03-19-2010 04:30 AM - edited 03-06-2019 10:13 AM
I am trying to route mail through my PIX and do not see any traffic passing through the PIX. Am I missing something?
Commands I've added:
access-list inbound extended permit tcp any host 192.168.3.5 eq smtp
static (inside,outside) tcp 70.70.70.70 smtp 192.168.3.5 smtp netmask 255.255.255.255
I thought I read something that I needed to play with the fixup command, but I don't know.
As you can tell, the 70 interface is the outside of my PIX and the 3.5 is the mail server.
I also cannot figure out the proper debug commands to watch traffic.
Thanks
Dave
03-19-2010 07:47 AM
Dave-
Your config looks good. Turn your logging to debug:
logging buffered debug
logging enable
then try it. From an outside device you can telnet to 70.70.70.70 on port 25.
Then check your logs. You should see the TCP connection being built. If there is a problem it should state that too. Feel free to post the results of the log and we'll see if we can help. Also a
show access-list | i 70.70.70.70
will show hit counts on the ACL. They should be incrementing as you test.
Hope it helps.
03-19-2010 11:18 AM
Dave,
If this is in fact a PIX, then you should run "clear xlate" and that will force the xlate table to be rebuilt. Other than that, your config looks fine.
HTH,
John
03-19-2010 12:08 PM
My PIX is running 7.2; the logging commands didn't work. Or do I submit them from config t?
I've tried the clear xlate; I'm now waiting for some mail to pass.
04-02-2010 08:03 PM
I'm still not seeing any traffic.
Do I need an access-group statement or anything else to make this work?
When I show access-list I see no hits.
Dave
04-02-2010 08:24 PM
04-03-2010 12:21 AM
Dave
I can't read your attachment, but based on your comment about access-group, have you applied the access-list to the outside interface, i.e.
access-group inbound in interface outside
Jon
04-04-2010 07:38 PM
wr t
: Saved
:
PIX Version 7.2(2)
!
hostname eastpix
domain-name cisco.com
names
dns-guard
!
interface Ethernet0
nameif outside
security-level 0
ip address 70.70.70.70 255.255.255.248
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
!
interface Ethernet2
nameif dmz
security-level 4
ip address 192.168.200.1 255.255.255.0
!
boot system flash:/pix722.bin
ftp mode passive
dns server-group DefaultDNS
domain-name cisco.com
access-list 100 extended permit ip 192.168.3.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 10.28.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.31.0 255.255.255.0
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.34.0 255.255.255.0
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.220.0 255.255.255.0
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.110.0 255.255.255.0
access-list 101 extended permit ip 192.168.3.0 255.255.255.0 10.28.1.0 255.255.255.0
access-list 102 extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 103 extended permit ip 192.168.3.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list 104 extended permit ip 192.168.3.0 255.255.255.0 192.168.31.0 255.255.255.0
access-list 107 extended permit ip 192.168.3.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list 108 extended permit ip 192.168.3.0 255.255.255.0 192.168.34.0 255.255.255.0
access-list 111 extended permit ip 192.168.3.0 255.255.255.0 192.168.220.0 255.255.255.0
access-list x extended permit icmp any any
access-list 105 extended permit ip 192.168.3.0 255.255.255.0 192.168.110.0 255.255.255.0
access-list inbound extended permit tcp any host 192.168.3.5 eq smtp
pager lines 24
logging enable
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 70.70.70.70 smtp 192.168.3.5 smtp netmask 255.255.255.255
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 70.70.70.71 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
group-policy vpn3000 internal
group-policy vpn3000 attributes
dns-server value 68.87.71.226
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 107
default-domain value moido.com
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set strong esp-des esp-md5-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 8 set transform-set myset
crypto dynamic-map dynmap 10 set transform-set strong
crypto map canton 10 match address 100
crypto map canton 10 set peer 1.1.1.1
crypto map canton 10 set transform-set strong
crypto map canton 20 match address 104
crypto map canton 20 set peer 2.2.2.2
crypto map canton 20 set transform-set strong
crypto map canton 30 match address 103
crypto map canton 30 set peer 3.3.3.3
crypto map canton 30 set transform-set strong
crypto map canton 40 match address 101
crypto map canton 40 set peer 4.4.4.4
crypto map canton 40 set transform-set strong
crypto map canton 50 match address 105
crypto map canton 50 set peer 5.5.5.5
crypto map canton 50 set transform-set strong
crypto map canton 80 match address 111
crypto map canton 80 set peer 6.6.6.6
crypto map canton 80 set transform-set strong
crypto map canton 65500 ipsec-isakmp dynamic dynmap
crypto map canton interface outside
crypto map mymap 8 ipsec-isakmp dynamic dynmap
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 8
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
isakmp ikev1-user-authentication (outside) none
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 4.4.4.4 type ipsec-l2l
tunnel-group 4.4.4.4 ipsec-attributes
pre-shared-key *
tunnel-group 6.6.6.6 type ipsec-l2l
tunnel-group 7.7.7.7 ipsec-attributes
pre-shared-key *
tunnel-group 8.8.8.8 type ipsec-l2l
tunnel-group 8.8.8.8 ipsec-attributes
pre-shared-key *
tunnel-group 9.9.9.9 type ipsec-l2l
tunnel-group 9.9.9.9 ipsec-attributes
pre-shared-key *
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key *
tunnel-group vpn3000 type ipsec-ra
tunnel-group vpn3000 general-attributes
default-group-policy vpn3000
tunnel-group vpn3000 ipsec-attributes
pre-shared-key *
isakmp ikev1-user-authentication (outside) none
tunnel-group 0.0.0.0 type ipsec-l2l
tunnel-group 0.0.0.0 ipsec-attributes
pre-shared-key *
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 ipsec-attributes
pre-shared-key *
tunnel-group 4.4.4.4 type ipsec-l2l
tunnel-group 4.4.4.4 ipsec-attributes
pre-shared-key *
tunnel-group 5.5.5.5 type ipsec-l2l
tunnel-group 5.5.5.5 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 10 retry 3
tunnel-group 6.6.6.6 type ipsec-l2l
tunnel-group 6.6.6.6 ipsec-attributes
pre-shared-key *
telnet 192.168.3.0 255.255.255.0 inside
telnet 192.168.200.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
ssh version 1
console timeout 0
management-access inside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect ils
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
ssl encryption des-sha1 rc4-md5
prompt hostname context
Cryptochecksum:7ce604f250b00ade16927c4c44d02ff9
: end
[OK]
04-05-2010 07:18 AM
David,
This line:
access-list inbound extended permit tcp any host 192.168.3.5 eq smtp
needs to be changed to your public address that you're mapping to:
access-list inbound extended permit tcp any host 70.70.70.70 eq smtp
That should get you fixed up....
HTH,
John
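A small checker for the two points this thread turns on, John's fix above (on PIX 7.x and ASA before 8.3 an interface ACL is evaluated against the mapped, public address from the static, not the inside real address) and Jon's earlier question about whether the ACL is bound with access-group. This is an added Python example, not code from the thread or from Cisco. It understands only the static, access-list and access-group forms quoted in the thread; DAVE_CONFIG is the relevant subset of the posted config, assembled here as sample input.

```python
"""Check a PIX 7.x / ASA pre-8.3 config for the inbound NAT/ACL mismatch in
this thread: an access-list bound to the outside interface that names the
server's inside (real) address instead of the mapped address of the static.
Added example; it parses only the three statement forms quoted in the thread."""
import re

STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) "
    r"(?:(?:tcp|udp) )?(?P<mapped>[\d.]+)(?: [a-z\d]+)? (?P<real>[\d.]+)"
)
ACE_RE = re.compile(
    r"^access-list (?P<name>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any|host \S+|[\d.]+ [\d.]+) "
    r"(?P<dst>any|host \S+|[\d.]+ [\d.]+)(?: eq (?P<port>\S+))?"
)
GROUP_RE = re.compile(r"^access-group (?P<name>\S+) (?:in|out) interface (?P<iface>\w+)")

# Subset of the config posted in the thread, assembled here as sample input.
DAVE_CONFIG = """\
access-list inbound extended permit tcp any host 192.168.3.5 eq smtp
static (inside,outside) tcp 70.70.70.70 smtp 192.168.3.5 smtp netmask 255.255.255.255
access-group inbound in interface outside
"""


def parse_config(text):
    """Pull statics, ACL entries and access-group bindings out of config text."""
    statics, aces, groups = [], [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            statics.append(m.groupdict())
        elif m := ACE_RE.match(line):
            aces.append(m.groupdict())
        elif m := GROUP_RE.match(line):
            groups[m["name"]] = m.groupdict()
    return statics, aces, groups


def _host(obj):
    """IP of a 'host X' object, or None for 'any' and network/mask objects."""
    return obj[5:] if obj.startswith("host ") else None


def _mismatch(ace, groups, by_real):
    """The static whose real address this ACE names while its ACL is bound on the mapped side."""
    g, real = groups.get(ace["name"]), _host(ace["dst"])
    s = by_real.get(real) if real else None
    return s if g and s and s["mapped_if"] == g["iface"] else None


def find_problems(text):
    """Return findings as text; an empty list means static, ACL and binding agree."""
    statics, aces, groups = parse_config(text)
    by_real = {s["real"]: s for s in statics}  # inside address -> its static
    problems = []

    # An ACL that exists but is never bound with access-group filters nothing.
    for name in sorted({a["name"] for a in aces} - set(groups)):
        problems.append(f"access-list {name} is defined but never applied with access-group")

    # Pre-8.3 the interface ACL sees the mapped address, so an ACE on the
    # outside interface written for the real address never gets a hit.
    for a in aces:
        if s := _mismatch(a, groups, by_real):
            problems.append(
                f"access-list {a['name']} on {s['mapped_if']} matches real address "
                f"{s['real']}; use the mapped address: host {s['mapped']}"
            )

    # Every static should be reachable through at least one permit on its mapped side.
    for s in statics:
        permitted = any(
            a["action"] == "permit"
            and groups.get(a["name"], {}).get("iface") == s["mapped_if"]
            and (a["dst"] == "any" or _host(a["dst"]) == s["mapped"])
            for a in aces
        )
        if not permitted:
            problems.append(f"no permit for mapped address {s['mapped']} on {s['mapped_if']}")
    return problems


def rewrite_aces(text):
    """Return the config with offending 'host REAL' ACEs rewritten to 'host MAPPED'."""
    statics, _, groups = parse_config(text)
    by_real = {s["real"]: s for s in statics}
    out = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if m and (s := _mismatch(m.groupdict(), groups, by_real)):
            raw = raw.replace(f"host {s['real']}", f"host {s['mapped']}")
        out.append(raw)
    return "\n".join(out)


if __name__ == "__main__":
    for p in find_problems(DAVE_CONFIG):
        print("-", p)
    print(rewrite_aces(DAVE_CONFIG))
```

Run against DAVE_CONFIG it reports the ACE written for 192.168.3.5 and that nothing permits 70.70.70.70 on outside; rewrite_aces produces the line John gives, after which find_problems returns nothing. Paste a config saved with "wr t" into the text and the same checks apply to every static on the box.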