Additional Static command stops email......

Status
Not open for further replies.

hbalf1

MIS
Oct 23, 2003
71
GB
Hi All
I was trying to set up a VPN (which worked) but in the process knocked out my email via a PIX 506e.
I have lines for email as follows:

access-list acl permit tcp any host 1.2.3.4 eq smtp
access-group acl in interface outside
static (inside,outside) 1.2.3.4 10.0.0.1 netmask 255.255.255.255 0 0

If I add similar lines for a VPN (including a static statement) then email stops getting delivered. I figure it is the static command getting overwritten by the vpn external ip address.

Do I really need the static command in there? If so, how can I share it with another static command?

Thanks

Lewej
 
Or should my static command be:

static (OUTSIDE,INSIDE) 1.2.3.4 10.0.0.1 netmask 255.255.255.255 0 0

rather than (inside,outside)?

Thanks

Lewej
 
Hi

My PIX config is:

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname HistPIX
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside-in permit tcp any host x.x.x.51 eq smtp
pager lines 24
logging on
logging buffered debugging
logging trap warnings
logging host inside 172.16.0.2
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.50 255.255.255.248
ip address inside 172.16.0.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.52-x.x.x.60 netmask 255.255.255.248
global (outside) 1 x.x.x.61 netmask 255.255.255.248
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.51 172.16.0.4 netmask 255.255.255.255 0 0
access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 172.16.0.2 pix/config/viatest
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:4413a21042a76647eb15933d17ff9b0a
: end
[OK]

I just want to add a VPN connection.

If I add

access-list vpn permit tcp any host x.x.x.62 eq 1723
access-list vpn permit gre any host x.x.x.62
access-group vpn in interface outside
static (inside,outside) x.x.x.62 172.16.0.4 netmask 255.255.255.255 0 0

then it all seems to work, but email stops flowing in.

Can anyone help on this?

Thanks and Regards

Lewej
 
Hi

OK - if I add:

access-list outside-in permit tcp any host x.x.x.62 eq 1723
access-list outside-in permit gre any host x.x.x.62
fixup protocol pptp 1723
static (inside,outside) x.x.x.62 172.16.0.4 netmask 255.255.255.255 0 0

It all seems to work. Basically I bundled the VPN onto the same access-list as the email one and it seems OK.

Lewej
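
Editor's added example (not part of the posts above, and not Cisco code): a PIX binds only one access list per interface with access-group, so a second access-group command on the same interface replaces the first, which is why merging the VPN entries into outside-in kept SMTP working. The Python sketch below replays a proposed command sequence and reports ACLs that a later access-group would displace; the function name and the sample text are constructed for illustration, and it assumes ACLs are only used through access-group.

```python
import re

# Constructed sample: the thread's SMTP lines followed by the separate "vpn" ACL attempt.
SAMPLE_CONFIG = """\
access-list outside-in permit tcp any host x.x.x.51 eq smtp
access-group outside-in in interface outside
access-list vpn permit tcp any host x.x.x.62 eq 1723
access-list vpn permit gre any host x.x.x.62
access-group vpn in interface outside
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(.+)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")


def audit_bindings(config):
    """Replay commands in order.

    Returns (bound, displaced, orphaned):
      bound     - interface -> ACL name in effect after the last command
      displaced - (interface, old ACL, new ACL) for each replaced binding
      orphaned  - ACL name -> entries that are defined but bound nowhere
    """
    acls, bound, displaced = {}, {}, []
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append(m.group(2))
        elif m := GROUP_RE.match(line):
            name, iface = m.groups()
            old = bound.get(iface)
            if old and old != name:
                displaced.append((iface, old, name))
            bound[iface] = name  # the later binding wins
    active = set(bound.values())
    # Assumption: an ACL not bound by access-group is unused (ignores nat 0 / crypto use).
    orphaned = {n: e for n, e in acls.items() if n not in active}
    return bound, displaced, orphaned


if __name__ == "__main__":
    bound, displaced, orphaned = audit_bindings(SAMPLE_CONFIG)
    for iface, old, new in displaced:
        print(f"{iface}: access-group {new} replaced {old}")
    for name, entries in orphaned.items():
        for entry in entries:
            print(f"no longer enforced: access-list {name} {entry}")
```

Run against a change script before pasting it into the firewall; any "no longer enforced" line is a permit that will silently stop matching traffic.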
 