https://community.cisco.com/t5/network-security/pix-501-does-not-allow-2nd-static-ip-through/m-p/301061#M568451 <P>Can anyone tell me why I can not access my mail server?</P><P></P><P>Ok here is my setup:</P><P></P><P>I have 5 useable static addresses, 217 is the pix, 218 is my mail server. I have complete internet access from any of the workstations that I am using DHCP (from the PIX) and access with the static IP of 192.168.1.3 that is assigened to my mail server. What I can not seem to do is access my mail server from the internet (SMTP, HTTP). The mail server will not receive any traffic (that it did not initiate) while it is behind the firewall. I seriously need to have it accept SMTP and HTTP for my mail to be deliverable and to access the account over the internet. Oh yes, I can transmit email from behind the pix, just not receive.</P><P></P><P>I have tried multiple configs and nothing works.</P><P>when I tried pinging from inside the pix to the 218 address, I received nothing and the sh arp gave nothing.</P><P></P><P>Here is my config (very standard from the net):</P><P>PIX Version 6.1(4)</P><P>nameif ethernet0 outside security0</P><P>nameif ethernet1 inside security100</P><P>enable password XXXXXXXXXX encrypted</P><P>passwd XXXXXXXXX encrypted</P><P>hostname pixfirewall</P><P></P><P>fixup protocol ftp 21</P><P>fixup protocol http 80</P><P>fixup protocol h323 1720</P><P>fixup protocol rsh 514</P><P>fixup protocol rtsp 554</P><P>fixup protocol smtp 25</P><P>fixup protocol sqlnet 1521</P><P>fixup protocol sip 5060</P><P>fixup protocol skinny 2000</P><P></P><P>names</P><P>name XX.XXX.XX.218 MAIL</P><P>name XX.XXX.XX.219 WEB</P><P></P><P>pager lines 24</P><P>interface ethernet0 10baset</P><P>interface ethernet1 10full</P><P>mtu outside 1500</P><P>mtu inside 1500</P><P></P><P>ip address outside XX.XXX.XX.217 255.255.255.248</P><P>ip address inside 192.168.1.1 255.255.255.0</P><P></P><P>ip audit info action alarm</P><P>ip audit attack action alarm</P><P>pdm history enable</P><P>arp timeout 14400</P><P></P><P>global (outside) 1 interface</P><P>nat (inside) 1 0.0.0.0 0.0.0.0 0 0</P><P>static (inside,outside) MAIL 192.168.1.3 netmask 255.255.255.255 0 0</P><P>conduit permit tcp any host 192.168.1.3 eq smtp</P><P>conduit permit tcp any host 192.168.1.3 eq www</P><P>conduit permit tcp any host 192.168.1.3 eq 32000</P><P>route outside 0.0.0.0 0.0.0.0 64.216.83.222 1</P><P></P><P>timeout xlate 3:00:00</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00</P><P>timeout uauth 0:05:00 absolute</P><P>aaa-server TACACS+ protocol tacacs+</P><P>aaa-server RADIUS protocol radius</P><P>no snmp-server location</P><P>no snmp-server contact</P><P>snmp-server community public</P><P>no snmp-server enable traps</P><P>floodguard enable</P><P>no sysopt route dnat</P><P>telnet timeout 5</P><P>ssh timeout 5</P><P>dhcpd address 192.168.1.20-192.168.1.50 inside</P><P>dhcpd dns 151.164.11.201 151.164.1.8</P><P>dhcpd lease 3600</P><P>dhcpd ping_timeout 750</P><P>dhcpd auto_config outside</P><P>dhcpd enable inside</P><P>terminal width 80</P><P></P><P>Thank you all in advance!!!!</P><P></P><P>Terry N.</P> Fri, 21 Feb 2020 07:15:23 GMT EBWservices 2020-02-21T07:15:23Z https://community.cisco.com/t5/network-security/pix-501-does-not-allow-2nd-static-ip-through/m-p/301061#M568451 <P>Can anyone tell me why I can not access my mail server?</P><P></P><P>Ok here is my setup:</P><P></P><P>I have 5 useable static addresses, 217 is the pix, 218 is my mail server. I have complete internet access from any of the workstations that I am using DHCP (from the PIX) and access with the static IP of 192.168.1.3 that is assigened to my mail server. What I can not seem to do is access my mail server from the internet (SMTP, HTTP). The mail server will not receive any traffic (that it did not initiate) while it is behind the firewall. I seriously need to have it accept SMTP and HTTP for my mail to be deliverable and to access the account over the internet. Oh yes, I can transmit email from behind the pix, just not receive.</P><P></P><P>I have tried multiple configs and nothing works.</P><P>when I tried pinging from inside the pix to the 218 address, I received nothing and the sh arp gave nothing.</P><P></P><P>Here is my config (very standard from the net):</P><P>PIX Version 6.1(4)</P><P>nameif ethernet0 outside security0</P><P>nameif ethernet1 inside security100</P><P>enable password XXXXXXXXXX encrypted</P><P>passwd XXXXXXXXX encrypted</P><P>hostname pixfirewall</P><P></P><P>fixup protocol ftp 21</P><P>fixup protocol http 80</P><P>fixup protocol h323 1720</P><P>fixup protocol rsh 514</P><P>fixup protocol rtsp 554</P><P>fixup protocol smtp 25</P><P>fixup protocol sqlnet 1521</P><P>fixup protocol sip 5060</P><P>fixup protocol skinny 2000</P><P></P><P>names</P><P>name XX.XXX.XX.218 MAIL</P><P>name XX.XXX.XX.219 WEB</P><P></P><P>pager lines 24</P><P>interface ethernet0 10baset</P><P>interface ethernet1 10full</P><P>mtu outside 1500</P><P>mtu inside 1500</P><P></P><P>ip address outside XX.XXX.XX.217 255.255.255.248</P><P>ip address inside 192.168.1.1 255.255.255.0</P><P></P><P>ip audit info action alarm</P><P>ip audit attack action alarm</P><P>pdm history enable</P><P>arp timeout 14400</P><P></P><P>global (outside) 1 interface</P><P>nat (inside) 1 0.0.0.0 0.0.0.0 0 0</P><P>static (inside,outside) MAIL 192.168.1.3 netmask 255.255.255.255 0 0</P><P>conduit permit tcp any host 192.168.1.3 eq smtp</P><P>conduit permit tcp any host 192.168.1.3 eq www</P><P>conduit permit tcp any host 192.168.1.3 eq 32000</P><P>route outside 0.0.0.0 0.0.0.0 64.216.83.222 1</P><P></P><P>timeout xlate 3:00:00</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00</P><P>timeout uauth 0:05:00 absolute</P><P>aaa-server TACACS+ protocol tacacs+</P><P>aaa-server RADIUS protocol radius</P><P>no snmp-server location</P><P>no snmp-server contact</P><P>snmp-server community public</P><P>no snmp-server enable traps</P><P>floodguard enable</P><P>no sysopt route dnat</P><P>telnet timeout 5</P><P>ssh timeout 5</P><P>dhcpd address 192.168.1.20-192.168.1.50 inside</P><P>dhcpd dns 151.164.11.201 151.164.1.8</P><P>dhcpd lease 3600</P><P>dhcpd ping_timeout 750</P><P>dhcpd auto_config outside</P><P>dhcpd enable inside</P><P>terminal width 80</P><P></P><P>Thank you all in advance!!!!</P><P></P><P>Terry N.</P> Fri, 21 Feb 2020 07:15:23 GMT https://community.cisco.com/t5/network-security/pix-501-does-not-allow-2nd-static-ip-through/m-p/301061#M568451 EBWservices 2020-02-21T07:15:23Z https://community.cisco.com/t5/network-security/pix-501-does-not-allow-2nd-static-ip-through/m-p/301062#M568452 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Your conduit statements are incorrect, they should be</P><P></P><P>conduit permit tcp any host MAIL eq smtp </P><P>conduit permit tcp any host MAIL eq www </P><P>conduit permit tcp any host MAIL eq 32000 </P><P></P></BODY></HTML> Sat, 21 Feb 2004 16:34:08 GMT https://community.cisco.com/t5/network-security/pix-501-does-not-allow-2nd-static-ip-through/m-p/301062#M568452 nkhawaja 2004-02-21T16:34:08Z https://community.cisco.com/t5/network-security/pix-501-does-not-allow-2nd-static-ip-through/m-p/301063#M568453 <HTML><HEAD></HEAD><BODY><P>Thank you for pointing that out. After I looked at your suggestion, I did realize they were incorrect. I made the changes, but I still can not get through!</P><P></P><P>Do you have any other suggestions?</P><P></P><P></P></BODY></HTML> Sun, 22 Feb 2004 01:24:12 GMT https://community.cisco.com/t5/network-security/pix-501-does-not-allow-2nd-static-ip-through/m-p/301063#M568453 EBWservices 2004-02-22T01:24:12Z https://community.cisco.com/t5/network-security/pix-501-does-not-allow-2nd-static-ip-through/m-p/301064#M568454 <HTML><HEAD></HEAD><BODY><P>still backwards - conduit commands go destination then source</P><P></P><P>conduit permit tcp host mailserver.ip.address.here eq smtp any</P><P></P><P>will allow any to access the smtp port of mailserver.</P><P></P><P>you might want to just use access lists, as conduits will no be supported in the future</P></BODY></HTML> Sun, 22 Feb 2004 13:06:01 GMT https://community.cisco.com/t5/network-security/pix-501-does-not-allow-2nd-static-ip-through/m-p/301064#M568454 mostiguy 2004-02-22T13:06:01Z https://community.cisco.com/t5/network-security/pix-501-does-not-allow-2nd-static-ip-through/m-p/301065#M568455 <HTML><HEAD></HEAD><BODY><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a6.html#1026209" target="_blank">http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a6.html#1026209</A></P></BODY></HTML> Sun, 22 Feb 2004 13:07:26 GMT https://community.cisco.com/t5/network-security/pix-501-does-not-allow-2nd-static-ip-through/m-p/301065#M568455 mostiguy 2004-02-22T13:07:26Z https://community.cisco.com/t5/network-security/pix-501-does-not-allow-2nd-static-ip-through/m-p/301066#M568456 <HTML><HEAD></HEAD><BODY><P>Hi Mostiguy,</P><P></P><P>Thanks for the correction, you are absolutely right.</P><P></P><P>Thanks</P><P>Nadeem</P></BODY></HTML> Sun, 22 Feb 2004 13:23:59 GMT https://community.cisco.com/t5/network-security/pix-501-does-not-allow-2nd-static-ip-through/m-p/301066#M568456 nkhawaja 2004-02-22T13:23:59Z https://community.cisco.com/t5/network-security/pix-501-does-not-allow-2nd-static-ip-through/m-p/301067#M568457 <HTML><HEAD></HEAD><BODY><P>Thanks, that the access list solved my problem. I reformatted the conduit commands as you suggested, but still got nothing. Once I did the access list, everything started working. </P><P></P><P>Thank both of you for your help!</P><P></P><P>Terry N.</P></BODY></HTML> Sun, 22 Feb 2004 16:41:04 GMT https://community.cisco.com/t5/network-security/pix-501-does-not-allow-2nd-static-ip-through/m-p/301067#M568457 EBWservices 2004-02-22T16:41:04Z