Pix 501 problem, I can't receive SMTP mail

firebird9
Level 1

Currently I can send mail but cannot receive mail from the Internet. If I remove the Pix and connect directly to the Modem/Router then I can SMTP in on port 25 and SMTP mail works fine both in & out.

All we want this Pix to allow at present is:

a) Internet access to all internal network clients

b) Allow clients to pop mail from web mail accounts

c) We wish to use Exchange & Outlook and host our own e-mail using SMTP

Please find attached two documents: -

1. A current edited running config of my 501 Pix

2. A PowerPoint diagram of my network.

I very much appreciate any help.

Vinny.

48 Replies

Hi Patrick,

Please find attached a copy of the latest config & word document which contains the settings used on the dg814 Netgear router. (1,2 & 4)

I have been using hyper terminal not the PDM, I just happened to look at the PDM the one occasion when I noticed it highlighted unparsed commands. (3)

Rgds

Vinny

Hi,

Everything looks good but I guess it is still not working. At this point the only way to get it working is to troubleshoot the traffic with a packet sniffer and follow the traffic to see where it blocks. Then debug the equipment that does not forward it.

On ethereal you can for example filter smtp using:

tcp port 25

Remove all name, service and MAC resolution in ethereal.

Might be the time to get someone onboard that can help you troubleshoot the problem ONSITE.

sincerely

Patrick

Patrick,

I noticed I do not have the following access group statements: -

access-group smtpcap in interface outside

access-group acl_out in interface outside

Problem is, whichever order I enter them in, the config only keeps the last access-group entered.

Plus I am a bit confused as I expected to have some kind of static statement like: -

static (inside,outside) 192.168.2.3 192.168.1.2 netmask 255.255.255.255 0 0

and then map my global Ip to 192.168.2.3

Thanks Vinny.

access-list smtpcap was there to sniff the traffic and will never be used with the access-group.

access-group acl_out in interface outside

This will be the access-list for the outside interface.

You do not need a static, because we have DISABLED NAT and the PIX is just forwarding the traffic without NAT.

DISABLE THAT static:

no static (inside,outside) 192.168.2.3 192.168.1.2 netmask 255.255.255.255 0 0

You have to do all NAT and PAT on the ADSL Router !

sincerely

Patrick

Thanks Patrick,

for clearing that up, I have the following config please let me know if you can see anything else wrong.

I will try and test the router to see if it is forwarding incoming requests to the pix.

If the Router is forwarding, how likely is it that my pix is faulty?

Thanks very much for your help

Kind Regards

Vinny

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

hostname SFUKfirewall

domain-name superfoodsuk.com

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

no fixup protocol smtp 25

names

access-list NONAT permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list NONAT permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list acl_out permit tcp any host 192.168.1.2 eq smtp

access-list acl_out permit tcp any host 192.168.1.2 eq www

access-list acl_out permit tcp any host 192.168.1.2 eq pop3

pager lines 24

logging on

logging buffered debugging

interface ethernet0 10baset

interface ethernet1 10full

mtu outside 1500

mtu inside 1500

ip address outside 192.168.2.2 255.255.255.0

ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group acl_out in interface outside

route outside 0.0.0.0 0.0.0.0 192.168.2.1 1

route inside 192.168.0.0 255.255.255.0 192.168.1.2 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

no sysopt route dnat

telnet timeout 5

ssh timeout 5

dhcpd address 192.168.1.2-192.168.1.3 inside

dhcpd dns 158.152.1.58 158.152.1.43

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

dhcpd enable inside

terminal width 80

: end

[OK]

This line is missing:

nat (inside) 0 access-list NONAT

The rest of the PIX config is OK.

The following config lines are good, but you can also deal without it:

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

As you have disabled NAT with "nat (inside) 0", the traffic from your internal clients will be forwarded without NAT if you remove those lines. If you leave them there then all internal clients will be port translated (PAT). All NAT and PAT have to be done on the ADSL Router.

After adding the nat (inside) 0 ... don't forget to do a: clear xlate

sincerely

Patrick

Hi Patrick,

Ok, I've added: - nat (inside) 0 access-list NONAT

Done clear xlate & write m

Internet ok here

I've removed: - global (outside) 1 interface

Done clear xlate & write m

Internet ok here

When I remove: - nat (inside) 1 0.0.0.0 0.0.0.0 0 0

clear xlate & write m

I lose internet!

Rgds Vinny

OK Vinny give me some time, I will do a test on my PIX to see how to setup that with NONAT.

Leave the nat and the global 1 for the moment.

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

sincerely

Patrick

I have been following this string... How do you have DNS set up for your mail? Example: if I want to send you a message, it must be vinny@something, etc. So are you broadcasting your mail location with the public address of the ADSL router?? If you had a public address from the ISP to translate your mail server to then I'll bet your mail will work okay.

Hi,

I'm not sure if I understand you correctly!

I have setup a domain say sfuk.com.

I have something like mail.sfuk.com to point to my Global IP 80.xxx.xxx.225

Plus if I remove the Pix everything works fine.

Thanks

Vinny

Hi Patrick Iseli,

You are a STAR, your code was spot on, and it works!

I went back to your code prior to using NONAT 24.02.2005 and changed the Router to port forward to Ext Interface of Pix (192.168.2.2) instead of Ext Interface of Mail server (192.168.1.2) and mail started coming in.

Thanks Very Much Patrick, couldn’t have done it without you. This thread went on a long time with a huge number of replies but you stuck in there with me buddy.

Very Much Appreciated and Kind Regards

Vinny

p.s. Now we have this working, I need to setup a VPN. Can you suggest the best way of setting up a VPN with the Pix 501 servicing the request?

p.s. Below is a copy of my working config, in case anyone has been following this thread and has a similar issue.

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

hostname SFUKfirewall

domain-name xxx.com

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

no fixup protocol smtp 25

names

access-list acl_out permit tcp any host 192.168.2.2 eq pop3

access-list acl_out permit tcp any host 192.168.2.2 eq smtp

access-list acl_out permit tcp any host 192.168.2.2 eq www

pager lines 24

logging on

logging buffered debugging

interface ethernet0 10baset

interface ethernet1 10full

mtu outside 1500

mtu inside 1500

ip address outside 192.168.2.2 255.255.255.0

ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp 192.168.2.2 www 192.168.1.2 www netmask 255.255.255.255 0 0

static (inside,outside) tcp 192.168.2.2 pop3 192.168.1.2 pop3 netmask 255.255.255.255 0 0

static (inside,outside) tcp 192.168.2.2 smtp 192.168.1.2 smtp netmask 255.255.255.255 0 0

access-group acl_out in interface outside

route outside 0.0.0.0 0.0.0.0 192.168.2.1 1

route inside 192.168.0.0 255.255.255.0 192.168.1.2 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

no sysopt route dnat

telnet timeout 5

ssh timeout 5

dhcpd address 192.168.1.2-192.168.1.2 inside

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

dhcpd enable inside

terminal width 80

Cryptochecksum:faf8de435ff871cdf39eb5af1fce4f55

: end

[OK]
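The difference between the earlier attempt and the working config above is that inbound traffic must be permitted to the PIX's own outside address (192.168.2.2) and then forwarded to the mail server by a per-port static PAT entry, with the ACL actually bound by access-group. The following checker is an added example, not code from the thread or from Cisco; it parses only the config line forms that appear in this thread and reports where the inbound SMTP/POP3/WWW path is inconsistent.

```python
import re

# Constructed excerpt of the working PIX 6.2(2) config posted above
WORKING_CFG = """
access-list acl_out permit tcp any host 192.168.2.2 eq pop3
access-list acl_out permit tcp any host 192.168.2.2 eq smtp
access-list acl_out permit tcp any host 192.168.2.2 eq www
ip address outside 192.168.2.2 255.255.255.0
static (inside,outside) tcp 192.168.2.2 www 192.168.1.2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.2.2 pop3 192.168.1.2 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.2.2 smtp 192.168.1.2 smtp netmask 255.255.255.255 0 0
access-group acl_out in interface outside
"""

# Constructed excerpt of the earlier non-working attempt: ACL names the inside server, no static
BROKEN_CFG = """
access-list acl_out permit tcp any host 192.168.1.2 eq smtp
access-list acl_out permit tcp any host 192.168.1.2 eq www
access-list acl_out permit tcp any host 192.168.1.2 eq pop3
ip address outside 192.168.2.2 255.255.255.0
access-group acl_out in interface outside
"""

ACL_RE = re.compile(r"^access-list (\S+) permit tcp any host (\S+) eq (\S+)$")
STATIC_RE = re.compile(r"^static \(inside,outside\) tcp (\S+) (\S+) (\S+) (\S+) netmask")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside$")
OUTSIDE_RE = re.compile(r"^ip address outside (\S+) ")

def audit_inbound(cfg):
    """Return findings for the inbound SMTP/POP3/WWW path; [] means consistent."""
    acl_entries, statics, applied, outside_ip = [], {}, set(), None
    for line in cfg.strip().splitlines():
        if m := ACL_RE.match(line):
            acl_entries.append(m.groups())           # (acl name, dst host, port)
        elif m := STATIC_RE.match(line):
            g_ip, g_port, l_ip, l_port = m.groups()  # global ip/port -> local ip/port
            statics[(g_ip, g_port)] = (l_ip, l_port)
        elif m := GROUP_RE.match(line):
            applied.add(m.group(1))
        elif m := OUTSIDE_RE.match(line):
            outside_ip = m.group(1)
    findings = []
    for name in {e[0] for e in acl_entries} - applied:
        findings.append(f"access-list {name} is never bound with access-group")
    for name, host, port in acl_entries:
        if host != outside_ip:
            findings.append(f"{name}: {host} eq {port} is not the outside address {outside_ip}")
        if (host, port) not in statics:
            findings.append(f"no static PAT forwards {host}:{port} to an inside server")
    return findings
```

Run against the broken excerpt it reports, for each of the three ports, both that the ACL permits traffic to the inside address rather than the outside one and that no static forwards it; the working excerpt produces no findings.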

What kind of VPN do you want to setup ?

a.) Site to Site

b.) VPN Client

Be sure that the ADSL Router is forwarding IPSEC:

UDP 500 = ISAKMP

Protocol ESP

Site 2 Site example:

PIX Firewall configuration version 6.3.x

PIX> enable

PIX# configure terminal

PIX(config)# sysopt connection permit-ipsec

STEP 1 - Configure IKE

PIX(config)# isakmp enable outside

PIX(config)# isakmp policy 10 authentication pre-share

PIX(config)# isakmp policy 10 encryption 3des

PIX(config)# isakmp policy 10 hash md5

PIX(config)# isakmp policy 10 group 2

PIX(config)# isakmp policy 10 lifetime 86400

PIX(config)# isakmp identity address

PIX(config)# isakmp key your-vpn-password address PEER-IP netmask 255.255.255.255

STEP 2 - Configure IPSEC

PIX(config)# access-list NONAT permit ip Internalnet ISubnet Externalnet Esubnet

PIX(config)# global (outside) 1 interface

PIX(config)# nat (inside) 0 access-list NONAT

PIX(config)# nat (inside) 1 0.0.0.0 0.0.0.0 0 0

PIX(config)# access-list VPN permit ip Internalnet ISubnet Externalnet ESubnet

PIX(config)# crypto ipsec transform-set TRANS esp-des esp-md5-hmac

PIX(config)# crypto map REMOTE 10 ipsec-isakmp

PIX(config)# crypto map REMOTE 10 match address VPN

PIX(config)# crypto map REMOTE 10 set peer PEER-IP

PIX(config)# crypto map REMOTE 10 set transform-set TRANS

PIX(config)# crypto map REMOTE interface outside

Example for VPN Client:

PIX(config)# aaa-server LOCAL protocol local

PIX(config)# aaa authentication secure-http-client

STEP 1 - Configure IKE

PIX(config)# isakmp enable outside

PIX(config)# isakmp policy 10 authentication pre-share

PIX(config)# isakmp policy 10 encryption 3des

PIX(config)# isakmp policy 10 hash md5

PIX(config)# isakmp policy 10 group 2

PIX(config)# isakmp policy 10 lifetime 86400

PIX(config)# isakmp nat-traversal 20

PIX(config)# isakmp identity address

PIX(config)# isakmp key your-vpn-password address PEER-IP netmask 255.255.255.255

STEP 2 - Configure IPSEC

PIX(config)# access-list NONAT permit ip Internalnet ISubnet VPN-Pool 255.255.255.0

PIX(config)# access-list NONAT permit ip Internalnet ISubnet Externalnet Esubnet

PIX(config)# global (outside) 1 interface

PIX(config)# nat (inside) 0 access-list NONAT

PIX(config)# nat (inside) 1 0.0.0.0 0.0.0.0 0 0

PIX(config)# access-list VPN permit ip Internalnet ISubnet Externalnet ESubnet

PIX(config)# access-list DYN-VPN-ACL permit ip Internalnet ISubnet VPN-Pool 255.255.255.0

PIX(config)# crypto ipsec transform-set TRANS esp-3des esp-md5-hmac

PIX(config)# crypto dynamic-map outside_dyn_map 20 match address DYN-VPN-ACL

PIX(config)# crypto dynamic-map outside_dyn_map 20 set transform-set TRANS

PIX(config)# crypto map REMOTE 65535 ipsec-isakmp dynamic outside_dyn_map

PIX(config)# crypto map REMOTE client authentication LOCAL

PIX(config)# crypto map REMOTE interface outside

PIX(config)# crypto map REMOTE 10 ipsec-isakmp

PIX(config)# crypto map REMOTE 10 match address VPN

PIX(config)# crypto map REMOTE 10 set peer PEER-IP

PIX(config)# crypto map REMOTE 10 set transform-set TRANS

PIX(config)# crypto map REMOTE interface outside

Step 3 VPN Group config

PIX(config)# ip local pool VPNPool x.y.z.1-x.y.z.254

PIX(config)# vpngroup VPNGroup address-pool VPNPool

PIX(config)# vpngroup VPNGroup dns-server dns2 dns1

PIX(config)# vpngroup VPNGroup default-domain localdomain

PIX(config)# vpngroup VPNGroup idle-time 1800

PIX(config)# vpngroup VPNGroup password grouppassword

PIX(config)# username vpnclient password vpnclient-password

sincerely

Patrick
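The IKE and IPsec parameters in the examples above (3DES, MD5, DH group 2, and esp-des in the site-to-site transform set) were typical for PIX 6.x at the time but are below current minimums. As an added check, not part of the thread, this small audit parses the exact isakmp policy and transform-set command forms shown above and flags the weak algorithm choices so they can be replaced before the tunnel goes into production.

```python
import re

# Constructed from the site-to-site example posted above (not taken from a live PIX)
SITE_TO_SITE = """
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set TRANS esp-des esp-md5-hmac
"""

# Reasons are generic cryptographic guidance, not PIX documentation
WEAK_IKE = {
    "encryption": {"des": "single DES is brute-forceable",
                   "3des": "3DES has a 64-bit block and is deprecated"},
    "hash": {"md5": "MD5 is deprecated for IKE integrity"},
    "group": {"1": "768-bit DH is far too small",
              "2": "1024-bit DH (group 2) is below current minimums"},
}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}

POLICY_RE = re.compile(r"^isakmp policy (\d+) (encryption|hash|group) (\S+)$")
TRANSFORM_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")

def audit_crypto(cfg):
    """Return one finding per weak IKE attribute or ESP transform found."""
    findings = []
    for line in cfg.strip().splitlines():
        if m := POLICY_RE.match(line):
            prio, attr, val = m.groups()
            if val in WEAK_IKE[attr]:
                findings.append(f"isakmp policy {prio} {attr} {val}: {WEAK_IKE[attr][val]}")
        elif m := TRANSFORM_RE.match(line):
            name, transforms = m.groups()
            for t in transforms.split():
                if t in WEAK_ESP:
                    findings.append(f"transform-set {name} uses weak transform {t}")
    return findings
```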

Hi Patrick,

What are the pros & cons of the two types mentioned?

What additional hardware etc would be required?

We have 2 salesmen that need access to our server.

One of them works from a fixed location and the other can be any where in the world.

All they would need to access is an application (Microsoft Navision), Plus e-mail via OWA.

Thanks

Vinny.

Hi Vinny,

VPN Client is used to connect from a host (PC) to a VPN Server such as your PIX 501. Usually travelling people use that kind of VPN to connect to Mail and other network resources. Works with Dynamic IPs.

= Host to Network VPN.

VPN Site 2 Site is usually used for a remote office or teleworkers. To have a VPN Site 2 Site you need another device (hardware) that can establish the VPN Tunnel.

= Network to Network VPN.

I think for your purpose the VPN Client setup will be much easier, just be sure that the ADSL Router will let IPSEC and ESP pass. Not all devices let this through.

sincerely

Patrick

Hi Patrick,

I didn't get a chance to tinker with the VPN client code till now. I have included the following lines of code with the error output for each: -

1.

SFUKfirewall(config)# aaa authentication secure-http-client

Usage: [no] aaa authentication|authorization|accounting include|exclude

[ ]

[no] aaa authentication serial|telnet|ssh|http|enable console

g>

[no] aaa authentication|authorization|accounting match

>

[no] aaa authorization command {LOCAL | tacacs_server_tag}

aaa proxy-limit | disable

SFUKfirewall(config)#

2.

SFUKfirewall(config)# isakmp nat-traversal 20

Usage: isakmp policy authen

isakmp policy encrypt

isakmp policy hash

isakmp policy group <1|2>

isakmp policy lifetime

isakmp key address [netmask ] [no-xauth] [no-con

fig-mode]

isakmp enable

isakmp identity

[]

isakmp keepalive []

isakmp client configuration address-pool local []

isakmp peer fqdn|ip [no-xauth] [no-config-mode]

3.

SFUKfirewall(config)# isakmp policy nat-traversal 20

Priority must be between 1 and 65000

SFUKfirewall(config)#

4.

SFUKfirewall(config)# isakmp key your-vpn-password address PEER-IP netmask 255$

Invalid IP address.

SFUKfirewall(config)#

Kind Regards

Vinny.
