Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
713
Views
0
Helpful
9
Replies

Help to configure pix firewall 507e for mail access

Go to solution
dennis-pelea
Level 1
Level 1

‎05-06-2005 01:38 AM - edited ‎02-21-2020 12:07 AM

Dear Expert,

I called our cisco vendor and ask for technical assistance regarding our current problem we are facing on our set-up,

She told me to forward my concern to Cisco TAC. My friends told me to post it here in Netpro discussion.

I am writing now to ask some question regarding my pix firewall 506 configuration.

To give the set-up details pls find below and the attached captured of show tech command.

We subscribed DSL service and Singtel give us 2 Valid Public IP addresses which is 203.125.100.246 255.255.255.252 .

I used 203.125.100.246 for my outside interface of my pix firewall and singtel assign 203.125.100.245 for the DSL router. In this case we can only use PAT for internet connection.

Currently it is working fine our Mail server is resided in Singtel Office having ip address of 165.21.111.22. Its working as well we can recieved and deliver email over the internet and we can also browse the internet.

Now we plan to put our mail server in our own Network because sometimes we encounter slowness on recieving and sending emails. Pls check on the IP addressing below

our LAN IP address is 192.168.1.X 255.255.255.0

default gateway which is the IP address of pix firewall inside interface is 192.168.1.1

The new mail server IP address is 192.168.1.4.

here's what I did so far.

I created a static mapping for my mail server here it is

static ( inside, outside) 203.125.100.246 192.168.1.4 netmask 255.255.255.255 0 0

and edit the access-list to permit smtp on our networks.

access-list ACL_OUT permit ip 192.168.2.0 255.255.255.0 any

access-list ACL_OUT permit icmp any host 203.125.100.246

access-list ACL_OUT permit tcp any host 203.125.100.246 eq smtp

access-list ACL_OUT permit tcp any host 203.125.100.246 eq pop3

access-list ACL_OUT permit udp any host 203.125.100.246 eq domain

access-group ACL_OUT in interface outside

after doing it.. I loss all the connection to internet including email is not working.. so I removed it immediately. because it cause network outage.

I edit it instead and create static mapping like this.

static (outside,inside) 203.125.100.246 192.168.1.4 netmask 255.255.255.255 0 0

and edit the access-list to permit smtp on our networks.

access-list ACL_OUT permit ip 192.168.2.0 255.255.255.0 any

access-list ACL_OUT permit icmp any host 203.125.100.246

access-list ACL_OUT permit tcp any host 203.125.100.246 eq smtp

access-list ACL_OUT permit tcp any host 203.125.100.246 eq pop3

access-list ACL_OUT permit udp any host 203.125.100.246 eq domain

access-group ACL_OUT in interface outside

Having this it did not cause any network outage neither interruption. I thought it will work already with the config, I keep it and its the current config right now.. But when I change the POP and SMTP settings to point it on 192.168.1.4 which is the new mail server on our LAN. its not working.

To date we are in a discussion with my boss whether or not its possible to create static mapping to our new mail server address 192.168.1.4 to 203.125.100.246 which is already assigned as outside IP address and is being used for PAT.

We are seeking your help to know how to set-up our internal mail server statically map to our public IP address which is already used for PAT.

Kindly check the show tech output attached herewith.

Thank you so much!

I will appreciate your prompt response.

Your's Truly,

Dennis Pelea

Preview file
13 KB
Preview file
13 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
jmia
Level 7
Level 7
In response to dennis-pelea

‎05-10-2005 12:24 AM

Dennis,

Can you please forward to me your full pix configuration (take out any sensitive info) to jmia@ohgroup.co.uk

As I am puzzled why this configuration is not working for you. I have several customers who are using one public ip for outside intf plus several other services using this one ip.

Thanks / Jay

View solution in original post

0 Helpful
9 Replies 9

Go to solution
jmia
Level 7
Level 7

‎05-06-2005 02:38 AM

Dennis,

Firstly, have a read of the following document:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094466.shtml

Example:

If you've only got the two public IP address to play with and one of these is for the router and the other for your pix outside intf, you can do the following:

access-list smtp permit tcp any host 203.125.100.246 eq smtp

access-list smtp permit tcp any host 203.125.100.246 eq pop3

access-group smtp in interface outside

static (inside,outside) tcp interface smtp smtp netmask 255.255.255.255 0 0

static (inside,outside) tcp interface pop3 pop3 netmask 255.255.255.255 0 0

Note: That public IP (203.125.100.246) should correspond to your Mail MX record, i.e. your smtp mail MX record should point to this IP!

Make sure to save with write mem and also issue command: clear xlate.

I would suggest that (if you can), clear your current config and start fresh.

On your DSL router clear the ARP table too, if can't do this ask your ISP.

Let me know if this helps and if it does please rate post, if you need further help let me know.

Good luck / Jay

0 Helpful

Go to solution
dennis-pelea
Level 1
Level 1
In response to jmia

‎05-08-2005 04:56 PM

Dear Jay,

Thank you so much for spending time to my email. I really appreciate your help. however, after following all the procedure you attached in addition to the command you put here, It still not working.

I spend a lot of times on doing troubleshooting and it ends up the same which is it is still not working.

Am just wondering if its really possible to use 1 (one) IP address play static translation for mail server and at the same time it is being used for PAT (port address translation) for our internet applications. Which means we use 1 valid ip address for 2 different purposes, 1st for our mail server incoming and outgoing transaction and 2nd for our internet, vpn connection.

We dont have plan to subscribed another IP address so far, and my boss believed that it is possible.

Any help from you on how can I do it properly will greately appreciated.

If it is not possible please let me know so I will have somebody to prove to my boss that it is not possible unless we have subscribed another IP address.

Hope to hear from you at the soonest possible.

Thank you so much.

Dennis

0 Helpful

Go to solution
jmia
Level 7
Level 7
In response to dennis-pelea

‎05-09-2005 03:09 AM

Dennis,

It is possible to use one public IP for your pix outside intf and then use this address for other services i.e. smtp/pop3 etc.

Now I'm little confused from your post as what I said on my post should have worked for you! Can you post your config with the changes you made please.

Did you issue a clear xlate after the modifications? And also, did you make sure that the outside ip of the pix corresponds to the MX record for your smtp?

Post to me the configuration of the pix after the modifications from my post either here or to me at : jmia@ohgroup.co.uk and I'll take a look for you Dennis.

Jay

0 Helpful

Go to solution
dennis-pelea
Level 1
Level 1
In response to jmia

‎05-09-2005 04:41 PM

Dear Jay,

Thank you so much for your kind response, however it really doesnt work. you can find the config from my previous attachment.

can you pls verify it.

regards,

Dennis

0 Helpful

Go to solution
r.geronimo
Level 1
Level 1
In response to dennis-pelea

‎05-09-2005 10:06 PM

Dennis,

I have noticed this on your config..

no fixup protocol smtp 25

Could you enable this protocol by issuing the "fixup protocol smtp 25" command. This might help.

Regards,

Reggie

0 Helpful

Go to solution
dennis-pelea
Level 1
Level 1
In response to r.geronimo

‎05-09-2005 11:53 PM

Hi Reggie,

Thanks for participating and for your opinion. Even it its enable it is still not working, besides its cisco docs who told me to disable it.

What actually am trying to confirm here is.. Is it possible to use 1 valid public ip address to work in my pix firewall doing PAT and at the same time using it to statically map on my mail server inside our network.

PAT use to translate outgoing TCP traffic using my public ip address, while Static maps my public ip address to my mail server inside.. using the same public ip address will it worked ?

your input is greately appreciated.

Thanks,

Dennis

PS. pls give my regards to Mhon & Wendy.

0 Helpful

Go to solution
jmia
Level 7
Level 7
In response to dennis-pelea

‎05-10-2005 12:24 AM

Dennis,

Can you please forward to me your full pix configuration (take out any sensitive info) to jmia@ohgroup.co.uk

As I am puzzled why this configuration is not working for you. I have several customers who are using one public ip for outside intf plus several other services using this one ip.

Thanks / Jay

0 Helpful

Go to solution
dennis-pelea
Level 1
Level 1
In response to jmia

‎05-10-2005 12:47 AM

Hi Jay,

I send it already.

hope to hear from you soon.

thanks,

Dennis

0 Helpful

Go to solution
dennis-pelea
Level 1
Level 1
In response to dennis-pelea

‎05-10-2005 06:28 PM

Dear Jay,

Thanks for your wonderfull assistance.. My problem is already resolved after following your suggested configuration for my pix firewall.

we are now using it and we already transfer our mail server on our LAn.

Thanks so much for your assistance.

Best Regards,

Dennis

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card