02-21-2005 07:46 AM - edited 02-20-2020 11:58 PM
Currently I can send mail but cannot receive mail from the Internet; if I remove the Pix and connect directly to the Modem/Router then I can SMTP in on port 25 and SMTP mail works fine both in and out.
All we want this Pix to allow at present is:
a) Internet access to all internal network clients
b) Allow clients to pop mail from web mail accounts
c) We wish to use Exchange & Outlook and host our own e-mail using SMTP
Please find attached two documents: -
1. A current edited running config of my 501 Pix
2. A PowerPoint diagram of my network.
I very much appreciate any help.
Vinny.
03-04-2005 09:18 AM
Hi Patrick,
Please find attached a copy of the latest config & word document which contains the settings used on the dg814 Netgear router. (1,2 & 4)
I have been using HyperTerminal, not the PDM; I just happened to look at the PDM on the one occasion when I noticed it highlighted unparsed commands. (3)
Rgds
Vinny
03-07-2005 08:09 AM
Hi,
Everything looks good, but I guess it is still not working. At this point the only way to get it working is to troubleshoot the traffic with a packet sniffer and follow the traffic to see where it blocks. Then debug the equipment that does not forward it.
On ethereal you can for example filter smtp using:
tcp port 25
Remove all name, service and MAC resolution in ethereal.
Might be the time to get someone onboard that can help you troubleshoot the problem ONSITE.
sincerely
Patrick
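The reachability check Patrick describes, as an added Python example that is not part of the thread: it does from the outside what a "tcp port 25" capture would show at the PIX, opening TCP/25, reading the greeting and sending EHLO, and it classifies a refused connection (an RST came back, so something answers but no MTA listens there) separately from a timeout (nothing came back, so a device in the path is dropping the SYN). The fake MTA, its banner and the helo_name are constructed so the script runs offline; probe_smtp, start_fake_mta and find_closed_port are my own names.

```python
"""Probe an SMTP listener the way a remote MTA (or you, from outside the PIX) would.

Three outcomes map directly onto what a 'tcp port 25' capture shows:
  open      SYN/ACK came back and a 220 greeting arrived
  closed    RST came back: the forward reaches a host, but nothing listens there
  filtered  nothing came back: a firewall or router is silently dropping the SYN
"""
import socket
import threading

SMTP_PORT = 25


def _read_reply(rfile):
    """Read one SMTP reply, including multi-line '250-' continuations."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("peer closed the connection mid-reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 4 or not line[:3].isdigit():
            raise ConnectionError(f"not an SMTP reply: {line!r}")
        lines.append(line)
        if line[3] == " ":                 # '250 ' ends the reply, '250-' continues it
            return int(line[:3]), lines


def probe_smtp(host, port=SMTP_PORT, timeout=5.0, helo_name="probe.example"):
    """Return {'state', 'banner', 'extensions'} for host:port (states in the docstring above)."""
    result = {"state": "filtered", "banner": "", "extensions": []}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        result["state"] = "closed"
        return result
    except (socket.timeout, TimeoutError):
        return result                      # no SYN/ACK and no RST: something drops the SYN
    except OSError as exc:                 # e.g. no route to host
        result["state"] = f"error: {exc}"
        return result
    with sock, sock.makefile("rb") as rfile:
        try:
            code, lines = _read_reply(rfile)
        except (socket.timeout, TimeoutError, ConnectionError):
            result["state"] = "open-no-banner"   # forwarded to something that is not an MTA
            return result
        result["banner"] = lines[0]
        result["state"] = "open" if code == 220 else "open-rejected"
        try:
            sock.sendall(f"EHLO {helo_name}\r\n".encode("ascii"))
            code, lines = _read_reply(rfile)
            if code == 250:
                result["extensions"] = [l[4:] for l in lines[1:]]
            sock.sendall(b"QUIT\r\n")
            _read_reply(rfile)             # 221, then the server hangs up
        except (socket.timeout, TimeoutError, OSError):
            pass
    return result


def start_fake_mta(banner="220 mail.example ESMTP (constructed stand-in for the Exchange server)"):
    """Constructed minimal MTA on 127.0.0.1 so the probe can be exercised offline.
    Serves exactly one connection; returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn, conn.makefile("rb") as rfile:
            conn.sendall((banner + "\r\n").encode("ascii"))
            for raw in rfile:
                verb = raw.split()[:1]
                if verb == [b"EHLO"]:
                    conn.sendall(b"250-mail.example\r\n250-SIZE 10485760\r\n250 STARTTLS\r\n")
                elif verb == [b"QUIT"]:
                    conn.sendall(b"221 bye\r\n")
                    break
                else:
                    conn.sendall(b"502 command not implemented\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return port


def find_closed_port():
    """Pick a loopback port nothing listens on (constructed 'closed' case)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    print("fake MTA  :", probe_smtp("127.0.0.1", start_fake_mta()))
    print("closed    :", probe_smtp("127.0.0.1", find_closed_port()))
```

Run it from a host outside the ADSL router against the public address. A result of "filtered" with the PIX in place that turns into "open" with the PIX removed isolates the problem to the PIX or to the router's forward target, which is the same comparison Vinny made by hand at the top of the thread.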
03-07-2005 11:14 AM
Patrick,
I noticed I do not have the following access-group statements:
access-group smtpcap in interface outside
access-group acl_out in interface outside
Problem is, whichever order I enter them in, the config only keeps the last access-group entered.
Plus I am a bit confused, as I expected to have some kind of static statement like:
static (inside,outside) 192.168.2.3 192.168.1.2 netmask 255.255.255.255 0 0
and then map my global Ip to 192.168.2.3
Thanks Vinny.
03-07-2005 12:04 PM
access-list smtpcap was there to sniff the traffic and will never be used with the access-group.
access-group acl_out in interface outside
This will be the access-list for the outside interface.
You do not need a static, because we have DISABLED NAT and the PIX is just forwarding the traffic without NAT.
DISABLE THAT static:
no static (inside,outside) 192.168.2.3 192.168.1.2 netmask 255.255.255.255 0 0
You have to do all NAT and PAT on the ADSL Router !
sincerely
Patrick
03-08-2005 12:07 PM
Thanks Patrick,
for clearing that up, I have the following config please let me know if you can see anything else wrong.
I will try and test the router to see if it is forwarding incoming requests to the pix.
If the Router is forwarding, how likely is it that my pix is faulty?
Thanks very much for your help
Kind Regards
Vinny
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname SFUKfirewall
domain-name superfoodsuk.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list NONAT permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list acl_out permit tcp any host 192.168.1.2 eq smtp
access-list acl_out permit tcp any host 192.168.1.2 eq www
access-list acl_out permit tcp any host 192.168.1.2 eq pop3
pager lines 24
logging on
logging buffered debugging
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 192.168.2.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
route inside 192.168.0.0 255.255.255.0 192.168.1.2 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.1.2-192.168.1.3 inside
dhcpd dns 158.152.1.58 158.152.1.43
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
: end
[OK]
03-08-2005 05:23 PM
This line is missing:
nat (inside) 0 access-list NONAT
The rest of the PIX config is OK.
The following config lines are good, but you can also deal without it:
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
As you have disabled NAT ("nat (inside) 0"), the traffic will be forwarded from your internal clients without NAT if you remove those lines. If you leave them there, then all internal clients will be port translated (PAT). All NAT and PAT have to be done on the ADSL Router.
After adding the nat (inside) 0 ... don't forget to do a: clear xlate
sincerely
Patrick
03-09-2005 07:43 AM
Hi Patrick,
OK, I've added: nat (inside) 0 access-list NONAT
Done clear xlate & write m
Internet ok here
I've removed: global (outside) 1 interface
Done clear xlate & write m
Internet ok here
When I remove: nat (inside) 1 0.0.0.0 0.0.0.0 0 0
clear xlate & write m
I lose internet!
Rgds Vinny
03-09-2005 05:05 PM
OK Vinny, give me some time, I will do a test on my PIX to see how to set that up with NONAT.
Leave nat and global 1 for the moment.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sincerely
Patrick
03-10-2005 09:22 AM
I have been following this thread... How do you have DNS set up for your mail? Example: if I want to send you a message, it must be vinny@something, etc. So are you broadcasting your mail location with the public address of the ADSL router? If you had a public address from the ISP to translate your mail server to, then I'll bet your mail would work okay.
03-10-2005 10:52 AM
Hi,
I'm not sure if I understand you correctly!
I have setup a domain say sfuk.com.
I have something like mail.sfuk.com to point to my Global IP 80.xxx.xxx.225
Plus if I remove the Pix everything works fine.
Thanks
Vinny
03-10-2005 12:27 PM
Hi Patrick Iseli,
You are a STAR, your code was spot on, and it works!
I went back to your code prior to using NONAT (24.02.2005) and changed the Router to port forward to the Ext Interface of the Pix (192.168.2.2) instead of the Ext Interface of the Mail server (192.168.1.2), and mail started coming in.
Thanks Very Much Patrick, couldn't have done it without you. This thread went on a long time with a huge number of replies but you stuck in there with me buddy.
Very Much Appreciated and Kind Regards
Vinny
p.s. Now we have this working, I need to setup a VPN. Can you suggest the best way of setting up a VPN with the Pix 501 servicing the request?
p.s. Below is a copy of my working config, in case anyone has been following this thread and has a similar issue.
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname SFUKfirewall
domain-name xxx.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list acl_out permit tcp any host 192.168.2.2 eq pop3
access-list acl_out permit tcp any host 192.168.2.2 eq smtp
access-list acl_out permit tcp any host 192.168.2.2 eq www
pager lines 24
logging on
logging buffered debugging
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 192.168.2.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 192.168.2.2 www 192.168.1.2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.2.2 pop3 192.168.1.2 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.2.2 smtp 192.168.1.2 smtp netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
route inside 192.168.0.0 255.255.255.0 192.168.1.2 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.1.2-192.168.1.2 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:faf8de435ff871cdf39eb5af1fce4f55
: end
[OK]
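The fix Vinny landed on (port statics on the outside interface address, with the ACL naming that same address) follows the PIX 6.x rule that an ACL on the outside interface is matched against the mapped address, before translation. The following Python is an added check, not part of the thread or of any Cisco tooling: it parses the static, access-list, access-group, nat 0 and ip address lines of a PIX 6.x config and reports outside-ACL entries that can never match. The two sample configs are the relevant lines copied from the posts above; PORT_NAMES, parse and lint are my own names, and the parser covers only the command forms that appear on this page.

```python
"""Lint a PIX 6.x outside access-list against the statics / NAT exemption that expose hosts.

On PIX 6.x an ACL applied 'in' on the outside interface sees the packet as it arrives
from the Internet, i.e. the MAPPED (global) address, before the static translates it
to the inside host. An entry naming the inside (real) address never matches, and a
mapped address with no static has nowhere to go."""
import ipaddress

PORT_NAMES = {"smtp": 25, "www": 80, "http": 80, "pop3": 110, "imap4": 143, "https": 443}


def port_num(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _addr_spec(t, i):
    """Consume one ACL address spec (any | host A | A MASK) at t[i]; return (network, next i)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse(lines):
    cfg = {"static": [], "acl": {}, "group": {}, "nat0": {}, "ifaddr": {}}
    for raw in lines:
        t = raw.split()
        if not t:
            continue
        if t[0] == "static":          # static (real_if,map_if) [tcp|udp] MAPPED [PORT] REAL [PORT] netmask ...
            real_if, map_if = t[1].strip("()").split(",")
            if t[2] in ("tcp", "udp"):
                s = dict(proto=t[2], mapped=t[3], mport=port_num(t[4]), real=t[5], rport=port_num(t[6]))
            else:
                s = dict(proto="ip", mapped=t[2], mport=None, real=t[3], rport=None)
            cfg["static"].append(dict(s, real_if=real_if, map_if=map_if, line=raw))
        elif t[0] == "access-list":   # access-list NAME permit|deny PROTO SRC DST [eq PORT]
            src, i = _addr_spec(t, 4)
            dst, i = _addr_spec(t, i)
            port = port_num(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            cfg["acl"].setdefault(t[1], []).append(
                dict(action=t[2], proto=t[3], src=src, dst=dst, port=port, line=raw))
        elif t[0] == "access-group":  # access-group NAME in interface IF
            cfg["group"][t[4]] = t[1]
        elif t[0] == "nat" and len(t) > 4 and t[2] == "0" and t[3] == "access-list":
            cfg["nat0"][t[1].strip("()")] = t[4]   # identity NAT: sources in NAME keep their real address
        elif t[:2] == ["ip", "address"]:           # ip address IF ADDR MASK
            cfg["ifaddr"][t[2]] = t[3]
    return cfg


def lint(lines):
    """Return {'errors': [...], 'notes': [...]} for every ACL bound to an interface."""
    cfg = parse(lines)
    errors, notes = [], []
    for ifname, acl_name in cfg["group"].items():
        for e in cfg["acl"].get(acl_name, []):
            if e["action"] != "permit" or e["dst"].num_addresses != 1:
                continue
            dst = str(e["dst"].network_address)
            # 1. a static presents this mapped address (and port) on this interface: fine
            if any(s["map_if"] == ifname and s["mapped"] == dst
                   and (s["mport"] is None or e["port"] is None or s["mport"] == e["port"])
                   for s in cfg["static"]):
                continue
            # 2. NAT exemption: the host is reachable by its real address, but only if the
            #    router upstream actually routes that subnet to the PIX
            exempt = [x for name in cfg["nat0"].values() for x in cfg["acl"].get(name, [])
                      if e["dst"].subnet_of(x["src"])]
            if exempt:
                notes.append(f"{e['line']}: {dst} keeps its real address via '{exempt[0]['line']}'; "
                             f"this only works if the upstream router routes {exempt[0]['src']} to the PIX")
                continue
            # 3. the classic mistake: the ACL names the inside address behind a static
            behind = [s for s in cfg["static"] if s["map_if"] == ifname and s["real"] == dst]
            if behind:
                errors.append(f"{e['line']}: names the real address {dst}; the {ifname} ACL must name "
                              f"the mapped address {behind[0]['mapped']} (PIX 6.x matches before translation)")
            elif dst == cfg["ifaddr"].get(ifname):
                errors.append(f"{e['line']}: names the {ifname} interface address, but no static "
                              f"forwards port {e['port']} inward")
            else:
                errors.append(f"{e['line']}: nothing on {ifname} translates to {dst}; the entry can never match")
    return {"errors": errors, "notes": notes}


# Constructed input: the relevant lines of the 08 Mar config (mail not arriving) ...
NOT_WORKING = """
ip address outside 192.168.2.2 255.255.255.0
access-list NONAT permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list acl_out permit tcp any host 192.168.1.2 eq smtp
access-list acl_out permit tcp any host 192.168.1.2 eq www
access-list acl_out permit tcp any host 192.168.1.2 eq pop3
access-group acl_out in interface outside
""".strip().splitlines()

# ... and of the 10 Mar config that works: port statics plus an ACL naming the mapped address.
WORKING = """
ip address outside 192.168.2.2 255.255.255.0
access-list acl_out permit tcp any host 192.168.2.2 eq pop3
access-list acl_out permit tcp any host 192.168.2.2 eq smtp
access-list acl_out permit tcp any host 192.168.2.2 eq www
static (inside,outside) tcp 192.168.2.2 www 192.168.1.2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.2.2 pop3 192.168.1.2 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.2.2 smtp 192.168.1.2 smtp netmask 255.255.255.255 0 0
access-group acl_out in interface outside
""".strip().splitlines()

if __name__ == "__main__":
    for name, cfg in (("not working", NOT_WORKING), ("working", WORKING)):
        print(name, lint(cfg))
```

The NAT-exemption branch reproduces Patrick's earlier design (nat (inside) 0 access-list NONAT, no static): the PIX side then passes, but the note it emits is exactly the condition that was missing, the Netgear forwarding to 192.168.1.2 without a route to that subnet. One caveat for anyone carrying this over to newer gear: ASA 8.3 and later reversed the rule, so ACLs there name the real (untranslated) address and this check does not apply.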
03-10-2005 12:45 PM
What kind of VPN do you want to set up?
a.) Site to Site
b.) VPN Client
Be sure that the ADSL Router is forwarding IPSEC:
UDP 500 = ISAKMP
Protocol ESP
Site 2 Site example:
PIX Firewall configuration version 6.3.x
PIX> enable
PIX# configure terminal
PIX(config)# sysopt connection permit-ipsec
STEP 1 - Configure IKE
PIX(config)# isakmp enable outside
PIX(config)# isakmp policy 10 authentication pre-share
PIX(config)# isakmp policy 10 encryption 3des
PIX(config)# isakmp policy 10 hash md5
PIX(config)# isakmp policy 10 group 2
PIX(config)# isakmp policy 10 lifetime 86400
PIX(config)# isakmp identity address
PIX(config)# isakmp key your-vpn-password address PEER-IP netmask 255.255.255.255
STEP 2 - Configure IPSEC
PIX(config)# access-list NONAT permit ip Internalnet ISubnet Externalnet Esubnet
PIX(config)# global (outside) 1 interface
PIX(config)# nat (inside) 0 access-list NONAT
PIX(config)# nat (inside) 1 0.0.0.0 0.0.0.0 0 0
PIX(config)# access-list VPN permit ip Internalnet ISubnet Externalnet ESubnet
PIX(config)# crypto ipsec transform-set TRANS esp-des esp-md5-hmac
PIX(config)# crypto map REMOTE 10 ipsec-isakmp
PIX(config)# crypto map REMOTE 10 match address VPN
PIX(config)# crypto map REMOTE 10 set peer PEER-IP
PIX(config)# crypto map REMOTE 10 set transform-set TRANS
PIX(config)# crypto map REMOTE interface outside
Example for VPN Client:
PIX(config)# aaa-server LOCAL protocol local
PIX(config)# aaa authentication secure-http-client
STEP 1 - Configure IKE
PIX(config)# isakmp enable outside
PIX(config)# isakmp policy 10 authentication pre-share
PIX(config)# isakmp policy 10 encryption 3des
PIX(config)# isakmp policy 10 hash md5
PIX(config)# isakmp policy 10 group 2
PIX(config)# isakmp policy 10 lifetime 86400
PIX(config)# isakmp nat-traversal 20
PIX(config)# isakmp identity address
PIX(config)# isakmp key your-vpn-password address PEER-IP netmask 255.255.255.255
STEP 2 - Configure IPSEC
PIX(config)# access-list NONAT permit ip Internalnet ISubnet VPN-Pool 255.255.255.0
PIX(config)# access-list NONAT permit ip Internalnet ISubnet Externalnet Esubnet
PIX(config)# global (outside) 1 interface
PIX(config)# nat (inside) 0 access-list NONAT
PIX(config)# nat (inside) 1 0.0.0.0 0.0.0.0 0 0
PIX(config)# access-list VPN permit ip Internalnet ISubnet Externalnet ESubnet
PIX(config)# access-list DYN-VPN-ACL permit ip Internalnet ISubnet VPN-Pool 255.255.255.0
PIX(config)# crypto ipsec transform-set TRANS esp-3des esp-md5-hmac
PIX(config)# crypto dynamic-map outside_dyn_map 20 match address DYN-VPN-ACL
PIX(config)# crypto dynamic-map outside_dyn_map 20 set transform-set TRANS
PIX(config)# crypto map REMOTE 65535 ipsec-isakmp dynamic outside_dyn_map
PIX(config)# crypto map REMOTE client authentication LOCAL
PIX(config)# crypto map REMOTE interface outside
PIX(config)# crypto map REMOTE 10 ipsec-isakmp
PIX(config)# crypto map REMOTE 10 match address VPN
PIX(config)# crypto map REMOTE 10 set peer PEER-IP
PIX(config)# crypto map REMOTE 10 set transform-set TRANS
PIX(config)# crypto map REMOTE interface outside
Step 3 VPN Group config
PIX(config)# ip local pool VPNPool x.y.z.1-x.y.z.254
PIX(config)# vpngroup VPNGroup address-pool VPNPool
PIX(config)# vpngroup VPNGroup dns-server dns2 dns1
PIX(config)# vpngroup VPNGroup default-domain localdomain
PIX(config)# vpngroup VPNGroup idle-time 1800
PIX(config)# vpngroup VPNGroup password grouppassword
PIX(config)# username vpnclient password vpnclient-password
sincerely
Patrick
03-11-2005 05:52 AM
Hi Patrick,
What are the pros & cons of the two types mentioned?
What additional hardware etc would be required?
We have 2 salesmen that need access to our server.
One of them works from a fixed location and the other can be any where in the world.
All they would need to access is an application (Microsoft Navision), Plus e-mail via OWA.
Thanks
Vinny.
03-11-2005 07:55 AM
Hi Vinny,
VPN Client is used to connect from a host (PC) to a VPN Server such as your PIX 501. Usually travelling people use that kind of VPN to connect to Mail and other network resources. Works with Dynamic IPs.
= Host to Network VPN.
VPN Site 2 Site is usually used for remote offices or teleworkers. To have a VPN Site 2 Site you need another device (hardware) that can establish the VPN Tunnel.
= Network to Network VPN.
I think for your purpose the VPN Client setup will be much easier, just be sure that the ADSL Router will let IPSEC and ESP through. Not all devices let this through.
sincerely
Patrick
03-18-2005 07:06 AM
Hi Patrick,
I didn't get a chance to tinker with the VPN client code till now. I have included the following lines of code with the error output for each:
1.
SFUKfirewall(config)# aaa authentication secure-http-client
Usage: [no] aaa authentication|authorization|accounting include|exclude
[no] aaa authentication serial|telnet|ssh|http|enable console
[no] aaa authentication|authorization|accounting match
[no] aaa authorization command {LOCAL | tacacs_server_tag}
aaa proxy-limit
SFUKfirewall(config)#
2.
SFUKfirewall(config)# isakmp nat-traversal 20
Usage: isakmp policy
isakmp policy
isakmp policy
isakmp policy
isakmp policy
isakmp key
isakmp enable
isakmp identity
isakmp keepalive
isakmp client configuration address-pool local
isakmp peer fqdn|ip
3.
SFUKfirewall(config)# isakmp policy nat-traversal 20
Priority must be between 1 and 65000
SFUKfirewall(config)#
4.
SFUKfirewall(config)# isakmp key your-vpn-password address PEER-IP netmask 255$
Invalid IP address.
SFUKfirewall(config)#
Kind Regards
Vinny.
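An added example, not Patrick's code or Cisco's, that serves both the VPN templates above and the four errors Vinny just posted: a small audit of the IKE/IPsec lines in a PIX 6.x configuration. Run against the site-to-site template (copied here as constructed input, prompts included), it flags DES and MD5 as weak, 1024-bit DH group 2 as below current minimums and 3DES as legacy, and proposes the AES, SHA and group 5 values in their place; it also catches a template placeholder such as PEER-IP left in an isakmp key line, which is what the "Invalid IP address" error means. Run against the commands that failed on the 6.2(2) box, it reports them as needing a newer release. My assumption, stated here and in the code: AES, DH group 5, isakmp nat-traversal and aaa authentication secure-http-client all arrived in PIX 6.3. ISAKMP_RULES, TRANSFORM_RULES, NEEDS_63, MIN_PSK_LEN and audit are my own names.

```python
"""Audit the IKE/IPsec parameters of a PIX 6.x VPN config and propose stronger settings.

Replacements are the AES / SHA / DH group 5 options that PIX 6.3 added (assumption:
these, like nat-traversal and secure-http-client, are rejected by 6.2 with a usage error)."""
import ipaddress
import re

ISAKMP_RULES = {                       # (attribute, value) -> (severity, reason, replacement)
    ("encryption", "des"): ("weak", "56-bit DES", "aes-256"),
    ("encryption", "3des"): ("legacy", "3DES (112-bit effective)", "aes-256"),
    ("hash", "md5"): ("weak", "MD5", "sha"),
    ("group", "1"): ("weak", "768-bit DH group 1", "5"),
    ("group", "2"): ("weak", "1024-bit DH group 2", "5"),
}
TRANSFORM_RULES = {                    # transform -> (severity, reason, replacement)
    "esp-des": ("weak", "56-bit DES", "esp-aes-256"),
    "esp-3des": ("legacy", "3DES", "esp-aes-256"),
    "esp-md5-hmac": ("weak", "HMAC-MD5", "esp-sha-hmac"),
}
NEEDS_63 = ("isakmp nat-traversal", "aaa authentication secure-http-client")   # 6.3(1) features (assumption)
MIN_PSK_LEN = 20


def _strip_prompt(raw):
    """Accept both bare config lines and 'PIX(config)# ...' transcript lines."""
    return re.sub(r"^\S*\(config\)#\s*", "", raw.strip())


def audit(lines):
    """Return a list of {'severity', 'line', 'why', 'fix'} findings."""
    findings, version = [], None
    for raw in lines:
        line = _strip_prompt(raw)
        t = line.split()
        if not t:
            continue
        t[0] = t[0].lower()                                   # tolerate 'Isakmp identity address'
        m = re.match(r"PIX Version (\d+)\.(\d+)", line)
        if m:
            version = (int(m.group(1)), int(m.group(2)))
        if version is not None and version < (6, 3) and line.startswith(NEEDS_63):
            findings.append(dict(severity="error", line=line,
                                 why=f"requires PIX 6.3, this box runs {version[0]}.{version[1]}",
                                 fix="upgrade to 6.3(x) or drop the command"))
        if t[:2] == ["isakmp", "policy"] and len(t) >= 5 and (t[3], t[4].lower()) in ISAKMP_RULES:
            sev, why, better = ISAKMP_RULES[(t[3], t[4].lower())]
            findings.append(dict(severity=sev, line=line, why=why,
                                 fix=f"isakmp policy {t[2]} {t[3]} {better}"))
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            fixed = " ".join(TRANSFORM_RULES.get(x, (0, 0, x))[2] for x in t[4:])
            for x in t[4:]:
                if x in TRANSFORM_RULES:
                    sev, why, _ = TRANSFORM_RULES[x]
                    findings.append(dict(severity=sev, line=line, why=why,
                                         fix=f"crypto ipsec transform-set {t[3]} {fixed}"))
        elif t[:2] == ["isakmp", "key"] and "address" in t:
            peer = t[t.index("address") + 1]
            try:
                ipaddress.ip_address(peer)
            except ValueError:
                findings.append(dict(severity="error", line=line,
                                     why=f"'{peer}' is not an IP address (template placeholder left in place)",
                                     fix="isakmp key <secret> address <real peer IP> netmask 255.255.255.255"))
            if len(t[2]) < MIN_PSK_LEN:
                findings.append(dict(severity="weak", line=line,
                                     why=f"pre-shared key shorter than {MIN_PSK_LEN} characters",
                                     fix="use a long random secret"))
    return findings


# Constructed input: the site-to-site template from the thread, verbatim.
SITE_TO_SITE = """
PIX(config)# sysopt connection permit-ipsec
PIX(config)# isakmp enable outside
PIX(config)# isakmp policy 10 authentication pre-share
PIX(config)# isakmp policy 10 encryption 3des
PIX(config)# isakmp policy 10 hash md5
PIX(config)# isakmp policy 10 group 2
PIX(config)# isakmp policy 10 lifetime 86400
PIX(config)# Isakmp identity address
PIX(config)# isakmp key your-vpn-password address PEER-IP netmask 255.255.255.255
PIX(config)# crypto ipsec transform-set TRANS esp-des esp-md5-hmac
PIX(config)# crypto map REMOTE 10 ipsec-isakmp
PIX(config)# crypto map REMOTE 10 match address VPN
PIX(config)# crypto map REMOTE 10 set peer PEER-IP
PIX(config)# crypto map REMOTE 10 set transform-set TRANS
PIX(config)# crypto map REMOTE interface outside
""".strip().splitlines()

# Constructed input: the version line of Vinny's config plus the two commands that errored.
VINNY_62 = ["PIX Version 6.2(2)", "isakmp nat-traversal 20", "aaa authentication secure-http-client"]

if __name__ == "__main__":
    for f in audit(SITE_TO_SITE) + audit(VINNY_62):
        print(f"[{f['severity']}] {f['line']}\n    {f['why']}\n    -> {f['fix']}")
```

The isakmp key check is the one to run first when a copied template "does not take": the PIX parses PEER-IP as an address and rejects it, exactly as in error 4 above, and the same applies to Internalnet, ISubnet and the other placeholders in the access-list lines.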