Need help opening pop3 on pix 501

Status
Not open for further replies.

systemengineer1972

Technical User
Dec 8, 2003
GB
Can someone help me open up port 110 (pop3) on my firewall? Here is my running config.
Tried for some time now with no success.

Help !!!


ims(config)# sho conf
: Saved
:
PIX Version 6.1(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password QfSCP6BSRXVTKzlY encrypted
passwd QfSCP6BSRXVTKzlY encrypted
hostname ims
domain-name hq.ims
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 192.168.200.9 EPO
name 192.168.200.177 TONIC
name 192.168.200.7 IMS-PDC
name 192.168.200.187 Tech
access-list outside_access_in permit tcp any host 81.5.*.* eq 1723
access-list outside_access_in permit udp any host 81.5.*.* eq isakmp
access-list outside_access_in permit udp any host 81.5.*.* eq 1701
access-list outside_access_in permit tcp any host 81.5.*.* eq smtp
access-list outside_access_in permit tcp any host 81.5.*.* eq pop3
access-list outside_access_in permit tcp any host 81.5.*.* eq pop3
access-list outside_access_in permit tcp any host 81.5.*.* eq www
access-list acl-out permit tcp any host 81.5.*.* eq smtp
access-list acl-out permit tcp any host 81.5.*.* eq 1723
access-list acl-out permit gre any host 81.5.*.*
access-list acl-out permit udp any host 81.5.*.* eq 1723
access-list acl-out permit udp any host 81.5.*.* eq 1701
access-list acl-out permit udp any host 81.5.*.* eq isakmp
access-list acl-out permit tcp any host 192.168.200.149 eq 5045
access-list acl-out deny tcp any any
access-list acl-out permit tcp any host 81.5.*.* eq pop3
access-list acl_out permit tcp any host 81.5.*.* eq www
access-list acl_out permit tcp host 81.5.*.* eq pop3 any
access-list acl_out permit tcp any host 81.5.*.* eq pop3
access-list outside_acess_in permit tcp any host 81.5.*.* eq www
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 81.5.*.* 255.255.255.240
ip address inside 192.168.200.240 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool 192.168.200.190-192.168.200.194
pdm location EPO 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.255 outside
pdm location 192.168.0.0 255.255.255.0 outside
pdm location TONIC 255.255.255.255 inside
pdm location IMS-PDC 255.255.255.255 inside
pdm location Tech 255.255.255.255 inside
pdm location 207.68.171.233 255.255.255.255 outside
pdm location 207.68.171.233 255.255.255.255 inside
pdm location 212.69.194.157 255.255.255.255 outside
pdm location 217.207.11.140 255.255.255.255 outside
pdm history enable
arp timeout 14400
global (outside) 1 81.5.*.132-81.5.*.133 netmask 255.255.255.240
global (outside) 1 81.5.*.134 netmask 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 81.5.*.137 Tech netmask 255.255.255.255 0 0
static (inside,outside) 81.5.*.* TONIC netmask 255.255.255.255 0 0
static (inside,outside) 81.5.*.* 192.168.200.5 netmask 255.255.255.255 0 0
static (inside,outside) 81.5.*.* 192.168.200.4 netmask 255.255.255.255 0 0
static (inside,outside) 81.5.*.* IMS-PDC netmask 255.255.255.255 0 0
access-group acl-out in interface outside
conduit deny tcp any any eq 1863
conduit deny udp any any eq 1863
route outside 0.0.0.0 0.0.0.0 81.5.*.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
url-server (outside) host 207.68.171.233 timeout 5 protocol TCP version 1
http server enable
http 192.168.200.0 255.255.255.0 inside
http 192.168.20.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
no sysopt route dnat
telnet 192.168.200.0 255.255.255.0 inside
telnet 81.5.*.* 255.255.255.255 inside
telnet 81.5.*.* 255.255.255.255 inside
telnet IMS-PDC 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:259a681616b00b0ed054a326d45d7fd8
ims(config)#
 
Open up port 110 inbound or outbound? If inbound, what public address should map to what inside address? In other words, what exactly are you trying to achieve?
 
I would like an external user via the internet to connect to his pop box on our exchange server.
I already have a static route of 81.5.141.*** to an internal of 192.168.200.7, and as you can see from my running conf I think I have set up the access-list correctly..?
Is there something else I have to do?




 
access-list acl-out deny tcp any any
access-list acl-out permit tcp any host 81.5.*.* eq pop3

access-group acl-out in interface outside

Your deny statement is matched before your permission for pop3 traffic, so that's why it isn't working. They need to be in the following order:

access-list acl-out permit tcp any host 81.5.*.* eq pop3
access-list acl-out deny tcp any any
 
And don't post the same question twice ;-)

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
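
The first-match problem described in the answer above can be checked mechanically. The following is an added example, not part of the original thread: a small Python linter for PIX-style `access-list` lines that flags an entry shadowed by an earlier `any any` entry of the opposite action, and ACL names that are never applied with `access-group`. The sample config is constructed from the posted lines with the masked address replaced by the documentation address 203.0.113.10, and the coverage check is deliberately simplified to the `any any` case.

```python
import re

# Constructed sample based on the posted config; 203.0.113.10 stands in
# for the masked public address.
SAMPLE = """\
access-list acl-out permit tcp any host 203.0.113.10 eq smtp
access-list acl-out deny tcp any any
access-list acl-out permit tcp any host 203.0.113.10 eq pop3
access-list acl_out permit tcp any host 203.0.113.10 eq pop3
access-group acl-out in interface outside
"""

ACE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) (.+)$")
GROUP = re.compile(r"^access-group (\S+) in interface (\S+)$")

def parse(config):
    """Return ({acl_name: [(action, proto, rest, line)]}, {acl_name: interface})."""
    acls, bound = {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := ACE.match(line):
            name, action, proto, rest = m.groups()
            acls.setdefault(name, []).append((action, proto, rest, line))
        elif m := GROUP.match(line):
            bound[m.group(1)] = m.group(2)
    return acls, bound

def covers(earlier, later):
    """Simplified: an earlier 'any any' entry with no port, for the same
    protocol (or 'ip'), matches everything the later entry could match."""
    return earlier[2].strip() == "any any" and earlier[1] in (later[1], "ip")

def lint(config):
    """List ('shadowed', later_line, earlier_line) and ('unbound', acl_name, None)."""
    acls, bound = parse(config)
    findings = []
    for name, entries in acls.items():
        if name not in bound:
            # Entries in an ACL that no access-group applies are never evaluated.
            findings.append(("unbound", name, None))
            continue
        for i, later in enumerate(entries):
            for earlier in entries[:i]:
                # First match wins: the later entry can never take effect.
                if earlier[0] != later[0] and covers(earlier, later):
                    findings.append(("shadowed", later[3], earlier[3]))
                    break
    return findings
```

On the constructed sample, `lint(SAMPLE)` reports the pop3 permit as shadowed by the preceding deny and reports `acl_out` (underscore) as unbound, since only `acl-out` is applied to the outside interface.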
 