dt3itsteam

PIX 506e Static Route issue

Hi Experts,

I have the following I.P's assigned from my ISP:-

91.84.158.57
91.84.158.58
91.84.158.59
91.84.158.60
91.84.158.61
91.84.158.62

I have a DSL router in a "no nat" configuration, with no port forwarding, or DMZ configuration and is assigned 91.84.158.58 on the LAN port

And have 91.84.158.59 assigned on the outside interface on the PIX

I have the following configuration:-

names
name 192.168.1.4 Exchange
access-list outside permit tcp any host 91.84.158.60 eq https
pager lines 24
icmp deny any outside
ip address outside 91.84.158.59 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 91.86.158.60 https Exchange https netmask 255.255.255.255 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 91.84.158.58 1

However I'm unable to connect to our OWA box as per the static assignment above.

Note 192.168.1.4 has a DG of 192.168.1.1, OWA on 192.168.1.4 is accessible

Please urgently advise, as I'm tearing my hair out on this one!
Quori

For the ASA:

static (inside,outside) tcp interface 443 <ip address of exchange server> 443 netmask 255.255.255.255
access-list outside_access_in permit tcp any interface outside eq 443
access-group outside_access_in in interface outside

Whoever holds your domain public primary DNS records needs to make sure they have a MX / A record for mail.example.com to resolve to the public IP of the outside interface on your ASA.
dt3itsteam

ASKER

Hi Quori,

Regarding your statements above, can I use:-

static (inside,outside) tcp 91.84.158.60 443 exchange 443 netmask 255.255.255.255
access-list outside_access_in permit tcp any interface outside eq 443
access-group outside_access_in in interface outside

Can I then add the follow statements if I wished to add PPTP, and FTP:-

static (inside,outside) tcp 91.84.158.60 pptp exchange pptp netmask 255.255.255.255
access-list outside_access_in permit tcp any interface outside eq 1723

static (inside,outside) tcp 91.84.158.60 ftp exchange ftp netmask 255.255.255.255
access-list outside_access_in permit tcp any interface outside eq 21

Please advise? As I've been struggling with this for over a week. Note outgoing (Internet) access for NAT'd clients is fine; I'm just really struggling with "inbound" connections.

Many thanks!
Should be able to.
OK thanks, will test this on Monday evening (GMT) and will let you know if this works
nodisco
Hi

<<static (inside,outside) tcp 91.84.158.60 443 exchange 443 netmask 255.255.255.255
access-list outside_access_in permit tcp any interface outside eq 443
access-group outside_access_in in interface outside>>

That won't work as you are translating the exchange server to .60 and then allowing https through to the PIX outside interface of .59.

What you have in place should work already - do you need to open www for OWA also or is it just set to run on https?

To test if the traffic is going through correctly.
sh access-list outside
Then from outside your firewall, open a https connection to the public ip of the exchange server
Again, run
sh access-list outside

Post the output of both and we can see if it's incrementing hits on the access-list.
Is your nat to outside internet browsing working ok?

OK I think I have an issue possibly outside of the PIX here, as when using the ping statement I'm unable to ping 192.168.1.4, the DG on 192.168.1.4 is 192.168.1.1

However I can port forward to 192.168.1.4 from my WAG200G DSL router, so I suspect it could be a routing issue?  Cabling is exactly the same as the WAG200G, in that all CAT5 terminates into a single (non vlan'd) 10/100 Linksys managed switch, as does the inside interface connection from the PIX, but I cannot ping 192.168.1.4 from the PIX, but I can from any PC when the PIX is removed and the Linksys is the DG

Any thoughts around this?
Can you post your full config?  Do you have an access-list applied to your inside interface?
Current running config:-

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password SX/Y7cXtfgcNOcz9 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix506e
domain-name dt3limited.local
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.1.4 Exchange
name 192.168.1.245 test_lab
access-list outside permit tcp any host 91.84.158.60 eq smtp
access-list outside permit tcp any host 91.84.158.60 eq ftp
access-list outside permit tcp any host 91.84.158.60 eq pptp
access-list outside permit ip any host 91.84.158.61
access-list outside permit tcp any host 91.84.158.60 eq https
access-list inside permit tcp any any eq ftp
access-list inside permit tcp any any eq www
access-list inside permit udp any any eq domain
access-list inside permit tcp any any eq domain
access-list inside permit tcp any any eq https
access-list inside permit tcp any any eq pptp
pager lines 24
icmp deny any outside
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside 91.84.158.59 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.1 255.255.255.255 outside
pdm location 0.0.0.0 255.255.255.0 inside
pdm location 0.0.0.0 255.255.255.0 outside
pdm location Exchange 255.255.255.255 inside
pdm location 91.84.158.60 255.255.255.255 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 91.84.158.60 ftp Exchange ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 91.84.158.60 pptp Exchange pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp 91.86.158.60 https Exchange https netmask 255.255.255.255 0 0
static (inside,outside) tcp 91.84.158.60 smtp Exchange smtp netmask 255.255.255.255 0 0
static (inside,outside) 91.84.158.61 test_lab netmask 255.255.255.255 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 91.84.158.58 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
banner login ** Disconnect immediately if not authorised **
banner motd DT3 LTD Firewall
Cryptochecksum:bd4ba9d5097faf11db9a0de51811582e
: end
pix506e(config)#
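As an added example (not code from the asker or from nodisco), a small Python check over the running config posted above: it cross-references the inbound `access-list outside` entries against the port-redirect `static` lines and the outside subnet. The excerpt is constructed from the config as posted; on it the check flags that the https static uses 91.86.158.60 while the ACL permits 91.84.158.60, and that 91.86.158.60 is not inside the outside /29.

```python
import ipaddress
import re

# Constructed excerpt of the running config posted in this thread (typo kept as posted).
CONFIG = """\
ip address outside 91.84.158.59 255.255.255.248
access-list outside permit tcp any host 91.84.158.60 eq https
access-list outside permit tcp any host 91.84.158.60 eq smtp
static (inside,outside) tcp 91.86.158.60 https Exchange https netmask 255.255.255.255 0 0
static (inside,outside) tcp 91.84.158.60 smtp Exchange smtp netmask 255.255.255.255 0 0
"""

OUTSIDE_RE = re.compile(r"^ip address outside (\S+) (\S+)$")
# Only the "permit <proto> any host <ip> eq <port>" form used in this thread is parsed.
ACL_RE = re.compile(r"^access-list \S+ permit (?:tcp|udp) any host (\S+) eq (\S+)$")
# Port-redirect static: global IP, global port, local host, local port, then netmask.
STATIC_RE = re.compile(r"^static \(inside,outside\) (?:tcp|udp) (\S+) (\S+) \S+ \S+ netmask")


def audit(config):
    """Return (acl_without_static, static_without_acl, static_off_subnet).

    acl_without_static:  (ip, port) permitted inbound but with no static owning it
    static_without_acl:  (ip, port) translated by a static but not permitted inbound
    static_off_subnet:   static global IPs outside the outside interface's subnet
    Ports are compared as written; 'https' and '443' are not unified here.
    """
    outside_net = None
    acl, statics = set(), set()
    for line in config.splitlines():
        if m := OUTSIDE_RE.match(line):
            # "addr/netmask" is accepted by ip_network; strict=False allows host bits.
            outside_net = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := ACL_RE.match(line):
            acl.add((m[1], m[2]))
        elif m := STATIC_RE.match(line):
            statics.add((m[1], m[2]))
    off_subnet = sorted({ip for ip, _ in statics
                         if outside_net and ipaddress.ip_address(ip) not in outside_net})
    return sorted(acl - statics), sorted(statics - acl), off_subnet


if __name__ == "__main__":
    no_static, no_acl, off_subnet = audit(CONFIG)
    print("ACL entries with no matching static:", no_static)
    print("Statics with no matching ACL entry:", no_acl)
    print("Static global IPs outside the outside subnet:", off_subnet)
```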
whoa - PIX Version 6.3(1)!!

Can you upgrade to 6.3(5)?  I haven't seen 6.3(1) in years...it has heaps of bugs in it.

You need valid CCO to download from Cisco if you don't have it already
OH!

Unfortunately I don't have access to the Cisco support portal, is this something I can sign up for for "free"?  Or is there a subscription cost involved?
Afraid not.  You can get Cisco Smartnet support from a Cisco reseller.  This gives you technical support and a CCO logon to download software images.  I think this is the cheapest way to download new software releases but you would need to confirm this with your local Cisco reseller.

To be honest, I wouldn't spend a lot of time trying to fix this on dodgy code.

One thing I am curious about though

When your test_lab machine goes on the internet do you get public ip 91.84.158.61 (test it by going to whatismyip.com)

Your access-list and static are correct - are you able to ftp/smtp/pptp to 91.84.158.60?  When you try (from outside the PIX) can you post the output of
sh access-list outside


Sorry, I don't believe in this case the issue is around the IOS. A colleague who had this PIX before me had it fully operational in exactly the same scenario I'm trying to achieve. The issue is that the PIX cannot see the Exchange host (192.168.1.4); see the output from my PC below:-

C:\Users\user>ping 192.168.1.4

Pinging 192.168.1.4 with 32 bytes of data:

Reply from 192.168.1.4: bytes=32 time<1ms TTL=128
Reply from 192.168.1.4: bytes=32 time<1ms TTL=128
Reply from 192.168.1.4: bytes=32 time<1ms TTL=128
Reply from 192.168.1.4: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.1.4:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

now running a ping test from the PIX:-

pix506e# conf t
pix506e(config)# ping 192.168.1.4
        Exchange NO response received -- 1000ms
        Exchange NO response received -- 1000ms
        Exchange NO response received -- 1000ms

Please advise why the PIX cannot see the above host?
Can your exchange box ping the PIX?  Can it go on the internet via the PIX?

Pls advise:
When your test_lab machine goes on the internet do you get public ip 91.84.158.61 (test it by going to whatismyip.com)

Your access-list and static are correct - are you able to ftp/smtp/pptp to 91.84.158.60?  When you try (from outside the PIX) can you post the output of
sh access-list outside
Hi nodisco,

I've dug out an IOS CD, and via TFTP I have upgraded the IOS on the 506E from 6.3(1) to 6.3(5). Hopefully this will resolve the issues! Out of interest, what's the most recent IOS for the 506e?

Now I'm on 6.3(5), do you think my issues will be resolved?
6.3(5) is the latest.

It may or may not resolve it but to be honest, I wouldn't spend a lot of time testing on 6.3(1) as you can get skewed results.

Let me know on the above tests when you are ready

cheers
nodisco,

OK I'm now getting close! I've swapped out the Linksys router for a Zyxel 600 series running as before in a NO NAT configuration, and I'm getting close!!

Below are a couple of working statements from the current running config:-

access-list outside permit tcp any host 91.84.158.59 eq https
access-list outside permit tcp any host 91.84.158.59 eq smtp
static (inside,outside) tcp 91.84.158.59 smtp Exchange smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 91.84.158.59 https Exchange https netmask 255.255.255.255 0 0

Going to Shields UP both ports are now showing as open!

However I cannot get the following to work:-

access-list outside permit tcp any host 91.84.158.60 eq https
access-list outside permit tcp any host 91.84.158.60 eq smtp
static (inside,outside) tcp 91.84.158.60 smtp Exchange smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 91.84.158.60 https Exchange https netmask 255.255.255.255 0 0

Is this an ISP routing issue?  Or am I looking again at a PIX issue?

Look forward to hearing from you
I wonder have you got an arp issue on your outside router or is this range definitely being routed by your ISP?

A quick way to tell would be remove these 2 lines;
no static (inside,outside) tcp 91.84.158.60 smtp Exchange smtp netmask 255.255.255.255 0 0
no static (inside,outside) tcp 91.84.158.60 https Exchange https netmask 255.255.255.255 0 0

and add a 1:1 static for your exchange box
static (inside,outside) 91.84.158.60 Exchange netmask 255.255.255.255

then go on the internet and go to whatismyip.com.

See if you are getting 91.84.158.60 as your ip address.


I've undertaken the following:-

no static (inside,outside) tcp 91.84.158.60 smtp Exchange smtp netmask 255.255.255.255 0 0
no static (inside,outside) tcp 91.84.158.60 https Exchange https netmask 255.255.255.255 0 0

static (inside,outside) 91.84.158.60 Exchange netmask 255.255.255.255

And this works!

My final question is, why:-

access-list outside permit tcp any host 91.84.158.59 eq smtp works!
but
static (inside,outside) tcp 91.84.158.60 smtp Exchange smtp netmask 255.255.255.255 0 0 Doesn't?
I have not encountered a situation where a 1:1 static works ok but a port redirected static using the same addresses doesn't.

If you have the 1:1 static in the config now:
static (inside,outside) 91.84.158.60 Exchange netmask 255.255.255.255

You should be able to access this address over https/smtp by :
access-list outside permit tcp any host 91.84.158.60 eq smtp
access-list outside permit tcp any host 91.84.158.60 eq https


Just to clarify - what is the ip address that your ISP has your MX record sent to deliver mail to?

It's my understanding that you can have "either":-

access-list outside permit tcp interface  91.84.158.60 any
static (inside,outside) tcp https exchange smtp netmask 255.255.255.255 0 0

"Or" the inverse (port redirect) which is:-

access-list outside permit tcp any host 91.84.158.60 eq https
static (inside,outside) 91.84.158.60 Exchange netmask 255.255.255.255 0 0

Now I have the firewall correctly routing the desired ports to the correct hosts, I will be changing the resolving I.P for our MX records over the weekend.

I was advised I had to use the following statement on the 506E:-

static (inside,outside) 91.84.158.60 Exchange netmask 255.255.255.255 0 0

Due to a "bug" in 6.3(5). However, I have a PIX 501 running the same IOS, and I know it uses port redirect statements for PAT which, thinking back, works fine.

Given my understanding of the above, I don't believe the bug statement to be correct, and this is the command line usage "by design". Please correct me if I'm wrong?
ASKER CERTIFIED SOLUTION
nodisco
Hi,

Thanks for clarifying, I did notice the error in the following statement, unfortunately after I hit the submit button:-

access-list outside permit tcp interface 91.84.158.60 any
This should have been:-
access-list outside permit tcp any 91.84.158.60 any

As mentioned in my last post, I was advised I had to use the following statement on the 506E:-

access-list outside permit tcp any host 91.84.158.60 eq https
static (inside,outside) 91.84.158.60 Exchange netmask 255.255.255.255 0 0

Due to a "bug" in 6.3(5)

Thanks again, I'm still relatively new to the PIX, but I think I'm getting there!
No worries mate - you'll get there!

I'm still at a loss as to what this bug is that you were advised about. 6.3(5) is pretty stable.

cheers