09-06-2006 07:45 PM - edited 02-21-2020 01:09 AM
Hi all,
I have a PIX 501 and I need to let Exchange traffic through. I had done this before and it worked for me, but this time it's not working. I cannot telnet to port 25.
Please help. See below for my configuration. I am sure it's something easy, but I cannot see it.
kidscampus# sh config
: Saved
: Written by enable_15 at 16:59:07.852 UTC Mon Sep 4 2006
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname kidscampus
domain-name kcycenter.org
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list 90 permit ip 192.168.1.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list 90 permit tcp any host 60.32.25.34 eq smtp
access-list 90 permit tcp any host 60.32.25.34 eq www
access-list 90 permit tcp any host 60.32.25.35 eq 3389
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 60.32.25.33 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool kids 10.10.10.20-10.10.10.40
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 90
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 60.32.25.35 192.168.1.2 netmask 255.255.255.255 0 0
access-group 90 in interface outside
route outside 0.0.0.0 0.0.0.0 60.32.25.38 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map toOSC 20 ipsec-isakmp
crypto map toOSC 20 match address 90
crypto map toOSC 20 set peer 69.224.215.122
crypto map toOSC 20 set transform-set strong
crypto map toOSC interface outside
isakmp enable outside
isakmp key ******** address 69.224.215.122 netmask 255.255.255.255
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
vpngroup kcyc address-pool kids
vpngroup kcyc dns-server 192.168.1.2
vpngroup kcyc wins-server 192.168.1.2
vpngroup kcyc default-domain kcycenter.org
vpngroup kcyc split-tunnel nonat
vpngroup kcyc split-dns 192.168.1.2 206.13.29.12
vpngroup kcyc idle-time 1800
vpngroup kcyc password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 600
dhcpd auto_config outside
terminal width 80
Cryptochecksum:xxxx
kidscampus#
09-06-2006 08:38 PM
Hi,
1) You need to have a static NAT for your mail server. I guess the public IP of the mail server is 60.32.25.34. Create a static NAT for the private IP of the mail server to get NATted to 60.32.25.34, using a "static (inside,outside) ..." statement.
static (inside, outside) 60.32.25.34
2) Kindly remove the following line:
nat (inside) 0 access-list 90
The ACL 90 needs to be corrected suitably.
The access-list that you apply to the outside interface should look like this:
access-list 90 permit tcp any host 60.32.25.34 eq smtp
access-list 90 permit tcp any host 60.32.25.34 eq www
access-list 90 permit tcp any host 60.32.25.35 eq 3389
I could see that you have also included the following lines in the ACL 90 to match for the crypto map.
access-list 90 permit ip 192.168.1.0 255.255.255.0 10.0.1.0 255.255.255.0
Remove those lines from ACL 90 and create a separate ACL to match for the crypto map.
access-list 91 permit ip 192.168.1.0 255.255.255.0 10.0.1.0 255.255.255.0
Now include nat 0 for this ACL.
nat (inside) 0 access-list 91
And call this ACL in your crypto map.
crypto map toOSC 20 match address 91
If this is not inline with your requirement, let us know what you would like to achieve and we will help you out.
Hope this helps. Please rate the post if it helps.
-VJ
09-08-2006 03:36 PM
VJ,
Thanks so much for your reply.
I tried all your solutions and my Exchange server still does not work.
The actual IP address is 75.32.25.34.
When I tried to send an e-mail, it did not go through, and when I did telnet 75.32.25.34 25,
it failed too.
Please respond as soon as you can,
Thanks again,
Paul Hong
09-08-2006 04:22 PM
Hi,
You need port redirection with statics, as you have one outside address mapped to two inside servers: www and smtp.
Remove this static:
static (inside, outside) 60.32.25.34
Add these two static statements:
static (inside, outside) tcp 60.32.25.34 smtp
static (inside, outside) tcp 60.32.25.34 www
Hope this helps!
Sundar
09-09-2006 09:04 AM
Hi Paul,
Thanks for the update.
Kindly post the current config (excluding any sensitive details). We would like to have a look at the current configuration to see if any further corrections are needed.
-VJ
09-09-2006 11:35 AM
Here is the current config.
Thanks
: Written by enable_15 at 12:23:54.429 UTC Sat Sep 9 2006
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname kidscampus
domain-name kcycenter.org
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list 90 permit tcp any host 75.32.25.34 eq smtp
access-list 90 permit tcp any host 75.32.25.34 eq www
access-list 90 permit tcp any host 75.32.25.35 eq 3389
access-list 91 permit ip 192.168.1.0 255.255.255.0 10.0.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 75.32.25.33 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool kids 10.10.10.20-10.10.10.40
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 91
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 75.32.25.34 www 192.168.1.2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 75.32.25.34 smtp 192.168.1.2 smtp netmask 255.255.255.255 0 0
access-group 90 in interface outside
route outside 0.0.0.0 0.0.0.0 75.32.25.38 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map toOSC 20 ipsec-isakmp
crypto map toOSC 20 match address 91
crypto map toOSC 20 set peer 69.224.215.122
crypto map toOSC 20 set transform-set strong
crypto map toOSC interface outside
isakmp enable outside
isakmp key ******** address 69.224.215.122 netmask 255.255.255.255
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
vpngroup kcyc address-pool kids
vpngroup kcyc dns-server 192.168.1.2
vpngroup kcyc wins-server 192.168.1.2
vpngroup kcyc default-domain kcycenter.org
vpngroup kcyc split-tunnel nonat
vpngroup kcyc split-dns 192.168.1.2 206.13.29.12
vpngroup kcyc idle-time 1800
vpngroup kcyc password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:xxxx
kidscampus(config)#
09-09-2006 02:00 PM
Hi. The config seems OK. Is the SMTP service OK? Have you tested telnet 192.168.1.2 25 from an inside host? If it works, then check its default gateway, because you need to make sure that the return traffic to the internet goes out via 192.168.1.1 (the PIX inside interface). Also make sure the mail server is not blocking anything coming in on SMTP or WWW.
I hope it helps. Please rate it if it does!
09-09-2006 03:24 PM
Yes,
everything is ok on the inside.
I can send e-mails internally and receive internally.
Telnet 192.168.1.2 25 works good inside.
Thanks,
Paul
09-09-2006 11:37 PM
Hmm... Can you do a
clear xlate
and then post the output of
show access-list 90
and
show local-host 192.168.1.2
while performing telnet attempts on port 25 to the mail server from the internet?
09-10-2006 01:12 PM
As your PAT configuration is working, can you replace the existing static translations with these two and let us know how it goes?
static (inside,outside) tcp interface www 192.168.1.2 www netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255
Hope this helps!
Sundar
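An added example, not code from the thread or from Cisco: a small Python checker that parses the handful of PIX 6.3 commands the replies above turn on (access-list, access-group, static, nat 0, crypto map match address, ip address outside) and reports the two problems VJ found in the first config, an inbound permit with no static behind it and ACL 90 doing triple duty as interface filter, nat 0 list and crypto map match list. It is also run against Sundar's port-redirect statics and his later `interface` form. The three configs are constructed inputs trimmed from the ones posted in the thread; the checker, its message strings and the third config are my own. One caveat the thread does not state, which the third config encodes: once a static uses `interface`, the access-list on the outside interface has to permit to the outside interface address (75.32.25.33 here), not to 75.32.25.34.

```python
"""Added example: sanity-check PIX 6.3 inbound server publishing (not from the thread)."""
import re
from collections import defaultdict

PORTS = {"smtp": "25", "www": "80", "http": "80"}   # PIX port names -> numbers


def _port(p):
    return PORTS.get(p, p)


def parse_pix(cfg):
    """Collect ACL entries, who uses each ACL, statics and the outside address."""
    acl = defaultdict(list)    # acl name -> [(proto, rest of entry)]
    statics = []               # (public addr or 'interface', port or '*', inside ip)
    users = defaultdict(set)   # acl name -> {'nat0', 'crypto', <interface name>}
    outside = {}
    rules = [  # first match wins, so the port-redirect static precedes the plain one
        (r"^access-list (\S+) permit (\S+) (.+)$", lambda m: acl[m[1]].append((m[2], m[3]))),
        (r"^static \(inside,\s*outside\) tcp (\S+) (\S+) (\S+) \S+",
         lambda m: statics.append((m[1], m[2], m[3]))),
        (r"^static \(inside,\s*outside\) (\S+) (\S+)", lambda m: statics.append((m[1], "*", m[2]))),
        (r"^nat \(inside\) 0 access-list (\S+)", lambda m: users[m[1]].add("nat0")),
        (r"^crypto map \S+ \d+ match address (\S+)", lambda m: users[m[1]].add("crypto")),
        (r"^access-group (\S+) in interface (\S+)", lambda m: users[m[1]].add(m[2])),
        (r"^ip address outside (\S+)", lambda m: outside.update(ip=m[1])),
    ]
    for raw in cfg.splitlines():
        line = raw.strip()
        for pat, act in rules:
            m = re.match(pat, line)
            if m:
                act(m)
                break
    return acl, statics, users, outside.get("ip")


def check(cfg):
    """Return findings; empty means every inbound permit is backed by a static
    and no interface ACL doubles as the nat 0 or crypto map match list."""
    acl, statics, users, outside_ip = parse_pix(cfg)
    findings = []
    for name, use in users.items():
        ifaces = use - {"nat0", "crypto"}
        if not ifaces:
            continue                       # nat 0 and crypto sharing one ACL is fine
        for proto, rest in acl[name]:
            m = re.match(r"any host (\S+) eq (\S+)$", rest)
            if proto != "tcp" or not m:
                continue
            pub, port = m[1], _port(m[2])
            # a permit only works if a static maps that public address (or the
            # outside interface address, for 'interface' statics) to an inside host
            backed = any(
                (addr == pub or (addr == "interface" and outside_ip == pub))
                and _port(sport) in ("*", port)
                for addr, sport, _inside in statics
            )
            if not backed:
                findings.append(f"no static translation for {pub} tcp/{port} (acl {name})")
        other = use - ifaces
        if other:
            findings.append(f"acl {name} applied to interface {', '.join(sorted(ifaces))} "
                            f"is also used for {', '.join(sorted(other))}; use a separate ACL")
    return findings


# Constructed inputs, trimmed from the configs posted in the thread.
ORIGINAL = """
access-list 90 permit ip 192.168.1.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list 90 permit tcp any host 60.32.25.34 eq smtp
access-list 90 permit tcp any host 60.32.25.34 eq www
access-list 90 permit tcp any host 60.32.25.35 eq 3389
ip address outside 60.32.25.33 255.255.255.248
nat (inside) 0 access-list 90
static (inside,outside) 60.32.25.35 192.168.1.2 netmask 255.255.255.255 0 0
access-group 90 in interface outside
crypto map toOSC 20 match address 90
"""
REDIRECT = """
access-list 90 permit tcp any host 75.32.25.34 eq smtp
access-list 90 permit tcp any host 75.32.25.34 eq www
access-list 90 permit tcp any host 75.32.25.35 eq 3389
ip address outside 75.32.25.33 255.255.255.248
nat (inside) 0 access-list 91
static (inside,outside) tcp 75.32.25.34 www 192.168.1.2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 75.32.25.34 smtp 192.168.1.2 smtp netmask 255.255.255.255 0 0
access-group 90 in interface outside
crypto map toOSC 20 match address 91
"""
# Sundar's 'interface' form (my construction): the ACL then names the outside interface address
INTERFACE_PAT = """
access-list 90 permit tcp any host 75.32.25.33 eq smtp
access-list 90 permit tcp any host 75.32.25.33 eq www
ip address outside 75.32.25.33 255.255.255.248
static (inside,outside) tcp interface www 192.168.1.2 www netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255
access-group 90 in interface outside
"""

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("port redirect", REDIRECT), ("interface PAT", INTERFACE_PAT)):
        print(label, "->", check(cfg) or ["ok"])
```

Against the first config it reports the missing statics for 60.32.25.34 on 25 and 80 and the shared ACL 90, which is exactly VJ's diagnosis. Against Paul's second config it reports only 75.32.25.35 tcp/3389: the one-to-one static for .35 that existed in the first config is gone while the 3389 permit stayed, which the thread does not discuss. The `interface` config passes as written and fails with two missing-static findings if the ACL is left pointing at .34.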