Re: [fw-wiz] Pix 501 NAT problems with Web and Exchange server



Alan,



If I understand correctly, you are missing only the ability to pop your
mail server from the outside. Just add the following statements to fix
that.





access-list outside_access_in permit tcp any interface outside eq pop3

static (inside,outside) tcp interface pop3 Web-Exch-Server pop3 netmask 255.255.255.255 0 0





Cheers,



Rob Gills

________________________________

From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of
William A. May
Sent: November 25, 2006 8:51 PM
To: firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
Subject: [fw-wiz] Pix 501 NAT problems with Web and Exchange server



I read through the postings about inbound NAT problems with the PIX 501
posted in February 2005 and tried to configure my new PIX 501
accordingly but with little luck. What I am trying to do is replace my
Linksys WRT54G with a PIX 501. I have a Web server and an Exchange
Server 2003 on my internal network and I want to be able to have my web
page accessed from the outside and I also want to be able to continue to
receive my email. Currently I can view web pages and send email.
Listed below is my current configuration, with certain marked changes;
please let me know where I'm going wrong.



Thanks,



Alan



: Saved
: Written by enable_15 at 19:49:11.582 UTC Sat Nov 25 2006
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password <deleted> encrypted
passwd <deleted> encrypted
hostname pixfirewall <changed>
domain-name ciscopix.com <changed>
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 172.16.10.0 LAN <changed>
name 172.16.10.11 Web-Exch-Server <changed>
access-list outside_access_in permit tcp any eq www interface outside eq www
access-list outside_access_in permit tcp any eq https interface outside eq https
access-list outside_access_in permit tcp any eq smtp interface outside eq smtp
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any traceroute
access-list outside_access_in permit icmp any any time-exceeded
access-list inside_access_in permit icmp any any
access-list inside_access_in permit ip LAN 255.255.255.0 any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 172.16.10.1 255.255.255.0 <changed>
ip audit info action alarm
ip audit attack action alarm
pdm location LAN 255.255.255.0 inside
pdm location Web-Exch-Server 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www Web-Exch-Server www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https Web-Exch-Server https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp Web-Exch-Server smtp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http LAN 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
terminal width 80
Cryptochecksum:8069dd3a26bd7570990dfe55c7c7064e
: end
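The three inbound access-list entries in the posted configuration (www, https, smtp) qualify the source port as well as the destination port ("permit tcp any eq www interface outside eq www"). A client connects from an ephemeral source port, so an entry written that way never matches and the PIX drops the inbound connection even though the matching static is in place. The following added example, not code from the thread or from Cisco, is a small linter for PIX 6.3 configurations that flags such entries, rewrites them without the source-port qualifier, and checks that every tcp/udp static port redirection has at least one usable permit entry for its mapped port. The sample configuration lines are copied from the posted config; the corrected pop3 rule is this example's own suggestion, and the parser only covers the address and port syntax that appears on the page.

```python
"""Lint PIX 6.3 inbound port-forward rules for source-port-restricted ACLs.

Added example; not code from the mailing-list thread. It checks:
 1. access-list entries whose *source* port is qualified (eq/neq/lt/gt/range):
    clients use ephemeral source ports, so such entries never match.
 2. every 'static ... tcp|udp <mapped> <port> ...' has a usable permit entry.
Only the syntax seen on the page is parsed: any / host X / interface IF /
addr mask address specs and eq, neq, lt, gt, range port qualifiers.
"""

PORT_OPS_1 = {"eq", "neq", "lt", "gt"}  # one operand
PORT_OPS_2 = {"range"}                   # two operands


def _take_addr(tokens, i):
    """Consume one address spec at tokens[i]; return (text, next_index)."""
    if tokens[i] == "any":
        return "any", i + 1
    return f"{tokens[i]} {tokens[i + 1]}", i + 2  # host X | interface IF | addr mask


def _take_port(tokens, i):
    """Consume an optional port qualifier at tokens[i]; return (text|None, next_index)."""
    if i < len(tokens) and tokens[i] in PORT_OPS_1:
        return f"{tokens[i]} {tokens[i + 1]}", i + 2
    if i < len(tokens) and tokens[i] in PORT_OPS_2:
        return f"range {tokens[i + 1]} {tokens[i + 2]}", i + 3
    return None, i


def parse_acl(line):
    """Parse a tcp/udp access-list entry into a dict; None for any other line."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[3] not in ("tcp", "udp"):
        return None
    try:
        src, i = _take_addr(t, 4)
        src_port, i = _take_port(t, i)
        dst, i = _take_addr(t, i)
        dst_port, i = _take_port(t, i)
    except IndexError:  # truncated line: not an entry we can judge
        return None
    return {"name": t[1], "action": t[2], "proto": t[3], "src": src,
            "src_port": src_port, "dst": dst, "dst_port": dst_port, "line": line}


def parse_static(line):
    """Parse 'static (real,mapped) tcp|udp <mapped> <mport> <real> <rport> ...'; else None."""
    t = line.split()
    if len(t) < 7 or t[0] != "static" or t[2] not in ("tcp", "udp"):
        return None
    return {"proto": t[2], "mapped": t[3], "mapped_port": t[4],
            "real": t[5], "real_port": t[6], "line": line}


def source_port_restricted(entry):
    """True when the entry only matches packets sent from a fixed source port."""
    return entry["src_port"] is not None


def strip_source_port(entry):
    """Rewrite an entry without its source-port qualifier (the usual remediation)."""
    parts = ["access-list", entry["name"], entry["action"], entry["proto"],
             entry["src"], entry["dst"]]
    if entry["dst_port"]:
        parts.append(entry["dst_port"])
    return " ".join(parts)


def _dst_covers(acl_dst, static_mapped):
    """Does the ACL destination include the static's mapped address?"""
    if acl_dst == "any":
        return True
    if static_mapped == "interface":  # static maps to the interface address
        return acl_dst.startswith("interface ")
    return acl_dst == f"host {static_mapped}"


def lint(config_lines):
    """Return source-port-restricted entries and statics lacking a usable permit."""
    acls = [e for e in map(parse_acl, config_lines) if e]
    statics = [s for s in map(parse_static, config_lines) if s]
    unusable = [e["line"] for e in acls if source_port_restricted(e)]
    usable = [e for e in acls if e["action"] == "permit" and not source_port_restricted(e)]
    uncovered = [s["mapped_port"] for s in statics
                 if not any(e["proto"] == s["proto"] and _dst_covers(e["dst"], s["mapped"])
                            and e["dst_port"] in (None, f"eq {s['mapped_port']}")
                            for e in usable)]
    return {"unusable_acls": unusable, "statics_without_usable_acl": uncovered}


# Sample input: the relevant lines copied from the configuration posted in the thread.
POSTED_CONFIG = [
    "access-list outside_access_in permit tcp any eq www interface outside eq www",
    "access-list outside_access_in permit tcp any eq https interface outside eq https",
    "access-list outside_access_in permit tcp any eq smtp interface outside eq smtp",
    "access-list outside_access_in permit icmp any any echo-reply",
    "access-list inside_access_in permit ip LAN 255.255.255.0 any",
    "static (inside,outside) tcp interface www Web-Exch-Server www netmask 255.255.255.255 0 0",
    "static (inside,outside) tcp interface https Web-Exch-Server https netmask 255.255.255.255 0 0",
    "static (inside,outside) tcp interface smtp Web-Exch-Server smtp netmask 255.255.255.255 0 0",
]
# Corrected pop3 rule (this example's suggestion): no source-port qualifier.
FIXED_POP3 = [
    "access-list outside_access_in permit tcp any interface outside eq pop3",
    "static (inside,outside) tcp interface pop3 Web-Exch-Server pop3 netmask 255.255.255.255 0 0",
]

if __name__ == "__main__":
    for label, cfg in (("as posted", POSTED_CONFIG), ("with pop3 fix", POSTED_CONFIG + FIXED_POP3)):
        print(label, lint(cfg))
    for line in POSTED_CONFIG:
        entry = parse_acl(line)
        if entry and source_port_restricted(entry):
            print("suggested rewrite:", strip_source_port(entry))
```

Run against the posted lines, the linter reports all three tcp entries as unusable and all three statics (www, https, smtp) as lacking a usable permit; with the corrected pop3 pair added, pop3 is the only redirection that passes. The same check is worth running on any PDM-generated access list, since the GUI's source/destination port fields make this mistake easy to produce.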



_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

