topic Re: Cisco PIX 501 problems in Network Security

Cisco PIX 501 problems

bin_asc_adrian — Mon, 11 Mar 2019 10:58:59 GMT

I`m a very new to cisco management, so here are my issues.

1. I`ve been trying to open port 2086 inbound and outbound and I don`t know how to do it.

2. For some reason the firewall is not letting smpt connect outside.

Here is my firewall configuration :

interface ethernet0 100full

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

hostname pixfirewall

domain-name linux.secureserver.net

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list outside_access_in permit tcp any any eq ftp-data

access-list outside_access_in permit tcp any any eq ftp

access-list outside_access_in permit tcp any any eq ssh

access-list outside_access_in permit tcp any any eq 42

access-list outside_access_in permit udp any any eq nameserver

access-list outside_access_in permit tcp any any eq domain

access-list outside_access_in permit udp any any eq domain

access-list outside_access_in permit tcp any any eq www

access-list outside_access_in permit tcp any any eq pop3

access-list outside_access_in permit tcp any any eq https

access-list outside_access_in permit tcp any any eq 465

access-list outside_access_in permit tcp any any eq 587

access-list outside_access_in permit tcp any any eq 995

access-list outside_access_in permit tcp any any eq 993

access-list outside_access_in permit tcp any any eq 3389

access-list outside_access_in permit tcp any any eq 8443

access-list outside_access_in permit tcp any any eq 9999

access-list outside_access_in permit tcp any any eq 2086

access-list outside_access_in permit tcp any any eq 2087

access-list outside_access_in permit tcp any any eq 2082

access-list outside_access_in permit tcp any any eq 2083

access-list outside_access_in permit tcp any any eq 2096

access-list outside_access_in permit tcp any any eq 2095

access-list outside_access_in deny tcp any any eq telnet

Re: Cisco PIX 501 problems

bin_asc_adrian — Thu, 16 Aug 2007 21:29:12 GMT

access-list outside_access_in permit tcp any any eq smtp

access-list outside_access_in deny tcp any any eq imap4

access-list outside_access_in deny tcp any any eq 1433

access-list outside_access_in deny tcp any any eq 3306

access-list outside_access_in deny tcp any any eq 9080

access-list outside_access_in deny tcp any any eq 9090

access-list outside_access_in permit icmp any any echo-reply

access-list outside_access_in permit icmp any any source-quench

access-list outside_access_in permit icmp any any unreachable

access-list outside_access_in permit icmp any any time-exceeded

access-list outside_access_in permit tcp any any eq 7080

access-list outside_access_in permit tcp any any eq 2080

access-list outside_access_in permit tcp any any eq 55555

access-list outside_access_in permit tcp any any eq 125

access-list in_access_outside permit tcp any any eq smtp

access-list smtp permit tcp any host outsideip1 eq smtp

pager lines 24

logging on

mtu outside 1500

mtu inside 1500

ip address outside cisco.pix.ip 255.255.255.0

ip address inside 10.0.0.254 255.255.255.0

ip verify reverse-path interface outside

ip audit info action alarm

ip audit attack action alarm

pdm location 10.0.0.1 255.255.255.255 inside

pdm location outside.ip1 255.255.255.255 outside

pdm location 10.0.0.1 255.255.255.255 outside

pdm location 10.0.0.2 255.255.255.255 inside

pdm location outside.ip2 255.255.255.255 outside

pdm location my.home.ip 255.255.255.255 outside

pdm history enable

arp timeout 14400

static (outside,inside) 10.0.0.1 outside.ip1 dns netmask 255.255.255.255 0 0

static (inside,outside) outside.ip1 10.0.0.1 dns netmask 255.255.255.255 0 0

static (outside,inside) 10.0.0.2 outside.ip2 dns netmask 255.255.255.255 0 0

static (inside,outside) outside.ip2 10.0.0.2 dns netmask 255.255.255.255 0 0

access-group smtp in interface outside

route outside 0.0.0.0 0.0.0.0 208.109.90.254 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 0.0.0.0 0.0.0.0 outside

http 10.0.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

management-access outside

console timeout 0

terminal width 80

Please guide me through to fixing these issues. I also don`t know how to connect to the pix ssh...

Re: Cisco PIX 501 problems

me19562 — Thu, 16 Aug 2007 22:24:17 GMT

Well, right now after looking at your config you are nousing any of the access-list outside_access_in. The only acl apply right now is access-list smtp and it's apply to the outside interface. If what you want it's allow traffic to port 25 in host outsideip1 from anywhere, then modify the acl that already exist

access-list outside_access_in permit tcp any any eq smtp

to this

access-list outside_access_in permit tcp any host outsideip1 eq smtp

Then apply the ACL's outside_access_in to the ouside interface

access-group outside_access_in in interface outside

For the NAT, you should be good with only these static entries unless you are trying to do something else.

static (inside,outside) outside.ip1 10.0.0.1 dns netmask 255.255.255.255 0 0

static (inside,outside) outside.ip2 10.0.0.2 dns netmask 255.255.255.255 0 0

HTH

Re: Cisco PIX 501 problems

purohit_810 — Thu, 16 Aug 2007 23:23:57 GMT

access-list outside_access_in permit tcp any any eq 2084

Regards,

Dharmesh Purohit

Re: Cisco PIX 501 problems

me19562 — Thu, 16 Aug 2007 23:32:00 GMT

BTW port 2086 it's already in access-list outside_acces_in

access-list outside_access_in permit tcp any any eq 2086