
Mail goes out but cannot get back in from the Internet

Status
Not open for further replies.

Vin999

Programmer
May 21, 2003
35
GB
Currently I can send mail out but cannot receive mail back from the Internet. If I remove the Pix and connect directly to the Modem/Router then I can SMTP in on port 25 and SMTP mail works fine both in & out.

I very much appreciate any help.

Vinny.

1. I have 1 global IP address from my ISP - 80.xxx.xxx.225
2. I have a Netgear router/modem connected to the Internet, with the address of 192.168.2.1
3. I have a Cisco Pix 501, with External address of 192.168.2.2 & Internal address 192.168.1.1
4. The router port forwards all traffic on port 80 & port 25 to the Mail Server External interface 192.168.1.2
5. Mail server external address 192.168.1.2 & internal address 192.168.0.3
6. I then have the internal network range from 192.168.0.10 to 192.168.0.20
7. I am running ISA server only in proxy mode so this should not interfere
8. I know the problem is the Pix as everything works fine when I remove the Pix.

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100

hostname SFUKfirewall
domain-name xxx.com

fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25

names
access-list NONAT permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list NONAT permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list acl_out permit tcp any host 192.168.1.2 eq smtp
access-list acl_out permit tcp any host 192.168.1.2 eq www
access-list acl_out permit tcp any host 192.168.1.2 eq pop3
access-list smtpcap permit tcp any any eq smtp


pager lines 24

logging on
logging buffered debugging

interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500

ip address outside 192.168.2.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm
ip audit attack action alarm

pdm logging informational 100
pdm history enable
arp timeout 14400

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
route inside 192.168.0.0 255.255.255.0 192.168.1.2 1


timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local

http server enable
http 192.168.1.0 255.255.255.0 inside

no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5

dhcpd address 192.168.1.2-192.168.1.3 inside
dhcpd dns 158.152.1.58 158.152.1.43
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
 
Add the line

fixup protocol smtp 25

Computer/Network Technician
CCNA
 
Also I noticed that you have not bound your access-lists to any interfaces...

try these as well..

access-group smtpcap in interface outside
access-group acl_out in interface outside

Computer/Network Technician
CCNA
 
Then also... I am assuming your Netgear Router has the option for NAT one-to-one IP mapping, correct?

To set this up you would go ahead and enter the static command...

static (inside,outside) 192.168.2.3 192.168.1.2 netmask 255.255.255.255 0 0

Go ahead then and map your global IP to 192.168.2.3

This would forward the global IP to your mail/web server.

Computer/Network Technician
CCNA
 
Hi LloydSev,

Thanks for your input.

1. I have added "fixup protocol smtp 25"

2. With regard to the following lines of code: -

access-group smtpcap in interface outside
access-group acl_out in interface outside

Only one line remains, which ever line I put in last writes over the first one. Please see config below.

3. I am sorry I did not understand your third suggestion, Please can you explain?

Thanks Vinny.

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100

hostname SFUKfirewall
domain-name xxx.com

fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol smtp 25

names
access-list NONAT permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list NONAT permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list acl_out permit tcp any host 192.168.1.2 eq smtp
access-list acl_out permit tcp any host 192.168.1.2 eq www
access-list acl_out permit tcp any host 192.168.1.2 eq pop3
access-list smtpcap permit tcp any any eq smtp

pager lines 24
logging on
logging buffered debugging
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500

ip address outside 192.168.2.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group smtpcap in interface outside

route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
route inside 192.168.0.0 255.255.255.0 192.168.1.2 1

timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local

http server enable
http 192.168.1.0 255.255.255.0 inside

no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5

dhcpd address 192.168.1.2-192.168.1.3 inside
dhcpd dns 158.152.1.58 158.152.1.43
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80

 
Well.. most routers have the ability to map an internal IP address to an external public IP..

like say 192.168.1.1 could be made 66.73.164.243 via NAT one-to-one IP Maps.

So what you do is add a static line to your PIX config...

static (inside,outside) 192.168.2.3 192.168.1.2 netmask 255.255.255.255 0 0

This would effectively bridge the 193.168.1.2 address on the LAN side of the PIX to 192.168.2.3 on the WAN side of the PIX.

You could then use NAT one-to-one IP Mapping on your Netgear Router to map 192.168.2.3 to an external public IP so that you can access the mail/web server from the internet.

Computer/Network Technician
CCNA
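The forwarding chain described above (router one-to-one map to 192.168.2.3, PIX static from 192.168.2.3 to 192.168.1.2, server behind the PIX), modelled as an added Python example. This is not code from the thread or from Cisco; the router and PIX are simplified models. The addresses are the thread's own RFC 1918 ones, the global IP is replaced by the placeholder 203.0.113.225, and the sender 198.51.100.7 is constructed. It contrasts the original setup (router forwarding to 192.168.1.2, which lies behind the PIX, with acl_out never bound by access-group) against the static-based one, and also covers a PIX 6.x caveat: an ACL applied on the outside interface matches the mapped (global) address, so once the static maps 192.168.2.3 to 192.168.1.2, acl_out has to reference 192.168.2.3 rather than 192.168.1.2.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class Router:
    """Netgear modem/router: it only has routes to its connected subnets
    (192.168.2.0/24 on the LAN side) plus the ISP default route."""
    connected: list
    forwards: dict = field(default_factory=dict)  # dport -> forward target

    def handle(self, pkt):
        target = self.forwards.get(pkt.dport)
        if target is None:
            return ("drop", "no port-forward rule for this port")
        # A forward target behind the PIX (192.168.1.x) is not on any connected
        # subnet, so the only route left is the ISP default, where RFC 1918
        # destinations go nowhere.
        if not any(ip_address(target) in ip_network(n) for n in self.connected):
            return ("drop", f"no route to {target} except the ISP default")
        return ("forward", Packet(pkt.src, target, pkt.dport, pkt.proto))


@dataclass
class Pix:
    """PIX 6.x outside interface: inbound traffic must be permitted by an ACL
    bound with 'access-group ... in interface outside' and must have an xlate
    (here a 'static'). Pre-8.3 PIX evaluates the inbound ACL against the
    mapped (global) address, not the real inside address."""
    statics: dict = field(default_factory=dict)  # mapped -> real
    acl: list = field(default_factory=list)       # (proto, dst_host, dport)
    acl_bound: bool = False

    def handle(self, pkt):
        if not self.acl_bound:
            return ("drop", "no access-group on outside, implicit deny")
        permitted = any(p == pkt.proto and h == pkt.dst and d == pkt.dport
                        for p, h, d in self.acl)
        if not permitted:
            return ("drop", f"acl_out denies {pkt.dst}:{pkt.dport}")
        real = self.statics.get(pkt.dst)
        if real is None:
            return ("drop", f"no xlate for {pkt.dst}")
        return ("deliver", Packet(pkt.src, real, pkt.dport, pkt.proto))


def trace(router, pix, pkt):
    """Walk an inbound packet hop by hop and return (verdict, detail)."""
    verdict, out = router.handle(pkt)
    if verdict != "forward":
        return ("drop", f"router: {out}")
    verdict, out = pix.handle(out)
    if verdict != "deliver":
        return ("drop", f"pix: {out}")
    return ("deliver", f"{out.dst}:{out.dport}")


# Constructed inbound SMTP connection: sender 198.51.100.7 (TEST-NET-2) to the
# placeholder global IP 203.0.113.225 standing in for 80.xxx.xxx.225.
INBOUND_SMTP = Packet(src="198.51.100.7", dst="203.0.113.225", dport=25)
LAN_SIDE = ["192.168.2.0/24"]


def original_config():
    """Thread's first config: forward to 192.168.1.2, acl_out never bound."""
    router = Router(connected=LAN_SIDE, forwards={25: "192.168.1.2", 80: "192.168.1.2"})
    pix = Pix(acl=[("tcp", "192.168.1.2", 25)], acl_bound=False)
    return trace(router, pix, INBOUND_SMTP)


def static_with_real_acl():
    """Static added and ACL bound, but acl_out still names the real address."""
    router = Router(connected=LAN_SIDE, forwards={25: "192.168.2.3", 80: "192.168.2.3"})
    pix = Pix(statics={"192.168.2.3": "192.168.1.2"},
              acl=[("tcp", "192.168.1.2", 25)], acl_bound=True)
    return trace(router, pix, INBOUND_SMTP)


def fixed_config():
    """Router forwards to 192.168.2.3, PIX static maps it, acl_out matches it."""
    router = Router(connected=LAN_SIDE, forwards={25: "192.168.2.3", 80: "192.168.2.3"})
    pix = Pix(statics={"192.168.2.3": "192.168.1.2"},
              acl=[("tcp", "192.168.2.3", 25), ("tcp", "192.168.2.3", 80)],
              acl_bound=True)
    return trace(router, pix, INBOUND_SMTP)


if __name__ == "__main__":
    for name, scenario in [("original", original_config),
                           ("static + real-address ACL", static_with_real_acl),
                           ("fixed", fixed_config)]:
        print(f"{name:28s} -> {scenario()}")
```

Running it prints the three verdicts: the original config dies at the router because 192.168.1.2 is not reachable from it, the half-fixed one dies at the PIX ACL, and only the version where the router forwards to 192.168.2.3, the static maps it and acl_out names 192.168.2.3 delivers to 192.168.1.2:25.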
 
Hi LloydSev,

I have changed my config a little, please have a look.

This is what I am trying to do: -

1. Let the Router handle NAT & PAT
2. The Pix will just forward all requests so no statics will be required
3. I have removed “access-list smtpcap permit….” as I was only trying to use this to capture traffic info, so there is no need for “access-group smtpcap…”
4. I have put in the statement “access-group acl_out in interface outside” to tie in all the “acl_out” statements

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname PIXfirewall
domain-name xxx.com

fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol smtp 25

names
access-list NONAT permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list NONAT permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list acl_out permit tcp any host 192.168.1.2 eq smtp
access-list acl_out permit tcp any host 192.168.1.2 eq www
access-list acl_out permit tcp any host 192.168.1.2 eq pop3

pager lines 24
logging on
logging buffered debugging
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500

ip address outside 192.168.2.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0


ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group acl_out in interface outside

route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
route inside 192.168.0.0 255.255.255.0 192.168.1.2 1

timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local

http server enable
http 192.168.1.0 255.255.255.0 inside

no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5

dhcpd address 192.168.1.2-192.168.1.3 inside
dhcpd dns 158.152.1.58 158.152.1.43

dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
: end
[OK]

 
I don't understand why you have your web/mail server set up within the DHCP pool?
dhcpd address 192.168.1.2-192.168.1.3 inside


You want the router to handle NAT correct?
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
this command should be

nat (inside) 0 0.0.0.0 0.0.0.0 0 0

You want ALL traffic forwarded to your mail server?
route inside 192.168.0.0 255.255.255.0 192.168.1.2 1
this command should be...

route inside 0.0.0.0 0.0.0.0 192.168.1.2 1

Computer/Network Technician
CCNA
 
Hi,

1.
"dhcpd address 192.168.1.2-192.168.1.3 inside"

The 192.168.1.2 is the Pix Internal Interface

The 192.168.1.3 is for a laptop I rigged up to analyse packet flow using Ethereal.

In the future I will make the Pix 192.168.1.2 Static.

2.
"nat (inside) 0 0.0.0.0 0.0.0.0 0 0"

I got the following message from Pix

SFUKfirewall(config)# nat (inside) 0 0.0.0.0 0.0.0.0 0 0
nat 0 0.0.0.0 will be non-translated
(This statement causes me to lose internet)

3.
"route inside 0.0.0.0 0.0.0.0 192.168.1.2 1 "

Tried to enter this statement into Pix and got the following: -

SFUKfirewall(config)# route inside 0.0.0.0 0.0.0.0 192.168.1.2 1
cannot add route entry
Usage: [no] route <if_name> <foreign_ip> <mask> <gateway> [<metric>]
SFUKfirewall(config)# no route inside 192.168.0.0 255.255.255.0 192.168.1.2 1
SFUKfirewall(config)# route inside 0.0.0.0 0.0.0.0 192.168.1.2 1
cannot add route entry
Usage: [no] route <if_name> <foreign_ip> <mask> <gateway> [<metric>]
SFUKfirewall(config)# route inside 0.0.0.0 0.0.0.0 192.168.1.2
cannot add route entry
Usage: [no] route <if_name> <foreign_ip> <mask> <gateway> [<metric>]
SFUKfirewall(config)# route inside 0.0.0.0 0.0.0.0 192.168.1.2 1
cannot add route entry
cannot add route entry


Thanks Vinny.
 
Sorry, correction:

1.
"dhcpd address 192.168.1.2-192.168.1.3 inside"

The 192.168.1.2 is the Mail Server External Interface

In the future I will make this Static.
 
I thought 192.168.1.1 was the PIX internal Interface?
And 192.168.1.2 was the Mail Server?

2.
"nat (inside) 0 0.0.0.0 0.0.0.0 0 0"

I got the following message from Pix

SFUKfirewall(config)# nat (inside) 0 0.0.0.0 0.0.0.0 0 0
nat 0 0.0.0.0 will be non-translated


This means that NAT will not be translated, which will let your router do NAT instead of the PIX.

Of course you would have to remove the "nat (inside) 1 ..." line that you have already entered.

Also, the route inside command can only be done once you remove the original route command.

Computer/Network Technician
CCNA
 
Hi,

RE:
I thought 192.168.1.1 was the PIX internal Interface?
And 192.168.1.2 was the Mail Server?

My mistake. The 192.168.1.2 is the Mail Server External Interface. In the future I will make this Static.

-----------------------

nat (inside) 0 0.0.0.0 0.0.0.0 0 0

I added the above line but lose internet!

-----------------------

SFUKfirewall(config)# no route inside 192.168.0.0 255.255.255.0 192.168.1.2 1

SFUKfirewall(config)# route inside 0.0.0.0 0.0.0.0 192.168.1.2 1

cannot add route entry

I removed the old route before adding the new one but still would not work!

Regards Vinny

 
Hi,

Can anyone clear this up for me.

1. I have 1 global IP address from my ISP - 80.xxx.xxx.225

2. I have a Netgear router/modem connected to the Internet; the external interface uses the 80.xxx.xxx.225 & the internal interface uses 192.168.2.1

3. I have a Cisco Pix 501, with External address of 192.168.2.2 & Internal address 192.168.1.1

4. The router port forwards all traffic on port 80 & port 25 to the Mail Server External interface 192.168.1.2

The Router can obviously ping 80.xxx.xxx.225 & 192.168.2.2. because it is directly connected to these interfaces.

It cannot ping 192.168.1.1 or 192.168.1.2, so am I wrong in telling the Router to port forward all traffic on ports 25 & 80 to my Mail Server External interface 192.168.1.2, which the Router cannot possibly see?

Thanks in Advance.
Vinny
 
It can see those addresses, but you have not allowed icmp in your access-lists, so you won't receive a reply as the mail server should never receive the pings through the PIX.



Computer/Network Technician
CCNA
 
Why don't you do this...

Internet ->-> Hub/Switch ->-> PIX ->-> LAN
                  |
                  |
             Mail Server

Computer/Network Technician
CCNA
 

I wanted the Mail Server behind the Pix for security; we only have the one Server, which we use for Mail & other Applications.

So, where should my Router be Forwarding all traffic?

Regards Vinny
 