Cisco 515E setup

Discussion in 'Cisco' started by geewiz, Feb 15, 2005.

  1. geewiz

    geewiz Guest

    I have a config here but everything is not working the way I need it
    to.

    1) Users make MS-VPN (PPTP) connection to site internal Win2003 host
    (name=dns1)
    this does not work the way I have it
    I have acl for 1723/tcp and gre, acl-group and static

    2) SMTP is Exchange 2003 host inside (name=email)
    this works outbound but not inbound
    I have "no fixup" for smtp
    I have acl for smtp, acl-group and static

    3) Outlook Web Access is allowed from the world (I know, I know)
    this does not work
    I have acl for 9090, 20000 and 20001, acl-group and static

    The service network has a loopback only and I am setting the ACLs and
    stuff in advance.

    I am not 100% sure of static statements.

    I only have one external ip address (yy.yy.yy.yy).

    Any help would be appreciated.

    begin "sho runn"

    sho runn
    : Saved
    :
    PIX Version 6.3(4)
    interface ethernet0 100full
    interface ethernet1 100full
    interface ethernet2 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 service security50
    enable password EiQBnSVGNNsNqN69 encrypted
    passwd kUKNsfvh5WzbVbbE encrypted
    hostname area51
    domain-name zzz.net
    clock timezone CST -6
    clock summer-time CDT recurring
    fixup protocol dns
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol icmp error
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 192.168.1.94 email
    name 192.168.1.200 dns1
    name 192.168.1.201 dns2
    name 10.9.8.21 ftpserver
    name 10.9.8.53 authdns2
    name xx.xx.228.138 prodmail
    access-list outside permit icmp any any echo-reply
    access-list outside permit icmp any any time-exceeded
    access-list outside permit icmp any any unreachable
    access-list outside permit tcp any host yy.yy.yy.yy eq smtp
    access-list outside permit tcp host prodmail host yy.yy.yy.yy eq pop3
    access-list outside permit tcp any host yy.yy.yy.yy eq 9090
    access-list outside permit udp any host yy.yy.yy.yy eq 9090
    access-list outside permit tcp any host yy.yy.yy.yy range 20000 20001
    access-list outside permit udp any host yy.yy.yy.yy range 20000 20001
    access-list outside permit udp any host yy.yy.yy.yy eq domain
    access-list outside permit tcp any host yy.yy.yy.yy eq domain
    access-list outside permit udp any host dns1 eq domain
    access-list outside permit udp any host dns2 eq domain
    access-list outside permit gre any host dns1
    access-list outside permit tcp any host dns1 eq pptp
    access-list tunnel permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list service permit tcp any host ftpserver eq ftp
    access-list service permit tcp any host authdns2 eq domain
    access-list service permit udp any host authdns2 eq domain
    pager lines 24
    logging on
    logging timestamp
    logging monitor debugging
    logging buffered debugging
    logging trap debugging
    logging facility 23
    logging queue 8094
    icmp permit any echo-reply outside
    icmp permit any echo outside
    icmp permit 192.168.1.0 255.255.255.0 inside
    icmp permit any echo inside
    icmp permit any echo-reply inside
    mtu outside 1500
    mtu inside 1500
    mtu service 1500
    ip address outside yy.yy.yy.yy 255.255.255.252
    ip address inside 192.168.1.1 255.255.255.0
    ip address service 10.9.8.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool bigpool 192.168.1.214-192.168.1.249
    no pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list tunnel
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    nat (service) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface smtp email smtp netmask 255.255.255.255 0 0
    static (inside,outside) tcp prodmail pop3 email pop3 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 9090 email 9090 netmask 255.255.255.255 0 0
    static (inside,outside) udp interface 9090 email 9090 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 20000 email 20000 netmask 255.255.255.255 0 0
    static (inside,outside) udp interface 20000 email 20000 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 20001 email 20001 netmask 255.255.255.255 0 0
    static (inside,outside) udp interface 20001 email 20001 netmask 255.255.255.255 0 0
    static (service,outside) tcp interface ftp ftpserver ftp netmask 255.255.255.255 0 0
    static (service,outside) tcp interface domain authdns2 domain netmask 255.255.255.255 0 0
    static (service,outside) udp interface domain authdns2 domain netmask 255.255.255.255 0 0
    access-group outside in interface outside
    access-group service in interface service
    route outside 0.0.0.0 0.0.0.0 66.37.239.13 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    snmp-server location 10842_Farnam_Dr
    snmp-server contact
    snmp-server community not_known
    snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set goliath esp-3des esp-md5-hmac
    crypto map whse_map 1 ipsec-isakmp
    crypto map whse_map 1 match address tunnel
    crypto map whse_map 1 set peer qq.qq.qq.qq
    crypto map whse_map 1 set transform-set goliath
    isakmp enable outside
    isakmp key ******** address qq.qq.qq.qq netmask 255.255.255.255
    isakmp policy 1 authentication pre-share
    isakmp policy 1 encryption 3des
    isakmp policy 1 hash md5
    isakmp policy 1 group 1
    isakmp policy 1 lifetime 1000
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh dd.dd.dd.dd 255.255.255.255 outside
    ssh 192.168.1.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    terminal width 80
    Cryptochecksum:3812dd63622b50ca883e2fdca5ea25f5
    : end
    geewiz, Feb 15, 2005
    #1
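    The posted config can be cross-checked mechanically: every entry in the "outside" access list must name a destination the PIX actually publishes on its outside interface, i.e. the interface address (or another global address) together with a matching static. The checker below is an added example, not code from the thread or from Cisco. It parses the poster's name, access-list and static lines (a subset copied from the config above; the masked addresses yy.yy.yy.yy and xx.xx.228.138 are replaced by the documentation addresses 203.0.113.2 and 198.51.100.138, which is an assumption) and reports two classes of mismatch: outside ACL entries whose destination is an RFC 1918 inside address (the dns1/dns2 entries for GRE, PPTP and DNS, which cannot match traffic arriving from the Internet because nothing publishes those addresses), and TCP/UDP entries whose destination has no static for that protocol and port (the pop3 entry, because the pop3 static uses prodmail rather than interface as its global address). It also lists statics whose global address never appears as an outside ACL destination.

```python
"""Cross-check a PIX 6.3 outside ACL against its static translations (added example)."""
import ipaddress
import re

# Constructed sample: lines copied from the thread's config, with the masked outside
# address (yy.yy.yy.yy) and prodmail (xx.xx.228.138) replaced by documentation
# addresses 203.0.113.2 and 198.51.100.138. That substitution is an assumption.
OUTSIDE_IP = "203.0.113.2"
SAMPLE_CONFIG = """
name 192.168.1.94 email
name 192.168.1.200 dns1
name 192.168.1.201 dns2
name 10.9.8.21 ftpserver
name 10.9.8.53 authdns2
name 198.51.100.138 prodmail
access-list outside permit icmp any any echo-reply
access-list outside permit tcp any host 203.0.113.2 eq smtp
access-list outside permit tcp host prodmail host 203.0.113.2 eq pop3
access-list outside permit tcp any host 203.0.113.2 eq 9090
access-list outside permit tcp any host 203.0.113.2 range 20000 20001
access-list outside permit udp any host 203.0.113.2 eq domain
access-list outside permit tcp any host 203.0.113.2 eq domain
access-list outside permit udp any host dns1 eq domain
access-list outside permit udp any host dns2 eq domain
access-list outside permit gre any host dns1
access-list outside permit tcp any host dns1 eq pptp
static (inside,outside) tcp interface smtp email smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp prodmail pop3 email pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 9090 email 9090 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 20000 email 20000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 20001 email 20001 netmask 255.255.255.255 0 0
static (service,outside) tcp interface ftp ftpserver ftp netmask 255.255.255.255 0 0
static (service,outside) tcp interface domain authdns2 domain netmask 255.255.255.255 0 0
static (service,outside) udp interface domain authdns2 domain netmask 255.255.255.255 0 0
"""

SERVICES = {"smtp": 25, "pop3": 110, "domain": 53, "ftp": 21, "pptp": 1723}  # names used above
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_names(text):
    """'name <ip> <label>' lines -> {label: ip}."""
    return {m.group(2): m.group(1) for m in re.finditer(r"^name (\S+) (\S+)$", text, re.M)}


def resolve(token, names, outside_ip):
    """Map the keyword 'interface' and name labels to IP strings; pass raw addresses through."""
    return outside_ip if token == "interface" else names.get(token, token)


def port_number(tok):
    return int(tok) if tok.isdigit() else SERVICES[tok]


def port_set(spec):
    """'eq' spec ('smtp') or 'range' spec ('20000-20001') -> set of port numbers."""
    if spec is None:
        return set()
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-"))
        return set(range(lo, hi + 1))
    return {port_number(spec)}


def parse_acl(text, acl_name, names, outside_ip):
    """Return (line, proto, dst_ip_or_None, port_spec) for each permit entry of acl_name."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if tok[:3] != ["access-list", acl_name, "permit"]:
            continue
        i, addrs = 4, []
        for _ in range(2):  # source, then destination
            if tok[i] == "any":
                addrs.append(None); i += 1
            elif tok[i] == "host":
                addrs.append(resolve(tok[i + 1], names, outside_ip)); i += 2
            else:  # 'network mask' form: keep the network address
                addrs.append(resolve(tok[i], names, outside_ip)); i += 2
        port = None
        if i < len(tok) and tok[i] == "eq":
            port = tok[i + 1]
        elif i < len(tok) and tok[i] == "range":
            port = f"{tok[i + 1]}-{tok[i + 2]}"
        entries.append((line, tok[3], addrs[1], port))
    return entries


def parse_statics(text, names, outside_ip):
    """Return {(proto, global_ip, global_port)}; port None for a one-to-one static."""
    published = set()
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] != "static":
            continue
        if tok[2] in ("tcp", "udp"):  # port static: static (in,out) tcp GLOBAL GPORT LOCAL LPORT ...
            published.add((tok[2], resolve(tok[3], names, outside_ip), port_number(tok[4])))
        else:  # one-to-one static: static (in,out) GLOBAL LOCAL ...
            published.add(("ip", resolve(tok[2], names, outside_ip), None))
    return published


def audit(text, outside_ip):
    """Outside ACL entries that no static can ever deliver, each with a reason."""
    names = parse_names(text)
    published = parse_statics(text, names, outside_ip)
    findings = []
    for line, proto, dst, port in parse_acl(text, "outside", names, outside_ip):
        if dst is None or ("ip", dst, None) in published:
            continue  # 'any' destination, or a one-to-one static covers every protocol and port
        if any(ipaddress.ip_address(dst) in net for net in RFC1918):
            findings.append((line, "destination is an inside private address; from the outside "
                                   "only a global (static) address can be reached"))
        elif proto not in ("tcp", "udp"):
            findings.append((line, f"{proto} has no ports, so a port static cannot carry it; "
                                   f"a one-to-one static for {dst} would be needed"))
        else:
            have = {p for pr, g, p in published if pr == proto and g == dst}
            missing = port_set(port) - have
            if missing:
                findings.append((line, f"no {proto} static on {dst} for port(s) {sorted(missing)}"))
    return findings


def orphan_statics(text, outside_ip):
    """Statics whose global address is never a destination in the outside ACL."""
    names = parse_names(text)
    dsts = {d for _, _, d, _ in parse_acl(text, "outside", names, outside_ip)}
    return sorted(s for s in parse_statics(text, names, outside_ip) if s[1] not in dsts)


if __name__ == "__main__":
    for acl_line, why in audit(SAMPLE_CONFIG, OUTSIDE_IP):
        print(f"{acl_line}\n    -> {why}")
    for proto, gaddr, gport in orphan_statics(SAMPLE_CONFIG, OUTSIDE_IP):
        print(f"static {proto} {gaddr} port {gport} is never permitted by the outside ACL")
```

    Run against the sample, the checker flags the four dns1/dns2 entries, the pop3 entry on the interface address (no tcp/110 static on it) and the pop3 static published on prodmail. Entries for smtp, 9090, 20000-20001 and domain line up with their statics. The GRE case is worth reading separately: a port static only ever translates tcp or udp, so permitting gre to dns1 cannot be satisfied by the "interface" statics this config uses, whatever address the ACL names.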
  2. geewiz

    geewiz Guest

    cont'd

    I also have some people using "clear xlate" and "clear arp-cache" to
    get things going in the *right* direction. Is this viable? I am using
    loopback in the ethernet0 and ethernet1 until I cut over the existing
    firewall after-hours; does this cause some problems?
    geewiz, Feb 15, 2005
    #2