Hello everyone,
I'm a newbie on the Cisco PIX 515E and I have a few issues I can't resolve. (Please forgive my bad English.)
We want to use an application for EDI traffic (installed on NL-DOR-XP-033) to make a connection over the internet on port 993 to host 194.109.209.146.
Only PC NL-DOR-XP-033 may use port 993 to connect to 194.109.209.146 (on the outside).
I don't know how the traffic comes back (port 25??).
Can you please help me out ???
Thanks a lot.....
JerryCB
Config of my PIX:
Building configuration...
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto shutdown
interface ethernet4 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 IF_VPN security4
nameif ethernet3 intf3 security6
nameif ethernet4 IF_DMZ security8
enable password .......... encrypted
passwd ............ encrypted
hostname PIX
domain-name ST.NL
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.36.253.0 LAN
name 10.0.0.0 VPN
name 10.10.0.0 DMZ
name 192.36.0.0 CB_WAN
name 10.10.0.2 APPLIANCE
name 192.36.253.21 MAILSERVER
name 192.36.253.13 Proxy
name 192.36.253.17 NC001Y2K003
name 192.36.253.10 PCJERRY
name 192.36.253.2 NL-DOR-DC-001
name 192.36.253.24 NL-DOR-XP-033
name 194.109.209.146 gosecure
object-group service Internet_en_Email tcp
port-object eq www
port-object eq ftp-data
port-object eq https
port-object eq ftp
port-object eq smtp
port-object range ftp-data ftp
object-group service Internet tcp
port-object eq www
port-object eq ftp-data
port-object eq ftp
port-object eq https
object-group network DNS_Resolvers
network-object Proxy 255.255.255.255
network-object NL-DOR-DC-001 255.255.255.255
network-object MAILSERVER 255.255.255.255
object-group service ePolicyAgent tcp
port-object eq 82
object-group service Edi tcp
port-object eq imap4
port-object eq 993
port-object eq 137
port-object range 4000 5000
access-list inside_access_in permit tcp CB_WAN 255.255.0.0 DMZ 255.255.255.0 object-group Internet_en_Email
access-list inside_access_in permit ip CB_WAN 255.255.0.0 VPN 255.255.255.0
access-list inside_access_in permit udp object-group DNS_Resolvers any eq domain
access-list inside_access_in permit tcp host NC001Y2K003 host APPLIANCE eq 8081
access-list DMZ_access_in permit tcp DMZ 255.255.255.0 CB_WAN 255.255.0.0 object-group Internet_en_Email
access-list DMZ_access_in permit tcp DMZ 255.255.255.0 VPN 255.255.255.0 object-group Internet_en_Email
access-list DMZ_access_in permit tcp host APPLIANCE any object-group Internet_en_Email
access-list DMZ_access_in permit udp DMZ 255.255.255.0 any eq domain
access-list DMZ_access_in permit udp DMZ 255.255.255.0 LAN 255.255.255.0 eq domain
access-list DMZ_access_in permit tcp host APPLIANCE host NC001Y2K003 object-group ePolicyAgent
access-list IF_VPN_access_in permit ip VPN 255.255.255.0 CB_WAN 255.255.0.0
access-list IF_VPN_access_in permit tcp VPN 255.255.255.0 DMZ 255.255.255.0 object-group Internet_en_Email
access-list IF_VPN_inbound_nat0_acl permit ip VPN 255.255.255.0 DMZ 255.255.255.0
access-list IF_DMZ_outbound_nat0_acl permit ip DMZ 255.255.255.0 VPN 255.255.255.0
access-list inside_outbound_nat0_acl permit ip CB_WAN 255.255.0.0 DMZ 255.255.255.0
access-list inside_outbound_nat0_acl permit ip CB_WAN 255.255.0.0 VPN 255.255.255.0
access-list outside_access_in permit tcp any host xxx.xxx.194.210 eq smtp
pager lines 24
logging on
logging timestamp
logging trap warnings
logging host inside PCJERRY
mtu outside 1500
mtu inside 1500
mtu IF_VPN 1500
mtu intf3 1500
mtu IF_DMZ 1500
ip address outside xxx.xxx.194.194 255.255.255.192
ip address inside 192.36.253.4 255.255.255.0
ip address IF_VPN 10.0.0.1 255.255.255.0
no ip address intf3
ip address IF_DMZ 10.10.0.1 255.255.255.0
ip audit name CB attack action alarm
ip audit interface outside CB
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address IF_VPN
no failover ip address intf3
no failover ip address IF_DMZ
pdm location LAN 255.255.255.0 inside
pdm location CB_WAN 255.255.0.0 inside
pdm location MAILSERVER 255.255.255.255 inside
pdm location APPLIANCE 255.255.255.255 IF_DMZ
pdm location NL-DOR-DC-001 255.255.255.255 inside
pdm location Proxy 255.255.255.255 inside
pdm location 192.36.253.187 255.255.255.255 inside
pdm location VPN 255.255.255.0 inside
pdm location PCJERRY 255.255.255.255 inside
pdm location 192.36.253.98 255.255.255.255 inside
pdm location NC001Y2K003 255.255.255.255 inside
pdm location NL-DOR-XP-033 255.255.255.255 inside
pdm location gosecure 255.255.255.255 outside
pdm group DNS_Resolvers inside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 NL-DOR-DC-001 255.255.255.255 0 0
nat (inside) 1 Proxy 255.255.255.255 0 0
nat (inside) 0 LAN 255.255.255.0 0 0
nat (inside) 0 CB_WAN 255.255.0.0 0 0
nat (IF_VPN) 0 access-list IF_VPN_inbound_nat0_acl outside
nat (IF_VPN) 0 VPN 255.255.255.0 0 0
nat (IF_DMZ) 0 access-list IF_DMZ_outbound_nat0_acl
nat (IF_DMZ) 0 DMZ 255.255.255.0 0 0
static (IF_DMZ,outside) xxx.xxx.194.210 APPLIANCE netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group IF_VPN_access_in in interface IF_VPN
access-group DMZ_access_in in interface IF_DMZ
route outside 0.0.0.0 0.0.0.0 xxx.xxx.194.193 1
route inside CB_WAN 255.255.0.0 192.36.253.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 213.84.46.114 source outside
http server enable
http LAN 255.255.255.0 inside
http VPN 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet LAN 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:..........
: end
[OK]
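The lines the posted config is missing for this requirement, as an added example written for this thread (not JerryCB's own config). Two things have to be true on the PIX: the flow must be permitted by inside_access_in, which is already applied to the inside interface and therefore ends in an implicit deny, and the source host must get a usable translation. Today 192.36.253.24 falls under `nat (inside) 0 LAN 255.255.255.0 0 0` (identity NAT, address sent out untranslated); the example assumes it should instead be PATed to the outside interface address, exactly as the existing `nat (inside) 1` entries already do for Proxy and NL-DOR-DC-001, relying on the more specific /32 entry winning over the /24 identity entry. The return path needs no configuration: the PIX is stateful, so the reply from 194.109.209.146 (source port 993 back to the PC's ephemeral port) is matched against the conn and xlate built by the outbound SYN and never consults outside_access_in. Port 25 plays no part in this flow.

```cisco
! Added example for this thread, not part of the original configuration.
! 1) Permit only NL-DOR-XP-033 to reach gosecure (194.109.209.146) on TCP 993.
!    The entry is appended to inside_access_in; the implicit deny at the end
!    still blocks every other LAN host from this destination/port.
access-list inside_access_in permit tcp host NL-DOR-XP-033 host gosecure eq 993

! 2) PAT this host to the outside interface address (global (outside) 1 interface).
!    Assumption: as with the existing Proxy and NL-DOR-DC-001 entries, this /32
!    nat 1 entry takes precedence over the broader nat (inside) 0 LAN identity entry.
nat (inside) 1 NL-DOR-XP-033 255.255.255.255 0 0

! 3) Return traffic: nothing to add. The reply is accepted because a connection
!    entry exists, not because of any line in outside_access_in.

! Checks after a connection attempt from NL-DOR-XP-033:
show access-list inside_access_in
show xlate
show conn
```

Usage note: `show access-list inside_access_in` should show a non-zero hit count on the new line, `show xlate` a PAT entry for 192.36.253.24, and `show conn` the TCP connection to 194.109.209.146 port 993. If the connection is still refused, the syslog host PCJERRY already receives warnings (`logging trap warnings`), so an ACL deny for this flow will appear there as a %PIX-4-106023 message naming the source, destination and port that was rejected.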