589 Views, 5 Helpful, 16 Replies

Inbound traffic problems...

e3consulting
Level 1

Well, it all seems pretty straightforward. I must be missing something, but I cannot for the life of me see it. Traffic is flowing out just fine, but no OWA or Remote Desktop Web Connection (does this use port 3389??). Exchange mail does flow in and out just fine!

Here is my config, is there a problem?

prompt(config)# show conf
: Saved
: Written by enable_15 at 04:51:04.796 UTC Fri Sep 23 2005
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password
passwd
hostname xxxxxxxx
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list email permit tcp any host x.x.x.x eq smtp
access-list email permit tcp any host x.x.x.x eq www
access-list email permit icmp any any echo-reply
access-list email permit icmp any any time-exceeded
access-list email permit icmp any any unreachable
access-list email permit tcp any host x.x.x.x eq https
pager lines 21
logging monitor debugging
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x x.x.x.x
ip address inside 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
static (inside,outside) tcp interface smtp 10.0.0.11 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 10.0.0.11 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 10.0.0.8 www netmask 255.255.255.255 0 0
access-group email in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 25
dhcpd address 10.0.0.30-10.0.0.100 inside
dhcpd dns 10.0.0.8
dhcpd wins 10.0.0.8
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
prompt(config)#

16 Replies

subaa
Level 1

Hi,

You wrote: 'but no OWA or Remote Desktop Web Connection (does this use port 3389??).'

Where from or where to?

If from the outside to 10.0.0.11 or .8, then you should change the access-list email and let it out. Also modify the static for 3389.

If it does not work from the other internal hosts to the outside, it is more simple: there is no network address translation configured.

Add this:

nat (inside) 1 10.0.0.0 255.255.255.0

global (outside) 1 int outside

Bests,

Attila Suba

This is for the outside Internet into my network.

The Exchange server is IP .11 and the Remote Desktop Web Connection (Terminal Services Web) is on .8.

It still is not working... Easy to get working? Well, not if you want any traffic to be allowed in.

I'm at the end of my ropes here folks...

From what I know (which is admittedly very little), my access lists should be all that I need. Port 80 needs to be routed to the Exchange server for Outlook Web Access (along with HTTPS).

I currently have a Sonicwall POS that allows the proper traffic in and out, but is very inadequate for how the company has grown...

Just wondering if you have done "sh xlate | in 10.0.0.11" to verify the static statements.

Also, try to do "clear xlate" every time you modify the nat/global/static.

I've done the clear xlate (and do it every time I make changes). Also I ran the show xlate to verify them and they looked good.

Thanks for your reply. I think I'm going back to zero and rebuilding the thing from scratch again.

Do "telnet 3389" from a PC located on the Internet or outside the PIX. Then do "sh access-l" on the PIX to see whether the ACL has been hit or not.

If yes, then there may be something wrong with the server. Try the same command "telnet 3389" from a LAN PC to verify.

Thanks for the suggestion. I will try these things shortly and report back!

Thanks!

Mike

Just wondering how it's going.

Thank you for your interest. I haven't been able to test it yet, as the company is in the middle of some large projects... Plan is to work on it tonight. I really appreciate your help on this!

Mike

I am working on it and am not having much luck. Did a 'clear xlate' as recommended. I cannot connect using 'telnet 3389' and am not getting a hit count using 'show access-l'.

I am able to connect using telnet .

Same goes for 80, 25. Exchange IS sending and receiving email through the PIX though.

Also, the server CANNOT be misconfigured because the Sonicwall works perfectly on all necessary tasks (tsweb, OWA, etc).

What the heck am I doing wrong??????

"I cannot connect using 'telnet 3389' and am not getting a hit count using 'show access-l'"

That means the PIX has not received any RDP request. Just wondering if you were testing outside the PIX, such as from the Internet.

Also, please post the latest part of the static and ACL "email" config.

At this moment I am testing inside the firewall. Is that a problem? I should be able to hit OWA using the public IP from inside my network, right?

Static:

static (inside,outside) tcp interface smtp 10.0.0.11 smtp netmask 255.255.255.255 0 0

static (inside,outside) tcp interface https 10.0.0.11 https netmask 255.255.255.255 0 0

static (inside,outside) tcp interface www 10.0.0.11 www netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 3389 10.0.0.8 3389 netmask 255.255.255.255 0 0

show access-l

alert-interval 300

access-list email; 7 elements

access-list email line 1 permit tcp any host x.x.x.x eq smtp (hitcnt=138)

access-list email line 2 permit tcp any host x.x.x.x eq www (hitcnt=34)

access-list email line 3 permit icmp any any echo-reply (hitcnt=4)

access-list email line 4 permit icmp any any time-exceeded (hitcnt=0)

access-list email line 5 permit icmp any any unreachable (hitcnt=6)

access-list email line 6 permit tcp any host x.x.x.x eq https (hitcnt=0)

access-list email line 7 permit tcp any host x.x.x.x eq 3389 (hitcnt=0)
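The advice earlier in the thread (telnet to the mapped port from outside, then read the hit counters with "sh access-l") and the statics plus "show access-l" output in this post are exactly the two things to cross-check on a PIX 6.3 port-forward: every static on the outside interface needs a permit in the ACL applied to that interface, every permit needs a static behind it, and a permit that stays at hitcnt=0 means the PIX never saw the packet at all. The following script is an added example, not part of the original thread or any Cisco tool; it parses the statics and access-group from the config and the `show access-list` output, and reports the three conditions. The sample input is constructed from the lines posted above (with the public IP left as the x.x.x.x placeholder), and the port-keyword table is an assumed subset of what PIX 6.3 prints.

```python
"""Cross-check PIX 6.3 static port-forwards against the inbound ACL and its hit counters."""
import re
from typing import Dict, List, Tuple

# Constructed sample input: the statics and `show access-list` output posted in the
# thread, public address left as the x.x.x.x placeholder used there.
CONFIG = """\
static (inside,outside) tcp interface smtp 10.0.0.11 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 10.0.0.11 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 10.0.0.11 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 10.0.0.8 3389 netmask 255.255.255.255 0 0
access-group email in interface outside
"""

SHOW_ACL = """\
access-list email; 7 elements
access-list email line 1 permit tcp any host x.x.x.x eq smtp (hitcnt=138)
access-list email line 2 permit tcp any host x.x.x.x eq www (hitcnt=34)
access-list email line 3 permit icmp any any echo-reply (hitcnt=4)
access-list email line 4 permit icmp any any time-exceeded (hitcnt=0)
access-list email line 5 permit icmp any any unreachable (hitcnt=6)
access-list email line 6 permit tcp any host x.x.x.x eq https (hitcnt=0)
access-list email line 7 permit tcp any host x.x.x.x eq 3389 (hitcnt=0)
"""

# PIX prints well-known ports by keyword; assumed subset covering the services in the thread.
PORT_NAMES = {"smtp": 25, "www": 80, "http": 80, "https": 443, "ftp": 21, "telnet": 23}

STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped_ip>\S+) (?P<mapped_port>\S+) (?P<real_ip>\S+) (?P<real_port>\S+)"
)
GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<iface>\w+)")
# Only tcp/udp "eq <port>" entries are relevant to port-forward checks; icmp lines are skipped.
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) line (?P<line>\d+) (?P<action>permit|deny) "
    r"(?P<proto>tcp|udp) (?P<src>any|host \S+) (?P<dst>any|host \S+) "
    r"eq (?P<port>\S+) \(hitcnt=(?P<hits>\d+)\)"
)


def port_number(token: str) -> int:
    """Translate a PIX port keyword, or a numeric port, to an integer."""
    return int(token) if token.isdigit() else PORT_NAMES[token]


def parse_config(config: str):
    """Return ({interface: acl_name}, {(iface, proto, mapped_port): (real_ip, real_port)})."""
    groups: Dict[str, str] = {}
    statics: Dict[Tuple[str, str, int], Tuple[str, int]] = {}
    for line in config.splitlines():
        m = GROUP_RE.match(line)
        if m:
            groups[m["iface"]] = m["name"]
            continue
        m = STATIC_RE.match(line)
        if m:
            key = (m["mapped_if"], m["proto"], port_number(m["mapped_port"]))
            statics[key] = (m["real_ip"], port_number(m["real_port"]))
    return groups, statics


def parse_show_acl(text: str) -> Dict[Tuple[str, str, int], Tuple[int, int]]:
    """Return {(acl, proto, port): (line, hitcnt)} for tcp/udp permit entries."""
    permits: Dict[Tuple[str, str, int], Tuple[int, int]] = {}
    for line in text.splitlines():
        m = ACL_RE.match(line)
        if m and m["action"] == "permit":
            permits[(m["name"], m["proto"], port_number(m["port"]))] = (int(m["line"]), int(m["hits"]))
    return permits


def audit(config: str, show_acl: str) -> Dict[str, List[str]]:
    """Classify each forwarded service: ok, static without permit, permit without static, zero hits."""
    groups, statics = parse_config(config)
    permits = parse_show_acl(show_acl)
    report: Dict[str, List[str]] = {"ok": [], "no_permit": [], "no_static": [], "zero_hits": []}
    for (iface, proto, port), (real_ip, real_port) in sorted(statics.items()):
        acl = groups.get(iface)
        label = f"{iface} {proto}/{port} -> {real_ip}:{real_port}"
        if acl is None or (acl, proto, port) not in permits:
            report["no_permit"].append(label)  # translation exists but the ACL never admits it
            continue
        line, hits = permits[(acl, proto, port)]
        # hitcnt=0 on a permit means no packet reached the outside interface: test from
        # outside, since an inside host hitting the public IP never crosses that interface.
        bucket = "zero_hits" if hits == 0 else "ok"
        report[bucket].append(f"{label} (line {line}, hitcnt={hits})")
    exposed = {(groups.get(i), p, port) for (i, p, port) in statics}
    for (acl, proto, port), (line, hits) in sorted(permits.items()):
        if (acl, proto, port) not in exposed:
            report["no_static"].append(f"{acl} line {line}: {proto}/{port}")  # dead rule
    return report


if __name__ == "__main__":
    for category, entries in audit(CONFIG, SHOW_ACL).items():
        for entry in entries:
            print(f"{category:10} {entry}")
```

Run against the posted lines, the script puts smtp and www in `ok`, and https and 3389 in `zero_hits` with no missing permits or statics, which matches the thread's conclusion: the rules are consistent, and the zero counters come from testing on the inside. Unrelated to the inbound problem, the first config dump also shows `snmp-server community public` and `http 0.0.0.0 0.0.0.0 inside`; both are worth tightening once the forwarding works.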

"At this moment I am testing inside the firewall. Is that a problem? I should be able to hit OWA using the public IP from inside my network, right?"

No, the public IP is mapped on the PIX outside interface. You need to test it from the outside world, such as from home, or you can use a dial-up connection.

Ouch, I was afraid of that! Well, I'll see what I can come up with since going home is out of the question! I'll try dial up now. Thanks!