08-25-2011 03:40 PM - edited 03-09-2019 11:39 PM
I have a Cisco PIX 501 and use it for Internet access. It is configured to use PPPoE and is linked to an ADSL line. This is working fine; however, I am trying to configure it in order to enable access to my internal mail server. I read this previous post:
https://supportforums.cisco.com/thread/72060
I did follow all the instructions in it, however it still doesn't work. What am I doing wrong?
Here is my configuration:
PIX Version 6.3(4)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ************** encrypted
passwd *************** encrypted
hostname somehost
domain-name abcd.ef
clock timezone EDT 0
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
fixup protocol dns maximum-length 1500
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
no fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol tftp 69
names
name 10.1.1.19 mailserver
access-list out2in permit tcp any interface outside eq smtp
pager lines 24
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 10.1.1.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp mailserver smtp netmask 255.255.255.255 0 0
access-group out2in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.1.1.17 255.255.255.255 inside
telnet timeout 5
ssh 10.1.1.17 255.255.255.255 inside
ssh timeout 5
management-access inside
console timeout 0
vpdn group mgrp request dialout pppoe
vpdn group mgrp localname buser@nopq.rstu.vw
vpdn group mgrp ppp authentication pap
vpdn username auser@fgh.ijk.lm password ********* store-local
dhcpd dns 10.1.1.18 10.1.1.8
dhcpd auto_config outside
username auser password ************ encrypted privilege 2
terminal width 80
Cryptochecksum:*****************************************
: end
Here are the lines of interest:
name 10.1.1.19 mailserver
access-list out2in permit tcp any interface outside eq smtp
static (inside,outside) tcp interface smtp mailserver smtp netmask 255.255.255.255 0 0
access-group out2in in interface outside
What am I doing wrong?
TIA
08-25-2011 08:44 PM
Daniel,
How are you testing the access to this server?
For example what happens if you just telnet from outside to your public IP on port 25? If you can telnet to it on port 25 then the PIX config is fine and you should start looking at the server config.
Now, if that doesn't work, what do you see if you do a "show xlate | inc 10.1.1.19"?
Also, you can try enabling a capture and see if the packets are making it through the PIX:
access-list 199 permit tcp any host 10.1.1.19 eq 25
access-list 199 permit tcp host 10.1.1.19 eq 25 any
capture emailserver access-list 199 interface inside packet-length 1300
Then try the connection again and check what the capture says:
show capture emailserver
Give it a try and let us know how it goes.
Raga
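Before going to captures, it is worth confirming that the four lines of interest actually agree with each other: the name resolves, the static maps the same port the ACL permits, and the ACL is bound inbound on the mapped interface. The checker below is an added example written for this thread, not Raga's or Cisco's code. It parses the PIX 6.3 syntax shown above (only port-level tcp/udp statics and a small table of service keywords are handled; both are assumptions of the example) and reports where the chain breaks. The sample config is constructed from the thread's lines of interest.

```python
import re

# Constructed sample built from the thread's "lines of interest"
# (added example; not the poster's full running config).
SAMPLE_CONFIG = """\
names
name 10.1.1.19 mailserver
access-list out2in permit tcp any interface outside eq smtp
static (inside,outside) tcp interface smtp mailserver smtp netmask 255.255.255.255 0 0
access-group out2in in interface outside
"""

# PIX 6.3 accepts service keywords in place of port numbers; subset assumed here.
SERVICE_PORTS = {"smtp": 25, "http": 80, "https": 443, "ssh": 22, "telnet": 23}

# Port-level static only: static (real_if,mapped_if) proto mapped_addr mapped_port real_addr real_port
_STATIC_RE = re.compile(r"static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")


def port_of(token):
    """Map a port keyword or number to an integer port."""
    return int(token) if token.isdigit() else SERVICE_PORTS[token]


def _take_addr(tokens, i):
    """Consume one ACL address spec: 'any', 'host X', 'interface X' or 'net mask'."""
    if tokens[i] == "any":
        return "any", i + 1
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


def parse_config(text):
    """Extract the pieces a port forward depends on: names, statics, ACEs, bindings."""
    names, statics, acls, groups = {}, [], [], {}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "name" and len(t) >= 3:
            names[t[2]] = t[1]                                # alias -> IP
        elif t[0] == "static":
            m = _STATIC_RE.match(line)
            if m:
                real_if, mapped_if, proto, m_addr, m_port, r_addr, r_port = m.groups()
                statics.append({"real_if": real_if, "mapped_if": mapped_if,
                                "proto": proto, "mapped_addr": m_addr,
                                "mapped_port": port_of(m_port),
                                "real_addr": r_addr, "real_port": port_of(r_port)})
        elif t[0] == "access-list" and len(t) > 4 and t[2] in ("permit", "deny"):
            src, i = _take_addr(t, 4)
            dst, i = _take_addr(t, i)
            port = port_of(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            acls.append({"name": t[1], "action": t[2], "proto": t[3],
                         "src": src, "dst": dst, "port": port})
        elif t[0] == "access-group" and len(t) >= 5:
            groups[t[4]] = t[1]                               # interface -> ACL (assumes 'in')
    return names, statics, acls, groups


def check_forward(text, service):
    """Return findings for the chain exposing `service`; an empty list means
    name -> static -> access-list -> access-group all agree."""
    names, statics, acls, groups = parse_config(text)
    port = port_of(service)
    matches = [s for s in statics if s["mapped_port"] == port]
    if not matches:
        return [f"no static translates {service}/{port} to an inside host"]
    findings = []
    for s in matches:
        real = s["real_addr"]
        if not re.fullmatch(r"\d+\.\d+\.\d+\.\d+", real) and real not in names:
            findings.append(f"static refers to undefined name '{real}'")
        # With 'interface' as the mapped address the ACE must target 'interface <mapped_if>'.
        expected_dst = (f"interface {s['mapped_if']}" if s["mapped_addr"] == "interface"
                        else f"host {s['mapped_addr']}")
        acl = groups.get(s["mapped_if"])
        if acl is None:
            findings.append(f"no access-group bound to interface {s['mapped_if']}")
            continue
        permitted = any(a["name"] == acl and a["action"] == "permit"
                        and a["proto"] in (s["proto"], "ip")
                        and a["dst"] in (expected_dst, "any")
                        and a["port"] in (port, None)
                        for a in acls)
        if not permitted:
            findings.append(f"ACL {acl} on {s['mapped_if']} has no permit for "
                            f"{s['proto']}/{port} to {expected_dst}")
    return findings


if __name__ == "__main__":
    print(check_forward(SAMPLE_CONFIG, "smtp") or "port-forward chain is consistent")
```

Paste the output of `show running-config` into `SAMPLE_CONFIG` (or read it from a file) and run `check_forward(cfg, "smtp")`; an empty result tells you, as in Daniel's case, that the PIX side is fine and the problem is upstream or on the server.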
08-25-2011 08:46 PM
Here is the syntax of the capture command in case you want to play around with it:
http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/c.html#wp1053548
08-26-2011 10:44 AM
Luis,
Seems my configuration was right; the problem is that my ISP is blocking port 25, which I discovered after trying to capture incoming connections at the PIX. Thanks for your help debugging this problem. I was trying to install my own email server just to move away from this ISP and remove dependencies on its mail server before moving.
Regards,
Daniel
08-26-2011 11:48 AM
Hey Daniel. Good to hear that you got it working.
Have fun!