https://community.cisco.com/t5/network-security/pix-501/m-p/476529#M532308 <HTML><HEAD></HEAD><BODY><P>from you last post:</P><P></P><P>access-list 101 permit icmp any any echo-reply</P><P>access-list 101 permit tcp host 6.1.5.ext host ext.ext.ext.2 eq smtp</P><P>access-list 101 permit tcp any host ext.ext.ext.3 eq https</P><P>access-list nonat permit ip 172.16.0.0 255.255.255.0 192.168.1.0 255.255.255.0</P><P>ip address outside ext.ext.ext.1 subnet.subnet.subnet.subnet</P><P>ip address inside 172.16.0.1 255.255.255.0</P><P>ip audit info action alarm</P><P>ip audit attack action alarm</P><P>ip local pool uk 192.168.1.1-192.168.1.100</P><P>arp timeout 14400</P><P>global (outside) 1 interface</P><P>nat (inside) 0 access-list nonat</P><P>nat (inside) 1 0.0.0.0 0.0.0.0 0 0</P><P>static (inside,outside) tcp ext.ext.ext.2 25 172.16.0.10 25 netmask 255.255.255.255</P><P>static (inside,outside) tcp ext.ext.ext.2 443 172.16.0.11 443 netmask 255.255.255.255</P><P>access-group 101 in interface outside</P><P>route outside 0.0.0.0 0.0.0.0 ext.ext.ext.4 1</P><P>timeout xlate 3:00:00</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00</P><P>timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00</P><P>timeout uauth 0:05:00 absolute</P><P>floodguard enable</P><P></P><P>telnet 0.0.0.0 0.0.0.0 inside</P><P>telnet timeout 5</P><P>console timeout 0</P><P>terminal width 80 </P><P></P><P>access-list 101 permit tcp any host ext.ext.ext.3 eq https</P><P>should be</P><P>access-list 101 permit tcp any host ext.ext.ext.2 eq https </P></BODY></HTML> Thu, 06 Oct 2005 12:42:25 GMT jackko 2005-10-06T12:42:25Z https://community.cisco.com/t5/network-security/pix-501/m-p/476524#M532292 <P>I need some help configuring SSL packets forwarded to a webserver. The problem is that the pix is live and is already forwarding SMTP to mail. but we need to use the same ip which the mail server utilizes for SSL web.</P><P>The xternal pool available is</P><P></P><P>ext.ext.ext.1 ( outside ip )</P><P>ext.ext.ext.2 ( want to use SMTP and SSL)</P><P>ext.ext.ext.3 ( Should not be used )</P><P></P><P>internal range</P><P></P><P>172.16.0.1</P><P></P><P>*********************************</P><P>access-list 101 permit icmp any any echo-reply</P><P>access-list 101 permit tcp host 6.1.5.ext host ext.ext.ext.2 eq smtp</P><P>access-list 101 permit tcp any host ext.ext.ext.3 eq https</P><P>access-list nonat permit ip 172.16.0.0 255.255.255.0 192.168.1.0 255.255.255.0</P><P>ip address outside ext.ext.ext.1 subnet.subnet.subnet.subnet</P><P>ip address inside 172.16.0.1 255.255.255.0</P><P>ip audit info action alarm</P><P>ip audit attack action alarm</P><P>ip local pool uk 192.168.1.1-192.168.1.100</P><P>arp timeout 14400</P><P>global (outside) 1 interface</P><P>nat (inside) 0 access-list nonat</P><P>nat (inside) 1 0.0.0.0 0.0.0.0 0 0</P><P>static (inside,outside) ext.ext.ext.2 172.16.0.10 netmask 255.255.255.255 0 0</P><P>static (inside,outside) ext.ext.ext.3 172.16.0.11 netmask 255.255.255.255 0 0</P><P>access-group 101 in interface outside</P><P>route outside 0.0.0.0 0.0.0.0 ext.ext.ext.4 1</P><P>timeout xlate 3:00:00</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00</P><P>timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00</P><P>timeout uauth 0:05:00 absolute</P><P>floodguard enable</P><P></P><P>telnet 0.0.0.0 0.0.0.0 inside</P><P>telnet timeout 5</P><P>console timeout 0</P><P>terminal width 80</P><P></P><P></P><P></P><P></P><P></P> Fri, 21 Feb 2020 08:26:41 GMT https://community.cisco.com/t5/network-security/pix-501/m-p/476524#M532292 ramesys12 2020-02-21T08:26:41Z https://community.cisco.com/t5/network-security/pix-501/m-p/476525#M532296 <HTML><HEAD></HEAD><BODY><P>Just to clarify further We want to use</P><P>ext.ext.ext.2 ( want to use SMTP and SSL) to forward ext.ext.ext.2 smtp to 172.16.0.10 </P><P>ext.ext.ext.2 SSL to 172.16.0.11</P><P></P><P>usign the same external ip I am not sure hwo I should change the config without breaking anything.</P><P></P><P>Note : I have been asked not use the ext.ext.ext.3 ( Should not be used ) so this command</P><P></P><P>access-list 101 permit tcp any host ext.ext.ext.3 eq https </P><P></P><P>will need to be removed.</P><P></P><P></P><P>Please advise.</P><P></P><P>Any help will be greatly appreciated.</P><P></P></BODY></HTML> Thu, 06 Oct 2005 10:29:53 GMT https://community.cisco.com/t5/network-security/pix-501/m-p/476525#M532296 ramesys12 2005-10-06T10:29:53Z https://community.cisco.com/t5/network-security/pix-501/m-p/476526#M532299 <HTML><HEAD></HEAD><BODY><P>no static (inside,outside) ext.ext.ext.2 172.16.0.10 netmask 255.255.255.255 0 0</P><P></P><P>static (inside,outside) tcp ext.ext.ext.2 25 172.16.0.10 25 netmask 255.255.255.255</P><P>static (inside,outside) tcp ext.ext.ext.2 443 172.16.0.11 443 netmask 255.255.255.255</P><P></P><P>access-list 101 permit tcp any ext.ext.ext.2 eq 25</P><P>access-list 101 permit tcp any ext.ext.ext.2 eq 443</P><P>access-group 101 in interface outside</P><P></P><P>clear xlate</P><P></P><P></P><P>you need to fresh the ip address translation i.e. "clear xlate". it will drop all the existing connections, however, it will reconnect straight away. unfortunately this few seconds interruption is not aviodable.</P></BODY></HTML> Thu, 06 Oct 2005 11:09:47 GMT https://community.cisco.com/t5/network-security/pix-501/m-p/476526#M532299 jackko 2005-10-06T11:09:47Z https://community.cisco.com/t5/network-security/pix-501/m-p/476527#M532302 <HTML><HEAD></HEAD><BODY><P>access-list 101 permit icmp any any echo-reply </P><P>access-list 101 permit tcp host 6.1.5.ext host ext.ext.ext.2 eq smtp </P><P>access-list 101 permit tcp any host ext.ext.ext.3 eq https </P><P>access-list nonat permit ip 172.16.0.0 255.255.255.0 192.168.1.0 255.255.255.0 </P><P>ip address outside ext.ext.ext.1 subnet.subnet.subnet.subnet </P><P>ip address inside 172.16.0.1 255.255.255.0 </P><P>ip audit info action alarm </P><P>ip audit attack action alarm </P><P>ip local pool uk 192.168.1.1-192.168.1.100 </P><P>arp timeout 14400 </P><P>global (outside) 1 interface </P><P>nat (inside) 0 access-list nonat </P><P>nat (inside) 1 0.0.0.0 0.0.0.0 0 0 </P><P>static (inside,outside) tcp ext.ext.ext.2 25 172.16.0.10 25 netmask 255.255.255.255 </P><P>static (inside,outside) tcp ext.ext.ext.2 443 172.16.0.11 443 netmask 255.255.255.255 </P><P>access-group 101 in interface outside </P><P>route outside 0.0.0.0 0.0.0.0 ext.ext.ext.4 1 </P><P>timeout xlate 3:00:00 </P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 </P><P>timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 </P><P>timeout uauth 0:05:00 absolute </P><P>floodguard enable </P><P></P><P>telnet 0.0.0.0 0.0.0.0 inside </P><P>telnet timeout 5 </P><P>console timeout 0 </P><P>terminal width 80 </P><P></P><P></P><P></P><P>The access-list is a bit different as they receive emails from only one server (ISP).</P><P></P><P>So the above config looks ok does it if any of the lines go missing while I am doing this that means something has gone wrong.</P><P></P><P>As I did try making a simialr config change yesterday and all internal traffic stopped going out...so simply taking a clear picture.</P><P></P><P>To get that to work last night I had to add these two lines back again manually </P><P></P><P>nat (inside) 0 access-list nonat </P><P>nat (inside) 1 0.0.0.0 0.0.0.0 0 0 </P><P></P><P>not sure why they disappeared</P><P></P><P></P></BODY></HTML> Thu, 06 Oct 2005 11:31:30 GMT https://community.cisco.com/t5/network-security/pix-501/m-p/476527#M532302 ramesys12 2005-10-06T11:31:30Z https://community.cisco.com/t5/network-security/pix-501/m-p/476528#M532306 <HTML><HEAD></HEAD><BODY><P>it's fine if you are going to restrict the smtp access from the isp only.</P><P></P><P>without the command "nat (inside) 1 0.0.0.0 0.0.0.0 0 0 ", no internal user will be able to access the internet since the pix will not perform pat anymore.</P></BODY></HTML> Thu, 06 Oct 2005 12:32:09 GMT https://community.cisco.com/t5/network-security/pix-501/m-p/476528#M532306 jackko 2005-10-06T12:32:09Z https://community.cisco.com/t5/network-security/pix-501/m-p/476529#M532308 <HTML><HEAD></HEAD><BODY><P>from you last post:</P><P></P><P>access-list 101 permit icmp any any echo-reply</P><P>access-list 101 permit tcp host 6.1.5.ext host ext.ext.ext.2 eq smtp</P><P>access-list 101 permit tcp any host ext.ext.ext.3 eq https</P><P>access-list nonat permit ip 172.16.0.0 255.255.255.0 192.168.1.0 255.255.255.0</P><P>ip address outside ext.ext.ext.1 subnet.subnet.subnet.subnet</P><P>ip address inside 172.16.0.1 255.255.255.0</P><P>ip audit info action alarm</P><P>ip audit attack action alarm</P><P>ip local pool uk 192.168.1.1-192.168.1.100</P><P>arp timeout 14400</P><P>global (outside) 1 interface</P><P>nat (inside) 0 access-list nonat</P><P>nat (inside) 1 0.0.0.0 0.0.0.0 0 0</P><P>static (inside,outside) tcp ext.ext.ext.2 25 172.16.0.10 25 netmask 255.255.255.255</P><P>static (inside,outside) tcp ext.ext.ext.2 443 172.16.0.11 443 netmask 255.255.255.255</P><P>access-group 101 in interface outside</P><P>route outside 0.0.0.0 0.0.0.0 ext.ext.ext.4 1</P><P>timeout xlate 3:00:00</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00</P><P>timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00</P><P>timeout uauth 0:05:00 absolute</P><P>floodguard enable</P><P></P><P>telnet 0.0.0.0 0.0.0.0 inside</P><P>telnet timeout 5</P><P>console timeout 0</P><P>terminal width 80 </P><P></P><P>access-list 101 permit tcp any host ext.ext.ext.3 eq https</P><P>should be</P><P>access-list 101 permit tcp any host ext.ext.ext.2 eq https </P></BODY></HTML> Thu, 06 Oct 2005 12:42:25 GMT https://community.cisco.com/t5/network-security/pix-501/m-p/476529#M532308 jackko 2005-10-06T12:42:25Z