
Help with Router>Pix>Exchange ? 1


DKMOORE (Technical User) - Apr 19, 2002
I have just installed a Pix515. My intention is to allow traffic to the Exchange Server on the inside of the Pix. I want to allow all traffic for smtp, pop3, OWA (Http) for now until I set up certificates. I have no trouble with outbound traffic. I have set up a static translation to the Exchange box on the Pix, and I am using Nat/Pat on the Pix.
Problem: I can ping the Exchange machine from either interface on the router, but cannot access it from any other outside source. I think the problem stems from the Nat statements on the router, however I am not sure how to fix it. (I am a newbie).

Configs:
Pix>
PIX Version 6.1(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
enable password NC1KgWaSUzBT8QU2 encrypted
passwd NC1KgWaSUzBT8QU2 encrypted
hostname pix515
domain-name svc.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host xxx.158.224.107 eq smtp
access-list 100 permit icmp any host xxx.158.224.107
access-list 100 permit tcp any host xxx.158.224.107 eq www
pager lines 24
logging on
logging timestamp
logging trap alerts
logging history debugging
logging host inside 172.16.10.3
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside xxx.158.224.106 255.255.255.248
ip address inside 172.16.10.1 255.255.255.0
ip address dmz 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
pdm location 172.16.10.5 255.255.255.255 inside
pdm location 172.16.10.11 255.255.255.255 inside
pdm location 172.16.10.3 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 xxx.158.224.108-xxx.158.224.109
global (outside) 1 xxx.158.224.110
nat (inside) 1 172.16.10.0 255.255.255.0 0 0
static (inside,outside) xxx.158.224.107 172.16.10.5 netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 216.158.224.105 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 172.16.10.11 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 172.16.10.0 255.255.255.0 inside
telnet timeout 2
ssh timeout 5
dhcpd dns 172.16.10.3
dhcpd wins 172.16.10.3
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain svc.com
terminal width 80
Cryptochecksum:0454e4938222f73d16a95565d1df49c2
: end
[OK]
pix515#

Router>
Current configuration : 999 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname ICCI_Gateway
!
enable password 7 03174D08395D711C1F4D
!
ip subnet-zero
ip name-server xxx.0.191.140
!
!
!
!
interface FastEthernet0
description connected to Deering_Lan
ip address xxx.158.224.105 255.255.255.248
ip nat inside
speed auto
!
interface Serial0
description connected to Internet
ip address xxx.158.217.34 255.255.255.252
ip nat outside
service-module t1 remote-alarm-enable
!
interface Serial1
no ip address
shutdown
!
ip nat inside source list 1 interface Serial0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
ip route xxx.158.224.104 255.255.255.248 xxx.158.224.106
no ip http server
!
!
access-list 1 permit 172.16.10.0 0.0.0.255
access-list 1 permit xxx.158.224.104 0.0.0.7
snmp-server community public RO
!
line con 0
exec-timeout 0 0
password 7 04481D0530731C1E585D
login
line aux 0
line vty 0 4
password 7 08325A4D364B5547434F
login
!
end

ICCI_Gateway#

Any help will be greatly appreciated!!!!
 
Why is NAT enabled on the router? If the PIX is providing NAT/PAT, do you need it on the router for some other service connected to the router? However, I don't think that is the cause of the problem.

You state that outgoing traffic is fine; is that just outgoing mail or is it any traffic, such as web browsing? Does all this traffic come from the same server (172.16.10.5), or from other devices on your inside network?

My feeling is that this is a routing issue on the server, does its default gateway point at the PIX inside address?

 
Thanks for the reply routerman!

No I don't think I need NAT on the router, this is left from the previous config before the pix.

Yes, all traffic including smtp, http, icmp gets out and back. I just can't get to the Public IP of the Exchange box from beyond the router. I can telnet from either interface on the router to the Exchange machine. Yes, the gateway is set to the inside IP of the pix. Also running DNS and DHCP on the inside via W2K server.

The thing that has me puzzled is when I debug icmp trace on the pix, the packets get translated outbound correctly... but when I ping from the router to the exchange server public IP address, the address from the router gets translated to an internal IP address 172.16.10.44:
Router address > Pix Nat (why?) > Inside
i.e. xxx.xxx.xxx.34 > xxx.xxx.xxx.110 > 172.16.10.44

Why is the outside getting NAT on the way in?
How does it get translated to an inside address?
We are using DHCP on our W2K server, so I am guessing that somehow the pix is getting this address from there?
Clarification: the pix and the exchange server have static addresses outside the DHCP pool, and do have entries in the DNS.

I hope this clarifies things a bit...
 
Ok, if you don't need NAT on the outside router then you can remove it; the following text would do that.

interface FastEthernet0
no ip nat inside
interface Serial0
no ip nat outside
!
no ip nat inside source list 1 interface Serial0 overload
no access-list 1 permit 172.16.10.0 0.0.0.255
no access-list 1 permit xxx.158.224.104 0.0.0.7

Save the new config (wr mem) and to be sure reload the router.

On the PIX, the public-facing IP address of your server 172.16.10.5 is xxx.158.224.107, not xxx.xxx.xxx.110. Is this the address you are telnetting to? This is defined in the static (inside,outside) command.

If you have made any config changes to the PIX you need to issue the 'wr mem' command, followed by 'clear xlate' if you have changed NAT or static statements.



 
Well I am back....

Thanks for your suggestions! But -
I removed all of the nat statements from the router, saved and reloaded, and all http and smtp traffic from inside to outside was blocked.

This can be so frustrating. I have read so much info stating "just do this and voila", but this has yet to be the case for me...

This seems like such a simple setup - but I can't seem to get it.

Can someone please review my configs and suggest, other than the NAT on the router, what could be keeping traffic from outside from reaching the Exchange box...

Thanks in advance
 
I agree, it should be a simple set up, however it looks like you have picked up a real bag of worms here. From your last post it looks like the router configuration was NATing the PIX NAT addresses, a

To make that a bit clearer: the packet sets off from your server with a source IP 172.16.10.5, and via the PIX NAT gets translated to address xx.158.224.107 by the static (inside,outside) statement.
It then gets translated again via the router NAT to xxx.158.217.34, which is the serial interface IP address on the router.

By removing the router NAT the source address of those packets hitting the Internet is now in the range xx.158.224.104/29.

If you agree with this so far, I would suggest that you check with your ISP the address range they have allocated for the PIX-to-router LAN. They should have a route back to this network, which is configured as xx.158.224.104/29, via xxx.158.217.34, serial 0 on the router. If they don't, then that would cause a problem.
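The double translation described in this post can be spotted from the router config alone: if the access-list that feeds `ip nat inside source list` matches the PIX's public subnet, the PIX's already-translated addresses get NATed a second time on the way out. The following checker is an added example and is not code from the thread; the router excerpt it reads is constructed to mirror the one posted above, with the documentation range 203.0.113.x standing in for the thread's xxx.158.224.x, and the list of PIX public addresses is an assumed input.

```python
import ipaddress

# Constructed excerpt modelled on the IOS router config in the thread.
# 203.0.113.104/29 stands in for the thread's xxx.158.224.104/29 PIX-to-router LAN.
ROUTER_CONFIG = """\
ip nat inside source list 1 interface Serial0 overload
access-list 1 permit 172.16.10.0 0.0.0.255
access-list 1 permit 203.0.113.104 0.0.0.7
"""


def parse_nat_acl_entries(config):
    """Return {acl_number: [(base_int, wildcard_int), ...]} for every standard
    access-list that an 'ip nat inside source list' statement references."""
    lines = [line.split() for line in config.splitlines() if line.strip()]
    # 'ip nat inside source list N ...' -> N is the sixth token
    nat_lists = {t[5] for t in lines if t[:5] == ["ip", "nat", "inside", "source", "list"]}
    entries = {}
    for t in lines:
        if t[0] == "access-list" and t[1] in nat_lists and t[2] == "permit":
            base = int(ipaddress.ip_address(t[3]))
            # a bare host entry has no wildcard; IOS treats it as 0.0.0.0
            wild = int(ipaddress.ip_address(t[4])) if len(t) > 4 else 0
            entries.setdefault(t[1], []).append((base, wild))
    return entries


def wildcard_match(ip, base, wild):
    """IOS wildcard semantics: bits set in the wildcard are 'don't care' bits."""
    return (int(ipaddress.ip_address(ip)) & ~wild) == (base & ~wild)


def double_natted(config, pix_public_addrs):
    """Return the PIX public (global/static) addresses that the router's
    inside-source NAT list would translate a second time."""
    entries = parse_nat_acl_entries(config)
    rules = [rule for rule_list in entries.values() for rule in rule_list]
    return [addr for addr in pix_public_addrs
            if any(wildcard_match(addr, base, wild) for base, wild in rules)]


if __name__ == "__main__":
    # Assumed PIX public addresses: the static for the mail server and one global pool address.
    hit = double_natted(ROUTER_CONFIG, ["203.0.113.107", "203.0.113.110", "198.51.100.5"])
    for addr in hit:
        print(f"{addr}: already translated by the PIX, would be NATed again by the router")
```

Any address the function lists leaves the router sourced from the serial interface, so an outside host sees neither the static nor the global pool address the PIX config intends; removing the router's NAT list, or at least the wildcard entry covering the PIX subnet, empties the list.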


 
Routerman!

It is funny how something so simple can be overlooked.
I have a feeling you are correct, without a static route on our ISP's router no way back...

I will let you know how that turns out - if successful then I will work on getting rid of the NAT on our router again.
 
Actually, after about 3 seconds of thinking about it, I remembered a little thing about routing tables...
If my router has a static route entry and it is connected to my ISP's router, then the ISP's router should know how to get to my other subnet via the routing table. Should it not?
 
Your static route on your router won't announce a route to your ISP's router. Your ISP needs to have the route in its router and announce it to its peers (other ISPs). A simple call to their tech support will verify whether they have the route to your subnet.

You could also (from outside your office) try a traceroute to your new subnet (xxx.158.224.104/29), and see where the last hop is. It should be your router.
 
Well I am back...I finally resolved the main problem!
Apparently there was miscommunication between myself and our ISP. They had assigned, or I had configured, an incorrect IP address pool. Since discovering this I have been able to remove all nat statements from the router, and traffic flows as expected.

My problem now lies in the fact that I cannot establish a connection with the exchange server from outside our network.

I have read several threads about setting TCP/IP ports for Exchange and the Pix, and have implemented them, but still no success. I am able to telnet into the opened ports, but cannot establish a connection either via an HTTP browser or via POP3/SMTP from outside our net.

We are running Exchange (OWA)/IIS all on the same machine, which is inside the PIX, and cannot figure out the problem.

I can connect from inside using either web or Exchange account, so I believe the Exchange server is configured correctly. I have also successfully sent mail via the Exchange server from inside, so...

Here is my PIX config:

PIX>

PIX Version 6.1(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
enable password NC1KgWaSUzBT8QU2 encrypted
passwd NC1KgWaSUzBT8QU2 encrypted
hostname pix515
domain-name svc.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list outside_access_in permit tcp any eq XXX.158.222.107 eq www
access-list outside_access_in permit tcp any eq smtp host XXX.158.222.107 eq smtp
access-list outside_access_in permit tcp any eq pop3 host XXX.158.222.107 eq pop3
access-list outside_access_in permit tcp any host XXX.158.222.107 eq 135
access-list outside_access_in permit tcp any host XXX.158.222.107 eq 5000
access-list outside_access_in permit tcp any host XXX.158.222.107 eq 5001
access-list outside_access_in permit icmp any host XXX.158.222.107
pager lines 24
logging on
logging timestamp
logging trap alerts
logging history debugging
logging host inside 172.16.10.3
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside XXX.158.222.106 255.255.255.248
ip address inside 172.16.10.1 255.255.255.0
ip address dmz 172.16.20.1 255.255.255.0
ip audit name test attack action alarm
ip audit interface outside test
ip audit interface inside test
ip audit info action alarm
ip audit attack action alarm
pdm location 172.16.10.5 255.255.255.255 inside
pdm location 172.16.10.11 255.255.255.255 inside
pdm location 172.16.10.3 255.255.255.255 inside
pdm location 172.16.10.38 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 XXX.158.222.108-XXX.158.222.109
global (outside) 1 XXX.158.222.110
nat (inside) 1 172.16.10.0 255.255.255.0 0 0
static (inside,outside) XXX.158.222.107 172.16.10.5 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 XXX.158.224.105 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 172.16.10.11 255.255.255.255 inside
http 172.16.10.38 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 172.16.10.0 255.255.255.0 inside
telnet timeout 2
ssh timeout 5
terminal width 80
Cryptochecksum:5040e9d2e8373a9bbc1df868207d1a66
: end
[OK]

Thanks in advance for any help!
 
I think the problem is in your ACL:

access-list outside_access_in permit tcp any eq XXX.158.222.107 eq www
access-list outside_access_in permit tcp any eq smtp host XXX.158.222.107 eq smtp
access-list outside_access_in permit tcp any eq pop3 host XXX.158.222.107 eq pop3

The port used by the originating host will not be but will be the next available. So I suggest trying:

access-list outside_access_in permit tcp any host XXX.158.222.107 eq www
access-list outside_access_in permit tcp any host XXX.158.222.107 eq smtp
access-list outside_access_in permit tcp any host XXX.158.222.107 eq pop3


Andy
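Andy's point is that an `eq` placed before the destination host pins the client's source port, which is ephemeral, so the entry never matches real traffic; the first of the three lines also drops the `host` keyword, so the address ends up where a port belongs. The linter below is an added example, not code from the thread, and reads a constructed PIX 6.x excerpt modelled on the second config above (203.0.113.x stands in for XXX.158.222.x; the finding codes are my own naming). Beyond the source-port mistake it also flags an inbound permit for a host that has no static (inside,outside) translation, a static whose mapped address is off the outside subnet, and an access-group that names an undefined list.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample config modelled on the second PIX config in the thread.
# The first two access-list lines carry the mistakes Andy identified; the
# fourth permits a host (203.0.113.111) that no static maps to an inside server.
SAMPLE_CONFIG = """\
ip address outside 203.0.113.106 255.255.255.248
access-list outside_access_in permit tcp any eq 203.0.113.107 eq www
access-list outside_access_in permit tcp any eq smtp host 203.0.113.107 eq smtp
access-list outside_access_in permit tcp any host 203.0.113.107 eq pop3
access-list outside_access_in permit tcp any host 203.0.113.111 eq 135
static (inside,outside) 203.0.113.107 172.16.10.5 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
"""


@dataclass
class AclEntry:
    name: str
    proto: str
    src: str
    sport: Optional[str]   # source port operator, which should normally be absent
    dst: str
    dport: Optional[str]
    raw: str


def _take_addr(t, i):
    """Consume one PIX address spec at t[i]: 'any', 'host A', or 'A MASK'."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    return f"{t[i]}/{t[i + 1]}", i + 2


def _take_port(t, i):
    """Consume an optional 'eq PORT' operator at t[i]."""
    if i < len(t) and t[i] == "eq":
        return t[i + 1], i + 2
    return None, i


def parse_acl(line):
    """Parse 'access-list NAME permit PROTO SRC [eq P] DST [eq P]'; None if not a permit entry."""
    t = line.split()
    if len(t) < 5 or t[0] != "access-list" or t[2] != "permit":
        return None
    try:
        src, i = _take_addr(t, 4)
        sport, i = _take_port(t, i)
        dst, i = _take_addr(t, i)
        dport, _ = _take_port(t, i)
    except IndexError:            # truncated entry: report it with unknown fields
        return AclEntry(t[1], t[3], "?", None, "?", None, line)
    return AclEntry(t[1], t[3], src, sport, dst, dport, line)


def _is_address(spec):
    try:
        ipaddress.ip_address(spec.split("/")[0])
        return True
    except ValueError:
        return False


def lint(config_text):
    """Return (code, offending text) findings for inbound-access mistakes."""
    lines = [line.strip() for line in config_text.splitlines() if line.strip()]
    statics, acl_names, entries, outside_net = {}, set(), [], None
    for line in lines:
        t = line.split()
        if t[:3] == ["ip", "address", "outside"]:
            outside_net = ipaddress.ip_interface(f"{t[3]}/{t[4]}").network
        elif t[0] == "static" and t[1] == "(inside,outside)":
            statics[t[2]] = t[3]          # mapped (outside) address -> real inside address
        elif t[0] == "access-list":
            entry = parse_acl(line)
            if entry:
                entries.append(entry)
                acl_names.add(entry.name)
    findings = []
    for e in entries:
        if e.sport is not None and _is_address(e.sport):
            findings.append(("ADDRESS_AS_PORT", e.raw))   # 'any eq A.B.C.D': host keyword missing
            continue
        if e.sport is not None:
            findings.append(("SOURCE_PORT", e.raw))       # client source ports are ephemeral
        if e.dst != "any" and not _is_address(e.dst):
            findings.append(("BAD_ADDRESS", e.raw))
        elif e.dst != "any" and e.dst not in statics:
            findings.append(("NO_STATIC", e.raw))         # permitted, but nothing to translate to
    for mapped in statics:
        if outside_net and ipaddress.ip_address(mapped) not in outside_net:
            findings.append(("STATIC_OFF_SUBNET", mapped))
    for line in lines:
        t = line.split()
        if t[0] == "access-group" and t[1] not in acl_names:
            findings.append(("UNKNOWN_ACL", line))
    return findings


if __name__ == "__main__":
    for code, text in lint(SAMPLE_CONFIG):
        print(f"{code:18} {text}")
```

Run against the sample it reports the two faulty lines and the orphaned permit for 203.0.113.111; rewriting the first two entries as `any host 203.0.113.107 eq www` and `any host 203.0.113.107 eq smtp`, as Andy suggests, clears the first two findings.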
 
Andy,

Thanks for responding...you were absolutely correct. I now have web access. I am still getting an error when I try to connect using pop3...

Error message - The specified server was found, but there was no response from the server. Please verify that the port and SSL information is correct.

I have been successful sending, however, so I think the smtp side is working.

Any ideas?

Thanks

Don

 
I think you should open static PAT in your router
to permit outside access to your PIX IP address on the pop3, smtp and web ports when you need to open them.

ip nat inside source static ...(follow the help)

Because I see you open it in the PIX, but how can I access your PIX when your router filters it?

Internet user ---> IOS router (with static PAT) ---> PIX (static PAT or static NAT) --> server service.

Hope this is helpful.
 
After reading through all this thread again I'm sure the basic communication path through the PIX is OK. You say that the one server supports email etc., so if one service works then the rest have a path out as well.

From the server you should be able to ping your pop3 server; try pinging the URL of the POP server. Your PIX config allows ICMP echo replies back if you ping from the server, so you should get a reply; this also assumes that the server is configured to respond to a ping. If you get a reply then you know the path is OK; if you don't, well, that's not 100% bad. If that fails you could try telnet to the URL, setting the destination port to 110; you would expect a response from the pop3 server.

I think the PIX is OK, and that the problem may lie in the server set up either at your site or the ISP, the error seems to indicate you are reaching the remote server.
 
Routerman,

Just wanted to let you know...I did not correct the access list for the pop3 port.

Now that I have done this all is working.

Thanks for all your help.

Question: If I am using exchange client inside, and web access outside, the only ports I really need open are http and smtp correct?

Thanks again for the help.

Don
 
Hi Don, got there at last!!

You are correct: if your Exchange client connects to an external pop3 server then the PIX will allow the outbound connection and the corresponding replies, unless blocked by any access-list on the inside interface.

But for devices on the outside (SMTP and HTTP access) you need to specifically open up a hole through the PIX; this is done with the static and access-list commands.
 