02-13-2003 07:41 AM - edited 03-09-2019 02:05 AM
Hello all,
I am in the process of setting up an email server; for the time being, for reasons I'd rather not explain, I cannot put it on the DMZ. So it is sitting on the inside of the 515e firewall interface.
I have the internal IP of that server as 192.168.50.13, and from inside the network I can send, receive, etc. email on that server. It is a new server, so I recently set up my A and MX records. When pinging the domain entry the proper IP is now assigned to the domain name. However, I cannot see my email server from the outside world. When running a DNS query on the MX record I get no response.
The problem is at the PIX level. My static statements don't seem to be working.
One of my 4 static statements works, (for our Terminal Services server) but the other 3 entries do not.
They are as follows:
static (inside,outside) tcp MainOffice 3389 192.168.50.75 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp MainOffice smtp 192.168.50.13 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp MainOffice pop3 192.168.50.13 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp MainOffice telnet 192.168.50.201 telnet netmask 255.255.255.255 0 0
(The last entry is just a test to see if I could even host a Win2k standard telnet server from my local desktop and see it through the firewall; the test was unsuccessful. I can telnet in via the local IP, .201, but not via the outside IP, MainOffice.)
Since often other places in the PIX config seem to affect the issues I have :), I am including a full running-config listing below for those who would like to reference it. Thank you for your time,
One other strange thing of note: with this current config, I cannot ping my outside interface IP from either external IPs or internal IPs. I have my ICMP entries set and thought I should be able to see it, but can't. This isn't as important an issue as the above issue.
Dave
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
hostname YRPCI
domain-name yrpci.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol http 8080
fixup protocol ftp 22
names
name x.x.71.8 ConstOffice
name x.x.81.11 BftOffice
name x.x.71.7 MainOffice
access-list acl_outbound permit ip host 192.168.50.10 any
access-list acl_outbound permit ip host 192.168.50.75 any
access-list acl_outbound permit ip host 192.168.50.201 any
access-list acl_outbound permit ip host 192.168.50.202 any
access-list acl_outbound permit tcp host 192.168.50.203 any
access-list acl_outbound permit tcp host 192.168.50.204 any
access-list acl_outbound permit tcp host 192.168.50.205 any
access-list acl_outbound permit tcp host 192.168.50.206 any
access-list acl_outbound permit tcp host 192.168.50.207 any
access-list acl_outbound permit tcp host 192.168.50.208 any
access-list acl_outbound permit tcp host 192.168.50.209 any
access-list acl_outbound permit tcp host 192.168.50.210 any
access-list acl_outbound permit tcp host 192.168.50.211 any
access-list acl_outbound permit tcp host 192.168.50.212 any
access-list acl_outbound permit tcp host 192.168.50.213 any
access-list acl_outbound permit tcp host 192.168.50.214 any
access-list acl_outbound permit tcp host 192.168.50.215 any
access-list acl_outbound permit tcp host 192.168.50.216 any
access-list acl_outbound permit tcp host 192.168.50.217 any
access-list acl_outbound permit tcp host 192.168.50.218 any
access-list acl_outbound permit tcp host 192.168.50.219 any
access-list acl_outbound permit tcp host 192.168.50.220 any
access-list acl_outbound permit tcp host 192.168.50.221 any
access-list acl_outbound permit tcp host 192.168.50.222 any
access-list acl_outbound permit tcp host 192.168.50.223 any
access-list acl_outbound permit tcp host 192.168.50.224 any
access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any eq smtp
access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any eq pop3
access-list acl_outbound permit ip 192.168.50.0 255.255.255.0 host 192.168.51.0
access-list acl_outbound permit ip 192.168.50.0 255.255.255.0 host 192.168.52.0
access-list acl_outbound permit ip 192.168.50.0 255.255.255.0 host 192.168.53.0
access-list acl_outbound permit ip host 192.168.50.51 any
access-list acl_outbound permit tcp host 192.168.50.11 any
access-list acl_outbound permit ip host 192.168.50.13 any
access-list acl_outbound permit tcp host 192.168.50.225 any
access-list acl_inbound permit tcp any host MainOffice eq 3389
access-list acl_inbound permit icmp any any echo-reply
access-list acl_inbound permit icmp any any time-exceeded
access-list acl_inbound permit icmp any any unreachable
access-list acl_inbound permit ip host MainOffice any
access-list acl_inbound permit tcp any any eq ssh
access-list 101 permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0
access-list 102 permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list 100 permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list 100 permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0
access-list 100 permit ip 192.168.50.0 255.255.255.0 192.168.53.0 255.255.255.0
access-list 103 permit ip 192.168.50.0 255.255.255.0 192.168.53.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging console debugging
logging buffered warnings
logging trap warnings
logging history warnings
logging host inside 192.168.50.201
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
icmp permit host MainOffice outside
icmp permit host ConstOffice outside
icmp permit any unreachable outside
icmp permit any echo-reply outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside pppoe setroute
ip address inside 192.168.50.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no pdm history enable
arp timeout 14400
global (outside) 2 interface
nat (inside) 0 access-list 100
nat (inside) 2 192.168.50.0 255.255.255.0 0 0
static (inside,outside) tcp MainOffice 3389 192.168.50.75 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp MainOffice smtp 192.168.50.13 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp MainOffice pop3 192.168.50.13 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp MainOffice telnet 192.168.50.201 telnet netmask 255.255.255.255 0 0
access-group acl_inbound in interface outside
access-group acl_outbound in interface inside
timeout xlate 8:00:00
timeout conn 7:00:00 half-closed 6:00:00 udp 7:00:00 rpc 7:00:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 7:30:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map vpn1 10 ipsec-isakmp
crypto map vpn1 10 match address 102
crypto map vpn1 10 set pfs group2
crypto map vpn1 10 set peer ConstOffice
crypto map vpn1 10 set transform-set myset
crypto map vpn1 20 ipsec-isakmp
crypto map vpn1 20 match address 101
crypto map vpn1 20 set pfs group2
crypto map vpn1 20 set peer BftOffice
crypto map vpn1 20 set transform-set myset
crypto map vpn1 interface outside
isakmp enable outside
isakmp key ******** address ConstOffice netmask 255.255.255.255
isakmp key ******** address BftOffice netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet ConstOffice 255.255.255.255 outside
telnet 192.168.51.0 255.255.255.0 outside
telnet 192.168.52.0 255.255.255.0 outside
telnet BftOffice 255.255.255.255 outside
telnet 192.168.50.0 255.255.255.0 inside
telnet timeout 10
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.50.0 255.255.255.0 inside
ssh timeout 20
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname xxxxxxxxx
vpdn group pppoex ppp authentication pap
vpdn username xxxxxxxxxx password *********
terminal width 80
: end
02-13-2003 01:12 PM
Oh, I see.
OK, I tried that and still no go... sorry.
I even tried to set it to
access-list test permit ip any any
just to make sure, and I still couldn't get through.
02-13-2003 01:16 PM
Can you paste the current config file? This really does not make sense.
02-13-2003 01:24 PM
Certainly...
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
hostname YRPCI
domain-name yrpci.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol http 8080
fixup protocol ftp 22
fixup protocol smtp 25
names
name x.x.71.8 ConstOffice
name x.x.81.11 BftOffice
name x.x.71.7 MainOffice
access-list acl_outbound permit ip host 192.168.50.10 any
access-list acl_outbound permit ip host 192.168.50.75 any
access-list acl_outbound permit ip host 192.168.50.201 any
access-list acl_outbound permit ip host 192.168.50.202 any
access-list acl_outbound permit tcp host 192.168.50.203 any
access-list acl_outbound permit tcp host 192.168.50.204 any
...
access-list acl_outbound permit tcp host 192.168.50.225 any
access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any eq smtp
access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any eq pop3
access-list acl_outbound permit ip 192.168.50.0 255.255.255.0 host 192.168.51.0
access-list acl_outbound permit ip 192.168.50.0 255.255.255.0 host 192.168.52.0
access-list acl_outbound permit ip 192.168.50.0 255.255.255.0 host 192.168.53.0
access-list acl_outbound permit ip host 192.168.50.51 any
access-list acl_outbound permit tcp host 192.168.50.11 any
access-list acl_outbound permit ip host 192.168.50.13 any
access-list acl_outbound permit tcp host 192.168.50.225 any
access-list acl_inbound permit tcp any host MainOffice eq 3389
access-list acl_inbound permit icmp any any echo-reply
access-list acl_inbound permit icmp any any time-exceeded
access-list acl_inbound permit icmp any any unreachable
access-list acl_inbound permit ip host MainOffice any
access-list acl_inbound permit tcp any any eq ssh
access-list acl_inbound permit tcp any host MainOffice eq pop3
access-list acl_inbound permit tcp any host MainOffice eq smtp
access-list acl_inbound permit tcp any host MainOffice eq telnet
access-list test permit ip any any
access-list 101 permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0
access-list 102 permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list 100 permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list 100 permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0
access-list 100 permit ip 192.168.50.0 255.255.255.0 192.168.53.0 255.255.255.0
access-list 103 permit ip 192.168.50.0 255.255.255.0 192.168.53.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging console debugging
logging buffered warnings
logging trap warnings
logging history warnings
logging host inside 192.168.50.201
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
icmp permit host MainOffice outside
icmp permit host ConstOffice outside
icmp permit any unreachable outside
icmp permit any echo-reply outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside pppoe setroute
ip address inside 192.168.50.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no pdm history enable
arp timeout 14400
global (outside) 2 interface
nat (inside) 0 access-list 100
nat (inside) 2 192.168.50.0 255.255.255.0 0 0
static (inside,outside) tcp MainOffice 3389 192.168.50.75 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp MainOffice pop3 192.168.50.13 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp MainOffice telnet 192.168.50.201 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp MainOffice smtp 192.168.50.13 smtp netmask 255.255.255.255 0 0
access-group acl_inbound in interface outside
access-group acl_outbound in interface inside
timeout xlate 8:00:00
timeout conn 7:00:00 half-closed 6:00:00 udp 7:00:00 rpc 7:00:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 7:30:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map vpn1 10 ipsec-isakmp
crypto map vpn1 10 match address 102
crypto map vpn1 10 set pfs group2
crypto map vpn1 10 set peer ConstOffice
crypto map vpn1 10 set transform-set myset
crypto map vpn1 20 ipsec-isakmp
crypto map vpn1 20 match address 101
crypto map vpn1 20 set pfs group2
crypto map vpn1 20 set peer BftOffice
crypto map vpn1 20 set transform-set myset
crypto map vpn1 interface outside
isakmp enable outside
isakmp key ******** address ConstOffice netmask 255.255.255.255
isakmp key ******** address BftOffice netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet ConstOffice 255.255.255.255 outside
telnet 192.168.51.0 255.255.255.0 outside
telnet 192.168.52.0 255.255.255.0 outside
telnet BftOffice 255.255.255.255 outside
telnet 192.168.50.0 255.255.255.0 inside
telnet timeout 10
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.50.0 255.255.255.0 inside
ssh timeout 20
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname xxxx
vpdn group pppoex ppp authentication pap
vpdn username xxxxx password *********
username cisco password BS/vQ9dzYT2I3rJy encrypted privilege 15
terminal width 80
: end
02-13-2003 01:43 PM
I noticed you are using PPPoE (ip address outside pppoe setroute). This is new, so I am going to look and see if there are any issues with the static mappings and PPPoE. I am going to see if there are any other protocols we need to allow with the ACL with PPPoE. The config looks good, except for one line in the access-list.
access-list acl_inbound permit ip host MainOffice any
should be
access-list acl_inbound permit ip any host MainOffice
Actually, you don't even need that line with the permit tcp statements later in the list.
02-13-2003 01:45 PM
It seems that you are using the same external IP address to translate into multiple internal addresses. I would ask, do any of the other translations work inbound? Do you have any other external IP addresses in the block you have been given to translate one-to-one with your email server?
Instead of having all these statics:
static (inside,outside) tcp MainOffice 3389 192.168.50.75 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp MainOffice pop3 192.168.50.13 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp MainOffice telnet 192.168.50.201 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp MainOffice smtp 192.168.50.13 smtp netmask 255.255.255.255 0 0
use the same external, I would suggest getting additional external IP addresses to translate with or to.
I hope this helps.
02-13-2003 04:54 PM
I wish I could get more external IPs; our DSL provider won't give us any more than one. They claim it's some sort of hardware limitation on their part. :( (And living on Hilton Head Island limits my choices of ISP suppliers.)
Yes, as of 2 weeks ago the top static was working, port 3389. I don't have the stuff I need here at home to use it at the moment, but I will double check that it still is tomorrow.
According to what I've done in the past and seen done (heck, I even do it with my simple Linksys router at home), standard PAT lets me use as many computers as I want running through that one external IP as long as they all use different ports to jump through on that one IP.
Thanks,
Dave
02-13-2003 06:57 PM
OK, first of all, for your inability to ping the outside IP address of the firewall, do this:
> clear icmp
> icmp permit any echo outside
> icmp permit any unreachable outside
Note that you won't be able to ping the outside IP address from any inside host, the PIX doesn't allow that.
As for your port statics not working, try the following (keep the port statics in place):
> nat (inside) 10 192.168.50.13 255.255.255.255
> global (outside) 10 MainOffice
That should get your SMTP/POP3 connectivity going hopefully.
02-14-2003 05:06 AM
I have everything in except that last global line, it gives me
"Start and end addresses overlap with outside interface address"
I wasn't aware I could have that global statement in with my existing one
"global (outside) 2 interface"
Am I missing something here? Thanks.
Dave
02-14-2003 06:35 AM
I guess I misunderstood; I was under the impression that you were having difficulties accessing your email server inbound, not outbound. With that being said, how are you able to PAT inbound to several different internal IP addresses? My assumption is that the only inbound translation that works is: static (inside,outside) tcp MainOffice 3389 192.168.50.75 3389 netmask 255.255.255.255 0 0
If you are having trouble with what I have said above, I don't believe you can do what you are doing. You will need additional NIC addresses to translate into your many internal addresses. You need to be doing a one-to-one translation with these servers; however, you are trying to complete this with a one-to-many premise inbound. This (I don't believe) will work inbound like this. Yes, PAT will work outbound in this scenario, but I believe the PAT inbound is your problem. Try my theory out if yours works: static (inside,outside) tcp MainOffice 3389 192.168.50.75 3389 netmask 255.255.255.255 0 0
Put your smtp or pop3 static at the top of the static statements and see what works then.
Unless I am not understanding (which is truly possible), I believe this is your problem.
Hope this helps explain a little more what I was saying before.
02-14-2003 08:46 AM
Oh my goodness...
Well, that worked, which amazes me. Why would it only limit me to one static inbound traffic entry?
Heck, on my SOHO Linksys router I can do multiple PAT inbounds with a single IP!
So for every device host I have, I'll need a separate public IP. Wow, it's a good thing I don't plan on hosting more than 2-3 different things. I just hope I can get my ISP to work out their issues with supplying more than one IP to us.
02-14-2003 09:59 AM
Well, I am glad it works. To be honest with you, I am not sure why it works at home. I don't know all, however, I truly thought that you could not do PAT like this inbound.
But, from what I know, yes, you will have to have one external address for every internal system you want to translate to.
Unless, someone else knows something I don't (that is absolutely possible) you will have to do this. And like you say, hopefully you can get yourself some more addresses.
Good luck, and I am glad at least this part of the issue is kind of resolved!
02-14-2003 10:25 AM
I am glad that it is working. I really thought you could configure it the way you were doing it also. I have not tried it that way before, but the configuration options are there, so I don't know why it wouldn't work.
02-14-2003 10:30 AM
Thanks guys, I appreciate your help.
Until I get more IPs I can only host one service at a time, but that's the way the cookie crumbles...
Thanks again.
02-14-2003 10:33 AM
You can create the static mapping without using the port mappings. This will send all traffic to the server so you can use SMTP and POP3 to the mail server. This way you only use your RDP access.
static (inside,outside) MainOffice 192.168.50.13 netmask 255.255.255.255 0 0
02-14-2003 10:38 AM
Well, the PATs are working as long as I direct them to the same IP. For example, I have
static (inside,outside) tcp MainOffice pop3 192.168.50.13 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp MainOffice smtp 192.168.50.13 smtp netmask 255.255.255.255 0 0
and both work, but when I add
static (inside,outside) tcp MainOffice telnet 192.168.50.201 telnet netmask 255.255.255.255 0 0
that doesn't work...
Just thought you'd like to know that for future reference :)
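The thread touches on four separate PIX static-PAT pitfalls: a port static with no matching permit on the inbound access-list (the first config had `permit ip host MainOffice any`, which matches traffic *from* MainOffice, not *to* it), a `global` pool that names the interface's own address instead of using the `interface` keyword (the "overlap with outside interface address" error), an outside interface with `icmp permit` rules but no `echo` permit, and two statics competing for the same global address and port. The linter below, an added example that is not part of the thread or of any Cisco tool, parses the config syntax used in the posts and reports each of those conditions. It assumes a small port-name table, a constructed and abridged sample config in the shape of the first post with 203.0.113.7 standing in for the real MainOffice address, and a literal outside address instead of PPPoE so the global-pool check has something to compare against. Check 2 flags only a true collision (same global address, protocol and port mapped to two inside hosts); it does not model the one-global-per-host behaviour the later posts describe.

```python
"""Lint a PIX 6.x-style config for the static-PAT pitfalls raised in this thread.
Added example, not the poster's config: the SAMPLE below is constructed, with
203.0.113.7 standing in for the real MainOffice address."""
from collections import defaultdict

PORT_NAMES = {"smtp": 25, "pop3": 110, "telnet": 23, "ssh": 22, "www": 80}

def port(tok):
    """Resolve a PIX port keyword or number; None when the token is not a port."""
    return PORT_NAMES.get(tok) or (int(tok) if tok.isdigit() else None)

def addr(tokens, names):
    """Consume one address spec ('any', 'host X' or 'A MASK'), resolving 'name' aliases."""
    t = tokens.pop(0)
    if t == "any":
        return "any"
    if t == "host":
        t = tokens.pop(0)
    else:
        tokens.pop(0)  # drop the network mask; the checks only compare addresses
    return names.get(t, t)

def parse(text):
    names, statics, acl, groups, globs, icmp, ifaddr = {}, [], defaultdict(list), {}, [], [], {}
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith(":"):
            continue
        if tok[0] == "name":                              # name 203.0.113.7 MainOffice
            names[tok[2]] = tok[1]
        elif tok[0] == "static":                          # static (in,out) [tcp G GP L LP | G L] netmask ...
            pat = tok[2] in ("tcp", "udp")
            g, loc = (tok[3], tok[5]) if pat else (tok[2], tok[3])
            statics.append(dict(iface=tok[1].strip("()").split(",")[1], proto=tok[2] if pat else "ip",
                                gip=names.get(g, g), gport=port(tok[4]) if pat else None, lip=loc, raw=line.strip()))
        elif tok[0] == "access-list":                     # access-list NAME permit PROTO SRC DST [eq PORT | ICMPTYPE]
            rest = tok[4:]
            src, dst = addr(rest, names), addr(rest, names)
            acl[tok[1]].append(dict(action=tok[2], proto=tok[3], src=src, dst=dst,
                                    port=port(rest[1]) if rest[:1] == ["eq"] else None))
        elif tok[0] == "access-group":                    # access-group NAME in interface IFACE
            groups[tok[4]] = tok[1]
        elif tok[0] == "global":                          # global (IFACE) ID interface|ADDR
            globs.append((tok[1].strip("()"), names.get(tok[3], tok[3])))
        elif tok[0] == "icmp" and tok[1] == "permit":     # icmp permit SRC [TYPE] IFACE
            body = tok[2:-1]
            src = addr(body, names)
            icmp.append(dict(src=src, type=body[0] if body else None, iface=tok[-1]))
        elif tok[:2] == ["ip", "address"]:                # ip address IFACE ADDR MASK (or 'pppoe setroute')
            ifaddr[tok[2]] = tok[3]
    return dict(statics=statics, acl=acl, groups=groups, globs=globs, icmp=icmp, ifaddr=ifaddr)

def permits(e, proto, gip, gport):
    # An entry whose source is gip itself never matches traffic arriving from the internet.
    return (e["action"] == "permit" and e["proto"] in ("ip", proto) and e["src"] != gip
            and e["dst"] in ("any", gip) and e["port"] in (None, gport))

def lint(text):
    cfg, findings, seen = parse(text), [], {}
    own = {s["gip"] for s in cfg["statics"]} | set(cfg["ifaddr"].values())
    for s in cfg["statics"]:
        # 1. every static needs a permit on the ACL applied inbound on its global interface
        acl = cfg["acl"].get(cfg["groups"].get(s["iface"]), [])
        if not any(permits(e, s["proto"], s["gip"], s["gport"]) for e in acl):
            findings.append("no inbound permit for: " + s["raw"])
        # 2. one global ip/proto/port can translate to only one inside host
        key = (s["gip"], s["proto"], s["gport"])
        if seen.setdefault(key, s["lip"]) != s["lip"]:
            findings.append(f"duplicate static {key}: {seen[key]} and {s['lip']}")
    # 3. the PIX rejects a literal global address equal to the interface address; use 'interface'
    for iface, a in cfg["globs"]:
        if a == cfg["ifaddr"].get(iface):
            findings.append(f"global ({iface}) uses interface address {a}; use the 'interface' keyword")
    # 4. an inbound entry whose source is one of our own global addresses is written backwards
    for name in cfg["groups"].values():
        for e in cfg["acl"][name]:
            if e["src"] in own:
                findings.append(f"{name}: source {e['src']} looks reversed (src/dst swapped)")
    # 5. once any 'icmp permit ... outside' exists, only the listed sources and types are answered
    outside = [r for r in cfg["icmp"] if r["iface"] == "outside"]
    pingers = [r["src"] for r in outside if r["type"] in (None, "echo")]
    if outside and "any" not in pingers:
        findings.append("outside answers ping only from: " + (", ".join(pingers) or "nobody"))
    return findings

# Constructed, abridged config in the shape of the first post; a literal outside
# address replaces PPPoE so that check 3 has something to compare against.
SAMPLE = """\
name 203.0.113.7 MainOffice
access-list acl_inbound permit tcp any host MainOffice eq 3389
access-list acl_inbound permit ip host MainOffice any
access-list acl_inbound permit tcp any any eq ssh
icmp permit host MainOffice outside
icmp permit any echo-reply outside
ip address outside 203.0.113.7 255.255.255.248
global (outside) 2 interface
global (outside) 10 MainOffice
static (inside,outside) tcp MainOffice 3389 192.168.50.75 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp MainOffice smtp 192.168.50.13 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp MainOffice pop3 192.168.50.13 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp MainOffice smtp 192.168.50.201 smtp netmask 255.255.255.255 0 0
access-group acl_inbound in interface outside
"""

if __name__ == "__main__":
    print(*lint(SAMPLE), sep="\n")
```

On the sample, the 3389 static passes (it has `permit tcp any host MainOffice eq 3389`), while the smtp and pop3 statics are reported without an inbound permit, exactly the state of the first posted config; adding `access-list acl_inbound permit tcp any host MainOffice eq smtp` and `icmp permit any echo outside` clears those findings but still leaves the duplicate smtp static, the reversed ACL entry and the literal `global (outside) 10 MainOffice`.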