PIX 501 Firewall Config


systemengineer1972 (Technical User)
Dec 8, 2003
I have an existing configuration that works OK. I need to open up port 110 for POP3 so a user in our network can access his POP box from outside of the network...
Is this possible? Any help and commands to do this would be great.

 
Where is the POP box and user?



===

Fatman Superstar (Andrew James)

CCNA,
(CCNA Cisco Academy Instructor Trained)
 
This is on a private IP of 192.168.*.7; there is a static of 81.5.14*.13* that directs it to the private IP.
The user is outside of the network, and I would like them to connect to their POP box using Outlook..
 
....assign your static address translation...., if you only have one IP you have done this...


Try....

access-list COMMINGIN permit tcp any host 81.5.14*.13* eq 110

If they have a specific IP address at home you can use...

access-list COMMINGIN permit tcp host x.x.x.x host 81.5.14*.13* eq 110

Hope this works.

Ta

AJ




===

Fatman Superstar (Andrew James)

CCNA,
(CCNA Cisco Academy Instructor Trained)
 
Hi Andrew,

No, it did not work. Here is my config:

ims> en
Password: ********
ims# sho static
static (inside,outside) 81.5.14*.13* Tech netmask 255.255.255.255 0 0
static (inside,outside) 81.5.14*.14* TONIC netmask 255.255.255.255 0 0
static (inside,outside) 81.*.141.1*5 192.168.200.5 netmask 255.255.255.255 0 0
static (inside,outside) 81.*.141.1*0 192.168.200.4 netmask 255.255.255.255 0 0
static (inside,outside) 81.5.141.1*1 192.168.200.7 netmask 255.255.255.255 0 0
ims#
ims# sho access-list
access-list outside_access_in permit tcp any host 81.5.14*.1*5 eq 1723 (hitcnt=0)
access-list outside_access_in permit udp any host 81.5.14*.1*5 eq isakmp (hitcnt=0)
access-list outside_access_in permit udp any host 81.*.141.*35 eq 1701 (hitcnt=0)
access-list outside_access_in permit tcp any host 81.*.141.*30 eq smtp (hitcnt=0)
access-list outside_access_in permit tcp any host 81.*.14*.130 eq pop3 (hitcnt=0)
access-list outside_access_in permit tcp any host 81.5.14*.1*1 eq pop3 (hitcnt=0)
access-list outside_access_in permit tcp any host 8*.5.*41.13* eq
access-list acl-out permit tcp any host 81.*.141.1*0 eq smtp (hitcnt=0)
access-list acl-out permit tcp any host 81.*.141.1*5 eq 1723 (hitcnt=0)
access-list acl-out permit gre any host 81.*.141.1*5 (hitcnt=0)
access-list acl-out permit udp any host 81.*.141.1*5 eq 1723 (hitcnt=0)
access-list acl-out permit udp any host 81.*.141.1*5 eq 1701 (hitcnt=0)
access-list acl-out permit udp any host 81.*.141.1*5 eq isakmp (hitcnt=0)
access-list acl-out permit tcp any host 192.168.200.1*9 eq 5045 (hitcnt=0)
access-list acl-out deny tcp any any (hitcnt=23)
access-list acl-out permit tcp any host 81.*.141.1*1 eq pop3 (hitcnt=0)
access-list acl_out permit tcp any host 81.*.141.1*0 eq
access-list acl_out permit tcp host 81.*.141.1*1 eq pop3 any (hitcnt=0)
access-list acl_out permit tcp any host 81.*.1*1.1*1 eq pop3 (hitcnt=0)
access-list outside_acess_in permit tcp any host 81.5.141.130 eq
 

Can you do me a show run

Ta

AJ

===

Fatman Superstar (Andrew James)

CCNA,
(CCNA Cisco Academy Instructor Trained)
 
The command sho run does not work on the PIX, not like on a router. What command can I use instead?

 
Show me your running config then.

===

Fatman Superstar (Andrew James)

CCNA,
(CCNA Cisco Academy Instructor Trained)
 
How do I do that? Typing the command sho running does not work. What will
 
Cheers, here:

ims(config)# sho conf
: Saved
:
PIX Version 6.1(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password QfSCP6BSRXVTKzlY encrypted
passwd QfSCP6BSRXVTKzlY encrypted
hostname ims
domain-name hq.ims
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 192.168.200.9 EPO
name 192.168.200.177 TONIC
name 192.168.200.7 IMS-PDC
name 192.168.200.187 Tech
access-list outside_access_in permit tcp any host 81.5.*.* eq 1723
access-list outside_access_in permit udp any host 81.5.*.* eq isakmp
access-list outside_access_in permit udp any host 81.5.*.* eq 1701
access-list outside_access_in permit tcp any host 81.5.*.* eq smtp
access-list outside_access_in permit tcp any host 81.5.*.* eq pop3
access-list outside_access_in permit tcp any host 81.5.*.* eq pop3
access-list outside_access_in permit tcp any host 81.5.*.* eq www
access-list acl-out permit tcp any host 81.5.*.* eq smtp
access-list acl-out permit tcp any host 81.5.*.* eq 1723
access-list acl-out permit gre any host 81.5.*.*
access-list acl-out permit udp any host 81.5.*.* eq 1723
access-list acl-out permit udp any host 81.5.*.* eq 1701
access-list acl-out permit udp any host 81.5.*.* eq isakmp
access-list acl-out permit tcp any host 192.168.200.149 eq 5045
access-list acl-out deny tcp any any
access-list acl-out permit tcp any host 81.5.*.* eq pop3
access-list acl_out permit tcp any host 81.5.*.* eq www
access-list acl_out permit tcp host 81.5.*.* eq pop3 any
access-list acl_out permit tcp any host 81.5.*.* eq pop3
access-list outside_acess_in permit tcp any host 81.5.*.* eq www
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 81.5.*.* 255.255.255.240
ip address inside 192.168.200.240 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool 192.168.200.190-192.168.200.194
pdm location EPO 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.255 outside
pdm location 192.168.0.0 255.255.255.0 outside
pdm location TONIC 255.255.255.255 inside
pdm location IMS-PDC 255.255.255.255 inside
pdm location Tech 255.255.255.255 inside
pdm location 207.68.171.233 255.255.255.255 outside
pdm location 207.68.171.233 255.255.255.255 inside
pdm location 212.69.194.157 255.255.255.255 outside
pdm location 217.207.11.140 255.255.255.255 outside
pdm history enable
arp timeout 14400
global (outside) 1 81.5.*.132-81.5.*.133 netmask 255.255.255.240
global (outside) 1 81.5.*.134 netmask 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 81.5.*.137 Tech netmask 255.255.255.255 0 0
static (inside,outside) 81.5.*.* TONIC netmask 255.255.255.255 0 0
static (inside,outside) 81.5.*.* 192.168.200.5 netmask 255.255.255.255 0 0
static (inside,outside) 81.5.*.* 192.168.200.4 netmask 255.255.255.255 0 0
static (inside,outside) 81.5.*.* IMS-PDC netmask 255.255.255.255 0 0
access-group acl-out in interface outside
conduit deny tcp any any eq 1863
conduit deny udp any any eq 1863
route outside 0.0.0.0 0.0.0.0 81.5.*.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
url-server (outside) host 207.68.171.233 timeout 5 protocol TCP version 1
http server enable
http 192.168.200.0 255.255.255.0 inside
http 192.168.20.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
no sysopt route dnat
telnet 192.168.200.0 255.255.255.0 inside
telnet 81.5.*.* 255.255.255.255 inside
telnet 81.5.*.* 255.255.255.255 inside
telnet IMS-PDC 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:259a681616b00b0ed054a326d45d7fd8
ims(config)#
 
The command show run DOES work on a pix, as long as you are in enable mode.
 
Here's your problem:

access-list acl-out deny tcp any any
access-list acl-out permit tcp any host 81.5.*.* eq pop3


You can't deny ALL TCP traffic and then let specific traffic through. The traffic has already matched an ACL entry (deny tcp any any) and so the next line will not be processed.

Re-jig the ACL to allow the specific TCP ports through and THEN block all other TCP traffic.

Chris.



**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
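To make Chris's point about ACL ordering concrete, and to show how AJ's suggested "access-list ... permit tcp any host ... eq 110" line interacts with the rest of the list, here is an added example that simulates the first-match processing a PIX applies to an access-group. It is not code from the thread or from Cisco; it parses a condensed copy of the posted acl-out list, replaces the masked 81.5.*.* static with the constructed documentation address 198.51.100.137 (and 203.0.113.9 for the remote user), and adds a shadow check that flags entries which can never be hit, which is exactly what the (hitcnt=0) on the pop3 line and (hitcnt=23) on the deny line were telling the original poster.

```python
"""First-match evaluation of a PIX-style access-list (added example, not from the thread).

The ACL below is a condensed copy of the 'acl-out' list posted above. The masked
public addresses are replaced by the constructed documentation address
198.51.100.137. PIX 6.x walks the list top-down and stops at the first match,
so a 'deny tcp any any' line shadows every TCP permit written after it.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

PORT_NAMES = {"smtp": 25, "www": 80, "pop3": 110, "isakmp": 500, "pptp": 1723}

MAIL_SERVER = "198.51.100.137"   # constructed stand-in for the masked 81.5.*.* static
CLIENT = "203.0.113.9"           # constructed address of the remote Outlook user


@dataclass
class Ace:
    raw: str                     # the line as typed, for 'show access-list' style output
    name: str
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "gre" or "ip"
    src: IPv4Network
    sport: Optional[int]
    dst: IPv4Network
    dport: Optional[int]
    hitcnt: int = 0              # mirrors the (hitcnt=N) counter in 'show access-list'

    def matches(self, proto, src, sport, dst, dport) -> bool:
        return (self.proto in ("ip", proto)
                and ip_address(src) in self.src
                and ip_address(dst) in self.dst
                and (self.sport is None or self.sport == sport)
                and (self.dport is None or self.dport == dport))

    def covers(self, other: "Ace") -> bool:
        """True if every packet 'other' could match is already matched by self."""
        return (self.proto in ("ip", other.proto)
                and other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst)
                and (self.sport is None or self.sport == other.sport)
                and (self.dport is None or self.dport == other.dport))


def _take_addr(tok):
    if tok[0] == "any":
        return ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ip_network(tok[1] + "/32"), tok[2:]
    # PIX access-lists take a real subnet mask, not an IOS wildcard mask
    return ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]


def _take_port(tok):
    if tok and tok[0] == "eq":
        port = int(tok[1]) if tok[1].isdigit() else PORT_NAMES[tok[1]]
        return port, tok[2:]
    return None, tok


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME permit|deny PROTO SRC [eq P] DST [eq P]'."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    name, action, proto = tok[1], tok[2], tok[3]
    src, rest = _take_addr(tok[4:])
    sport, rest = _take_port(rest)
    dst, rest = _take_addr(rest)
    dport, rest = _take_port(rest)
    return Ace(line, name, action, proto, src, sport, dst, dport)


def parse_acl(lines):
    return [parse_ace(line) for line in lines]


def evaluate(acl, proto, src, sport, dst, dport):
    """First match wins; returns (action, index). No match at all is the implicit deny."""
    for i, ace in enumerate(acl):
        if ace.matches(proto, src, sport, dst, dport):
            ace.hitcnt += 1
            return ace.action, i
    return "deny", None


def shadowed(acl):
    """Indices of entries that can never be hit because an earlier entry covers them."""
    return [j for j in range(len(acl)) if any(acl[i].covers(acl[j]) for i in range(j))]


def fix_order(lines):
    """Chris's fix: keep the specific permits in order, then the catch-all deny last."""
    permits = [line for line in lines if line.split()[2] == "permit"]
    denies = [line for line in lines if line.split()[2] == "deny"]
    return permits + denies


def show_access_list(acl):
    return [f"{ace.raw} (hitcnt={ace.hitcnt})" for ace in acl]


# Condensed copy of the posted acl-out list, public hosts replaced by MAIL_SERVER
POSTED_ACL = [
    f"access-list acl-out permit tcp any host {MAIL_SERVER} eq smtp",
    f"access-list acl-out permit tcp any host {MAIL_SERVER} eq 1723",
    f"access-list acl-out permit gre any host {MAIL_SERVER}",
    f"access-list acl-out permit udp any host {MAIL_SERVER} eq 1701",
    f"access-list acl-out permit udp any host {MAIL_SERVER} eq isakmp",
    "access-list acl-out deny tcp any any",
    f"access-list acl-out permit tcp any host {MAIL_SERVER} eq pop3",
]

if __name__ == "__main__":
    for label, lines in (("posted", POSTED_ACL), ("re-ordered", fix_order(POSTED_ACL))):
        acl = parse_acl(lines)
        verdict = evaluate(acl, "tcp", CLIENT, 40000, MAIL_SERVER, 110)
        print(f"{label}: POP3 from {CLIENT} -> {verdict}; shadowed entries: {shadowed(acl)}")
        for line in show_access_list(acl):
            print("   ", line)
```

Running it shows the posted list denying the POP3 connection at the "deny tcp any any" entry (index 5) and flagging the pop3 permit behind it as unreachable, while the re-ordered list permits it and has no shadowed entries. The same shadow check is worth running over any ACL whose counters show a permit stuck at zero hits.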
 