Forwarding SSL 443 PIX

owlhousing
Level 1

Hi all,

I'm a bit confused as to why this config doesn't work.

I have an internal Front End Exchange server which I'm trying to forward https clients to.

I already have smtp forwarding to my main Exchange server and this works fine.

Here's my config, any help greatly appreciated:

Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
hostname PIX515E
domain-name owl-housing.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.3 OWL-W2KS-MAIL
name 192.168.1.4 OWL-WS-MERCURY
access-list inside_access_in permit tcp any any
access-list inside_access_in permit udp any any
access-list smtp permit tcp any host xxx.xxx.xxx.xxx eq smtp
access-list smtp permit tcp any host xxx.xxx.xxx.xxx eq https
pager lines 24
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.xxx
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location OWL-W2KS-MAIL 255.255.255.255 inside
pdm location OWL-WS-MERCURY 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp OWL-W2KS-MAIL smtp dns netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https OWL-WS-MERCURY https dns netmask 255.255.255.255 0 0
access-group smtp in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.50 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:6ece57a17322081f649bbb6636c5adf3
: end
[OK]

2 Replies

jmia
Level 7

Did you issue clear xlate after the modifications on your statics and ACLs? Also, can you provide any syslog messages?

Jay

Everything looks good,

but I would remove the PIX PDM https server, as both of them use https port 443:

no http server enable

And as Jay told you do a:

clear xlate

But be aware that you flush your translation table, which will disconnect some sessions, for example ftp sessions ...

sincerely

Patrick
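The two replies point at three things that have to line up for an inbound forward on a PIX 6.3 to work: the static for the port, an inbound access-list on the outside interface that permits that port to the interface address, and no PIX management service already sitting on the same port (the PDM https server on 443 that Patrick mentions). The following Python linter, added here as an example and not code from Cisco or from anyone in this thread, parses those pieces out of a config and reports which link in the chain is missing. The sample config is constructed from the lines quoted in the question (with the poster's redacted xxx.xxx.xxx.xxx outside address kept as-is), the service-name table covers only the names that appear in the post, and only `any` and `host` destinations are modelled in the ACL check.

```python
"""Lint a PIX 6.3 config for a static PAT forwarding chain (added example, not Cisco code)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# PIX service names used in the post; assumption: a subset is enough for this example.
SERVICE_PORTS = {"smtp": 25, "https": 443, "http": 80, "ssh": 22, "telnet": 23}

STATIC_RE = re.compile(
    r"^static \((?P<real>\w+),(?P<mapped>\w+)\) tcp interface "
    r"(?P<mport>\S+) (?P<host>\S+) (?P<rport>\S+)")
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any|host \S+|\S+ \S+) (?P<dst>any|host \S+|\S+ \S+)(?: eq (?P<port>\S+))?$")
ACCESS_GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<iface>\S+)$")
IP_ADDR_RE = re.compile(r"^ip address (?P<iface>\S+) (?P<ip>\S+) (?P<mask>\S+)$")
NAME_RE = re.compile(r"^name (?P<ip>\S+) (?P<alias>\S+)$")


@dataclass
class PixConfig:
    names: dict = field(default_factory=dict)       # alias -> ip (from `name` lines)
    if_addr: dict = field(default_factory=dict)     # interface -> ip
    statics: list = field(default_factory=list)     # (mapped_if, mapped_port, host, real_port)
    acls: dict = field(default_factory=lambda: defaultdict(list))  # name -> entries
    access_groups: dict = field(default_factory=dict)  # interface -> inbound acl name
    http_server: bool = False                       # PDM https server (listens on 443)


def port_of(token):
    """Translate a PIX port token (service name or number) to an integer."""
    return int(token) if token.isdigit() else SERVICE_PORTS[token]


def parse_config(text):
    cfg = PixConfig()
    for raw in text.splitlines():
        line = raw.strip()
        if line == "http server enable":
            cfg.http_server = True
        elif line == "no http server enable":
            cfg.http_server = False
        elif m := NAME_RE.match(line):
            cfg.names[m["alias"]] = m["ip"]
        elif m := IP_ADDR_RE.match(line):
            cfg.if_addr[m["iface"]] = m["ip"]
        elif m := STATIC_RE.match(line):
            cfg.statics.append((m["mapped"], port_of(m["mport"]), m["host"], port_of(m["rport"])))
        elif m := ACL_RE.match(line):
            port = port_of(m["port"]) if m["port"] else None
            cfg.acls[m["name"]].append((m["action"], m["proto"], m["dst"], port))
        elif m := ACCESS_GROUP_RE.match(line):
            cfg.access_groups[m["iface"]] = m["name"]
    return cfg


def entry_covers(cfg, entry, dst_ip, port):
    """Does one ACL entry apply to tcp traffic to dst_ip:port? (host/any destinations only)"""
    _, proto, dst, eport = entry
    if proto not in ("tcp", "ip"):
        return False
    if dst != "any":
        if not dst.startswith("host "):
            return False  # network/mask destinations are not modelled in this example
        if cfg.names.get(dst.split()[1], dst.split()[1]) != dst_ip:
            return False
    return eport is None or eport == port


def acl_permits(cfg, acl_name, dst_ip, port):
    """First-match evaluation with the implicit deny at the end of a PIX ACL."""
    for entry in cfg.acls.get(acl_name, []):
        if entry_covers(cfg, entry, dst_ip, port):
            return entry[0] == "permit"
    return False


def check_forwards(cfg):
    findings = []
    for mapped_if, mport, host, rport in cfg.statics:
        mapped_ip = cfg.if_addr.get(mapped_if)
        label = f"{mapped_if}:{mport} -> {host}:{rport}"
        acl = cfg.access_groups.get(mapped_if)
        if acl is None:
            findings.append(f"{label}: no access-group inbound on {mapped_if}; implicit deny drops the forward")
        elif not acl_permits(cfg, acl, mapped_ip, mport):
            findings.append(f"{label}: access-list {acl} has no permit for tcp/{mport} to {mapped_ip}")
        if mport == 443 and cfg.http_server:
            findings.append(f"{label}: 'http server enable' (PDM) also uses 443; "
                            "disable it with 'no http server enable' as suggested in the thread")
    return findings


def lint(text):
    return check_forwards(parse_config(text))


# Constructed from the lines quoted in the question; xxx.xxx.xxx.xxx is the poster's redaction.
POSTED_CONFIG = """\
name 192.168.1.3 OWL-W2KS-MAIL
name 192.168.1.4 OWL-WS-MERCURY
access-list smtp permit tcp any host xxx.xxx.xxx.xxx eq smtp
access-list smtp permit tcp any host xxx.xxx.xxx.xxx eq https
ip address outside xxx.xxx.xxx.xxx 255.255.255.xxx
ip address inside 192.168.1.1 255.255.255.0
static (inside,outside) tcp interface smtp OWL-W2KS-MAIL smtp dns netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https OWL-WS-MERCURY https dns netmask 255.255.255.255 0 0
access-group smtp in interface outside
http server enable
http 192.168.1.0 255.255.255.0 inside
"""

if __name__ == "__main__":
    for finding in lint(POSTED_CONFIG):
        print(finding)
    fixed = POSTED_CONFIG.replace("http server enable", "no http server enable")
    print("after 'no http server enable':", lint(fixed))
```

Run against the posted config the only finding is the 443 overlap with the PDM server; the smtp and https statics both have a matching permit in the `smtp` ACL applied inbound on outside. Dropping the `eq https` ACL line instead produces the "no permit for tcp/443" finding, which is the other common reason a forward of this shape silently fails.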
