
How do I get web/mail/SSL past the PIX


Dyehouse1 (MIS, GB), Sep 24, 2002
Here is my config (largely unedited) and I am having some problems. Firstly I need to add some aliases to the external interface so that it can forward different DNS names etc. How do I go about this? Secondly the mail runs on the current external IP BUT with this config I am not getting anything - cannot connect via POP or IMAP. Where am I going wrong? - HELP!

PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password XXXX encrypted
passwd XXXX encrypted
hostname XXXX
domain-name XXXX
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000

access-list outside_access_in permit tcp any eq smtp host 212.240.x.18 eq smtp
access-list outside_access_in permit tcp any eq pop3 host 212.240.x.18 eq pop3
access-list outside_access_in permit tcp any eq 443 host 212.240.x.18 eq 443
access-list outside_access_in permit tcp any eq 143 host 212.240.x.18 eq 143
access-list outside_access_in permit tcp any eq 1723 host 212.240.x.18 eq 1723
access-list outside_access_in permit tcp any eq 212.240.x.20 eq www
access-list outside_access_in permit tcp any eq ftp host 212.240.x.19 eq ftp
access-list outside_access_in permit tcp any eq 98 host 212.240.x.22 eq 98
access-list outside_access_in permit tcp any eq 212.240.x.22 eq www
pager lines 24
logging monitor notifications
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 212.240.x.18 255.255.255.224
ip address inside 10.99.99.13 255.0.0.0
ip address dmz 192.168.1.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm location Bills_PC 255.255.255.255 inside
pdm location 10.250.250.251 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.255 inside
pdm location 10.99.99.7 255.255.255.255 inside
pdm location 10.99.99.3 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 212.240.x.18 smtp 10.99.99.7 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 212.240.x.18 pop3 10.99.99.7 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp 212.240.x.18 1723 10.99.99.3 1723 netmask 255.255.255.255 0 0
static (inside,outside) tcp 212.240.x.18 143 10.99.99.7 143 netmask 255.255.255.255 0 0
static (inside,outside) tcp 212.240.x.18 443 10.99.99.7 443 netmask 255.255.255.255 0 0
static (dmz,outside) tcp 212.240.x.19 ftp ftp.pas.com ftp netmask 255.255.255.255 0 0
static (dmz,outside) tcp 212.240.x.20 255.255.255.255 0 0
static (dmz,outside) tcp 212.240.x.22 98 editor.pas.com 98 netmask 255.255.255.255 0 0
static (dmz,outside) tcp 212.240.x.22 255.255.255.255 0 0
access-group outside_access_in in interface outside
rip inside default version 1
route outside 0.0.0.0 0.0.0.0 212.240.x.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:15:00 absolute uauth 0:05:00 inactivity
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http Internal_Network 255.0.0.0 inside
http Bills_PC 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside Bills_PC /PIX
floodguard enable
no sysopt route dnat
telnet Bills_PC 255.255.255.255 inside
telnet 10.250.250.251 255.255.255.255 inside
telnet timeout 10
ssh timeout 5
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:67cdaf2aca507ca1d4e69281006f25db
: end
 
I think one of the problems you have is caused by your access list. For instance, the first line specifies a connection from any host, but it specifies smtp as the source port. You have correctly included the smtp port along with the destination port, but you won't know what the source port will be.

Try:
access-list outside_access_in permit tcp any host 212.240.x.18 eq smtp

As for the alias, this is now included in the static command; here is an example:

static (inside,outside) tcp 213.138.1.1 smtp 10.130.10.16 smtp dns netmask 255.255.255.255 0 0

In this example an internal host sends a DNS request for another internal host to an external DNS server, which replies with the 213.138.1.1 address. The static command translates the IP address in the DNS reply to 10.130.10.16.


Hope this helps.
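What that `dns' keyword does to the reply, shown as an added simulation in Python (not code from the thread or from Cisco): a constructed DNS response for a name resolving to 213.138.1.1 has its A record rewritten to 10.130.10.16, the way the static above describes. The packet builder, the name walker and the rewrite are my own; the real PIX does this inline on the DNS fixup path, which this does not model.

```python
"""Simulate the A-record rewrite a PIX static with the `dns' keyword performs
on a DNS reply.  Added example, not from the thread or Cisco; the reply below
is constructed, not captured."""
import socket
import struct

def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def _skip_name(buf, i):
    """Return the offset just past the name starting at buf[i]."""
    while True:
        n = buf[i]
        if n == 0:
            return i + 1
        if n & 0xC0 == 0xC0:      # compression pointer: two bytes, name ends here
            return i + 2
        i += 1 + n

def build_a_reply(qname, ip, txid=0x1234, ttl=300):
    """Construct a minimal standard-response packet with one A record."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD, RA
    question = encode_name(qname) + struct.pack("!HH", 1, 1)    # QTYPE A, IN
    # The answer name is a pointer to offset 12, where the question name sits.
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer

def _answers(buf):
    """Yield (rdata_offset, rtype, rdlen) for each record in the answer section."""
    qd, an = struct.unpack("!HH", buf[4:8])
    i = 12
    for _ in range(qd):
        i = _skip_name(buf, i) + 4                 # skip QTYPE + QCLASS
    for _ in range(an):
        i = _skip_name(buf, i)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[i:i + 10])
        i += 10
        yield i, rtype, rdlen
        i += rdlen

def doctor(reply, global_ip, local_ip):
    """Rewrite A records equal to global_ip to local_ip; return (packet, count)."""
    buf = bytearray(reply)
    want = socket.inet_aton(global_ip)
    count = 0
    for off, rtype, rdlen in _answers(buf):
        if rtype == 1 and rdlen == 4 and bytes(buf[off:off + 4]) == want:
            buf[off:off + 4] = socket.inet_aton(local_ip)   # same length, offsets hold
            count += 1
    return bytes(buf), count

def answer_ips(reply):
    """List the A-record addresses in a reply, for inspection."""
    return [socket.inet_ntoa(bytes(reply[off:off + 4]))
            for off, rtype, rdlen in _answers(reply) if rtype == 1 and rdlen == 4]

if __name__ == "__main__":
    raw = build_a_reply("mail.example.com", "213.138.1.1")     # constructed reply
    fixed, n = doctor(raw, "213.138.1.1", "10.130.10.16")
    print(n, answer_ips(raw), "->", answer_ips(fixed))
```

Only records whose RDATA equals the static's global address are touched; a reply for some other host passes through unchanged, which is the check the second call in the test makes.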
 
OK I have changed the static lines as you requested. I also realised that it should be the other way around:

(inside,outside) outsideIP insideIP

I have amended all the static lines to make these changes but I am still getting nothing (weird!). Here is my latest config (I am not brave enough to try the aliases yet; I think I will just try to get something down the interface IP address before I try adding more!). Any ideas where I have gone wrong?

PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password xxx encrypted
passwd xxx encrypted
hostname PIXfirewall
domain-name uk.pas.local
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 192.168.1.4 name 192.168.1.3 ftp.pas.com
name 192.168.1.2 support.pas.com
name 192.168.1.6 is3.pas.com
name 192.168.1.5 editor.pas.com
name 212.240.1XX.0 PAS_IP_Group
name 10.0.0.0 Internal_Network
name 10.250.250.250 Bills_PC
name 199.41.254.177 DHL1
access-list outside_access_in permit tcp any host 10.99.99.7 eq smtp
access-list outside_access_in permit tcp any host 10.99.99.7 eq pop3
access-list outside_access_in permit tcp any host 10.99.99.7 eq 443
access-list outside_access_in permit tcp any host 10.99.99.7 eq 143
access-list outside_access_in permit tcp any host 10.99.99.3 eq 1723
access-list outside_access_in permit tcp any host support.pas.com eq www
access-list outside_access_in permit tcp any host ftp.pas.com eq ftp
access-list outside_access_in permit tcp any host editor.pas.com eq 98
access-list outside_access_in permit tcp any host eq www
pager lines 24
logging monitor notifications
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 212.240.1XX.18 255.255.255.224
ip address inside 10.99.99.13 255.0.0.0
ip address dmz 192.168.1.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm location support.pas.com 255.255.255.255 dmz
pdm location ftp.pas.com 255.255.255.255 dmz
pdm location 255.255.255.255 dmz
pdm location editor.pas.com 255.255.255.255 dmz
pdm location is3.pas.com 255.255.255.255 dmz
pdm location Bills_PC 255.255.255.255 inside
pdm location 10.250.250.251 255.255.255.255 inside
pdm location DHL1 255.255.255.255 outside
pdm location 0.0.0.0 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.255 outside
pdm location 10.99.99.7 255.255.255.255 inside
pdm location 10.99.99.3 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 212.240.1XX.18 smtp 10.99.99.7 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 212.240.1XX.18 pop3 10.99.99.7 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp 212.240.1XX.18 1723 10.99.99.3 1723 netmask 255.255.255.255 0 0
static (inside,outside) tcp 212.240.1XX.18 143 10.99.99.7 143 netmask 255.255.255.255 0 0
static (inside,outside) tcp 212.240.1XX.18 443 10.99.99.7 443 netmask 255.255.255.255 0 0
static (dmz,outside) tcp 212.240.1XX.19 ftp ftp.pas.com ftp netmask 255.255.255.255 0 0
static (dmz,outside) tcp 212.240.1XX.20 255.255.255.255 0 0
static (dmz,outside) tcp 212.240.1XX.22 98 editor.pas.com 98 netmask 255.255.255.255 0 0
static (dmz,outside) tcp 212.240.1XX.22 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 212.240.1XX.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:15:00 absolute uauth 0:05:00 inactivity
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http Internal_Network 255.0.0.0 inside
http Bills_PC 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside Bills_PC /PIX
floodguard enable
no sysopt route dnat
telnet Bills_PC 255.255.255.255 inside
telnet 10.250.250.251 255.255.255.255 inside
telnet timeout 10
ssh timeout 5
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:db9d97489a7718f9effdcf467888239b
: end
 
Looking better, however I see a problem with the access list.

You have:
access-list outside_access_in permit tcp any host 10.99.99.7 eq smtp

The address in the access list should be the outside address, not the internal address. So it should look like:

access-list outside_access_in permit tcp any host 212.240.1XX.18 eq smtp

This will allow a connection to be made to the outside address, the static will then translate the outside address to the inside and (hopefully!!) you'll get a connection.

One point: when modifying the config, issue the clear xlate command as well to flush out the NAT table.


 
Here is my latest config - I have made the access-list changes but still cannot seem to access my mail server on any protocol (pop3/imap4/smtp). I am sure there is something simple I am missing here - any further ideas?

PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password xxx encrypted
passwd xxx encrypted
hostname xxx
domain-name uk.xxx.local
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 192.168.1.4 name 192.168.1.3 ftp.pas.com
name 192.168.1.2 support.pas.com
name 192.168.1.6 is3.pas.com
name 192.168.1.5 editor.pas.com
name 212.240.134.0 PAS_IP_Group
name 10.0.0.0 Internal_Network
name 10.250.250.250 Bills_PC
name 199.41.254.177 DHL1
access-list outside_access_in permit tcp any host 212.240.xxx.18 eq smtp
access-list outside_access_in permit tcp any host 212.240.xxx.18 eq pop3
access-list outside_access_in permit tcp any host 212.240.xxx.19 eq 443
access-list outside_access_in permit tcp any host 212.240.xxx.18 eq 143
access-list outside_access_in permit tcp any host 212.240.xxx.18 eq 1723
access-list outside_access_in permit tcp any host 212.240.xxx.20 eq www
access-list outside_access_in permit tcp any host 212.240.xxx.19 eq ftp
access-list outside_access_in permit tcp any host 212.240.xxx.22 eq 98
access-list outside_access_in permit tcp any host 212.240.xxx.22 eq www
pager lines 24
logging monitor notifications
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 212.240.xxx.18 255.255.255.224
ip address inside 10.99.99.13 255.0.0.0
ip address dmz 192.168.1.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm location support.pas.com 255.255.255.255 dmz
pdm location ftp.pas.com 255.255.255.255 dmz
pdm location 255.255.255.255 dmz
pdm location editor.pas.com 255.255.255.255 dmz
pdm location is3.pas.com 255.255.255.255 dmz
pdm location Bills_PC 255.255.255.255 inside
pdm location 10.250.250.251 255.255.255.255 inside
pdm location DHL1 255.255.255.255 outside
pdm location 0.0.0.0 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.255 outside
pdm location 10.99.99.7 255.255.255.255 inside
pdm location 10.99.99.3 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 Internal_Network 255.0.0.0 0 0
static (inside,outside) tcp 212.240.xxx.18 smtp 10.99.99.7 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 212.240.xxx.18 pop3 10.99.99.7 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp 212.240.xxx.18 1723 10.99.99.3 1723 netmask 255.255.255.255 0 0
static (inside,outside) tcp 212.240.xxx.18 143 10.99.99.7 143 netmask 255.255.255.255 0 0
static (dmz,outside) tcp 212.240.xxx.19 ftp ftp.pas.com ftp netmask 255.255.255.255 0 0
static (dmz,outside) tcp 212.240.xxx.20 255.255.255.255 0 0
static (dmz,outside) tcp 212.240.xxx.22 98 editor.pas.com 98 netmask 255.255.255.255 0 0
static (dmz,outside) tcp 212.240.xxx.22 255.255.255.255 0 0
static (inside,outside) tcp 212.240.xxx.19 443 10.99.99.7 443 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 212.240.xxx.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:15:00 absolute uauth 0:05:00 inactivity
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http Internal_Network 255.0.0.0 inside
http Bills_PC 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside Bills_PC /PIX
floodguard enable
no sysopt route dnat
telnet Bills_PC 255.255.255.255 inside
telnet 10.250.250.251 255.255.255.255 inside
telnet timeout 10
ssh timeout 5
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:6d23e3c7b86556b82ce5451503c15fd9
: end
 
After looking a bit closer at your configuration I see another problem.

The outside interface address of your PIX is n.n.n.18; the configuration allows this to be used as the outgoing source address for PAT, and that's fine.

But the statics are using the outside interface address as well; this won't work. You need to pick another unused address out of your external address space. Is n.n.n.23 in use anywhere?
If not, use this address in the statics and access list instead of n.n.n.18.


access-list outside_access_in permit tcp any host 212.240.xxx.23 eq smtp
access-list outside_access_in permit tcp any host 212.240.xxx.23 eq pop3
access-list outside_access_in permit tcp any host 212.240.xxx.23 eq 143
access-list outside_access_in permit tcp any host 212.240.xxx.23 eq 1723

static (inside,outside) tcp 212.240.xxx.23 smtp 10.99.99.7 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 212.240.xxx.23 pop3 10.99.99.7 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp 212.240.xxx.23 1723 10.99.99.3 1723 netmask 255.255.255.255 0 0
static (inside,outside) tcp 212.240.xxx.23 143 10.99.99.7 143 netmask 255.255.255.255 0 0

You should then be able to telnet to 212.240.xxx.23 port 25 and connect to your smtp server.

Note: if you turn off fixup smtp 25 (no fixup protocol smtp 25) you will get the smtp host name and some other info.

If that works then any MX records will need to use that address for email.

The .224 mask gives you 30 usable addresses.
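The three static/access-list mistakes worked through in the replies so far (a source-port match in the ACE, an ACE written against the inside address, and a static that reuses the interface address PAT is already using) can be checked mechanically. The following Python linter is an added example, not code from the thread or from Cisco; its rules are my reading of the replies above rather than documented PIX behaviour, and it goes one step further than the thread by also flagging a static that no ACE on its outside interface permits. The BAD and GOOD configs are constructed on TEST-NET-3 addresses, modelled on the thread's configs.

```python
# Added example (not from the thread or Cisco): lint PIX 6.x static/ACL pairs for
# the mistakes the replies above identify.  Config lines are constructed on
# TEST-NET-3 addresses, modelled on the thread's configs.
from collections import namedtuple

PORT_NAMES = {"smtp": "25", "pop3": "110", "imap4": "143", "www": "80", "ftp": "21"}
Static = namedtuple("Static", "hi lo gip lip proto gport lport", defaults=(None,) * 3)
Ace = namedtuple("Ace", "name proto src sport dst dport raw")

def _norm(port):
    """Map a PIX port keyword to its number so 'pop3' and '110' compare equal."""
    return PORT_NAMES.get(port, port)

def _addr(t, i):
    """Parse 'any' | 'host A' | 'A MASK' starting at token i."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    return f"{t[i]}/{t[i + 1]}", i + 2

def _port(t, i):
    """Parse an optional 'eq PORT' starting at token i."""
    if i < len(t) and t[i] == "eq":
        return t[i + 1], i + 2
    return None, i

def parse(config):
    """Pull interface addresses, PAT globals, statics, ACEs and access-groups."""
    ifaces, pat, statics, aces, groups = {}, set(), [], [], {}
    for raw in config.splitlines():
        t = raw.split()
        if t[:2] == ["ip", "address"]:
            ifaces[t[2]] = t[3]
        elif t[:1] == ["global"] and t[-1] == "interface":
            pat.add(t[1].strip("()"))              # PAT on the interface address
        elif t[:1] == ["static"]:
            hi, lo = t[1].strip("()").split(",")
            if t[2] in ("tcp", "udp"):             # port static
                statics.append(Static(hi, lo, t[3], t[5], t[2], t[4], t[6]))
            else:                                  # one-to-one static
                statics.append(Static(hi, lo, t[2], t[3]))
        elif t[:1] == ["access-list"] and t[2] == "permit":
            src, i = _addr(t, 4)
            sport, i = _port(t, i)
            dst, i = _addr(t, i)
            dport, _ = _port(t, i)
            aces.append(Ace(t[1], t[3], src, sport, dst, dport, raw))
        elif t[:1] == ["access-group"]:
            groups[t[1]] = t[4]                    # ACL name -> interface it guards
    return ifaces, pat, statics, aces, groups

def _covers(a, s):
    """True if ACE a permits traffic to static s's global address and port."""
    if a.dst not in ("any", s.gip) or (s.proto and a.proto not in ("ip", s.proto)):
        return False
    return s.gport is None or a.dport is None or _norm(a.dport) == _norm(s.gport)

def lint(config):
    """Return a list of findings; an empty list means the checks all pass."""
    ifaces, pat, statics, aces, groups = parse(config)
    out, lips, gips = [], {s.lip for s in statics}, {s.gip for s in statics}
    for s in statics:
        if s.lo in pat and s.gip == ifaces.get(s.lo):
            out.append(f"static {s.gip}: reuses the {s.lo} interface address that "
                       f"'global ({s.lo}) ... interface' already uses for PAT")
        if not any(_covers(a, s) for a in aces if groups.get(a.name) == s.lo):
            out.append(f"static {s.gip} {s.gport or ''}: no ACE on {s.lo} permits its "
                       f"global address, so nothing from outside can reach it")
    for a in aces:
        if a.sport is not None:
            out.append(f"{a.raw}: 'eq {a.sport}' after the source pins the client's "
                       f"source port, which is ephemeral; drop it")
        if a.dst in lips and a.dst not in gips:
            out.append(f"{a.raw}: {a.dst} is a static's inside address; an ACE on "
                       f"{groups.get(a.name)} must match the translated (global) address")
    return out

BAD = """\
ip address outside 203.0.113.18 255.255.255.224
global (outside) 1 interface
static (inside,outside) tcp 203.0.113.18 smtp 10.99.99.7 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.23 pop3 10.99.99.7 pop3 netmask 255.255.255.255 0 0
access-list outside_access_in permit tcp any eq smtp host 203.0.113.18 eq smtp
access-list outside_access_in permit tcp any host 10.99.99.7 eq pop3
access-group outside_access_in in interface outside
"""
GOOD = BAD.replace("203.0.113.18 smtp", "203.0.113.23 smtp") \
          .replace("any eq smtp host 203.0.113.18", "any host 203.0.113.23") \
          .replace("host 10.99.99.7 eq pop3", "host 203.0.113.23 eq 110")

if __name__ == "__main__":
    for name, cfg in (("BAD", BAD), ("GOOD", GOOD)):
        print(name, lint(cfg) or "clean")
```

Run against BAD it reports four findings (the PAT-address reuse, the pop3 static that no ACE reaches, the source-port match, and the ACE aimed at 10.99.99.7); GOOD, which moves everything to .23 and references the global address, comes back clean. The port-name map is deliberately tiny; extend it for whatever keywords your configs use.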
 
First off, thanks for trying to help; it's certainly a weird one.

OK, I have tried some of your suggestions out - I moved the IP address of the SMTP access to 19 instead of 18 (interface IP), including changing the static rule and the access list rule. No go, I am afraid - took out the fixup line and tried telnetting to port 25 (this was my standard test) but with no success.
 
I have also attempted to change the PAT address from the interface address to another address, 212.240.1XX.23, so as to free up the interface so that it can be used and not have to be used for PAT. Still doesn't work :( I am running out of ideas - any experts got any?
 
I prefer to use the interface for the PAT; I always set up PIXs that way, as it makes maximum use of your IP address space.

I think the next step would be to watch your telnet by using the debug command; this way you can be sure that the telnet packets are hitting the outside interface on the PIX.

The command format is `debug packet outside src your-ip dst 212.240.n.19'

Then telnet to n.n.n.19 port 25, see if you get any output.
Also look at the syslog messages: is the access list preventing access? Use the commands `logging monitor 7' and `term mon' if you're using telnet to manage the PIX.

Don't forget the clear xlate; it clears up all sorts of problems.

I'm not so sure about the syntax of your NAT statement either; I always use the syntax NAT (INSIDE) 1 0 0 unless I'm using NAT 0. I had a look on the documentation CD; it only mentions the use of a name in this statement in conjunction with NAT 0.
 
I think the problem must be something to do with my translation settings. I have been looking through the settings on my PDM and the following error comes up when looking at my internal network interface NAT settings:

This dynamic translation rule is overlapping with static port redirection translation rule static address translation for inside 10.99.99.7 using address 212.240.1XX.18 on interface outside port mapping TCP 25 to 25. Do you want to proceed.

[STOP] [PROCEED]

OK, so what's this mean in English? This is the only error I can find in the PDM to do with my setup.
 
I have amended my configuration just in an attempt to get the SMTP working and trying to telnet into port 25. Here is the config as it stands, but I am still unable to connect. I am beginning to think this thing is cursed! I am pretty sure it's not the router causing the issue, as when I plug in the older unix firewall all of it works fine. Can anyone see a fault that I have missed? I can ping the interface but get nothing on 212.240.1XX.23, which is what I have attempted to open for SMTP. This is driving me nuts.

PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password xxx encrypted
passwd xxx encrypted
hostname PIXfirewall
domain-name uk.pas.local
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list outside_access_in permit tcp any host 212.240.1XX.23 eq smtp
pager lines 24
logging monitor notifications
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 212.240.1XX.18 255.255.255.240
ip address inside 10.99.99.13 255.0.0.0
ip address dmz 192.168.1.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.250.250.250 255.255.255.255 inside
pdm location 10.250.250.251 255.255.255.255 inside
pdm location 10.99.99.7 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 212.240.1XX.23 10.99.99.7 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 212.240.1XX.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:15:00 absolute uauth 0:05:00 inactivity
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 10.0.0.0 255.0.0.0 inside
http 10.250.250.250 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 10.250.250.250 /PIX
floodguard enable
no sysopt route dnat
telnet 10.250.250.250 255.255.255.255 inside
telnet 10.250.250.251 255.255.255.255 inside
telnet timeout 10
ssh timeout 5
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:f1c583ca19e65c63be8b187d3a3d042d
: end
 
It looks exactly like other configurations I have set up. After reading back through the thread: you mention some ping tests. Can you ping the internal mail and the external router addresses when logged onto the PIX? e.g. ping inside 10.99.99.7

What console error messages are you getting when you try to telnet to the mail server from the outside interface?

Did you try the clear xlate, any difference if you reload the firewall?

I can understand your frustration, I cannot see anything in the last config you posted that looks wrong.


 
The thing I don't understand is that I cannot ping the other addresses that should be using the outside interface, i.e. 212.240.1XX.19 - 23 - 22 - 21 etc. The only address I can ping is the 18 address (the interface address); is this normal? On our unix box you can just add an alias to the interface and it acts like it has multiple IP addresses. This way just seems....antiquated! shock horror! :)

Thanks for the help I will try out your suggestions and get back.
 
OK, I can ping inside to the mail server fine and I can ping outside (although not the router, because it has ICMP turned off to hide it); it all appears fine except it doesn't work.

Next question: how do I use the console to check for errors? I have never used this feature and I am unsure how to check for port mappings to 25.
 
Your current configuration allows the pix to respond to pings addressed to the outside and inside interfaces:

icmp permit any outside
icmp permit any inside

When you get this working I would recommend removing the line `icmp permit any outside', as with this enabled an external port scanner can detect the existence of the unit.

You won't be able to ping the mail server outside address, as that ping will not be allowed by your access list; you're only allowing TCP connections to the outside address. Hence the reason for using telnet to port 25 for testing.

You could modify (for testing only) the access list to allow ping: replace the tcp keyword with icmp; your current static will allow that through.

The PIX is significantly different to firewall software running on a normal OS platform.


 
Well, I have tried some ping testing - cannot ping 212.240.1XX.23 at all, can only ping the interface. I have also been on the router and it appears as though the static rule is working, as both 212.240.1XX.18 (interface) and 212.240.1XX.23 (internal mail server) are appearing in the router's ARP list under the same MAC address. So it appears as though that part is correct, we have the static right and the router is correct. Have you got any other ideas?

I will go about trying to allow the ICMP through for ping testing and see what happens.
 
OK, I tried opening up ICMP but no joy; it appears as though it doesn't know that it should have 'adopted' 23 as its external address also. Should we be able to ping it? Here is my config now.

PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

hostname PIXfirewall
domain-name uk.pas.local
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list outside_access_in permit tcp any host 212.240.1xx.23 eq smtp
access-list outside_access_in permit icmp any host 212.240.1xx.23
pager lines 24
logging monitor notifications
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 212.240.1xx.18 255.255.255.240
ip address inside 10.99.99.13 255.0.0.0
ip address dmz 192.168.1.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.250.250.250 255.255.255.255 inside
pdm location 10.250.250.251 255.255.255.255 inside
pdm location 10.99.99.7 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 212.240.1xx.23 10.99.99.7 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 212.240.1xx.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:15:00 absolute uauth 0:05:00 inactivity
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 10.0.0.0 255.0.0.0 inside
http 10.250.250.250 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 10.250.250.250 /PIX
floodguard enable
no sysopt route dnat
telnet 10.250.250.250 255.255.255.255 inside
telnet 10.250.250.251 255.255.255.255 inside
telnet timeout 10
ssh timeout 5
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:6a4466c8dc19ec73dc79454cf60f412b
: end
 
Looks like the posts got delayed; maybe the server is a bit on the slow side today.

A useful command on the PIX is `debug icmp trace'; this is turned off with `no debug icmp trace'

This will show all ICMP packets through the firewall, and will show if those packets from outside are being translated; the output takes a bit of figuring out but it's all there.

One point: does your internal email server's default gateway point to the inside address of the PIX? It will need a route there.


The console output depends on how you are monitoring the PIX: whether you are using a console connection to the serial port or a telnet connection.

The command "logging monitor notifications" sends log messages to a telnet session, you would need to use "logging console notifications" to see the same messages via a serial connection.

The notifications keyword is the level of messages you see; try increasing this to informational, which may give some clues as to the nature of the problem.



 
The gateway on my mail server is set to our other external line - I am guessing that this may be my fault! I will test this today and get back.

Could I just add it to the gateway list on the mail server or will it have to go in as the primary field?
 
I think it will have to be the primary field; the mail server will be replying to potentially any Internet-based source address. I'm assuming here that the primary entry is the default or gateway of last resort?

 