https://community.cisco.com/t5/network-security/totaly-lost-with-pix/m-p/683357#M1034912 <HTML><HEAD></HEAD><BODY><P>Hi, </P><P></P><P>The problem that you have is very simple. It's a port service problem, Microsoft outlook uses a RPC service ports (1025 - 65535) and the OWA (Outlook Web Access) uses http and https ports. The solution is open the follow ports:</P><P></P><P>TCP:</P><P>range 1024 65535</P><P>42,80,88,135,137,138,379,390,443,445,691,993,domain,i,imap4,ldap,ldaps,netbios-ssn,pop3,smtp</P><P></P><P>UDP:</P><P>88,389,3368,3369,3389,domain,netbios-dgm, netbios-ns,ntp,nameserver,445,636,135,139,1512</P><P></P><P>I hope it solve your problem, and excuseme for my bad english.</P></BODY></HTML> Mon, 22 Jan 2007 15:43:34 GMT darwintovar 2007-01-22T15:43:34Z https://community.cisco.com/t5/network-security/totaly-lost-with-pix/m-p/683353#M1034897 <P>Hi,</P><P></P><P></P><P>i have a pix 515e with the following config</P><P></P><P>DMZ Exhange server and a web server</P><P></P><P>Internal a lot of servers and workstation. When i try to browse the network i cannot see the server in the DMZ. People cannot connect to the exchange server with webmail and outlook.</P><P></P><P>I am total lost, can somebody help me out.</P><P></P><P></P><P> </P><P></P> Mon, 11 Mar 2019 09:06:49 GMT https://community.cisco.com/t5/network-security/totaly-lost-with-pix/m-p/683353#M1034897 jeftavaneijk 2019-03-11T09:06:49Z https://community.cisco.com/t5/network-security/totaly-lost-with-pix/m-p/683354#M1034901 <HTML><HEAD></HEAD><BODY><P>At the first sight config looks ok (statics and ACLs are configured)</P><P>Can you turn on logging</P><P>logging on</P><P>logging buffered informational</P><P></P><P>try to access DMZ servers</P><P>and than check logs with command</P><P>show logg</P><P>M.</P><P></P></BODY></HTML> Mon, 11 Dec 2006 09:04:28 GMT https://community.cisco.com/t5/network-security/totaly-lost-with-pix/m-p/683354#M1034901 m.sir 2006-12-11T09:04:28Z https://community.cisco.com/t5/network-security/totaly-lost-with-pix/m-p/683355#M1034904 <HTML><HEAD></HEAD><BODY><P>106023: Deny udp src DMZ:192.168.11.4/16941 dst inside:192.168.10.4/53 by access-group "dmz"</P><P>106023: Deny udp src DMZ:192.168.11.4/16941 dst inside:192.168.10.3/53 by access-group "dmz"</P><P>106023: Deny udp src DMZ:192.168.11.4/1025 dst inside:192.168.10.4/53 by access-group "dmz"</P><P>106023: Deny udp src DMZ:192.168.11.4/16941 dst inside:192.168.10.4/53 by access-group "dmz"</P><P>30.2/51740 (192.168.10.2/51740)</P><P>302013: Built outbound TCP connection 29362 for DMZ:192.168.11.4/2594 (192.168.11.4/2594) to inside:192.168.10.2/51741 (192.168.10.2/51741)</P><P>302013: Built outbound TCP connection 29363 for DMZ:192.168.11.4/2594 (192.168.11.4/2594) to inside:192.168.10.2/51742 (192.168.10.2/51742)</P><P>302013: Built outbound TCP connection 29364 for DMZ:192.168.11.4/2594 (192.168.11.4/2594) to inside:192.168.10.2/51744 (192.168.10.2/51744)</P><P>302013: Built outbound TCP connection 29365 for DMZ:192.168.11.4/2594 (192.168.11.4/2594) to inside:192.168.10.2/51746 (192.168.10.2/51746)</P><P>302013: Built outbound TCP connection 29366 for DMZ:192.168.11.4/2594 (192.168.11.4/2594) to inside:192.168.10.2/51743 (192.168.10.2/51743</P><P>305005: No translation group found for tcp src inside:192.168.14.133/1949 dst outside:84.53.136.74/80</P><P>305005: No translation group found for tcp src inside:192.168.14.133/1950 dst outside:84.53.136.33/80</P><P>305005: No translation group found for tcp src inside:192.168.14.178/1048 dst outside:84.53.136.74/80</P><P></P><P>305005: No translation group found for tcp src inside:192.168.14.133/1949 dst outside:84.53.136.74/80</P><P>305005: No translation group found for tcp src inside:192.168.14.133/1950 dst outside:84.53.136.33/80</P><P>305005: No translation group found for tcp src inside:192.168.14.178/1048 dst outside:84.53.136.74/80</P><P></P></BODY></HTML> Mon, 11 Dec 2006 09:34:52 GMT https://community.cisco.com/t5/network-security/totaly-lost-with-pix/m-p/683355#M1034904 jeftavaneijk 2006-12-11T09:34:52Z https://community.cisco.com/t5/network-security/totaly-lost-with-pix/m-p/683356#M1034906 <HTML><HEAD></HEAD><BODY><P>Add:</P><P></P><P>static (inside,DMZ) 192.168.10.0 192.168.10.0 netmask 255.255.255.0</P><P></P><P>This will allow your whole Inside segment to be able to access DMZ. If needed for access-control for specifici access, apply access-list on inside interface to strictly allow inside hosts to access your DMZ's email server via the allowed port, example TCP 25 (smtp), http &amp; https (tcp 80 &amp; 443) for webmail.</P><P></P><P></P><P>access-list inside permit tcp any host 192.168.11.4 eq smtp --&gt; permit smtp access. Assuming 192.168.11.4 is your email server in DMZ</P><P>access-list inside permit tcp any host 192.168.11.4 eq www --&gt; allow webmail (via port 80) to pass through</P><P>access-list inside permit tcp any host 192.168.11.4 eq https --&gt; allow secure http (https) to pass throuh</P><P>access-list inside deny ip any 192.168.11.0 255.255.255.0 --&gt; deny other inside hosts from connecting to other DMZ's hosts, except for the 3 services above</P><P>access-list inside permit ip any any --&gt; allow inside hosts to connect to other segment, i.e internet/outside segment</P><P></P><P>access-group inside in interface inside --&gt; bind acl to inside interface</P><P></P><P></P><P>You should also modify the following acl on DMZ to rectify the first 4 deny logs</P><P></P><P>existing : access-list dmz permit udp any eq domain any eq domain </P><P>change to: access-list dmz permit udp any any eq domain --&gt; to allow DMZ's 192.168.11.4 to talk to DNS server on inside segment. </P><P>The source port on DMZ server can be anything,as long as the destination port is correctly pointing to UDP 53.</P><P></P><P></P><P>HTH</P><P>AK</P></BODY></HTML> Mon, 11 Dec 2006 10:13:04 GMT https://community.cisco.com/t5/network-security/totaly-lost-with-pix/m-p/683356#M1034906 a.kiprawih 2006-12-11T10:13:04Z https://community.cisco.com/t5/network-security/totaly-lost-with-pix/m-p/683357#M1034912 <HTML><HEAD></HEAD><BODY><P>Hi, </P><P></P><P>The problem that you have is very simple. It's a port service problem, Microsoft outlook uses a RPC service ports (1025 - 65535) and the OWA (Outlook Web Access) uses http and https ports. The solution is open the follow ports:</P><P></P><P>TCP:</P><P>range 1024 65535</P><P>42,80,88,135,137,138,379,390,443,445,691,993,domain,i,imap4,ldap,ldaps,netbios-ssn,pop3,smtp</P><P></P><P>UDP:</P><P>88,389,3368,3369,3389,domain,netbios-dgm, netbios-ns,ntp,nameserver,445,636,135,139,1512</P><P></P><P>I hope it solve your problem, and excuseme for my bad english.</P></BODY></HTML> Mon, 22 Jan 2007 15:43:34 GMT https://community.cisco.com/t5/network-security/totaly-lost-with-pix/m-p/683357#M1034912 darwintovar 2007-01-22T15:43:34Z