Solved

PIX Version 6.1(4) Question regarding config - 500pnts

Posted on 2014-04-28
5
434 Views
Last Modified: 2014-04-29
Ok I think,

77.x.x.55 is the global outside IP address
77.x.x.52 is use to send port 80,443 and 25 to the internal network
192.168.2.220 is my internal address (Our exchange server)

Nat outside to inside is 77.x.x.52 - 192.168.2.220

A problem has arose because i've just installed a new exchange server and we can't access from the outside world upon investigation I have found.

77.x.x.55 - can't not be reached via ping
77.x.x.52 - can be reached via ping
77.x.x.52 - will not connect via telnet on port 80,443,25

I am looking for someone to double check the config, also is it possible that the Cisco Firewall is going wrong or has got corrupted?

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd  encrypted
hostname
domain-name
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
no fixup protocol h323 1720
no fixup protocol rsh 514
no fixup protocol rtsp 554
no fixup protocol sqlnet 1521
no fixup protocol sip 5060
no fixup protocol skinny 2000
names
access-list mail permit tcp any host 77.x.x.52 eq smtp
access-list mail permit tcp any host 77.x.x.52 eq www
access-list mail permit tcp any host 77.x.x.52 eq 443
pager lines 24
logging on
logging buffered errors
logging trap notifications
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 77.x.x.52 255.255.255.240
ip address inside 192.168.6.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pool2 10.44.0.181-10.44.0.187
no pdm history enable
arp timeout 14400
global (outside) 1 77.x.x.55
nat (inside) 1 172.18.0.0 255.255.255.0 0 0
nat (inside) 1 172.18.5.0 255.255.255.0 0 0
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
nat (inside) 1 192.168.2.0 255.255.255.0 0 0
nat (inside) 1 192.168.3.0 255.255.255.0 0 0
nat (inside) 1 192.168.5.0 255.255.255.0 0 0
nat (inside) 1 192.168.6.0 255.255.255.0 0 0
nat (inside) 1 192.168.216.0 255.255.255.0 0 0
static (inside,outside) 77.x.x.52 192.168.2.220 netmask 255.255.255.255 0 0
access-group mail in interface outside
route outside 0.0.0.0 0.0.0.0 77.x.x.51 1
route inside 172.18.0.0 255.255.255.0 192.168.6.2 1
route inside 172.18.5.0 255.255.255.0 192.168.6.2 1
route inside 192.168.0.0 255.255.255.0 192.168.6.2 1
route inside 192.168.2.0 255.255.255.0 192.168.6.2 1
route inside 192.168.3.0 255.255.255.0 192.168.6.2 1
route inside 192.168.5.0 255.255.255.0 192.168.6.2 1
route inside 192.168.216.0 255.255.255.0 192.168.6.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 s
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
no sysopt route dnat
telnet 192.168.6.0 255.255.255.0 inside
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.3.0 255.255.255.0 inside
telnet 192.168.5.0 255.255.255.0 inside
telnet timeout 5
ssh 205.243.102.0 255.255.255.0 inside
ssh timeout 5
terminal width 80
Cryptochecksum:
0
Comment
Question by:ise438
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
5 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 40028905
Your outside IP address is wrong:
ip address outside 77.x.x.52 255.255.255.240

You might want to change that back to:
ip address outside 77.x.x.55 255.255.255.240
And use:
global (outside) 1 interface
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 40028918
That is, if I read this correct:
77.x.x.55 is the global outside IP address
So 77.x.x.55 is not only the IP address use in the nat-global setup but also the outside IP address of the PIX.

So, am I reading this correct?
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
ID: 40028945
I also took the liberty of sanitizing your posted configuration, you don't want to show too much ;)
0
 

Author Closing Comment

by:ise438
ID: 40028973
Thank you
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 40028981
My pleasure. Thx 4 the points.
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A 2007 NCSA Cyber Security survey revealed that a mere 4% of the population has a full understanding of firewalls. As business owner, you should be part of that 4% that has a full understanding.
Check out this step-by-step guide for using the newly updated Experts Exchange mobile app—released on May 30.
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…
Suggested Courses

627 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question