PIX 501 does not allow 2nd Static IP through

EBWservices
Level 1

Can anyone tell me why I can not access my mail server?

Ok here is my setup:

I have 5 usable static addresses: 217 is the PIX, 218 is my mail server. I have complete internet access from any of the workstations that use DHCP (from the PIX) and from the static IP of 192.168.1.3 that is assigned to my mail server. What I cannot seem to do is access my mail server from the internet (SMTP, HTTP). The mail server will not receive any traffic (that it did not initiate) while it is behind the firewall. I seriously need it to accept SMTP and HTTP for my mail to be deliverable and to access the account over the internet. Oh yes, I can transmit email from behind the PIX, just not receive.

I have tried multiple configs and nothing works.

When I tried pinging from inside the PIX to the 218 address, I received nothing, and sh arp gave nothing.

Here is my config (very standard from the net):

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXX encrypted
passwd XXXXXXXXX encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name XX.XXX.XX.218 MAIL
name XX.XXX.XX.219 WEB
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside XX.XXX.XX.217 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) MAIL 192.168.1.3 netmask 255.255.255.255 0 0
conduit permit tcp any host 192.168.1.3 eq smtp
conduit permit tcp any host 192.168.1.3 eq www
conduit permit tcp any host 192.168.1.3 eq 32000
route outside 0.0.0.0 0.0.0.0 64.216.83.222 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.1.20-192.168.1.50 inside
dhcpd dns 151.164.11.201 151.164.1.8
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80

Thank you all in advance!!!!

Terry N.

6 Replies

nkhawaja
Cisco Employee

Hi,

Your conduit statements are incorrect; they should be

conduit permit tcp any host MAIL eq smtp
conduit permit tcp any host MAIL eq www
conduit permit tcp any host MAIL eq 32000

Thank you for pointing that out. After I looked at your suggestion, I did realize they were incorrect. I made the changes, but I still cannot get through!

Do you have any other suggestions?

Still backwards: conduit commands go destination, then source.

conduit permit tcp host mailserver.ip.address.here eq smtp any

will allow any to access the SMTP port of the mail server.

You might want to just use access lists, as conduits will not be supported in the future.

Hi Mostiguy,

Thanks for the correction, you are absolutely right.

Thanks

Nadeem

Thanks, the access list solved my problem. I reformatted the conduit commands as you suggested, but still got nothing. Once I did the access list, everything started working.

Thanks to both of you for your help!

Terry N.
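The thread settles on two rules that are easy to get wrong on a PIX 6.x box: a conduit or an outside-interface access list must name the global (translated) address from the matching static, never the inside host, and conduit takes the destination before the source. The script below is an added example, not code from the thread or from Cisco: it is a small static checker that applies those rules to config text, and also flags the default SNMP community string that is visible in the posted config and any access-list that is defined but never bound with access-group. POSTED is constructed from the lines the OP posted; FIXED is an assumption of what the access-list version of the fix looked like, since the OP did not post it, and the interface-ACL name outside_in is invented for the example.

```python
"""Checker for PIX 6.x conduit / access-list lines (added example, see lead-in)."""
from typing import Dict, List, Optional, Set, Tuple

# Constructed from the lines the OP posted (public addresses redacted as on the page).
POSTED = """\
name XX.XXX.XX.218 MAIL
name XX.XXX.XX.219 WEB
static (inside,outside) MAIL 192.168.1.3 netmask 255.255.255.255 0 0
conduit permit tcp any host 192.168.1.3 eq smtp
conduit permit tcp any host 192.168.1.3 eq www
conduit permit tcp any host 192.168.1.3 eq 32000
snmp-server community public
"""

# Assumed access-list form of the fix; the OP did not post it. ACL name is invented.
FIXED = """\
name XX.XXX.XX.218 MAIL
static (inside,outside) MAIL 192.168.1.3 netmask 255.255.255.255 0 0
access-list outside_in permit tcp any host MAIL eq smtp
access-list outside_in permit tcp any host MAIL eq www
access-list outside_in permit tcp any host MAIL eq 32000
access-group outside_in in interface outside
"""


def _addr(t: List[str], i: int) -> Tuple[Optional[str], int]:
    """Consume one address spec at t[i]: 'any' -> None, 'host X' -> X, 'X MASK' -> X."""
    if t[i] == "any":
        return None, i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    return t[i], i + 2


def _port(t: List[str], i: int) -> int:
    """Skip an optional port operator ('eq P' or 'range P Q') at t[i]."""
    if i < len(t) and t[i] == "eq":
        return i + 2
    if i < len(t) and t[i] == "range":
        return i + 3
    return i


def check_config(text: str) -> List[str]:
    """Return findings for a PIX 6.x config fragment; an empty list means it passes."""
    names: Dict[str, str] = {}        # label -> IP, from `name` lines
    global_of: Dict[str, str] = {}    # inside IP -> global IP, from `static` lines
    acl_defined: Set[str] = set()
    acl_applied: Set[str] = set()
    findings: List[str] = []

    def resolve(tok: str) -> str:
        return names.get(tok, tok)

    def check_inside(addr: Optional[str], line: str) -> None:
        # Rule 1: an outside-facing rule must name the static's global address.
        if addr is not None and resolve(addr) in global_of:
            findings.append(f"{line!r}: names inside address {addr}; permit the "
                            f"global address {global_of[resolve(addr)]} from the static instead")

    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "name":                      # name IP LABEL
            names[t[2]] = t[1]
        elif t[0] == "static":                  # static (in,out) GLOBAL LOCAL ...
            global_of[resolve(t[3])] = resolve(t[2])
        elif t[0] == "conduit":                 # conduit permit PROTO DEST [eq P] SRC [eq P]
            dst, i = _addr(t, 3)
            src, _ = _addr(t, _port(t, i))
            # Rule 2: destination comes first; 'any' followed by a host is the reversed form.
            if dst is None and src is not None:
                findings.append(f"{raw!r}: arguments look reversed; conduit takes the "
                                f"destination (global) address first, then the source")
            check_inside(dst, raw)
            check_inside(src, raw)
        elif t[0] == "access-list":             # access-list NAME permit PROTO SRC [eq P] DST [eq P]
            acl_defined.add(t[1])
            _, i = _addr(t, 4)
            dst, _ = _addr(t, _port(t, i))
            check_inside(dst, raw)
        elif t[0] == "access-group":            # access-group NAME in interface IF
            acl_applied.add(t[1])
        elif len(t) > 2 and t[:2] == ["snmp-server", "community"] and t[2] in ("public", "private"):
            findings.append(f"{raw!r}: default SNMP community string")

    for acl in sorted(acl_defined - acl_applied):
        findings.append(f"access-list {acl} is defined but never bound with access-group")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("fixed", FIXED)):
        print(f"== {label}")
        for f in check_config(cfg) or ["no findings"]:
            print("  " + f)
```

Run against POSTED it reports both problems on each of the three conduits plus the community string; the first suggested correction (host MAIL after any) still trips the reversed-argument rule, and only the destination-first form or the access-list form comes back clean. Two caveats for anyone testing a setup like this: pinging the global address from an inside host, as the OP did, is not a valid test on PIX 6.x, which does not turn traffic around on the interface it arrived on, so test the static from the outside; and fixup protocol smtp 25 (Mailguard) only passes the basic SMTP commands (HELO, MAIL, RCPT, DATA, RSET, NOOP, QUIT) to the server, so an ESMTP-only peer can still fail to deliver even once the NAT and ACL are right.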
