Re: PIX 515E

tdalago911 · ‎03-31-2008

My goal is :- we want port 25 from specific outside addresses ( 208.75.194.0/21) to be allowed to: my1.cbc.com (notes) and mys.cbc.com (notes1)

This is my partial config

name 10.101.91.14 Notes1

name 10.101.91.13 notes

name 208.75.194.0 Mx_logic

object-group network Mx_Logic_Notes

description MxLogic networks to Notes

network-object 208.75.194.0 255.255.248.0

access-list outside_acl permit tcp object-group Mx_Logic_Notes host 69.191.66.229 eq smtp

access-list outside_acl permit tcp object-group Mx_Logic_Notes host 69.191.66.230 eq smtp

static (inside,outside) 69.191.66.230 10.101.91.14 netmask 255.255.255.255 0 0

static (inside,outside) 67.109.66.231 10.101.91.13 netmask 255.255.255.255 0 0

access-group outside_acl in interface outside

When I issued Pix1# sh access-list both access-list has (hitcnt=0)

What am I doing wrong.

do I need to specify port eq 25 on the source also ?.

help

dhouser · ‎03-31-2008

I think you might want to look at the public IP's. They dont all match between your static's and your ACL

tdalago911 · ‎03-31-2008

it was just a typo

static (inside,outside) 69.109.66.230 10.101.91.14 netmask 255.255.255.255 0 0

static (inside,outside) 67.109.66.231 10.101.91.13 netmask 255.255.255.255 0 0

sureshkum · ‎03-31-2008

Hi,

Your config seems to be fine.checkout the typo errors once again.Make sure the routing and make sure the outside public ip not a porxy ip of their end.

dongdongliu · ‎04-01-2008

hi,

I am not sure but pls check out about communication between 208.75.194.x and 10.101.91.x that only need port 25, how about 1352 ?

regards

dongdong