Email/ VPN using PIX 506

Discussion in 'Cisco' started by dilan.weerasinghe@gmail.com, Oct 5, 2005.

  1. Guest

    Hi,

    I'm new to using PIX and was wondering if anyone could help me with a
    question I have. I'm looking at the PIX config that has been left by a
    network admin and cleaned up by myself, and have a few questions. Would
    be really grateful if anyone could help me here - :)

    y=external IP address range
    x=internal IP address range

    Our internet MASQ is y.243 and all email is sent out straight to the
    internet.
    Incoming mail goes to an SMTP gateway on x.8. There is a translation on
    the PIX for the SMTP gateway that NATS it to y.241
    There is also a rule on the PIX that directs port 25 traffic to x.8

    We are currently experiencing problems sending emails to a certain
    domain because the A record for mail.domain.com (where our MX record
    points to) is y.241 - not y.243 where the mail originates from.

    My question is this - if I tell our ISP to change the A record to
    y.243, will this affect our ability to receive mails? Surely since all
    SMTP traffic is directed to the SMTP gateway when it hits the firewall
    this shouldn't matter, and we don't really need the translation for the
    Gateway?

    Additionally, when I try and VPN to the network from the outside, I can
    authenticate and get in, but cannot seem to reach any of the servers.

    I've posted the Access lists config below -

    access-list outside_access_in remark Allow Mail delivery
    access-list outside_access_in permit tcp any any eq smtp
    access-list outside_access_in remark Allow Office1 Connectivity
    access-list outside_access_in permit ip Office1 255.255.252.0 any
    access-list outside_access_in permit tcp any eq smtp host mail_outside eq smtp
    access-list outside_access_in remark Allow IPsec Traffic
    access-list outside_access_in permit udp host ARCPHC host y.243 eq isakmp
    access-list outside_access_in remark Allow IPsec Traffic
    access-list outside_access_in permit ah host ARCPHC host y.243
    access-list outside_access_in remark Allow IPsec Traffic
    access-list outside_access_in permit esp host ARCPHC host y.243
    access-list outside_access_in permit tcp any object-group LANGlobal y.0 255.255.255.0 object-group LANGlobal
    access-list outside_access_in remark Web Access
    access-list outside_access_in permit tcp any host y.242 eq www
    access-list outside_access_in permit icmp Office1 255.255.0.0 y.0 255.255.255.0
    access-list outside_access_in deny udp any eq 1434 any
    access-list outside_access_in remark Allow ICMP
    access-list outside_access_in permit icmp any any
    access-list outside_access_in remark User1- PC Anywhere
    access-list outside_access_in permit tcp host User1_IP host y.245 eq pcanywhere-data
    access-list outside_access_in remark User1 PCAnywhere
    access-list outside_access_in permit udp host NAME host y.245 eq pcanywhere-status
    access-list outside_access_in deny tcp any any
    access-list outside_access_in remark Block everything to come in.
    access-list inside_access_in permit ip any any
    access-list inside_access_in permit icmp 192.168.1.0 255.255.255.0 Office1 255.255.0.0
    access-list inside_access_in deny udp any eq 1434 any
    access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 Office1 255.255.252.0
    access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 Office1 255.255.252.0
    pager lines 24
    icmp permit any outside
    mtu outside 1500
    mtu inside 1500
    ip address outside y.243 255.255.255.240
    ip address inside 192.168.1.5 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpn_pool 192.168.1.200-192.168.1.210
    ip local pool VPN_Pool2 192.168.2.200-192.168.2.210
    ip local pool VPN_Pool3 10.10.0.1-10.10.0.10
    pdm location mail_outside 255.255.255.255 outside
    pdm location 192.168.1.192 255.255.255.224 outside
    pdm location srvroom 255.255.255.255 inside
    pdm location inbound_SMTP 255.255.255.255 inside
    pdm location Server1 255.255.255.255 inside
    pdm location Office1 255.255.252.0 outside
    pdm location PIX 255.255.255.255 outside
    pdm location ARCPHC 255.255.255.255 outside
    pdm location PIX 255.255.255.255 inside
    pdm location Office1 255.255.0.0 outside
    pdm location mailserv 255.255.255.255 inside
    pdm location DC 255.255.255.255 inside
    pdm location fileserv 255.255.255.255 inside
    pdm location 192.168.1.2 255.255.255.255 inside
    pdm location 192.168.1.7 255.255.255.255 inside
    pdm location VPN_Pool 255.255.255.0 outside
    pdm location User2 255.255.255.255 outside
    pdm location User10 255.255.255.255 outside
    pdm location User3 255.255.255.255 outside
    pdm location User4 255.255.255.255 outside
    pdm location User5 255.255.255.255 outside
    pdm location User6 255.255.255.255 outside
    pdm location 192.169.1.51 255.255.255.255 inside
    pdm location User1 255.255.255.255 inside
    pdm location User2 255.255.255.255 outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 192.168.1.0 255.255.255.0 0 0
    static (inside,outside) mail_outside inbound_SMTP netmask 255.255.255.255 0 0
    static (inside,outside) y.242 fileserv netmask 255.255.255.255 0 0
    static (inside,outside) y.246 192.168.1.7 netmask 255.255.255.255 0 0
    static (inside,outside) y.245 Computer1 netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 y.254 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http srvroom 255.255.255.255 inside
    http server1 255.255.255.255 inside
    http mailserv 255.255.255.255 inside
    http DC 255.255.255.255 inside
    http fileserv 255.255.255.255 inside
    http 192.168.1.7 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer ARCPHC
    crypto map outside_map 20 set transform-set ESP-DES-MD5
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address ARCPHC netmask 255.255.255.255 no-xauth no-config-mode
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    telnet srvroom 255.255.255.255 inside
    telnet mailserv 255.255.255.255 inside
    telnet fileserv 255.255.255.255 inside
    telnet 192.168.1.7 255.255.255.255 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 10
    vpdn group VPN accept dialin pptp
    vpdn group VPN ppp authentication mschap
    vpdn group VPN client configuration address local VPN_Pool2
    vpdn group VPN client configuration dns DC
    vpdn group VPN client configuration wins mailserv
    vpdn group VPN pptp echo 60
    vpdn group VPN client authentication local
    vpdn username VPNUser1 password *********
    vpdn username VPNUser2 password *********
    vpdn username VPNUser3 password *********
    vpdn username VPNUser4 password *********
    vpdn username VPNUser5 password *********
    vpdn username VPNUser6 password *********
    vpdn enable outside
    dhcprelay server DC inside
    dhcprelay enable outside
    dhcprelay setroute outside
    username AdminUser2 password X encrypted privilege 15
    username AdminUser1 password XX encrypted privilege 15
    terminal width 80
    banner exec Authorised access only
    banner exec This system is the property of Me
    banner exec Disconnect IMMEDIATELY if you are not an authorised user !
    banner exec Contact support@x or tel for help.
    banner exec User Access Verification
    banner login Welcome
    Cryptochecksum:XXX
    : end
    [OK]

    Would be grateful for any help.

    Thanks
    Dilan
    , Oct 5, 2005
    #1
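An added example, not from the thread or from Cisco, that reads PIX 6.x-style `static` and `access-list` lines and reports which outside addresses actually have an inbound SMTP path, which is the check behind the question of moving the A record from y.241 to y.243. It assumes the PIX 6.x rule that an inbound connection must both be permitted by the outside interface ACL (first match wins) and have a static translation for its destination; the config lines and RFC 5737 addresses are constructed stand-ins for the posted ones.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample with the shape of the posted PIX 6.x config; RFC 5737
# documentation addresses stand in for the thread's y.241 / y.242 / y.243.
OUTSIDE_IF = "203.0.113.243"  # y.243: the outside interface, also the PAT address
PIX_CONFIG = """
access-list outside_access_in permit tcp any any eq smtp
access-list outside_access_in permit tcp any eq smtp host 203.0.113.241 eq smtp
access-list outside_access_in permit tcp any host 203.0.113.242 eq www
access-list outside_access_in deny tcp any any
static (inside,outside) 203.0.113.241 192.168.1.8 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.242 192.168.1.9 netmask 255.255.255.255 0 0
"""
SERVICE_PORTS = {"smtp": 25, "www": 80}  # service names the sample ACL uses

def _endpoint(tok: List[str], i: int):
    """Parse 'any' | 'host A' | 'NET MASK', then an optional 'eq PORT' qualifier."""
    if tok[i] == "any":
        net, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
    elif tok[i] == "host":
        net, i = ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    else:
        net, i = ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2
    port = None
    if i < len(tok) and tok[i] == "eq":
        port, i = int(SERVICE_PORTS.get(tok[i + 1], tok[i + 1])), i + 2
    return net, port, i

def parse_acl(config: str, name: str) -> List[tuple]:
    """(action, proto, src_net, dst_net, dst_port) per non-remark entry of ACL `name`."""
    rules = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[:2] != ["access-list", name] or tok[2] == "remark":
            continue
        src, _src_port, i = _endpoint(tok, 4)
        dst, dst_port, _ = _endpoint(tok, i)
        rules.append((tok[2], tok[3], src, dst, dst_port))
    return rules

def parse_statics(config: str) -> Dict[str, str]:
    """Outside (global) address -> inside (local) host, from one-to-one 'static' lines."""
    pat = re.compile(r"static \(inside,outside\) (\S+) (\S+) netmask")
    return {m.group(1): m.group(2) for m in map(pat.match, config.splitlines()) if m}

def inbound_smtp_path(config: str, dst_ip: str, src_ip: str = "198.51.100.10") -> Optional[str]:
    """Inside host a tcp/25 connection to dst_ip reaches, or None if the PIX drops it."""
    # PIX 6.x: inbound needs BOTH an ACL permit (first match wins) AND a static for dst.
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, proto, s, d, port in parse_acl(config, "outside_access_in"):
        if proto == "tcp" and src in s and dst in d and port in (None, 25):
            return parse_statics(config).get(dst_ip) if action == "permit" else None
    return None  # no entry matched: implicit deny
```

With the constructed sample, `inbound_smtp_path(PIX_CONFIG, "203.0.113.241")` returns the inside host, while the same call for `OUTSIDE_IF` returns None because the interface address has no static even though the ACL permits SMTP to it. The posted config likewise shows a static only for mail_outside, not for y.243 itself.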

  2. <> wrote in message
    >
    > We are currently experiencing problems sending emails to a certain
    > domain because the A record for mail.domain.com (where our MX record
    > points to) is y.241 - not y.243 where the mail originates from.
    >


    Yes, a mail server likes to be able to reverse DNS the IP.


    > My question is this - if I tell our ISP to change the A record to
    > y.243, will this affect our ability to receive mails? Surely since all
    > SMTP traffic is directed to the SMTP gateway when it hits the firewall
    > this shouldn't matter, and we don't really need the translation for the
    > Gateway?


    No, the A record is simply a hostname record, and the MX is for
    Mail-eXchange.
    They can be the same or be two different - doesn't matter, from a DNS P.O.V.


    In regards to your VPN - get 3DES running and enable the isakmp nat-t command,
    and if you are not on 6.3.x - get there.


    HTH
    Martin Bilgrav

    Martin Bilgrav, Oct 5, 2005
    #2