11-27-2003 01:47 AM - edited 03-09-2019 05:40 AM
We have an internet connection from a pix 515e via a leased line router.
the users can access the internet no problem and also we can get people accessing our web server but we have no outbound or inbound email.
we have our own internal email server.
out internal email server is set to 192.168.1.3 and we have a static command in the pix to say
static (inside,outside) 1.1.1.1 192.168.1.3
(1.1.1.1 has been changed for security purposes)
so the real world address for out mail server is 1.1.1.1 and this is translated to 192.168.1.3 this does not work, no email at all.
but, we have a web server 1.1.1.2 real world address which gets translated to 192.168.1.11 and this works without any problems.
outbound internet is also working perfectly.
please see our config below.
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password xxxxx
passwd xxxxx
hostname TheWall
domain-name xxx.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 101 permit tcp any host 1.1.1.1 eq smtp
access-list 101 permit tcp any host 1.1.1.2 eq www
access-list 101 permit tcp any host 1.1.1.2 eq login
access-list 101 permit icmp any any
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 1.1.1.10 255.255.255.0
ip address inside 192.168.1.10 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
access-group 101 in interface outside
conduit permit icmp any any
conduit permit udp any any
route outside 0.0.0.0 0.0.0.0 1.1.1.100
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:xxxxxxx
: end
12-10-2003 08:20 PM
unfortunately there is a bug with os 6.3(1). please try to ungrade the os.
12-11-2003 12:53 AM
Thanks for the info,
I have version 6.2(3).
are you aware of any bugs in this
12-14-2003 06:32 PM
It appears to me that you dont have an ACL set for the inside address of 192.168.1.3. I only see them set for .2 and .1
12-15-2003 06:32 AM
Hi,
I can see in the config that you are mixing conduits and ACL's. This is not recommended! Could you try removing the conduit command (and do a 'clear xlate') for a moment and see what happens?
Regards,
Tom
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide