Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations IamaSherpa on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
try to telnet but no working
- Thread starter amarchi
- Start date
- Thread starter
- #5
sorry.......i'm a stupid...here it's
PIX Version 6.2(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
names
name 10.10.1.5 mail
name 11.11.11.11 dns_server
name 11.11.11.12 webmail
access-list outside_access_in permit tcp any host 13.13.13.13 eq smtp
access-list outside_access_in permit tcp any host 13.13.13.13 eq pop3
access-list outside_access_in permit udp any host 13.13.13.14 eq domain
access-list outside_access_in permit tcp any host 13.13.13.15 eq www
access-list outside_access_in permit tcp any host 13.13.13.16 eq telnet
access-list outside_access_in deny ip any any
access-list 101 permit ip 10.10.0.0 255.255.0.0 10.10.0.0 255.255.0.0
ip address outside 13.13.13.13 255.255.255.224
ip address inside 10.10.1.1 255.255.0.0
ip address dmz 11.11.11.1 255.255.255.0
global (outside) 1 interface
global (dmz) 2 interface
global (dmz) 1 11.11.11.6
nat (inside) 0 access-list 101
nat (inside) 1 10.10.1.6 255.255.255.255 0 0
nat (inside) 2 0.0.0.0 0.0.0.0 0 0
alias (inside) 13.13.13.14 dns_server 255.255.255.255
static (inside,outside) 13.13.13.13 mail netmask 255.255.255.255 0 50
static (dmz,outside) 13.13.13.14 dns_server netmask 255.255.255.255 0 50
static (dmz,outside) 13.13.13.15 webmail netmask 255.255.255.255 0 50
static (inside,dmz) webmail mail netmask 255.255.255.255 0 50
static (inside,outside) 13.13.13.16 telnet netmask 255.255.255.255 0 50
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
PIX Version 6.2(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
names
name 10.10.1.5 mail
name 11.11.11.11 dns_server
name 11.11.11.12 webmail
access-list outside_access_in permit tcp any host 13.13.13.13 eq smtp
access-list outside_access_in permit tcp any host 13.13.13.13 eq pop3
access-list outside_access_in permit udp any host 13.13.13.14 eq domain
access-list outside_access_in permit tcp any host 13.13.13.15 eq www
access-list outside_access_in permit tcp any host 13.13.13.16 eq telnet
access-list outside_access_in deny ip any any
access-list 101 permit ip 10.10.0.0 255.255.0.0 10.10.0.0 255.255.0.0
ip address outside 13.13.13.13 255.255.255.224
ip address inside 10.10.1.1 255.255.0.0
ip address dmz 11.11.11.1 255.255.255.0
global (outside) 1 interface
global (dmz) 2 interface
global (dmz) 1 11.11.11.6
nat (inside) 0 access-list 101
nat (inside) 1 10.10.1.6 255.255.255.255 0 0
nat (inside) 2 0.0.0.0 0.0.0.0 0 0
alias (inside) 13.13.13.14 dns_server 255.255.255.255
static (inside,outside) 13.13.13.13 mail netmask 255.255.255.255 0 50
static (dmz,outside) 13.13.13.14 dns_server netmask 255.255.255.255 0 50
static (dmz,outside) 13.13.13.15 webmail netmask 255.255.255.255 0 50
static (inside,dmz) webmail mail netmask 255.255.255.255 0 50
static (inside,outside) 13.13.13.16 telnet netmask 255.255.255.255 0 50
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
In your static you have used the name "telnet" ..
static (inside,outside) 13.13.13.16 telnet netmask 255.255.255.255 0 50
.. but you don't appear to have a host named telnet ..
names
name 10.10.1.5 mail
name 11.11.11.11 dns_server
name 11.11.11.12 webmail
Otherwise, the ACL is okay ..
access-list outside_access_in permit tcp any host 13.13.13.16 eq telnet
access-group outside_access_in in interface outside
Chris.
**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
static (inside,outside) 13.13.13.16 telnet netmask 255.255.255.255 0 50
.. but you don't appear to have a host named telnet ..
names
name 10.10.1.5 mail
name 11.11.11.11 dns_server
name 11.11.11.12 webmail
Otherwise, the ACL is okay ..
access-list outside_access_in permit tcp any host 13.13.13.16 eq telnet
access-group outside_access_in in interface outside
Chris.
**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
- Thread starter
- #7
unfortunately I'm not in the office and I have taken an old copy of the configuration of the firewall, perhaps in replacing the address to publish here, I have omitted the telnet ip:I think the problems it's that i have not done the "access-group outside_access_in in interface outside"
command (SGRUNT)
Thanks Chris for your help
At salut
Max
command (SGRUNT)
Thanks Chris for your help
At salut
Max
- Thread starter
- #8
Either,
1. The access list is wrong
2. The access list isn't applied to the interface
3. The static is wrong
4. The telnet server doesn't have its default gateway set
5. Telnet isn't open on the box
On the server, see if you can get external access via the Pix. Make sure that the telnet server is running. On the Pix, check your static using "sh xlate". When trying to connect to the server from the outside, check the hits on the access list.
Chris.
**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
1. The access list is wrong
2. The access list isn't applied to the interface
3. The static is wrong
4. The telnet server doesn't have its default gateway set
5. Telnet isn't open on the box
On the server, see if you can get external access via the Pix. Make sure that the telnet server is running. On the Pix, check your static using "sh xlate". When trying to connect to the server from the outside, check the hits on the access list.
Chris.
**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
NetworkGuy101
IS-IT--Management
It definitly odes look like this is messed up:
static (inside,outside) 13.13.13.16 telnet netmask 255.255.255.255 0 50
Wither define the host that will be nicked telnet or just do a set static for whatever the internale IP address is for the telnet server.
static (inside,outside) 13.13.13.16 xxx.xxx.xxx.xxx netmask 255.255.255.255 0 50
No connection can be made unless this address is natted on the outside(Static or Dynamic).
static (inside,outside) 13.13.13.16 telnet netmask 255.255.255.255 0 50
Wither define the host that will be nicked telnet or just do a set static for whatever the internale IP address is for the telnet server.
static (inside,outside) 13.13.13.16 xxx.xxx.xxx.xxx netmask 255.255.255.255 0 50
No connection can be made unless this address is natted on the outside(Static or Dynamic).
cisconewbee
Programmer
Hi, I am fairly new to the Pix 501 and I am configuring
a basic network with one outside public IP and 2 public servers behind the PIX (Email and web). My problem is, the email is working great except the Outlook clients outside my network cannot reach the server to download mail. They can send email just fine. The incoming email server is pop3.mydomain.com and the client is set to use port 995 (pop3/ssl)
Since inside the network, everyone can send and receive mail just fine,I suspect something in the PIX is blocking it. Any help would be appreciated
Pix 501 config:
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfw
domain abc.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol smtp 995
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit tcp any host x.x.6.39 eq smtp
access-list 101 permit tcp any host x.x.6.39 eq http
access-list 101 permit tcp any host x.x.6.39 eq www
access-list 101 permit tcp any host x.x.6.39 eq https
access-list 101 permit tcp any host x.x.6.39 eq pop3
access-list 101 permit tcp any host x.x.6.39 eq ftp
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any host x.x.6.39 eq 995
pager lines 24
logging on
logging timestamp
logging standby
logging trap notifications
logging facility 19
logging host inside 192.168.1.11
mtu outside 1500
mtu inside 1500
ip address outside x.x.6.39 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp x.x.6.39 smtp 192.168.1.11 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.6.39 pop3 192.168.1.11 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.6.39 995 192.168.1.11 995 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.6.39 https 192.168.1.54 http netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.6.39 https 192.168.1.54 https netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.6.39 255.255.255.255 0 0
static (inside,outside) tcp x.x.6.39 ftp 192.168.1.54 ftp netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.6.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.100-192.168.1.249 inside
dhcpd dns x.x.x.200 x.x.x.202
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
a basic network with one outside public IP and 2 public servers behind the PIX (Email and web). My problem is, the email is working great except the Outlook clients outside my network cannot reach the server to download mail. They can send email just fine. The incoming email server is pop3.mydomain.com and the client is set to use port 995 (pop3/ssl)
Since inside the network, everyone can send and receive mail just fine,I suspect something in the PIX is blocking it. Any help would be appreciated
Pix 501 config:
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfw
domain abc.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol smtp 995
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit tcp any host x.x.6.39 eq smtp
access-list 101 permit tcp any host x.x.6.39 eq http
access-list 101 permit tcp any host x.x.6.39 eq www
access-list 101 permit tcp any host x.x.6.39 eq https
access-list 101 permit tcp any host x.x.6.39 eq pop3
access-list 101 permit tcp any host x.x.6.39 eq ftp
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any host x.x.6.39 eq 995
pager lines 24
logging on
logging timestamp
logging standby
logging trap notifications
logging facility 19
logging host inside 192.168.1.11
mtu outside 1500
mtu inside 1500
ip address outside x.x.6.39 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp x.x.6.39 smtp 192.168.1.11 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.6.39 pop3 192.168.1.11 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.6.39 995 192.168.1.11 995 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.6.39 https 192.168.1.54 http netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.6.39 https 192.168.1.54 https netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.6.39 255.255.255.255 0 0
static (inside,outside) tcp x.x.6.39 ftp 192.168.1.54 ftp netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.6.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.100-192.168.1.249 inside
dhcpd dns x.x.x.200 x.x.x.202
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
NetworkGuy101
IS-IT--Management
Do you have POP set up on the mail server? Have you tested it within your network to make sure it is working properly?
NetworkGuy101
IS-IT--Management
Also you say the client is set to use port 995. Isnt Pop3 port 110? If you changed the port you will have to define that on the firewall.
He's right that you will have to define port 995 on the firewall to allow connections to come into the network on that port. However, 995 is the default port for the SSL POP3 connection, so that's normal NG101.
As you are having no problems connections to the POP3 server from inside the network, you must just have an ACL issue on the firewall.
Computer/Network Technician
CCNA
As you are having no problems connections to the POP3 server from inside the network, you must just have an ACL issue on the firewall.
Computer/Network Technician
CCNA
NetworkGuy101
IS-IT--Management
Yes but I think he is just using regular POP3 correct at least that is what is reflected in the Pix config?
NetworkGuy101
IS-IT--Management
Good Catch. It definitly is an ACL issue but if he is just defining POP3 and not SSL POP3 his users wont be able to connect because they are using the wrong ports. If they tried on 110 they might just connect with the config he has in place now.
NetworkGuy101
IS-IT--Management
Depending on his mail server setup that is.
NetworkGuy101
IS-IT--Management
Either way the wrong port is being allowed and if he chages the port on the acl he should be good to go.
- Status
Similar threads
- Locked
- Question
- Locked
- Question
- Locked
- Question
- Locked
- Question