12-29-2004 04:55 AM - edited 02-20-2020 11:49 PM
Hi,
My setup goes like this... Internal(100.x.x.101)---proxy---firewall---router---Internet---ISP (MAIL Server - 212.xxx.xxx.40). If I want to access my e-mails located at the ISP, what are the protocols I should allow apart from SMTP, POP3? If anybody has got the same setup, help me out.
12-29-2004 06:02 AM
I do not have exactly the same setup as you, but you need to let the smtp protocol pass to send messages and pop3 to get them, depending on your ISP.
Check on your provider's web site, they might also support pops with SSL (encrypted pop3 traffic) = TCP/995 or imap or imaps = TCP/993.
Be sure that your workstations that are using mail have a default gateway. A proxy-only config does not need a gateway for browsing the internet, which is really good from the security point of view.
I suppose that the proxy server is on the same network as your clients!
Example:
PIX(config)# access-list acl-inside permit tcp host ProxyServer any eq http
PIX(config)# access-list acl-inside permit tcp host ProxyServer any eq https
PIX(config)# access-list acl-inside permit tcp host ProxyServer any eq ftp
PIX(config)# access-list acl-inside permit tcp InternalNetwork InternalSubnetMask host 212.xxx.xxx.40 eq pop3
PIX(config)# access-list acl-inside permit tcp InternalNetwork InternalSubnetMask host 212.xxx.xxx.40 eq smtp
PIX(config)# access-group acl-inside in interface inside
Does your proxy server support protocols other than http, https or ftp?
sincerely
Patrick
12-30-2004 12:05 AM
Dear Patrick,
PIX(config)# access-list acl-inside permit tcp host ProxyServer any eq http
PIX(config)# access-list acl-inside permit tcp host ProxyServer any eq https
PIX(config)# access-list acl-inside permit tcp host ProxyServer any eq ftp
PIX(config)# access-list acl-inside permit tcp InternalNetwork InternalSubnetMask host 212.xxx.xxx.40 eq pop3
PIX(config)# access-list acl-inside permit tcp InternalNetwork InternalSubnetMask host 212.xxx.xxx.40 eq smtp
I think by default everything is allowed from inside and my default route shows to the internet router. Apart from this do you think I need to add the above lines?
12-30-2004 08:29 AM
You are absolutely right, but how do you want to enforce that only hosts that use the Proxy Server can use http and https?
I supposed that you were enforcing that kind of policy.
Anyway, if you do not have an access-list on the inside interface then everybody can access anything from the inside to the outside and so you do not need to define or change the access-list.
sincerely
Patrick
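The difference the thread settles on (no access-list on the inside interface versus Patrick's acl-inside bound to it) can be checked flow by flow. This is an added example, not part of the original posts: a small first-match evaluator in Python, where the addresses 192.0.2.x, 198.51.100.80 and 203.0.113.40 are constructed stand-ins for the elided ones in the thread.

```python
import ipaddress

# Constructed stand-ins for the thread's elided addresses (assumptions).
PROXY = "192.0.2.10"
INSIDE_NET = "192.0.2.0/24"
ISP_MAIL = "203.0.113.40"
PORTS = {"http": 80, "https": 443, "ftp": 21, "pop3": 110, "smtp": 25}

# Patrick's acl-inside as (source, destination, tcp port) permit rules.
ACL_INSIDE = [
    (PROXY + "/32", "0.0.0.0/0", "http"),
    (PROXY + "/32", "0.0.0.0/0", "https"),
    (PROXY + "/32", "0.0.0.0/0", "ftp"),
    (INSIDE_NET, ISP_MAIL + "/32", "pop3"),
    (INSIDE_NET, ISP_MAIL + "/32", "smtp"),
]

def evaluate(acl, src, dst, port):
    """Return 'permit' or 'deny' for an outbound TCP connection.

    acl=None models no access-group on the inside interface, where
    inside-to-outside traffic is allowed, as the thread states. With an
    ACL bound, rules are checked top-down and anything unmatched is denied.
    """
    if acl is None:
        return "permit"
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule_src, rule_dst, name in acl:
        if (s in ipaddress.ip_network(rule_src)
                and d in ipaddress.ip_network(rule_dst)
                and port == PORTS[name]):
            return "permit"
    return "deny"  # implicit deny at the end of every access-list

def report(acl):
    client, web = "192.0.2.101", "198.51.100.80"  # constructed hosts
    flows = {
        "client -> ISP pop3/110": (client, ISP_MAIL, 110),
        "client -> ISP smtp/25": (client, ISP_MAIL, 25),
        "client -> ISP pop3s/995": (client, ISP_MAIL, 995),
        "client -> web direct/80": (client, web, 80),
        "proxy -> web/80": (PROXY, web, 80),
    }
    return {name: evaluate(acl, *f) for name, f in flows.items()}

if __name__ == "__main__":
    for label, acl in (("no ACL", None), ("acl-inside", ACL_INSIDE)):
        print(label, report(acl))
```

With the ACL bound, direct client web access is denied while the proxy's is permitted, and the pop3s flow is denied until TCP/995 (or TCP/993 for imaps) gets its own permit line.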