and then copy it to the start. Could you provide the commands to complete the edit. It has been a while since I was assisted with the original set up.
thanks
thanks
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks for your prompt responce. It works perfect.
static (inside,outside) tcp interface pop3 192.168.99.250 pop3 netmask 255.255.255.255
access-list outside_access_in permit tcp any interface outside eq pop3
When using port forwarding with a single public IP address attached to the outside interface, you really should use the syntax I gave above in your access list statements, i.e. "interface outside" instead of "host <outside_ip_address>", but as I always say, if it's not broken, don't fix it!
Give those commands a try and see if that helps...