topic Cisco Pix 501 in Network Security

Cisco Pix 501

ciscopaul — Fri, 21 Feb 2020 09:09:36 GMT

Hi all,

I have a pix 501 and I need to let Exchange traffic through. I had done this before and it worked for me, but this time its not working. I cannot telnet to port 25.

Please help. See below for my configuration. I am sure its something easy, but I cannot see it.

kidscampus# sh config

: Saved

: Written by enable_15 at 16:59:07.852 UTC Mon Sep 4 2006

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

hostname kidscampus

domain-name kcycenter.org

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list nonat permit ip 192.168.1.0 255.255.255.0 10.0.1.0 255.255.255.

access-list 90 permit ip 192.168.1.0 255.255.255.0 10.0.1.0 255.255.255.0

access-list 90 permit tcp any host 60.32.25.34 eq smtp

access-list 90 permit tcp any host 60.32.25.34 eq www

access-list 90 permit tcp any host 60.32.25.35 eq 3389

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside 60.32.25.33 255.255.255.248

ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool kids 10.10.10.20-10.10.10.40

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list 90

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) 60.32.25.35 192.168.1.2 netmask 255.255.255.255 0 0

access-group 90 in interface outside

route outside 0.0.0.0 0.0.0.0 60.32.25.38 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set strong esp-3des esp-sha-hmac

crypto map toOSC 20 ipsec-isakmp

crypto map toOSC 20 match address 90

crypto map toOSC 20 set peer 69.224.215.122

crypto map toOSC 20 set transform-set strong

crypto map toOSC interface outside

isakmp enable outside

isakmp key ******** address 69.224.215.122 netmask 255.255.255.255

isakmp policy 9 authentication pre-share

isakmp policy 9 encryption 3des

isakmp policy 9 hash sha

isakmp policy 9 group 1

isakmp policy 9 lifetime 86400

vpngroup kcyc address-pool kids

vpngroup kcyc dns-server 192.168.1.2

vpngroup kcyc wins-server 192.168.1.2

vpngroup kcyc default-domain kcycenter.org

vpngroup kcyc split-tunnel nonat

vpngroup kcyc split-dns 192.168.1.2 206.13.29.12

vpngroup kcyc idle-time 1800

vpngroup kcyc password ********

telnet 192.168.1.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.33 inside

dhcpd lease 3600

dhcpd ping_timeout 600

dhcpd auto_config outside

terminal width 80

Cryptochecksum:xxxx

kidscampus#

Re: Cisco Pix 501

vijayasankar — Thu, 07 Sep 2006 03:38:58 GMT

Hi,

1) You need to have a static nat for your mail server. I guess the public ip of the mail server is 60.32.25.34. Create a static nat for the private ip of the mail server to get natted to 60.32.25.34. using "static( inside, outside)..." statement.

static (inside, outside) 60.32.25.34 netmask 255.255.255.255 0 0

2) Kindly remove the following lines.

nat (inside) 0 access-list 90

the ACL 90 needs to be corrected suitably.

The access-list that you apply to the outside interface should look like.

access-list 90 permit tcp any host 60.32.25.34 eq smtp

access-list 90 permit tcp any host 60.32.25.34 eq www

access-list 90 permit tcp any host 60.32.25.35 eq 3389

I could see that you have also included the following lines in the ACL 90 to match for the crypto map.

access-list 90 permit ip 192.168.1.0 255.255.255.0 10.0.1.0 255.255.255.0

Remove those lines from ACL 90 and Create a separate ACL to match for the crypto map.

access-list 91 permit ip 192.168.1.0 255.255.255.0 10.0.1.0 255.255.255.0

Now include nat 0 for this ACL.

nat (inside) 0 access-list 91

And call this ACL in your crypto map.

crypto map toOSC 20 match address 91

If this is not inline with your requirement, let us know what you would like to achieve and we will help you out.

Hope this helps. Please rate the post if it helps.

-VJ

Re: Cisco Pix 501

ciscopaul — Fri, 08 Sep 2006 22:36:01 GMT

VJ,

thanks for much for your reply.

I tried all your solutions and my exchange server still does not work.

the actual ip address is 75.32.25.34

when I tried to send an e-mail, it does not go through and when I do telnet 75.32.25.34 25,

it failed too.

Please respond as soon as you can,

Thanks again,

Paul Hong

Re: Cisco Pix 501

sundar.palaniappan — Fri, 08 Sep 2006 23:22:37 GMT

Hi,

You need port redirection with statics as you have one outside address mapped to two inside servers - www and smtp.

Remove this static:

static (inside, outside) 60.32.25.34 netmask 255.255.255.255 0 0

Add these two static statements:

static (inside, outside) tcp 60.32.25.34 smtp smtp netmask 255.255.255.255

static (inside, outside) tcp 60.32.25.34 www www netmask 255.255.255.255

Hope this helps!

Sundar

Re: Cisco Pix 501

vijayasankar — Sat, 09 Sep 2006 16:04:23 GMT

Hi Paul,

Thanks for the update.

Kindly post the current config ( excluding any sensitive details). We would like to have a look at the current configuration to see if any further corrections are needed to it.

-VJ

Re: Cisco Pix 501

ciscopaul — Sat, 09 Sep 2006 18:35:06 GMT

Here is the current config,

Thanks

: Written by enable_15 at 12:23:54.429 UTC Sat Sep 9 2006

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

hostname kidscampus

domain-name kcycenter.org

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list nonat permit ip 192.168.1.0 255.255.255.0 10.0.1.0 255.255.255.0

access-list 90 permit tcp any host 75.32.25.34 eq smtp

access-list 90 permit tcp any host 75.32.25.34 eq www

access-list 90 permit tcp any host 75.32.25.35 eq 3389

access-list 91 permit ip 192.168.1.0 255.255.255.0 10.0.1.0 255.255.255.0

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside 75.32.25.33 255.255.255.248

ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool kids 10.10.10.20-10.10.10.40

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list 91

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp 75.32.25.34 www 192.168.1.2 www netmask 255.255.255.255 0 0

static (inside,outside) tcp 75.32.25.34 smtp 192.168.1.2 smtp netmask 255.255.255.255 0 0

access-group 90 in interface outside

route outside 0.0.0.0 0.0.0.0 75.32.25.38 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set strong esp-3des esp-sha-hmac

crypto map toOSC 20 ipsec-isakmp

crypto map toOSC 20 match address 91

crypto map toOSC 20 set peer 69.224.215.122

crypto map toOSC 20 set transform-set strong

crypto map toOSC interface outside

isakmp enable outside

isakmp key ******** address 69.224.215.122 netmask 255.255.255.255

isakmp policy 9 authentication pre-share

isakmp policy 9 encryption 3des

isakmp policy 9 hash sha

isakmp policy 9 group 1

isakmp policy 9 lifetime 86400

vpngroup kcyc address-pool kids

vpngroup kcyc dns-server 192.168.1.2

vpngroup kcyc wins-server 192.168.1.2

vpngroup kcyc default-domain kcycenter.org

vpngroup kcyc split-tunnel nonat

vpngroup kcyc split-dns 192.168.1.2 206.13.29.12

vpngroup kcyc idle-time 1800

vpngroup kcyc password ********

telnet 192.168.1.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.33 inside

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

terminal width 80

Cryptochecksum:xxxx

kidscampus(config)#

Re: Cisco Pix 501

Fernando_Meza — Sat, 09 Sep 2006 21:00:46 GMT

Hi .. the config seems Ok. Is the SMTP service OK ..? have you tested telnet 192.168.1.2 25 from an inside host ..? if it works then check its default gateway .. because you need to make sure that the return traffic from the internet goes out by 192.168.1.1 ( PIX inside interface) .. also make sure the mail server is not blocking anything .. coming on smtp nor www.

I hope it helps .. please rate it if it does !!!

Re: Cisco Pix 501

ciscopaul — Sat, 09 Sep 2006 22:24:53 GMT

Yes,

everything is ok on the inside.

I can send e-mails internally and receive internally.

Telnet 192.168.1.2 25 works good inside.

Thanks,

Paul

Re: Cisco Pix 501

Fernando_Meza — Sun, 10 Sep 2006 06:37:19 GMT

mmm ... Can you do a ..

clear xlate and then post

show access-list 90 and

show local-host 192.168.1.2 while performing telnet attempts on port 25 to the mail server from the internet ..

Re: Cisco Pix 501

sundar.palaniappan — Sun, 10 Sep 2006 20:12:29 GMT

As your PAT configuration is working, can you replace the existing static translations with these two and let us know how it goes.

static (inside,outside) tcp interface www 192.168.1.2 www netmask 255.255.255.255

static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255

Hope this helps!

Sundar