11-27-2003 10:48 AM - edited 03-09-2019 05:41 AM
I have just put the PIX 501 firewall on; this is the first time I have played with one.
I set up PAT for one external address x.x.x.3, where the firewall's external IP is x.x.x.2. This works fine for browsing, downloading, etc. for all internal clients. But I have an Exchange server (5.5), so I want a static route in and out of the firewall for mail and eventually OWA. I can't get the ports open. From the outside I can't ping or telnet (on port 25) to the server, but it does resolve the name to an address, and from the inside I can't ping anything but can resolve. I have tried a static mapping from the external IP to the Exchange server, but this does not work. I have opened a TAC case, but all their tips have not helped. Mail NDRs come back internally (host unknown), and from the outside I can't make the connection.
Any help would be great.
Cheers
Chris
11-27-2003 12:46 PM
A PIX will not allow anything in unless you specifically allow it to. To get SMTP type traffic in you should apply an access control list to the outside interface that allows SMTP traffic to the specific IP address that the inside exchange server is network address translated to.
11-27-2003 12:56 PM
access-list outside_access_in permit tcp any interface outside object-group mail
This service group has DNS, SMTP and WWW.
static (inside,outside) tcp interface www dtr-xchnge www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp dtr-xchnge smtp netmask 255.255.255.255 0 0
I was thinking that this should allow the mail to go through, but it doesn't work.
11-28-2003 05:43 AM
Listed below is a simplified version of how I usually configure a PIX to allow incoming SMTP traffic only and be a VPN server. I hope that this helps.
mgw-pix# wr t
Building configuration...
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password bigsecret
passwd littlesecret
hostname mgw-pix
domain-name steve.co.uk
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name xxx.xxx.xxx.y default-gateway
name 192.168.0.0 inside-network
name 192.168.0.1 mail-server
access-list 100 permit tcp any host xxx.xxx.xxx.z eq smtp
pager lines 24
logging on
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.x 255.255.255.248
ip address inside 192.168.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location mail-server 255.255.255.255 inside
pdm logging debugging 100
pdm history enable
arp timeout 14400
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) xxx.xxx.xxx.z mail-server netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 default-gateway 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http mail-server 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set steve esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set steve
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup pix506 address-pool home
vpngroup pix506 dns-server mail-server
vpngroup pix506 wins-server mail-server
vpngroup pix506 default-domain mgw.co.uk
vpngroup pix506 split-tunnel 110
vpngroup pix506 idle-time 1800
vpngroup pix506 password 1steve2
telnet 172.16.1.21 255.255.255.255 outside
telnet mail-server 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Steve
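As an added example (not part of this thread and not a Cisco tool), a small Python check for the point made in the replies above: a static on its own publishes nothing until an access-list entry permitting that global address and port is bound inbound on the outside interface with access-group. It parses only the static, access-list and access-group lines of a PIX 6.x config and lists the statics no applied permit covers; the sample config is constructed from the posted one, and the function names are my own.

```python
# Constructed sample (not a real device): the inbound-SMTP lines from the config posted
# above, plus one port-redirect static that no access-list entry ever permits.
SAMPLE_CONFIG = """
access-list 100 permit tcp any host xxx.xxx.xxx.z eq smtp
static (inside,outside) xxx.xxx.xxx.z mail-server netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.0.2 www netmask 255.255.255.255 0 0
access-group 100 in interface outside
"""

def _addr(t, i):
    """Consume one ACL address spec at t[i]; return ((kind, value), next index)."""
    if t[i] == "any":
        return ("any", None), i + 1
    if t[i] in ("host", "interface"):
        return (t[i], t[i + 1]), i + 2
    return ("net", t[i]), i + 2                 # network followed by its mask

def _parse(config):
    """Collect statics as (outside_if, global, port), ACL entries as (dst, port), and bindings."""
    statics, acls, applied = [], {}, {}
    for t in (line.split() for line in config.splitlines()):
        if not t:
            continue
        if t[0] == "static":                    # static (in,out) [tcp|udp] global [gport] local [lport]
            outside = t[1].strip("()").split(",")[1]
            port_form = t[2] in ("tcp", "udp")
            statics.append((outside, t[3] if port_form else t[2], t[4] if port_form else None))
        elif t[0] == "access-list" and t[2] == "permit":
            port = t[t.index("eq") + 1] if "eq" in t else None   # port names compared as written
            _, i = _addr(t, 4)                  # t[3] is the protocol; skip the source spec
            acls.setdefault(t[1], []).append((_addr(t, i)[0], port))
        elif t[0] == "access-group":            # access-group <name> in interface <if>
            applied[t[4]] = t[1]
    return statics, acls, applied

def unpublished_statics(config):
    """Return (global, port) for each static that no applied inbound ACL entry permits."""
    statics, acls, applied = _parse(config)
    missing = []
    for outside, gaddr, gport in statics:
        entries = acls.get(applied.get(outside), [])   # [] when no access-group is bound
        wanted = [("any", None), ("host", gaddr)]
        if gaddr == "interface":                # static to the interface address itself
            wanted.append(("interface", outside))
        hits = [dst for dst, aport in entries
                if dst in wanted and (aport is None or gport is None or aport == gport)]
        if not hits:
            missing.append((gaddr, gport))
    return missing
```

Removing the access-group line from the sample makes both statics show up as unpublished, which is the case where an ACL has been written but never applied.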
11-28-2003 05:50 AM
Spent a couple of hours on the phone to Cisco. I can receive mail and can send mail to a couple of hosts, but can't figure out why it comes back NDR from most. Thanks for the config.