
Pls Help problem with configuring Cisco Pix


Vin999

Programmer
May 21, 2003
35
GB
I have set up MS Exchange to use SMTP to host our own mail.

Pix does not allow mail to come in from the outside world. I can send & receive mail from other users on the internal network and can send mail out over the Internet, but cannot receive from the Internet.

When I remove the Pix it all works fine and can telnet to port 25 but as soon as I put the Pix back I cannot telnet in nor receive mail.

I know I have to create access rules and have tried, but I am new with Cisco Pix and cannot see what I am doing wrong. I have tried many different things and succeeded in confusing myself.

I have the following arrangement:

· Incoming Broadband connected to Modem/Router (Fixed IP Address Outside, IP address inside 192.168.0.1)
· Modem connected to Pix 501 on (Outside Interface 192.168.0.2)
· Pix (Inside Interface 192.168.1.1) connected to my server on (Outside interface 192.168.1.2)
· Server (Inside interface 192.168.0.3) connected to internal network

Internet --- [Modem: out = public IP | in = 192.168.0.1] --- [Pix: out = 192.168.0.2 | in = 192.168.1.1] --- [Server: out = 192.168.1.2 | in = 192.168.0.3] --- internal network


Please Help and Thanks in Advance

Vinny.

P.S. Below is a copy of my running config on the Pix:

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100

hostname xxxx
domain-name xxxx

fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000

names
name 192.168.0.1
access-list acl_out permit tcp host 192.168.0.2 eq netbios-ssn
access-list acl_out permit udp host 192.168.0.2 eq netbios-ns
access-list acl_out permit udp host 192.168.0.2 eq netbios-dgm
access-list acl_out permit tcp host 192.168.0.2 eq 135
pager lines 24

interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500

ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm

pdm location 192.168.1.2 255.255.255.255 inside
pdm location 192.168.2.2 255.255.255.255 inside
pdm location 255.255.255.255 outside
pdm logging informational 100
pdm history enable

arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.0.2 192.168.1.2 netmask 255.255.255.255 0 0

access-group acl_out in interface outside

timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local

http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5

dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
 
A known issue with the Pix and Exchange is fixup smtp.
You need to enter the command
no fixup smtp......

If I remember correctly, Exchange uses Ehello instead of hello or something like that.

Hope this helps.
 
Thanks FestusMcShamus,

I have now included 'no fixup protocol smtp 25', but still no joy.

Cheers

Vin999
 
Your config looks very strange; your acl is not correct syntax. How were you ever able to enter that acl in your pix?

Your acl on the outside should first of all permit smtp if you need to receive mail.

"access-list acl_out permit tcp any host 192.168.0.2 eq 25"


And 192.168.0.2 shouldn't be a part of your dhcp scope as it is now, since it is a server.

Please post the "live" config of your pix, not the edited one you have there, of course leave out any official ip addresses and passwords.

Jan


Network Systems Engineer
CCNA/CQS/CCSP/Infosec
 
Thanks Jan,

I have implemented the changes you suggested but still no joy. I would be very grateful if you could check my config below to see if I made these changes correctly.

Could you also tell me what the 'eq 25' is for?

This is my running config.

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx encrypted
passwd xxx encrypted
hostname xxx
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
name x.x.10.1 NetgearGateway
access-list acl_out permit tcp any host x.x.10.2 eq netbios-ssn
access-list acl_out permit udp any host x.x.10.2 eq netbios-ns
access-list acl_out permit icmp any any echo-reply
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside x.x.11.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location x.x.11.2 255.255.255.255 inside
pdm location x.x.12.2 255.255.255.255 inside
pdm location NetgearGateway 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.10.2 x.x.11.2 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http x.x.11.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
dhcpd address x.x.11.2-x.x.11.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80

Cheers Vinny.
 
If that is your running config, you have not made any of the changes I asked you to.

Also, if you run DHCP on the outside, how do you know what address your pix has? And is it the same all the time?

Jan


Network Systems Engineer
CCNA/CQS/CCSP/Infosec
 
Hi Jan,

Thank you very much for your help and patience.

Sorry I've taken so long getting back; I didn't really understand what you meant. After taking time out to digest it, I understand what you were saying.

I have simplified all the internal IPs. Please take a look at my latest running config; I would appreciate any ideas.

1. My public IP is static.

2. We have a Netgear router, but the Pix failed to communicate with the router when configured statically, so I used DHCP but limited the range of IPs available to just one IP address.

Latest Running Config

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxx encrypted
passwd xxxxx encrypted
hostname xxxxx
domain-name ciscopix.com

fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25

names

access-list acl_out permit tcp any host xx.xxx.xxx.225 eq smtp
access-list acl_out permit tcp any host xx.xxx.xxx.225 eq pop3
access-list acl_out permit tcp any host xx.xxx.xxx.225 eq www

(xx.xxx.xxx.225 is my public static IP from isp)

pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500

ip address outside dhcp setroute

(The external interface of the Pix receives DHCP from the border router but the range has been set to only 1 IP - 192.168.0.2)

ip address inside 192.168.1.1 255.255.255.0

(192.168.1.1 is the internal interface of the Pix)

ip audit info action alarm
ip audit attack action alarm

pdm logging informational 100
pdm history enable
arp timeout 14400

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) xx.xxx.xxx.225 192.168.1.2 netmask 255.255.255.255 0 0

(192.168.1. is the external interface of my mail server)

access-group acl_out in interface outside

timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local

http server enable
http 192.168.1.0 255.255.255.0 inside

(192.168.1.0 is the internal interface of the Router)

no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5

dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80

Thanks again Vinny.
 
Alright, I think I can see the problem here. That static should not be like that when it is the address of the pix you are using. The syntax should be:

static (inside,outside) xx.xxx.xxx.225 192.168.1.2 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 25 192.168.1.2 25 netmask 255.255.255.255 0 0

If you need more than smtp from the internet to the server just add lines like this :

static (inside,outside) tcp interface <port #> 192.168.1.2 <port #> netmask 255.255.255.255 0 0

And of course remove the static which is already there, and do a "clear xlate" before testing.


Jan


Network Systems Engineer
CCNA/CQS/CCSP/Infosec
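As an added example (not code from the thread, from Cisco, or from any of the posters), the following Python checker applies the four points raised in the replies above to a PIX 6.x running config: FestusMcShamus's note that `fixup protocol smtp` (Mailguard) breaks Exchange, Jan's observation that an ACE without a destination is not valid syntax, Jan's final point that a plain `static` cannot map the outside interface's own address and a port static is needed instead, and the warning that a statically mapped server should not sit inside the `dhcpd` pool. The sample config is constructed in the style of the configs posted here; `203.0.113.225` is a documentation-range placeholder for the masked public address, and `outside_address` is an operator-supplied assumption, since `ip address outside dhcp` means the config itself does not record the PIX's outside address.

```python
import ipaddress
import re

# Constructed sample in the style of the PIX 6.2 configs posted in the thread.
# It is NOT the poster's config; 203.0.113.225 is a placeholder public address.
SAMPLE_CONFIG = """
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol smtp 25
access-list acl_out permit tcp host 192.168.0.2 eq netbios-ssn
access-list acl_out permit tcp any host 203.0.113.225 eq smtp
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 203.0.113.225 192.168.1.2 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
"""

# Plain address static: static (REAL,MAPPED) GLOBAL LOCAL netmask ...
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask")
DHCPD_RE = re.compile(r"^dhcpd address (\S+)-(\S+) (\w+)$")
PORT_OPS = ("eq", "lt", "gt", "neq")


def _is_ipv4(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def _take_addr(tokens, i):
    """Consume one PIX 6.x address spec (any | host A | A MASK) at tokens[i].
    Returns the index just past it, or None if no address starts there."""
    if i >= len(tokens):
        return None
    if tokens[i] == "any":
        return i + 1
    if tokens[i] == "host" and i + 1 < len(tokens) and _is_ipv4(tokens[i + 1]):
        return i + 2
    if i + 1 < len(tokens) and _is_ipv4(tokens[i]) and _is_ipv4(tokens[i + 1]):
        return i + 2
    return None


def _take_port(tokens, i):
    """Consume an optional port operator (eq/lt/gt/neq X or range A B)."""
    if i < len(tokens) and tokens[i] in PORT_OPS and i + 1 < len(tokens):
        return i + 2
    if i < len(tokens) and tokens[i] == "range" and i + 2 < len(tokens):
        return i + 3
    return i


def ace_is_wellformed(line):
    """True if an extended ACE carries both a source and a destination.
    Grammar: access-list NAME permit|deny PROTO SRC [port] DST [port] [icmp-type]"""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        return False
    proto = tokens[3]
    i = _take_addr(tokens, 4)
    if i is None:
        return False
    i = _take_addr(tokens, _take_port(tokens, i))
    if i is None:
        return False  # no destination: the malformed ACE Jan pointed out
    i = _take_port(tokens, i)
    if proto == "icmp" and i < len(tokens):
        i += 1  # optional ICMP type such as echo-reply
    return i == len(tokens)


def lint(config_text, outside_address=None):
    """Return (code, message) findings for the problems raised in the thread.
    outside_address is supplied by the operator (assumption): with
    'ip address outside dhcp' the config does not record the PIX's address."""
    findings, statics, dhcp_ranges, outside_dhcp = [], [], {}, False
    for line in (raw.strip() for raw in config_text.splitlines()):
        if line.startswith("fixup protocol smtp"):
            findings.append(("SMTP_FIXUP",
                "Mailguard is on and interferes with Exchange ESMTP; use: no fixup protocol smtp 25"))
        elif line.startswith("access-list") and not ace_is_wellformed(line):
            findings.append(("ACL_SYNTAX", "ACE is missing a source or destination: " + line))
        elif line.startswith("ip address outside dhcp"):
            outside_dhcp = True
        else:
            m = STATIC_RE.match(line)
            if m and _is_ipv4(m.group(3)):
                statics.append((m.group(1), m.group(3), m.group(4)))
                continue
            m = DHCPD_RE.match(line)
            if m:
                dhcp_ranges[m.group(3)] = (ipaddress.IPv4Address(m.group(1)),
                                           ipaddress.IPv4Address(m.group(2)))
    for real_if, glob, local in statics:
        if outside_address and glob == outside_address:
            findings.append(("STATIC_ON_INTERFACE",
                "static maps the outside interface's own address; replace it with a port static: "
                f"static (inside,outside) tcp interface 25 {local} 25 netmask 255.255.255.255 0 0"))
        elif outside_dhcp and outside_address is None:
            findings.append(("STATIC_GLOBAL_UNVERIFIED",
                f"outside is DHCP, so confirm {glob} is really bound to the PIX before trusting this static"))
        rng = dhcp_ranges.get(real_if)
        if rng and rng[0] <= ipaddress.IPv4Address(local) <= rng[1]:
            findings.append(("DHCP_OVERLAP",
                f"{local} is statically mapped but sits inside the {real_if} dhcpd pool {rng[0]}-{rng[1]}"))
    return findings


if __name__ == "__main__":
    for code, msg in lint(SAMPLE_CONFIG, outside_address="203.0.113.225"):
        print(f"[{code}] {msg}")
```

Run against the sample, the checker reports all four findings in config order; after applying Jan's suggestions (the port static, the corrected ACE, `no fixup protocol smtp 25`, and moving the server out of the pool) it reports nothing, which is the state to reach before the `clear xlate` and telnet-to-port-25 test described above.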
 