10-10-2011 12:43 AM - edited 03-11-2019 02:35 PM
Hi Guys,
I have a Pix 501 firewall and I'm configuring the device for an "Email Server" to allow POP/SMTP, but I have some questions; please answer them so I can resolve the issue.
Inside Interface Address: 132.147.162.14/255.255.0.0
Outside Interface Address: ISP provided IP address
My question is: can my traffic go from the inside interface to the outside interface? (because the inside interface address is not from the 10./172./192.168. private address ranges)
Also I'm allowing internet access from this email server (132.147.162.14), so how should my access list be configured, and what should the subnet mask be there?
Pix(config)#access-list outbound permit tcp 132.147.162.14 255.255.0.0 any eq 80
Pix(config)#access-list outbound permit udp 132.147.162.14 255.255.0.0 any eq 53
Pix(config)#access-group outbound in interface inside
Waiting for your quick reply.
Regards,
Saeed
10-10-2011 01:53 AM
Hi,
From an ASA standpoint, INSIDE to OUTSIDE will work even if INSIDE is not a private address, but from the ISP's standpoint, how are they going to route the return traffic, and will they even accept it? I doubt it, so you'll have to do NAT from INSIDE to OUTSIDE.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
I don't understand question 2; first, you gave the same IP as the inside interface of the Pix?
Second, if you want this machine to get out on the internet then you have nothing special to do, but if you want people on the internet to access your mail server then you must enter a static PAT entry for SMTP/POP and create an ACL permitting traffic to this server and apply it inbound on the outside interface.
Please clarify second question.
Regards.
Alain.
10-10-2011 02:05 AM
Hi,
Thanks for the reply, but I'm asking about a PIX FW.
Sorry, the inside IP is: 132.147.162.15/255.255.0.0
Email Server IP: 132.147.162.14/255.255.0.0
So what subnet mask should I use for the access-list?
Pix(config)#access-list outbound permit tcp 132.147.162.14 255.255.0.0 OR 255.255.255.0 OR 255.255.255.255 any eq 80
Pix(config)#access-group outbound in interface inside
Is there any expert who can answer my 1st question properly?
Regards,
Saeed Khan
10-10-2011 02:45 AM
Hi,
It's the same whether it is a Pix or an ASA; I just made a typo when answering.
And the subnet mask is 255.255.0.0, as it is the one for your IPs.
Alain.
10-10-2011 03:01 AM
When applying the ACL, below is the error.
PIX501(config)# access-list outbound permit tcp 132.147.162.14 255.255.0.0 any eq 80
ERROR: Source address,mask <132.147.162.14,255.255.0.0> doesn't pair
Also please tell me, if I allow this whole network, then what subnet mask should I use?
132.147.162.0 255.255.255.0 any eq 80 ??????
Tell me how I can use DHCP for this scenario?
Regards,
Saeed
10-10-2011 03:25 AM
Saeed
If you just want to allow this server to access the internet -
access-list outbound permit tcp host 132.147.162.14 any eq 80
Edit - note, as mentioned by Alain, traffic will be allowed by default from inside to outside (assuming your inside interface has a higher security level). But if you have an access-list applied to the inside interface then you will need the entry above.
Jon
10-10-2011 01:58 PM
Hi Jon,
I answered stupidly; of course the subnet mask is 255.255.255.255, or equivalently the host keyword.
Thanks for correcting me.
Sorry for misleading the OP.
Regards.
Alain.
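The "doesn't pair" error above comes from the PIX refusing a source address whose host bits are non-zero under the given netmask; Jon's `host` form and Alain's 255.255.255.255 equivalence are the two ways to express a single server. The following Python is an added example, not anything from this thread or from Cisco, that reproduces that pairing check and builds an ACL line the PIX would accept; the function names are my own, and it assumes the PIX 6.x ACL syntax shown in the posts (normal netmask, not an IOS wildcard mask).

```python
import ipaddress


def pairs(address: str, mask: str) -> bool:
    """PIX pairing rule: every host bit (bits clear in the mask) must be zero in the address."""
    a = int(ipaddress.IPv4Address(address))
    m = int(ipaddress.IPv4Address(mask))
    return (a & ~m & 0xFFFFFFFF) == 0


def acl_source(address: str, mask: str) -> str:
    """Return the source token the PIX accepts, or raise the same error the CLI prints."""
    if mask == "255.255.255.255":
        # A /32 mask is the same thing as the 'host' keyword.
        return f"host {address}"
    if not pairs(address, mask):
        raise ValueError(f"ERROR: Source address,mask <{address},{mask}> doesn't pair")
    return f"{address} {mask}"


def network_for(address: str, mask: str) -> str:
    """Source token for the whole network a host belongs to, e.g. 132.147.0.0 255.255.0.0."""
    net = ipaddress.IPv4Network(f"{address}/{mask}", strict=False)
    return f"{net.network_address} {net.netmask}"


def build_acl_line(name: str, proto: str, address: str, mask: str, port: int) -> str:
    """Assemble 'access-list <name> permit <proto> <source> any eq <port>'."""
    return f"access-list {name} permit {proto} {acl_source(address, mask)} any eq {port}"


if __name__ == "__main__":
    # The OP's line fails exactly as the PIX reported; the host form succeeds.
    try:
        build_acl_line("outbound", "tcp", "132.147.162.14", "255.255.0.0", 80)
    except ValueError as err:
        print(err)
    print(build_acl_line("outbound", "tcp", "132.147.162.14", "255.255.255.255", 80))
    print(build_acl_line("outbound", "tcp", *network_for("132.147.162.14", "255.255.0.0").split(), 80))
```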
10-10-2011 03:31 PM
Hi Alain
No problem, we all do it, and you've had to cover up my mistakes in the past.
Jon