Cisco PIX 605 help needed

Booty

Senior member
Aug 4, 2000
977
0
0
First off, disclaimer: I have no idea what I'm talking about. This stuff is way over my head and I'm just trying to relay the message and help get some answers.

I'm posting this message on behalf of a friend who's trying to get a 605 configured for a local business... someone set this thing up for them a while back but now the business can't get ahold of them to help configure it for their new server.

Basically, he's just looking to open up port 25 since they're hosting their own email and such now.

The web interface for the device doesn't seem to be working... how would one normally access this? Again, I'm not the one working with it, so I don't know what he's tried, so I'll pass on any info you've got and come back and let you know the outcome or if he's tried it.

So anyway, he's using the other interface... I don't know if you'd call it command-line or what... it looked kinda like *nix to me, but anyway... he's apparently tried a few commands he found in documentation but nothing's worked. Can anyone help with this, or point to some good documentation (that might be geared a little more towards a Cisco-newbie)? Thanks a bunch...
 

MysticLlama

Golden Member
Sep 19, 2000
1,003
0
0
A PIX 506? Or is there some new one out that I didn't hear about?

What you need to pass mail are a few different rules.

You need a NAT rule to make an outside IP = an inside IP
static (inside,outside) real_ip_here inside_ip_here netmask 255.255.255.255 0 0

Then you'll need an access rule to let through port 25 traffic
access-list outside_access_in permit tcp any host real_ip_here eq smtp

If it's an Exchange server, you can't use SMTP fixup (at least on the version of the software I have)
no fixup protocol smtp 25

To get the web interface working you need to look at a couple of commands
http server enable
http internal_ip_network internal_ip_address_mask inside
 

Booty

Senior member
Aug 4, 2000
977
0
0
It is, indeed, an Exchange server. Thank God someone replied... my friend had me going through documentation and I didn't have the first clue where to start with this stuff without having the thing in front of me. I'll pass on the info. If anyone has anything else to add, that's great too.

Oh, and he said 605. I'll see if he's dyslexic.
 

MysticLlama

Golden Member
Sep 19, 2000
1,003
0
0
Yeah, if you have an Exchange server and don't know to turn off the SMTP fixup you can really be beating your head against a wall.
 

Booty

Senior member
Aug 4, 2000
977
0
0
I'll know by later this afternoon whether this worked or not... thanks again for the replies
 

Booty

Senior member
Aug 4, 2000
977
0
0
Okay, it's a PIX 501... does that change anything?

Those commands didn't seem to work... right now the server's able to connect to the net, but no one else on the network can, and Exchange still doesn't function. Again, I hope I'm not losing too much in the translation...

Is there an easy way to just reset the default configuration for this thing and then to just set it up from there?
 

MysticLlama

Golden Member
Sep 19, 2000
1,003
0
0
If only the server is getting on to the net, you probably have a single NAT and not a PAT. NAT is a one to one relationship from inside to outside IP, PAT allows many inside machines to use one outside IP.

To set a PAT address, do this:

global (outside) 1 interface

That will set up a PAT to the outside interface IP address.
 

Booty

Senior member
Aug 4, 2000
977
0
0
Okay, I was searching the web for him (it sure helps to search with the correct model number) and came upon these two sites, which were pretty relevant...

link
link

So between what you've been posting and those two sites, it's up as far as everyone can get to the net, and mail goes out... but mail still doesn't come in (like the one guy on one of those links). It's still using NAT (as far as I know)... will the command in your most recent post affect the mail issue? Other than that, it's working.

Oh, and one other thing... trying to access the PIX from outside the network isn't working... is that tough to get up and going?

I'm going to post the config he sent me... I think he changed any relevant lines as far as hiding true IP's, but if he missed any, please tell me so I can edit it... like I said, mail goes out, but doesn't come in... other than that, all is well.

Config:
------------------------------------------------

router> en
Password: ******
router# e show run
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password BTqL4q3Xo/2QNA.g encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname router
domain-name MYDOMAIN.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.0.2 mail.MYDOMAIN.com
access-list permit_mail permit tcp any eq smtp host <outside ip address here> eq smtp
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside <outside ip address here> 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location mail.MYDOMAIN.com 255.255.255.255 inside
pdm location 192.168.0.44 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 <outside ip address here>
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp <outside ip address here> smtp mail.MYDOMAIN.com smtp netmask 255.255.255.255 0 0
access-group permit_mail in interface outside
route outside 0.0.0.0 0.0.0.0 66.207.1.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http mail.MYDOMAIN.com 255.255.255.255 inside
http 192.168.0.44 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:2d6fd1d3ae039652c39ed9646f405af4
: end
router#
 

Dark

Senior member
Oct 24, 1999
639
0
0
Forget it dude...I tried to set up that for a company last year and unless something changed it's not possible :)
I worked it out with the Cisco TAC. We ended up opening all UDP and TCP to the Exchange server which is not something I am comfortable with (almost as if it's sitting directly on the internet but for icmp)... Now I dunno if Cisco updated their fixup but the version was 6.1 and it wasn't doable. There is a white paper on the Cisco website about doing it with a mail proxy...msg me if you need it.
It doesn't matter what Pix model it is...
 

Dark

Senior member
Oct 24, 1999
639
0
0
Another thing you could do (I did not have time) is to have a drop with log at the end of your access-list and check what your clients are trying to do to your Exchange...then you can open those specific ports to your mail server
 

MysticLlama

Golden Member
Sep 19, 2000
1,003
0
0
I'm really confused with this line:

static (inside,outside) tcp <outside ip address here> smtp mail.MYDOMAIN.com smtp netmask 255.255.255.255 0 0
I think it's because he's using the PDM to name stuff, and that makes it harder to read when you don't know the thought behind it.

Just make it:
static (inside,outside) <outside ip address here> <inside address here> netmask 255.255.255.255 0 0
Those extra things about ports and stuff aren't necessary, you control the traffic with the access-lists, not the NATs

access-list permit_mail permit tcp any eq smtp host <outside ip address here> eq smtp
access-group permit_mail in interface outside

You'll want to change your access-list to something more like this:

access-list permit_mail permit tcp any host <outside ip address here> eq smtp

You're limiting the port on the other end to be 25, and with NAT and PAT going on other places it may not be coming from there, but it's aiming for your port 25, so it's okay.

Dark:
Pushing SMTP through the firewall to an Exchange Server works just fine with SMTP fixup turned off, it sounds like you were trying to get an Exchange server running on the DMZ and have it communicating with the DCs, which is a different problem. I know that allowing 25 through to an Exchange server works, because I have it working in 3 locations.
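To make the points in the last few posts concrete (the access-list that pins the source port to 25, the static for the mail host, the SMTP fixup, and the NAT/PAT pool for outbound clients), here is an added lint script that is not from the thread or from Cisco. It runs over a constructed PIX 6.x config shaped like the one Booty posted, with documentation-range placeholder addresses, and reports each of those conditions plus the factory-default SNMP community that config still carries.

```python
import re

# Constructed sample, modelled on the config posted in this thread (addresses
# are documentation-range placeholders, not the poster's real values).
SAMPLE_CONFIG = """\
PIX Version 6.3(1)
no fixup protocol smtp 25
name 192.168.0.2 mail.MYDOMAIN.com
access-list permit_mail permit tcp any eq smtp host 203.0.113.10 eq smtp
global (outside) 1 203.0.113.10
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 203.0.113.10 smtp mail.MYDOMAIN.com smtp netmask 255.255.255.255 0 0
access-group permit_mail in interface outside
snmp-server community public
"""

SOURCE_PORT_ACL = re.compile(r"^(access-list \S+ permit tcp any) eq \S+ (host \S+ eq \S+)$")

def fix_source_port_acl(line: str) -> str:
    """Drop the 'eq smtp' that pins the *source* port; remote mail servers
    connect from ephemeral ports, so that clause silently blocks inbound mail."""
    m = SOURCE_PORT_ACL.match(line.strip())
    return f"{m.group(1)} {m.group(2)}" if m else line

def check_smtp_publish(config: str) -> dict:
    """Lint a PIX 6.x 'show run' for the mistakes discussed in the thread.
    Each key maps to True when the problem is present."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    acls, bound = set(), set()
    for l in lines:
        if m := re.match(r"access-list (\S+) permit", l):
            acls.add(m.group(1))
        if m := re.match(r"access-group (\S+) in interface outside", l):
            bound.add(m.group(1))
    return {
        # ACL matches on source port 25 as well as destination port 25
        "acl_restricts_source_port": any(SOURCE_PORT_ACL.match(l) for l in lines),
        # an access-list that is never applied with access-group does nothing
        "acl_not_applied_outside": not (acls & bound),
        # inbound mail needs a static translation to the inside mail host
        "no_static_for_mail_host": not any(l.startswith("static (inside,outside)") for l in lines),
        # thread advice for Exchange behind PIX 6.x: turn the SMTP fixup off
        "smtp_fixup_enabled": "no fixup protocol smtp 25" not in lines,
        # outbound clients need a global pool matching nat (inside) id 1
        "no_outbound_translation": not (any(l.startswith("global (outside) 1 ") for l in lines)
                                        and any(l.startswith("nat (inside) 1 ") for l in lines)),
        # factory-default read community left in place
        "default_snmp_community": "snmp-server community public" in lines,
    }
```

Run `check_smtp_publish` on a pasted `show run` and apply `fix_source_port_acl` to any flagged access-list line to get the form MysticLlama recommends.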
 

Dark

Senior member
Oct 24, 1999
639
0
0
I wasn't trying to set it on the DMZ. Allowing smtp through the pix without the fixup would not allow the exchange client to use their features (checking the addresses against the exchange server and other goodies). The exchange client would not be able to log in to check their email also...
 

MysticLlama

Golden Member
Sep 19, 2000
1,003
0
0
So you were trying to have the outlook client on the outside of the firewall and the Exchange server on the inside?

Interesting setup.

I always use VPN or OWA for outside clients.
 

Dark

Senior member
Oct 24, 1999
639
0
0
Originally posted by: MysticLlama
So you were trying to have the outlook client on the outside of the firewall and the Exchange server on the inside?

Interesting setup.

I always use VPN or OWA for outside clients.

I don't remember if they were using outlook but yes that was the thing. It was temporary so the customer did not want to invest in VPN.
 

Booty

Senior member
Aug 4, 2000
977
0
0
Originally posted by: MysticLlama
I'm really confused with this line:

static (inside,outside) tcp <outside ip address here> smtp mail.MYDOMAIN.com smtp netmask 255.255.255.255 0 0
I think it's because he's using the PDM to name stuff, and that makes it harder to read when you don't know the thought behind it.

Just make it:
static (inside,outside) <outside ip address here> <inside address here> netmask 255.255.255.255 0 0
Those extra things about ports and stuff aren't necessary, you control the traffic with the access-lists, not the NATs

access-list permit_mail permit tcp any eq smtp host <outside ip address here> eq smtp
access-group permit_mail in interface outside

You'll want to change your access-list to something more like this:

access-list permit_mail permit tcp any host <outside ip address here> eq smtp

You're limiting the port on the other end to be 25, and with NAT and PAT going on other places it may not be coming from there, but it's aiming for your port 25, so it's okay.

I passed on this information... because I'm in the middle of this, though, I'm trying to get a better understanding... it seemed like when he used that generic inside/outside line, that was when the internet broke for the rest of the workstations. I'm pretty new to a lot of this stuff, so I guess I'm confused as to how you would make the pix point at two different servers... say a mail server and a webserver that were running on different actual machines. What do you point the inside address to at that point if you don't specify a port? I'm extremely confused by this whole thing... damn my inquisitive nature. I wish I didn't care how stuff worked, heh.

 

MysticLlama

Golden Member
Sep 19, 2000
1,003
0
0
Well, the NAT line isn't meant to let you point to a different webserver vs. mailserver, that was never asked before and you were just trying to get mail working.

I was just trying to eliminate possibilities of places where it may not be working so you could get the mailserver up and running.

You can do port translation with NAT, I just didn't see a reason to be putting it in there and complicating matters when there didn't seem to be a reason.
 

Booty

Senior member
Aug 4, 2000
977
0
0
No, that's cool... there isn't a webserver or anything, and I doubt there ever would be a need for one at this particular location... that was just more a question of curiosity than anything. You know, in case that scenario did come up. I appreciate all your help... I'll let you know if he gets this thing set up. Thanks again.