PIX 506E PDM 3.0(1) PIX 6.3(3) NAT/PAT

Discussion in 'Cisco' started by Michiel, Aug 22, 2006.

  1. Michiel

    Hello,

    I have a PIX 506E, which seems to be a wonderful thing... but I can't seem to
    get it working properly... This is the situation:

    I have as a modem the Zyxel Prestige 660HW, which is used as modem, but it
    will NAT the public IP.

    Zyxel
    WAN : Internet (public ip natted, DMZ is 192.168.168.2)
    LAN : 192.168.168.1 mask 255.255.255.252

    Cisco
    WAN : 192.168.168.2 mask 255.255.255.252
    LAN : 192.168.68.8 mask 255.255.255.0

    What I want is that from the outside everything is blocked and from the
    inside LAN (192.168.68.0/255) all is allowed to the outside (internet); then, here
    it comes, I want the PIX to allow several services, for example WEB and SMTP
    but also more; I only used WEB and SMTP as examples in my configuration. This
    last thing is not working... The internet from inside to the outside is
    working perfectly, and the PIX is with every test STEALTH. So no problems
    with that. My config with the mapping and allowing of SMTP and WEB is not
    working properly. When I connect from the outside with SMTP by a telnet
    program, it connects, and it also gives the message my mailserver should give,
    only corrupted... so the data it gives is not readable...

    Does anyone have any idea what seems to be the problem...? Or is someone able
    to give me a working config in my situation, so I can put it in and then
    change the defaults...?

    I have made the configuration below with PDM 3.0(1), and more or less I have
    no idea how to make the rules by command line, so that is why I am using PDM.
    Though when I have a working config I can see in PDM how it is supposed to
    be.

    Sincerely,
    Michiel


    P.S. When I use instead of the PIX 506E a simpler or other
    firewall/cable router in the same config, then it is working fine.
    P.S. Below is the config of the PIX 506E:
    Building configuration...
    : Saved
    :
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password xxxxxxxxxxxxx
    passwd xxxxxxxxxxxxx
    hostname pixfirewall
    domain-name test.local
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list outside_access_in permit icmp any any
    access-list outside_access_in remark smtp
    access-list outside_access_in permit tcp any any eq smtp
    access-list outside_access_in remark HTTP
    access-list outside_access_in permit tcp any any eq www
    access-list outside_access_in deny ip any any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 192.168.168.2 255.255.255.252
    ip address inside 192.168.68.8 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 192.168.68.1 255.255.255.255 inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface smtp 192.168.68.1 smtp netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface www 192.168.68.1 www netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 192.168.168.1 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.68.0 255.255.255.0 inside
    floodguard enable
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80
    : end
    [OK]
     
    Michiel, Aug 22, 2006
    #1

  2. SAto

    > with that. My config with the mapping and allowing of SMTP and WEB is not
    > working properly. When I connect from the outside with SMTP by a telnet
    > program, it connects, and it also gives the message my mailserver should give,
    > only corrupted... so the data it gives is not readable...


    Does the HTTP work or is that broken as well?

    The SMTP problem could be because fixup smtp is on in your configuration.
    That denies any ESMTP commands and only lets regular SMTP commands
    through.
    This may or may not be the problem.

    -SAto
     
    SAto, Aug 22, 2006
    #2

  3. Michiel

    Thanks SAto! ;)...

    I have tested that, and that seems to be working fine... ;)... When I use
    telnet I see normal IIS HTML... so that is right!

    But how can I get ESMTP/SMTP working properly then...?

    Will I need any special configuration for DNS/VPN/WEB/SMTP/POP/RDP traffic...?
    I am running on the LAN side my own DNS/VPN/WEB/SMTP/POP/RDP for public use.
    I have this as a temporary situation... because later I am going to have a
    connection with an IP block of at minimum 8 IPs... But for now I just need
    this to get working... ;)...

    Thanks!





    "SAto" <> wrote in message
    news:...
    >> with that. My config with the mapping and allowing of SMTP and WEB is
    >> not
    >> working properly. When I connect from the outside with SMTP by a telnet
    >> program, it connects, and it also gives the message my mailserver should
    >> give,
    >> only corrupted... so the data it gives is not readable...

    >
    > Does the HTTP work or is that broken as well?
    >
    > The SMTP problem could be because fixup smtp is on in your configuration.
    > That denies any ESMTP commands and only lets regular SMTP commands
    > through.
    > This may or may not be the problem.
    >
    > -SAto
    >
     
    Michiel, Aug 22, 2006
    #3
  4. Chad Mahoney

    Michiel wrote:
    > Thanks SAto! ;)...
    >
    > I have tested that, and that seems to be working fine... ;)... When I use
    > telnet I see normal IIS HTML... so that is right!
    >
    > But how can I get ESMTP/SMTP working properly then...?


    enter config mode:
    enable
    conf t
    no fixup protocol smtp 25
     
    Chad Mahoney, Aug 22, 2006
    #4
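    Before turning Mailguard off it is worth confirming that the PIX, and not the mail server, is what mangles the session. The script below is an added example and is not code from this thread or from Cisco: it reads the 220 greeting, sends EHLO and classifies what comes back. It assumes the Mailguard behaviour documented for PIX 6.x (the server's banner text rewritten to asterisks except for the characters 2 and 0, and verbs outside the RFC 821 set such as EHLO answered with a 500 reply); the host name `probe.example`, the function names and the two embedded transcripts are constructed for the example. Keep in mind that Chad's fix (on PIX 6.3 the full syntax is `no fixup protocol smtp 25`) removes the PIX's SMTP command filtering together with the banner rewriting, so afterwards the published mail server's own handling of EHLO, VRFY/EXPN and relaying is the only control left at port 25.

```python
"""Check whether an SMTP service published through a PIX is being mangled by
'fixup protocol smtp' (Mailguard).  Added example; the probe target and the
sample transcripts are constructed, not taken from the thread."""
import socket

# Assumed Mailguard behaviour on PIX 6.x: every character of the server's
# 220 banner is rewritten to '*' except '2', '0' and space, and any command
# outside the RFC 821 set (HELO, MAIL, RCPT, DATA, RSET, NOOP, QUIT) is
# answered with a 500 reply instead of being forwarded to the server.
RFC821_VERBS = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}


def classify_banner(line):
    """'masked' for an asterisk-rewritten 220 greeting, 'clean' for a normal
    one, 'not-smtp' if the first line is not a 220 reply at all."""
    line = line.rstrip("\r\n")
    if not line.startswith("220"):
        return "not-smtp"
    body = line[3:].lstrip(" -")
    if body and "*" in body and set(body) <= set("*20 "):
        return "masked"
    return "clean"


def classify_ehlo(reply):
    """'accepted' when EHLO got a 250, 'rejected' on any 5xx, else 'other'."""
    code = reply[:3]
    if code == "250":
        return "accepted"
    if code.startswith("5"):
        return "rejected"
    return "other"


def diagnose(banner, ehlo_reply):
    """Combine the two symptoms into one verdict string."""
    b = classify_banner(banner)
    e = classify_ehlo(ehlo_reply)
    if b == "not-smtp":
        return "no-smtp-banner"
    if b == "masked" and e == "rejected":
        return "mailguard-likely"
    if b == "masked" or e == "rejected":
        return "mailguard-possible"
    return "ok"


def _read_reply(f):
    """Read one SMTP reply, following continuation lines ('250-...') until
    the final line, whose 3-digit code is followed by a space."""
    lines = []
    while True:
        line = f.readline()
        if not line:
            break
        lines.append(line)
        if len(line) >= 4 and line[3] == " ":
            break
    return "".join(lines)


def probe(host, port=25, timeout=5.0, helo_name="probe.example"):
    """Connect to host:port, read the greeting, send EHLO, return diagnose()."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rw", encoding="ascii", errors="replace", newline="")
        banner = _read_reply(f)
        f.write("EHLO %s\r\n" % helo_name)
        f.flush()
        ehlo = _read_reply(f)
        f.write("QUIT\r\n")
        f.flush()
    return diagnose(banner, ehlo)


# Constructed sample transcripts (not captured from the poster's server).
SAMPLE_MASKED = ("220 *****2****0****0**********\r\n",
                 "500 5.5.1 Command unrecognized\r\n")
SAMPLE_CLEAN = ("220 mail.test.local Microsoft ESMTP MAIL Service ready\r\n",
                "250-mail.test.local Hello [192.168.168.1]\r\n250 SIZE 10485760\r\n")

if __name__ == "__main__":
    import sys
    print("masked sample:", diagnose(*SAMPLE_MASKED))
    print("clean sample:", diagnose(*SAMPLE_CLEAN))
    if len(sys.argv) > 1:
        print(sys.argv[1] + ":", probe(sys.argv[1]))
```

    Run it from outside the PIX with the public host name as the first argument; without arguments it only classifies the two embedded transcripts. A masked banner together with a 500 to EHLO is the Mailguard signature; a clean banner with EHLO still rejected points at the mail server itself rather than the firewall.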
  5. Michiel

    Thanks Chad,

    But I knew how to do it by console... after a few minutes of searching in
    the PDM I found the option... removed it, and DONE! ;)

    The PIX is now up and running well! ;)...

    I have another question, but I will make a new post on that...

    Sincerely,
    Michiel


    "Chad Mahoney" <> wrote in message
    news:...
    >
    > Michiel wrote:
    >> Thanks SAto! ;)...
    >>
    >> I have tested that, and that seems to be working fine... ;)... When I use
    >> telnet I see normal IIS HTML... so that is right!
    >>
    >> But how can I get ESMTP/SMTP working properly then...?

    >
    > enter config mode:
    > enable
    > conf t
    > no fixup protocol smtp 25
    >
     
    Michiel, Aug 22, 2006
    #5
