Access list to allow smtp inbound on pix 501 to exchange server

I have a PIX 501, I can access the internet, I can send mail through Exchange outbound, I am using the command line.
If I paste a config, can someone point out to me what is stopping inbound SMTP?
If I pasted the below access list into the running config, would this allow access in? The setup is a Linksys router, then the PIX firewall, the PIX receiving DHCP from the router. DHCP enabled on the inside for hosts, Exchange server on the inside LAN with the hosts. 192.168.0.0/24 LAN, 192.168.1.0/24 router/PIX. Wonder if the Linksys is causing problems? Naa..?
Exchange server 192.168.0.5

name 192.168.0.5 (changed)
access-list inbound permit tcp any interface outside eq 25
access-list inbound permit tcp any interface outside eq 443
access-list inbound permit tcp any interface outside eq 444
access-list inbound permit tcp any interface outside eq 1723
access-list inbound permit tcp any interface outside eq 4125
access-list inbound permit icmp any any echo-reply
access-list inbound permit icmp any any traceroute
access-list inbound permit icmp any any time-exceeded
static (inside,outside) tcp interface 25 (changed) 25 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 443 (changed) 443 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 444 (changed) 444 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1723 (changed) 1723 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4125 (changed) 4125 netmask 255.255.255.255 0 0
access-group inbound in interface outside

This is my config that lets me have basic internet access:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.0.4 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.0.30-192.168.0.50 inside
dhcpd dns 192.168.0.5 192.168.0.4
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80

Any help would be appreciated.
Mike
mphil2007 asked:
Kutyi commented:
Well since you have a static IP then no, you just set your PIX to use that IP address and just set your route. Don't forget to have your ISP add a reverse DNS though if you don't have one.

Just laugh about it and don't stress as it is just another day.
Kutyi commented:
Do you have to have the Linksys router in here? If yes, then make a static IP for the outside interface of the PIX, add a route from the PIX to the Linksys router, and port forward port 25 to the IP of the outside interface of the PIX from the Linksys.
batry_boy commented:
You need to get rid of the Linksys router... it will only cause you headaches when trying to allow inbound traffic. Why is it there? What function is it performing? Chances are the PIX can do whatever it is that you have the Linksys doing, except for maybe Dynamic DNS.

And yes, your access list and static statements at the top of your post should allow inbound SMTP just fine... just make sure your MX record is pointing to the PIX outside interface IP address.
mphil2007 (Author) commented:
Kutyi,
thank you for your reply, would this be right?
static (inside,outside) 192.168.0.4 192.168.1.2 netmask 255.255.255.255
with 192.168.0.4 the inside interface (ethernet1) and 192.168.1.2 being the outside interface on the PIX (ethernet0).
I have the PIX here at home as I need to figure this out, lol, man I had my network down for half the day today trying to figure this out.. not good... to say the least.
.. I really appreciate the help btw. What an awful feeling being stuck and trying over and over to no avail.
Mike
mphil2007 (Author) commented:
batry_boy,
thank you for the help. It's really appreciated.
I really don't want the Linksys to be honest.. right now I have a crossover between the Linksys and the PIX. Eliminate the Linksys and the crossover, run a regular ethernet cable instead, and change the IP on the outside interface from DHCP to my static IP address, DNS etc. from the ISP?
Then create a new MX record on my Exchange server pointing to the outside PIX, which would be my static IP given from the ISP?
I have the PIX home, I loaded the above access list with
static (inside,outside) 192.168.0.4 192.168.1.2 netmask 255.255.255.255
Need to change that to reflect the removal of the Linksys:
static (inside,outside) 192.168.0.4 (static IP from ISP) netmask 255.255.255.255
lol, I hope this works, what a day I have had.. I still haven't even started on getting BlackBerry through, hoping it will also go, maybe have to add one more line to the access list for that port,, hmm, one bridge at a time I suppose.
Again, thanks for the help. Will definitely remove the Linksys.
Mike
 
Kutyi commented:
batry_boy is right in that your config looks fine the way it is. If you're not getting SMTP traffic then check the following: telnet to port 25 on the IP address of your MX record, which by the way needs to match the outside IP of your Linksys, and see if you get a response. Make sure the outside interface of your PIX is being forwarded port 25 traffic from the Linksys. And third, why is there a Linksys in the mix? batry_boy is right in that the PIX is really all you need with the exception of Dynamic DNS, and I would opt for a static IP address and remove the Linksys from the equation as you will forever have issues. A Linksys' throughput is nowhere near that of a PIX, and as for security and firewall quality and ability, not anywhere near the same league. If you can remove the PiX, get a static IP for the outside interface of your PIX and set it, add a route on your PIX to the ISP's default gateway/upstream router, set up your server inside to do DHCP pointing the default gateway to the PIX, and turn off DHCP on the PIX. Have your domain DNS provider set the MX record for your domain to the outside IP of your PIX, and then have your ISP set up a reverse DNS entry for the IP address of the outside interface of your PIX to resolve to the name you gave to the Exchange server under the SMTP protocol's advanced properties in Exchange System Manager. Reverse DNS is required as an anti-spam requirement; you will eventually get bounced if you don't have it.

I think I got everything, but batry_boy, jump in if I missed anything.....
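The two checks Kutyi describes above (telnet to port 25 on the MX address and confirm the reverse DNS matches the Exchange FQDN) as an added Python script; it is not from any poster. The banner/PTR fetchers are injectable so it can also be exercised offline, and the IP and hostname in the usage are assumed placeholders.

```python
import re
import socket

SMTP_PORT = 25


def parse_banner(banner):
    """Split an SMTP greeting such as '220 mail.example.com ESMTP ready'
    into (reply_code, advertised_hostname); (None, None) if malformed."""
    m = re.match(r"^(\d{3})[ -](\S+)", banner.strip())
    if not m:
        return None, None
    return int(m.group(1)), m.group(2).lower().rstrip(".")


def fetch_banner(ip, timeout=5.0):
    """Open TCP/25 (what 'telnet <ip> 25' does) and return the first line sent."""
    with socket.create_connection((ip, SMTP_PORT), timeout=timeout) as s:
        return s.recv(512).decode("ascii", "replace")


def ptr_lookup(ip):
    """Reverse DNS for the address; empty string when no PTR record exists."""
    try:
        return socket.gethostbyaddr(ip)[0].lower().rstrip(".")
    except socket.herror:
        return ""


def check_inbound_smtp(mx_ip, expected_fqdn, get_banner=fetch_banner, get_ptr=ptr_lookup):
    """Report whether inbound SMTP through the PIX looks healthy from outside.
    'reachable' means a 220 greeting came back through the static/ACL;
    'ptr_matches' means PTR and banner both equal the Exchange FQDN."""
    result = {"reachable": False, "banner_host": None, "ptr_host": "", "ptr_matches": False}
    try:
        code, host = parse_banner(get_banner(mx_ip))
    except OSError:
        # refused or timed out: suspect the ACL, the static, or upstream port forwarding
        return result
    result["reachable"] = code == 220
    result["banner_host"] = host
    result["ptr_host"] = get_ptr(mx_ip)
    expected = expected_fqdn.lower().rstrip(".")
    result["ptr_matches"] = host == expected and result["ptr_host"] == expected
    return result


if __name__ == "__main__":
    # placeholder values: substitute the PIX outside IP and the Exchange SMTP FQDN
    print(check_inbound_smtp("203.0.113.10", "mail.example.com"))
```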
mphil2007 (Author) commented:
Kutyi and batry_boy,
Do I need to change anything with the ISP and domain name, as I already have a static IP set up, and all the correct domain info? Exchange is up and running fine, just adding the PIX ATM.
So I may just need to create a new MX record on my Exchange server then?
I will move DHCP off the PIX later; actually I had my SBS server doing DHCP, I just moved it to the PIX today.
Hmm, wouldn't the MX record already have the static IP since it was already on the Linksys?
I will have to check tomorrow,
as if my head wasn't spinning enough :).
I only have the PIX here at home to work on, hopefully this config will be OK, and I will verify my MX in the A.M.
Thank you again guys,
Mike
mphil2007 (Author) commented:
Here's to another day :) (sometimes better to drop back and punt)
(cheers)

G'nite,
Mike

Btw, I don't know how many times over the last few years I've seen Experts Exchange and was going to join; usually I figure the problems out eventually, but it sure is nice to know people with more experience than me are there! :)
Thanks again guys.
Hopefully at some point I can help someone as well.
mphil2007 (Author) commented:
Thanks again,
hopefully I won't be a nuisance!
Kutyi commented:
Glad to help! I know how you feel about knowing there are others who are willing to help; that's why I joined.
mphil2007 (Author) commented:
Well,
thought I would post that it was the Linksys. I simply re-added the access list, took out that Linksys,
changed the IPs in the config and everything is working fine, except the VPN from a Windows XP client.
I am going to ask a new question I guess. I don't see anything obvious missing from the config; I can ping the PIX from home, but I get an error authenticating... I believe.
Pasted here is the running-config; edited IPs and such are marked as (changed).
I am using just the Windows XP VPN client, and at the verifying username and password screen I get an error 721.. remote computer is not responding.
If anyone sees this, can they please look and see if anything is missing from the config, or if I have done something wrong :).

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.0.5 (changed)
access-list inbound permit tcp any interface outside eq smtp
access-list inbound permit tcp any interface outside eq https
access-list inbound permit tcp any interface outside eq 444
access-list inbound permit tcp any interface outside eq pptp
access-list inbound permit tcp any interface outside eq 4125
access-list inbound permit icmp any any echo-reply
access-list inbound permit icmp any any traceroute
access-list inbound permit icmp any any time-exceeded
access-list inside_outbound_nat0_acl permit ip any 192.168.40.0 255.255.255.248
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside (changed) 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool default 192.168.40.1-192.168.40.6
pdm location (changed) 255.255.255.255 inside
pdm location 192.168.40.0 255.255.255.248 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp (changed) smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https (changed) https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 444 (changed) 444 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp (changed) pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4125 (changed) 4125 netmask 255.255.255.255 0 0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 (changed outside interface)
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP client configuration address local default
vpdn group PPTP-VPDN-GROUP client configuration dns 192.168.0.1 (changed)
vpdn group PPTP-VPDN-GROUP client configuration wins (changed)
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn username (changed) password (changed)
vpdn username (changed) password (changed)
vpdn username (changed) password (changed)
vpdn username (changed) password (changed)
vpdn enable outside
dhcpd address 192.168.0.30-192.168.0.50 inside
dhcpd dns (changed) (changed)
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80