09-08-2008 05:58 AM - edited 03-03-2019 11:27 PM
Dear Team,
My port forwarding on the PIX 506E just failed. It had been working but does not any more. I had set up SMTP forwarding as below:
access-list outside_in permit tcp any host xxx.xxx.xxx.250 eq pop3
access-list outside_in permit tcp any host xxx.xxx.xxx.250 eq smtp
access-list outside_in permit tcp any host xxx.xxx.xxx.250 eq imap4
access-list outside_in permit tcp any host xxx.xxx.xxx.250 eq www
access-list outside_in permit udp any host xxx.xxx.xxx.250 eq 143
access-list outside_in permit tcp any any
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
pager lines 24
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.250 255.255.255.0
ip address inside 192.168.21.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp xxx.xxx.xxx.250 smtp 192.168.21.2 smtp netmask 255.255.255.255 0 0
access-group 101 in interface outside
Please assist.
Thanks,
Elias
09-08-2008 06:23 AM
The previous configs had some typo errors. These are the configs on the PIX:
access-list 101 permit tcp any host xxx.xxx.xxx.250 eq pop3
access-list 101 permit tcp any host xxx.xxx.xxx.250 eq smtp
access-list 101 permit tcp any host xxx.xxx.xxx.250 eq imap4
access-list 101 permit tcp any host xxx.xxx.xxx.250 eq www
access-list 101 permit udp any host xxx.xxx.xxx.250 eq 143
access-list 101 permit tcp any any
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
pager lines 24
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.250 255.255.255.0
ip address inside 192.168.21.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp xxx.xxx.xxx.250 smtp 192.168.21.2 smtp netmask 255.255.255.255 0 0
access-group 101 in interface outside
Thanks
09-08-2008 08:07 AM
Do you have "fixup protocol smtp 25" enabled on the PIX?
09-08-2008 10:30 PM
These are the configs on my PIX:
User Access Verification
Password:
Type help or '?' for a list of available commands.
regdev> en
Password: *************
regdev# show run
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
passwd xxx
hostname regdev
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit icmp any any time-exceeded
access-list 101 permit tcp any host xxx.xxx.xxx.250 eq pop3
access-list 101 permit tcp any host xxx.xxx.xxx.250 eq smtp
access-list 101 permit tcp any host xxx.xxx.xxx.250 eq imap4
access-list 101 permit tcp any host xxx.xxx.xxx.250 eq www
access-list 101 permit udp any host xxx.xxx.xxx.250 eq 143
access-list 101 permit tcp any any
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
pager lines 24
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.250 255.255.255.0
ip address inside 192.168.21.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp xxx.xxx.xxx.250 smtp 192.168.21.2 smtp netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.11 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
snmp-server host outside 213.147.70.243
no snmp-server location
no snmp-server contact
snmp-server community nbnetnms
no snmp-server enable traps
floodguard enable
telnet 192.168.21.0 255.255.255.0 inside
telnet timeout 50
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
terminal width 80
Cryptochecksum:xxx
: end
regdev#
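An added config-audit script, not from the thread or from Cisco, that parses the statements deciding whether the SMTP forward in the posted PIX 6.3 config can work (static, ACL entries, access-group binding, fixup) and flags the exposures visible in that config; the sample is a constructed excerpt that keeps the thread's redacted xxx.xxx.xxx.250 placeholder, and the script assumes Python 3.8 or newer.

```python
import re
# Constructed sample modelled on the PIX 6.3 config in the thread; the redacted xxx placeholder is kept.
SAMPLE = """\
fixup protocol smtp 25
access-list 101 permit tcp any host xxx.xxx.xxx.250 eq smtp
access-list 101 permit tcp any any
static (inside,outside) tcp xxx.xxx.xxx.250 smtp 192.168.21.2 smtp netmask 255.255.255.255 0 0
access-group 101 in interface outside
ssh 0.0.0.0 0.0.0.0 outside
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) tcp (\S+) (\S+) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (\w+) (any|host \S+) (any|host \S+)(?: eq (\S+))?")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")

def parse_pix(text):
    """Collect the statements that decide whether an inbound port forward works."""
    cfg = {"statics": [], "acls": {}, "groups": {}, "fixups": set(), "lines": []}
    for line in (l.strip() for l in text.splitlines()):
        cfg["lines"].append(line)
        if m := STATIC_RE.match(line):
            cfg["statics"].append(m.groups())          # (high_if, low_if, gip, gport, lip, lport)
        elif m := ACL_RE.match(line):
            name, *entry = m.groups()                  # (action, proto, src, dst, port-or-None)
            cfg["acls"].setdefault(name, []).append(tuple(entry))
        elif m := GROUP_RE.match(line):
            cfg["groups"][m.group(2)] = m.group(1)     # interface -> ACL bound inbound on it
        elif line.startswith("fixup protocol "):
            cfg["fixups"].add(line.split()[2])
    return cfg

def audit_forward(cfg, service="smtp"):
    """Return (forward_permitted, findings) for the TCP static of the given service."""
    findings = []
    statics = [s for s in cfg["statics"] if s[3] == service]
    if not statics:
        return False, [f"no static (inside,outside) tcp entry for {service}"]
    _, low_if, gip, gport, _, _ = statics[0]
    acl = cfg["acls"].get(cfg["groups"].get(low_if), [])
    permitted = any(a == "permit" and p == "tcp" and d in ("any", f"host {gip}")
                    and port in (None, gport) for a, p, _, d, port in acl)
    if not permitted:
        findings.append(f"no ACL bound inbound on {low_if} permits tcp to {gip} port {gport}")
    if ("permit", "tcp", "any", "any", None) in acl:
        findings.append(f"'permit tcp any any' on {low_if} exposes every translated port, not just {service}")
    if service in cfg["fixups"]:
        findings.append("fixup protocol smtp (Mailguard) is on: ESMTP verbs such as EHLO are blocked")
    if f"ssh 0.0.0.0 0.0.0.0 {low_if}" in cfg["lines"]:
        findings.append(f"SSH management is reachable from any address on {low_if}")
    return permitted, findings
```

Run `audit_forward(parse_pix(SAMPLE))` to see that the forward itself is permitted while three exposures are reported; a config with the static but no access-group binding reports the missing ACL instead.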