Velocity Reviews - Computer Hardware Reviews

PPTP Pass Through Problems

 
 
paul tomlinson
 
      11-07-2003
Hi guys, I have a Cisco PIX configured to work with my leased line, and
am lucky enough to have 254 usable IP addresses (I don't think I need
them for this solution but thought I should mention it). I am trying to
configure the PIX to send any SMTP and PPTP traffic destined to
a.a.a.a to the local SMTP server 172.17.135.100; that way I can
authenticate my remote users with my Windows 2000 server instead of
authenticating to the PIX. I have an Exchange server sitting on the same
IP I am using for PPTP.

Two problems: neither the port 25 mapping nor the VPN connection seems
to work. When I try to telnet, the ports just close straight away -
this points to the access-lists / PIX config. If I telnet from the
local LAN I get a response on 25 and the screen sits there on 1723
(as expected).

Any chance you guys could have a look through and put me in the right
direction? I am running IOS 6.3(1).


interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list out-acl permit icmp any any echo-reply
access-list out-acl permit icmp any any unreachable
access-list out-acl permit icmp any any time-exceeded
access-list out-acl permit icmp any any source-quench
access-list out-acl permit icmp any any parameter-problem
access-list out-acl permit tcp any any eq ssh
access-list out-acl permit tcp any any eq pop3
access-list out-acl permit gre host a.a.a.a any
access-list out-acl permit tcp host a.a.a.a any eq pptp
access-list acl100 permit tcp 172.17.135.0 255.255.255.0 any eq www
access-list acl100 permit tcp 172.17.135.0 255.255.255.0 any eq https
access-list acl100 permit tcp 172.17.135.0 255.255.255.0 any eq smtp
access-list acl100 permit icmp 172.17.135.0 255.255.255.0 any
access-list acl100 permit tcp 172.17.135.0 255.255.255.0 any eq domain
access-list acl100 permit udp 172.17.135.0 255.255.255.0 any eq domain
access-list acl100 permit udp 172.17.135.0 255.255.255.0 any eq ntp
access-list acl100 permit tcp 172.17.135.0 255.255.255.0 any eq ssh
access-list acl100 permit tcp 172.17.135.0 255.255.255.0 any eq telnet
access-list acl100 permit tcp 172.17.135.0 255.255.255.0 any eq pop3
access-list acl100 permit tcp any any eq ssh
access-list acl100 permit tcp 172.17.135.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list acl100 permit udp 172.17.135.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list acl100 permit icmp 172.17.135.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list acl100 permit tcp any any eq smtp
access-list 101 permit ip 172.17.135.0 255.255.255.0 172.17.150.0 255.255.255.0
pager lines 24
logging console debugging
mtu outside 1500
mtu inside 1500
ip address outside b.b.b.b 255.255.255.0
ip address inside 172.17.135.230 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool 172.17.150.230-172.17.150.240
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) a.a.a.a 172.17.135.100 netmask 255.255.255.255 0 0
access-group out-acl in interface outside
access-group acl100 in interface inside
route outside 0.0.0.0 0.0.0.0 c.c.c.c 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
telnet 0.0.0.0 0.0.0.0 inside
telnet 172.17.135.0 255.255.255.0 inside
telnet timeout 25
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 25
console timeout 0
dhcpd ping_timeout 750
terminal width 80
 
Walter Roberson
 
      11-07-2003
In article < >,
paul tomlinson <> wrote:
: I am trying to
:configure the PIX to send any smtp and pptp traffic destined to
:a.a.a.a to the local smtp server 172.17.135.100,

:Two problems, neither the port 25 mapping or the VPN connection seem
:to work, when i try to telnet the ports just closes straight away -

:i am running IOS 6.3(1)

:access-list out-acl permit icmp any any echo-reply
:access-list out-acl permit icmp any any unreachable
:access-list out-acl permit icmp any any time-exceeded
:access-list out-acl permit icmp any any source-quench
:access-list out-acl permit icmp any any parameter-problem
:access-list out-acl permit tcp any any eq ssh
:access-list out-acl permit tcp any any eq pop3
:access-list out-acl permit gre host a.a.a.a any
:access-list out-acl permit tcp host a.a.a.a any eq pptp

Your out-acl, which you apply against the outside interface,
isn't permitting smtp in to a.a.a.a.

:sysopt connection permit-pptp

That applies only to pptp traffic that terminates at the PIX.

:access-list acl100 permit tcp 172.17.135.0 255.255.255.0 any eq www
:access-list acl100 permit tcp 172.17.135.0 255.255.255.0 any eq https
:access-list acl100 permit tcp 172.17.135.0 255.255.255.0 any eq smtp
:access-list acl100 permit icmp 172.17.135.0 255.255.255.0 any
:access-list acl100 permit tcp 172.17.135.0 255.255.255.0 any eq domain
:access-list acl100 permit udp 172.17.135.0 255.255.255.0 any eq domain
:access-list acl100 permit udp 172.17.135.0 255.255.255.0 any eq ntp
:access-list acl100 permit tcp 172.17.135.0 255.255.255.0 any eq ssh
:access-list acl100 permit tcp 172.17.135.0 255.255.255.0 any eq telnet
:access-list acl100 permit tcp 172.17.135.0 255.255.255.0 any eq pop3
:access-list acl100 permit tcp any any eq ssh
:access-list acl100 permit tcp 172.17.135.0 255.255.255.0 192.168.1.0 255.255.255.0
:access-list acl100 permit udp 172.17.135.0 255.255.255.0 192.168.1.0 255.255.255.0
:access-list acl100 permit icmp 172.17.135.0 255.255.255.0 192.168.1.0 255.255.255.0
:access-list acl100 permit tcp any any eq smtp

You have acl100 applied against the inside interface. You do not,
though, permit out gre traffic. I am not sure whether that is
important: I don't know whether adaptive security would automatically
permit the return traffic or not.

:access-list 101 permit ip 172.17.135.0 255.255.255.0 172.17.150.0 255.255.255.0
:ip address inside 172.17.135.230 255.255.255.0
:ip local pool pptp-pool 172.17.150.230-172.17.150.240
:nat (inside) 0 access-list 101
:static (inside,outside) a.a.a.a 172.17.135.100 netmask 255.255.255.255 0 0

If you are telnetting to a.a.a.a then you are doing so outside
of the pptp tunnel and you have to permit the smtp inward as previously
noted.

To telnet to the smtp port inside of the pptp tunnel that you
are passing through the PIX, you would have to telnet to the
inside address, 172.17.135.100, because you've exempted that
connection from translation by using the nat 0 access-list.
--
What is "The Ultimate Meme"? Would it, like Monty Python's
"The World's Funniest Joke", lead to the deaths of everyone who
encountered it? Ideas *have* led to the destruction of entire cultures.
-- A Child's Garden Of Memes
 
paul tomlinson
 
      11-08-2003
Walter, thanks for your help on this one. I've made the following
changes:

access-list out-acl permit tcp host a.a.a.a any eq 25
no sysopt connection permit-pptp
access-list acl100 permit gre any any

When telnetting I'm telnetting to the outside IP a.a.a.a, as I am
trying to configure an Exchange server with an SMTP feed behind the
PIX, on the separate IP. If I am wasting my time and you think it
would be easier to just use port 25 off the NAT'd IP or even off the
PIX firewall IP then let me know.

Thanks again for your help - really appreciated.


(Walter Roberson) wrote in message news:<bogn79$11k$>...
> In article < >,
> paul tomlinson <> wrote:
> : I am trying to
> :configure the PIX to send any smtp and pptp traffic destined to
> :a.a.a.a to the local smtp server 172.17.135.100,
>
> :Two problems, neither the port 25 mapping or the VPN connection seem
> :to work, when i try to telnet the ports just closes straight away -
>
> :i am running IOS 6.3(1)
>
> :access-list out-acl permit icmp any any echo-reply
> :access-list out-acl permit icmp any any unreachable
> :access-list out-acl permit icmp any any time-exceeded
> :access-list out-acl permit icmp any any source-quench
> :access-list out-acl permit icmp any any parameter-problem
> :access-list out-acl permit tcp any any eq ssh
> :access-list out-acl permit tcp any any eq pop3
> :access-list out-acl permit gre host a.a.a.a any
> :access-list out-acl permit tcp host a.a.a.a any eq pptp
>
> Your out-acl, which you apply against the outside interface,
> isn't permitting smtp in to a.a.a.a.
>
> :sysopt connection permit-pptp
>
> That applies only to pptp traffic that terminates at the PIX.
>
> :access-list acl100 permit tcp 172.17.135.0 255.255.255.0 any eq www
> :access-list acl100 permit tcp 172.17.135.0 255.255.255.0 any eq https
> :access-list acl100 permit tcp 172.17.135.0 255.255.255.0 any eq smtp
> :access-list acl100 permit icmp 172.17.135.0 255.255.255.0 any
> :access-list acl100 permit tcp 172.17.135.0 255.255.255.0 any eq domain
> :access-list acl100 permit udp 172.17.135.0 255.255.255.0 any eq domain
> :access-list acl100 permit udp 172.17.135.0 255.255.255.0 any eq ntp
> :access-list acl100 permit tcp 172.17.135.0 255.255.255.0 any eq ssh
> :access-list acl100 permit tcp 172.17.135.0 255.255.255.0 any eq telnet
> :access-list acl100 permit tcp 172.17.135.0 255.255.255.0 any eq pop3
> :access-list acl100 permit tcp any any eq ssh
> :access-list acl100 permit tcp 172.17.135.0 255.255.255.0 192.168.1.0 255.255.255.0
> :access-list acl100 permit udp 172.17.135.0 255.255.255.0 192.168.1.0 255.255.255.0
> :access-list acl100 permit icmp 172.17.135.0 255.255.255.0 192.168.1.0 255.255.255.0
> :access-list acl100 permit tcp any any eq smtp
>
> You have acl100 applied against the inside interface. You do not,
> though, permit out gre traffic. I am not sure whether that is
> important: I don't know whether adaptive security would automatically
> permit the return traffic or not.
>
> :access-list 101 permit ip 172.17.135.0 255.255.255.0 172.17.150.0 255.255.255.0
> :ip address inside 172.17.135.230 255.255.255.0
> :ip local pool pptp-pool 172.17.150.230-172.17.150.240
> :nat (inside) 0 access-list 101
> :static (inside,outside) a.a.a.a 172.17.135.100 netmask 255.255.255.255 0 0
>
> If you are telnetting to a.a.a.a then you are doing so outside
> of the pptp tunnel and you have to permit the smtp inward as previously
> noted.
>
> To telnet to the smtp port inside of the pptp tunnel that you
> are passing through the PIX, you would have to telnet to the
> inside address, 172.17.135.100, because you've exempted that
> connection from translation by using the nat 0 access-list.

Walter Roberson
 
      11-09-2003
In article <>,
paul tomlinson <> wrote:
:Walter thanks for your help on this one i've made the following
:changes

:access-list out-acl permit tcp host a.a.a.a any eq 25

That should be

access-list out-acl permit tcp any host a.a.a.a eq 25

if you want outside hosts to be able to connect to tcp port 25 of a.a.a.a
--
"WHEN QUINED, YIELDS A TORTOISE'S LOVE-SONG"
WHEN QUINED, YIELDS A TORTOISE'S LOVE-SONG. (GEB)
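The two answers above turn on the same point: in a PIX access-list entry the first address is the source, the second is the destination, and `eq PORT` qualifies the destination, so `permit tcp host a.a.a.a any eq 25` describes a.a.a.a *initiating* a connection and never matches an outside host connecting *to* a.a.a.a. The following Python is an added example, not code from the thread or from Cisco: a toy first-match evaluator for the PIX 6.x entry syntax used in the post, run over the original out-acl, the first attempted fix, and the corrected entry (with the same source/destination swap also applied to the GRE and PPTP entries, which is what the final post reports fixed PPTP). The addresses 203.0.113.10 (standing in for a.a.a.a) and 198.51.100.7 (a remote user) are constructed placeholders; the evaluator assumes the outside ACL is matched against the global address, as it is on PIX 6.x, and does not model ICMP type keywords, the stateful return-traffic handling, or the nat 0 exemption.

```python
"""Toy evaluator for PIX 6.x-style access-list entries (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Constructed placeholders (RFC 5737 test ranges): the thread's a.a.a.a, i.e. the
# static/global address of the SMTP+PPTP host, and a remote user on the Internet.
A_A_A_A = "203.0.113.10"
OUTSIDE_CLIENT = "198.51.100.7"

# Service names the thread's rules use, mapped to the ports PIX resolves them to.
PORT_NAMES = {"ssh": 22, "pop3": 110, "pptp": 1723, "smtp": 25, "www": 80,
              "https": 443, "domain": 53, "ntp": 123, "telnet": 23}


@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip", "tcp", "udp", "gre", "icmp"
    src: ipaddress.IPv4Network      # first address spec = SOURCE
    dst: ipaddress.IPv4Network      # second address spec = DESTINATION
    dport: Optional[int]            # "eq PORT" applies to the DESTINATION port


def _parse_addr(t: Sequence[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one PIX address spec (any | host A | NET MASK) starting at t[i]."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    # PIX takes an ordinary subnet mask here, not an IOS-style wildcard mask.
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Tuple[str, Ace]:
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]'."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list entry: {line}")
    name, action, proto = t[1], t[2], t[3]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    # Trailing ICMP type keywords (echo-reply, unreachable, ...) are not modelled.
    return name, Ace(action, proto, src, dst, dport)


def build_acl(lines: Sequence[str], name: str) -> List[Ace]:
    """Collect the entries of one named list, preserving configured order."""
    return [ace for n, ace in map(parse_ace, lines) if n == name]


def evaluate(acl: Sequence[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


# out-acl from the original post, with a.a.a.a substituted by the placeholder.
ORIGINAL_OUT_ACL = [
    "access-list out-acl permit icmp any any echo-reply",
    "access-list out-acl permit icmp any any unreachable",
    "access-list out-acl permit icmp any any time-exceeded",
    "access-list out-acl permit icmp any any source-quench",
    "access-list out-acl permit icmp any any parameter-problem",
    "access-list out-acl permit tcp any any eq ssh",
    "access-list out-acl permit tcp any any eq pop3",
    f"access-list out-acl permit gre host {A_A_A_A} any",
    f"access-list out-acl permit tcp host {A_A_A_A} any eq pptp",
]
# First attempt from the follow-up post: a.a.a.a in the SOURCE position.
FIRST_ATTEMPT = f"access-list out-acl permit tcp host {A_A_A_A} any eq 25"
# The correction (a.a.a.a as DESTINATION), plus the same swap for GRE and PPTP.
CORRECTED = [
    f"access-list out-acl permit tcp any host {A_A_A_A} eq 25",
    f"access-list out-acl permit gre any host {A_A_A_A}",
    f"access-list out-acl permit tcp any host {A_A_A_A} eq pptp",
]


def inbound_decision(rules: Sequence[str], proto: str,
                     dport: Optional[int] = None) -> str:
    """Decision for a packet arriving on the outside interface from the remote
    user to a.a.a.a. On PIX 6.x the outside ACL is matched against the global
    (static) address, which is why the entries name a.a.a.a, not 172.17.135.100."""
    return evaluate(build_acl(rules, "out-acl"), proto, OUTSIDE_CLIENT, A_A_A_A, dport)


if __name__ == "__main__":
    for label, rules in [("original", ORIGINAL_OUT_ACL),
                         ("first attempt", ORIGINAL_OUT_ACL + [FIRST_ATTEMPT]),
                         ("corrected", ORIGINAL_OUT_ACL + CORRECTED)]:
        print(f"{label:14} smtp={inbound_decision(rules, 'tcp', 25)} "
              f"pptp={inbound_decision(rules, 'tcp', 1723)} "
              f"gre={inbound_decision(rules, 'gre')}")
```

Running it shows the original list and the first attempt both dropping inbound SMTP, PPTP control (tcp/1723) and GRE at the implicit deny, while the corrected entries permit all three; the ssh and pop3 entries, which already use `any any`, match in every variant. The same reading applies to the GRE and PPTP entries in the original out-acl, which is why swapping their source and destination cleared the PPTP problem as well as the SMTP one.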
paul tomlinson
 
      11-09-2003
Well, it didn't fix my SMTP issue but the same thing fixed my PPTP problem,
so PPTP is all sorted. I think SMTP may be configured to accept
connections from only one IP address - I will need to look into it.

Thanks again for all your help.

Paul

(Walter Roberson) wrote in message news:<bokg4h$nik$>...
> In article <>,
> paul tomlinson <> wrote:
> :Walter thanks for your help on this one i've made the following
> :changes
>
> :access-list out-acl permit tcp host a.a.a.a any eq 25
>
> That should be
>
> access-list out-acl permit tcp any host a.a.a.a eq 25
>
> if you want outside hosts to be able to connect to tcp port 25 of a.a.a.a
