Solved

Access e-mail behind a Cisco Pix 501 appliance

Posted on 2007-12-06
Last Modified: 2013-12-04
The network consists of a server running Windows 2000 Server that also hosts Merak 8.1 mail server. One can VPN in and use remote desktop on any workstation. The e-mail sends fine, and all accounts can be accessed behind the Pix 501 [inside of network]. The mail server can be pinged from the outside and the static IP of the PIX 501 outside responds. When the mail is attempted to be retrieved from outside the server, the server is not found. Should there be a statement to allow POP3 access to the server? If so, how would it be added?
sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit tcp any host 24.109.136.247 eq pptp
access-list outside_access_in permit gre any host 24.109.136.247
access-list outside_access_in permit tcp any host 24.109.136.247 eq smtp
access-list 100 permit icmp any any
access-list outside_in permit gre any host 24.109.136.247
access-list outside_in permit tcp any host 24.109.136.247 eq pptp
pager lines 24
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside 24.109.136.247 255.255.254.0
ip address inside 192.168.99.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.99.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface pptp 192.168.99.250 pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.99.250 smtp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 24.109.136.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.99.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.99.2-192.168.99.129 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:06244c87aa015e97648956d0c4fbe096
: end
pixfirewall#

Question by:wilf_thorburn
4 Comments
 
LVL 28

Expert Comment

by:batry_boy
Yes, if your external e-mail clients are using POP3 as their mail download protocol, then you will need to open up POP3 for the public translated address of your internal e-mail server.  Here's how:

static (inside,outside) tcp interface pop3 192.168.99.250 pop3 netmask 255.255.255.255
access-list outside_access_in permit tcp any interface outside eq pop3

When using port forwarding with a single public IP address attached to the outside interface, you really should use the syntax I gave above in your access list statements, i.e. "interface outside" instead of "host <outside_ip_address>", but as I always say, if it's not broken, don't fix it!

Give those commands a try and see if that helps...
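The point of the answer above is that on a PIX, exposing a TCP service on the single outside address takes two halves that must agree: a static port-forward and a permit in the access-list that is actually bound to the outside interface with access-group. The following is an added example, not part of the thread or Cisco's tooling, that reads a PIX 6.3 "show run" in the shape of the one in the question (a constructed, trimmed copy is embedded), reports which forwarded services are reachable, which half is missing, and which access-lists are defined but bound to nothing (the question's config has two such: outside_in and 100), and emits the config-mode lines still needed for a service in the "interface outside" form the expert recommends. Only the "static ... tcp interface <port>" and "access-list ... permit tcp any ... eq <port>" forms are parsed; the function and variable names are this example's own.

```python
"""Audit a PIX 6.3 'show run' for TCP port-forwards and the ACL permits that go with them."""
import re

# Constructed sample: the lines from the question's config that decide outside reachability.
SAMPLE_CONFIG = """\
access-list outside_access_in permit tcp any host 24.109.136.247 eq pptp
access-list outside_access_in permit gre any host 24.109.136.247
access-list outside_access_in permit tcp any host 24.109.136.247 eq smtp
access-list 100 permit icmp any any
access-list outside_in permit gre any host 24.109.136.247
access-list outside_in permit tcp any host 24.109.136.247 eq pptp
ip address outside 24.109.136.247 255.255.254.0
static (inside,outside) tcp interface pptp 192.168.99.250 pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.99.250 smtp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
"""

# Only the port-forward-on-the-outside-address form of 'static' is handled here.
STATIC_RE = re.compile(r"^static \(inside,outside\) tcp interface (\S+) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) permit tcp any (interface outside|host \S+) eq (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside")
OUTSIDE_IP_RE = re.compile(r"^ip address outside (\S+)")


def parse_config(config):
    """Collect port-forwards, TCP permits per ACL, all ACL names, the bound ACL and the outside IP."""
    statics = {}       # public port -> internal host
    permits = {}       # acl name -> list of (destination, port)
    acl_names = set()
    bound_acl = None
    outside_ip = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("access-list "):
            acl_names.add(line.split()[1])
        if m := STATIC_RE.match(line):
            public_port, internal_host, _internal_port = m.groups()
            statics[public_port] = internal_host
        elif m := ACL_RE.match(line):
            name, dest, port = m.groups()
            permits.setdefault(name, []).append((dest, port))
        elif m := GROUP_RE.match(line):
            bound_acl = m.group(1)
        elif m := OUTSIDE_IP_RE.match(line):
            outside_ip = m.group(1)
    return statics, permits, acl_names, bound_acl, outside_ip


def audit(config):
    """Report which forwarded services are reachable from outside and which half of the pair is missing."""
    statics, permits, acl_names, bound_acl, outside_ip = parse_config(config)
    # A permit counts only if it lives in the ACL applied to the outside interface and its
    # destination is the outside address, whether written 'host <ip>' or 'interface outside'.
    permitted = {port for dest, port in permits.get(bound_acl, [])
                 if dest in ("interface outside", f"host {outside_ip}")}
    return {
        "reachable": sorted(set(statics) & permitted),
        "static_without_permit": sorted(set(statics) - permitted),
        "permit_without_static": sorted(permitted - set(statics)),
        "unbound_acls": sorted(acl_names - {bound_acl}),
    }


def commands_to_expose(config, service, internal_host):
    """Config-mode lines still needed before `service` answers on the outside address (empty if done)."""
    report = audit(config)
    has_static = service in report["reachable"] or service in report["static_without_permit"]
    has_permit = service in report["reachable"] or service in report["permit_without_static"]
    _, _, _, bound_acl, _ = parse_config(config)
    # If no ACL is bound yet, pick a name; an access-group line would then also be required.
    acl = bound_acl or "outside_access_in"
    lines = []
    if not has_static:
        lines.append(f"static (inside,outside) tcp interface {service} {internal_host} {service} "
                     "netmask 255.255.255.255")
    if not has_permit:
        lines.append(f"access-list {acl} permit tcp any interface outside eq {service}")
    return lines


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
    for cmd in commands_to_expose(SAMPLE_CONFIG, "pop3", "192.168.99.250"):
        print(cmd)
```

Run against the sample, the audit shows pptp and smtp reachable and nothing for pop3, so commands_to_expose returns exactly the two lines the expert gave, ready to be pasted in after "conf t". Feeding the config back in with only the static line appended makes pop3 show up under static_without_permit, which is the half-applied state that produces "server not found" from outside even though the translation exists.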
 

Author Comment

by:wilf_thorburn
One more question - how do I edit the run file? I can access the console, enter enable to get to the area where I can issue the sh run commands, etc. I think I have to edit the run and then copy it to the start. Could you provide the commands to complete the edit? It has been a while since I was assisted with the original set up.

thanks
 
LVL 28

Accepted Solution

by:batry_boy (earned 500 total points)
Sure, no problem.

Once you're in enable mode, issue the command:

conf t

to enter configuration mode.  Your prompt will change from:

pixfirewall#

to

pixfirewall(config)#

Once you're in configuration mode, you can enter the commands from my previous post.  To save the running configuration to the startup configuration (as you alluded to in your post), type in the following command:

wr mem

Good luck!
 

Author Closing Comment

by:wilf_thorburn
Thanks for your prompt response. It works perfectly.
