Cisco PIX 515 - need help.

Discussion in 'Cisco' started by sunmagic, Mar 6, 2005.

  1. sunmagic

    sunmagic Guest

    Hello all,

    We have to set up the rule on Cisco PIX 515.
    Here is the case:

    I have single public ip address: 62.192.2.X
    I have one exchange server (192.168.2.10) and one spammail system
    (192.168.2.9).
    The setup:
    Internet---->spammail-----> exchange ------> to mail client
    *******************************************
    object-group service spammail tcp-udp
    description spammail
    port-object eq 25
    object-group service mail tcp-udp
    description mail server
    port-object eq 25
    port-object eq 21
    port-object eq www
    port-object eq 443
    access-list outside_access_in permit tcp host 62.192.2.X object-group
    mail
    static (inside,outsie) tcp 62.192.2.X https mail https netmask
    255.255.255.255 0 0
    static (inside,outsie) tcp 62.192.2.X www mail www netmask
    255.255.255.255 0 0
    static (inside,outsie) tcp 62.192.2.X smtp spammail smtp netmask
    255.255.255.255 0 0
    ******************************************
    The mail server and spammail did not receive any mail. What's wrong with
    my setup?

    Can anyone help?

    Thanks.

    Peter
     
    sunmagic, Mar 6, 2005
    #1

  2. sunmagic wrote:
    :We have to setup the rule on Cisco PIX 515.
    :I have single public ip address: 62.192.2.X
    :I have one exchange server (192.168.2.10) and one spammail system
    :(192.168.2.9).

    :access-list outside_access_in permit tcp host 62.192.2.X object-group mail

    You do not say which PIX version you are using; we can deduce that it
    is at least 6.2 from your use of 'object group'.

    If you are using 6.2, you should change the above to:

    access-list outside_access_in permit tcp interface object-group mail

    If you are using 6.3, you should instead use:

    access-list outside_access_in permit tcp interface outside object-group mail


    :static (inside,outsie) tcp 62.192.2.X https mail https netmask 255.255.255.255 0 0

    In 6.2 and 6.3, you would change 62.192.2.X to interface
    (with no interface name for either version.) Similarly for the other
    lines.

    Also, you need 'outside' instead of 'outsie'. The lowest security
    interface on the PIX may not be renamed.

    I would also suggest that you change your object groups from type
    tcp-udp to plain tcp. You aren't using the object groups for udp
    anywhere.

    Another thing I note is that you haven't made any provision for
    returning DNS (udp 53). Oh, and don't forget your

    access-group outside_access_in in interface outside
    --
    History is a pile of debris -- Laurie Anderson
     
    Walter Roberson, Mar 6, 2005
    #2

  3. sunmagic

    BradReeseCom Guest

    BradReeseCom, Mar 6, 2005
    #3
  4. sunmagic

    sunmagic Guest

    It is PIX Version 6.3(4)

    Thanks.


    Walter Roberson wrote:
    > sunmagic wrote:
    > :We have to setup the rule on Cisco PIX 515.
    > :I have single public ip address: 62.192.2.X
    > :I have one exchange server (192.168.2.10) and one spammail system
    > :(192.168.2.9).
    >
    > :access-list outside_access_in permit tcp host 62.192.2.X object-group mail
    >
    > You do not say which PIX version you are using; we can deduce that it
    > is at least 6.2 from your use of 'object group'.
    >
    > If you are using 6.2, you should change the above to:
    >
    > access-list outside_access_in permit tcp interface object-group mail
    >
    > If you are using 6.3, you should instead use:
    >
    > access-list outside_access_in permit tcp interface outside object-group mail
    >
    >
    > :static (inside,outsie) tcp 62.192.2.X https mail https netmask 255.255.255.255 0 0
    >
    > In 6.2 and 6.3, you would change 62.192.2.X to interface
    > (with no interface name for either version.) Similarly for the other
    > lines.
    >
    > Also, you need 'outside' instead of 'outsie'. The lowest security
    > interface on the PIX may not be renamed.
    >
    > I would also suggest that you change your object groups from type
    > tcp-udp to plain tcp. You aren't using the object groups for udp
    > anywhere.
    >
    > Another thing I note is that you haven't made any provision for
    > returning DNS (udp 53). Oh, and don't forget your
    >
    > access-group outside_access_in in interface outside
    > --
    > History is a pile of debris -- Laurie Anderson
     
    sunmagic, Mar 6, 2005
    #4
  5. sunmagic

    sunmagic Guest

    It is PIX Version 6.3(4)

    Thanks.

    --
    Peter
     
    sunmagic, Mar 6, 2005
    #5
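
The corrections from reply #2, assembled for the PIX 6.3(4) the poster reports, as an added example that is not from any participant in the thread. It assumes `mail` and `spammail` in the original static lines mean 192.168.2.10 and 192.168.2.9, adds `any` as the ACL source, and leaves port 21 out of the group because no static forwards it.

```cisco
: Added example for PIX 6.3(4); not posted by any participant in the thread.
: Assumption: 'mail' and 'spammail' in the original static lines stand for
: 192.168.2.10 (Exchange) and 192.168.2.9 (spam filter).

: TCP-only service group, limited to the ports that have a static below.
object-group service mail tcp
  description inbound mail and web
  port-object eq smtp
  port-object eq www
  port-object eq https

: Destination is the outside interface address (6.3 form from reply #2).
: Assumption: 'any' as the source, since mail arrives from arbitrary hosts.
access-list outside_access_in permit tcp any interface outside object-group mail

: Port redirection on the single public address: SMTP goes to the spam
: filter first, web and HTTPS go straight to the Exchange server.
static (inside,outside) tcp interface smtp 192.168.2.9 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.2.10 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.2.10 https netmask 255.255.255.255 0 0

: Without this binding the access list is never evaluated.
access-group outside_access_in in interface outside
```

After replacing static entries, `clear xlate` drops the old translations, and `show access-list outside_access_in` shows the hit count on the permit line once mail arrives.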