PIX 515e IMAP Problems

Discussion in 'Cisco' started by kck126, Sep 6, 2006.

    Hey everyone. I'm new to Cisco's PIX, and my past Cisco exposure was years ago. I was wondering if the kind people here could potentially help me with a current issue. I recently started a position only to find that the former employee had purposely caused some problems prior to his departure! As a result I'm left with a config that doesn't make much sense to me.


    I am working with a Cisco 515e PIX and my problem is with the IMAP4 forwarding. I need the PIX to forward port 143 to my email server in order to access mail from the public side. However, I have been unable to do so. The best I have been able to do is get the port status to a closed state rather than stealth (which indicates my ISP isn't blocking the port).

    *Please Note:* This network is in need of a major overhaul. It is very apparent that it needs to be rebuilt from the ground up. I am aware of that, but my initial concern is getting the server's IMAP port accessible from outside the network.

    Guardian# sh ru
    : Saved
    :
    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 DMZ security10
    enable password XXX encrypted
    passwd XXX encrypted
    hostname Guardian
    domain-name XXX.com
    clock timezone est -5
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    no fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 191.0.33.1 mail
    name 192.168.5.2 qmail
    access-list smtp deny tcp host 24.209.xxx.xxx any
    access-list smtp deny tcp host 193.2.xxx.xxx any
    access-list smtp deny tcp host 65.42.xxx.xxx any
    access-list smtp permit tcp any host 66.148.xxx.xxx eq smtp
    access-list smtp permit tcp any host 66.148.xxx.xxx eq www
    access-list smtp permit tcp host 209.248.xxx.xxx host 66.148.xxx.xxx eq imap4
    access-list smtp permit tcp host 209.248.xxx.xxx host 66.148.xxx.xxx eq imap4
    access-list smtp permit tcp host 209.248.xxx.xxx host 66.148.xxx.xxx eq smtp
    access-list smtp permit tcp host 209.248.xxx.xxx host 66.148.xxx.xxx eq smtp
    access-list smtp permit tcp any host 66.148.xxx.xxx eq imap4
    access-list vpn permit ip 191.0.0.0 255.0.0.0 192.168.6.0 255.255.255.0
    access-list vpn permit ip 191.0.0.0 255.0.0.0 192.168.5.0 255.255.255.0
    access-list inside_acl permit icmp any any
    access-list inside_acl permit tcp any host qmail eq pop3
    access-list inside_acl permit tcp any host qmail eq ssh
    access-list inside_acl permit udp any any eq domain
    access-list inside_acl permit tcp any any eq www
    access-list inside_acl permit tcp any any eq netbios-ssn
    access-list inside_acl permit tcp any any eq 445
    access-list inside_acl permit udp any any eq netbios-ns
    access-list inside_acl permit udp any any eq netbios-dgm
    access-list inside_acl permit udp any any eq 445
    access-list inside_acl permit tcp any any eq ftp-data
    access-list inside_acl permit tcp any any eq ftp
    access-list inside_acl permit tcp any any eq smtp
    access-list inside_acl permit tcp any any eq ssh
    access-list inside_acl permit tcp any any
    access-list inside_acl permit udp any any
    access-list outbound deny tcp any any eq aol
    access-list outbound deny tcp any host 204.15.xxx.xxx
    access-list outbound deny tcp any host 64.236.xxx.xxx
    access-list outbound permit tcp any any
    access-list outbound permit udp any any
    access-list outbound permit icmp any host qmail
    access-list outbound deny tcp any host 24.209.xxx.xxx
    access-list troubleshoot permit tcp any any eq www
    access-list troubleshoot deny tcp any any
    access-list troubleshoot deny udp any any
    pager lines 24
    logging on
    logging timestamp
    logging trap notifications
    logging facility 16
    logging device-id ipaddress inside
    logging host inside 192.168.1.37
    icmp deny any echo outside
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    ip address outside 66.148.xxx.xxx 255.255.255.224
    ip address inside 191.0.33.189 255.255.224.0
    ip address DMZ 192.168.5.1 255.255.255.0
    ip verify reverse-path interface outside
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool pptp-pool 192.168.6.1-192.168.6.50
    ip local pool ipsec-pool 192.168.6.51-192.168.6.100
    pdm location 191.0.33.221 255.255.255.255 inside
    pdm location 10.10.1.0 255.255.255.0 inside
    pdm location 10.10.2.0 255.255.255.0 inside
    pdm location mail 255.255.255.255 inside
    pdm location 191.0.33.2 255.255.255.255 inside
    pdm location 191.0.33.0 255.255.255.0 inside
    pdm location 191.0.34.18 255.255.255.255 inside
    pdm location 191.0.96.0 255.255.224.0 inside
    pdm location 191.0.0.0 255.255.0.0 inside
    pdm location 192.168.5.3 255.255.255.255 DMZ
    pdm location 192.168.5.4 255.255.255.255 DMZ
    pdm location 191.0.65.0 255.255.255.0 inside
    pdm location 192.168.0.0 255.255.255.0 inside
    pdm location 191.0.32.0 255.255.224.0 inside
    pdm location 191.0.33.115 255.255.255.255 inside
    pdm location 191.0.0.0 255.0.0.0 inside
    pdm location 192.168.5.0 255.255.255.0 inside
    pdm location 192.168.6.0 255.255.255.0 outside
    pdm location 191.0.33.6 255.255.255.255 inside
    pdm location 191.0.33.7 255.255.255.255 inside
    pdm location 191.0.33.90 255.255.255.255 inside
    pdm location 191.0.64.0 255.255.224.0 inside
    pdm history enable
    arp timeout 14400
    global (outside) 2 interface
    global (inside) 3 interface
    nat (inside) 0 access-list vpn
    nat (inside) 2 191.0.0.0 255.255.0.0 0 0
    nat (DMZ) 2 192.168.5.0 255.255.255.0 0 0
    nat (DMZ) 3 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface smtp 191.0.33.2 smtp netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface www 191.0.33.2 www netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface ftp mail ftp netmask 255.255.255.255 0 0
    static (DMZ,inside) tcp 192.168.5.3 smtp 192.168.5.3 smtp netmask 255.255.255.255 0 0
    static (DMZ,outside) tcp 66.148.xxx.xxx smtp qmail smtp netmask 255.255.255.255 0 0
    static (DMZ,outside) tcp 66.148.xxx.xxx imap4 qmail imap4 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface imap4 191.0.33.2 imap4 netmask 255.255.255.255 0 0
    static (inside,DMZ) 191.0.33.0 191.0.33.0 netmask 255.255.255.0 0 0
    static (DMZ,inside) 192.168.5.0 192.168.5.0 netmask 255.255.255.0 0 0
    static (inside,DMZ) 192.168.6.0 192.168.6.0 netmask 255.255.255.0 0 0
    static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
    access-group smtp in interface outside
    access-group outbound in interface inside
    access-group inside_acl in interface DMZ
    route outside 0.0.0.0 0.0.0.0 66.148.168.225 1
    route inside 10.10.1.0 255.255.255.0 191.0.32.1 1
    route inside 10.10.2.0 255.255.255.0 191.0.32.1 1
    route inside 191.0.64.0 255.255.224.0 191.0.33.5 1
    route inside 191.0.96.0 255.255.224.0 191.0.32.1 1
    route inside 192.168.0.0 255.255.255.0 191.0.32.1 1
    route inside 192.168.1.0 255.255.255.0 191.0.33.5 1
    route inside 192.168.6.0 255.255.255.0 191.0.33.5 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    ntp server 132.163.4.101 source outside
    http server enable
    http 191.0.34.18 255.255.255.255 inside
    http mail 255.255.255.255 inside
    http 191.0.33.221 255.255.255.255 inside
    http 191.0.33.115 255.255.255.255 inside
    http 191.0.33.90 255.255.255.255 inside
    snmp-server host inside 191.0.33.2 poll
    snmp-server host inside 192.168.1.24
    no snmp-server location
    no snmp-server contact
    snmp-server community Trunetmanagementgroup
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    crypto ipsec transform-set myset esp-des esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set myset
    crypto map mymap 10 ipsec-isakmp dynamic dynmap
    crypto map mymap interface outside
    isakmp enable outside
    isakmp enable inside
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup xxx address-pool ipsec-pool
    vpngroup xxx dns-server 64.19.9.18
    vpngroup xxx wins-server mail
    vpngroup xxx default-domain zeltd
    vpngroup xxx split-tunnel vpn
    vpngroup xxx idle-time 1800
    vpngroup xxx password xxx
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 5
    console timeout 0
    vpdn group 1 accept dialin pptp
    vpdn group 1 ppp authentication chap
    vpdn group 1 ppp authentication mschap
    vpdn group 1 ppp encryption mppe 40
    vpdn group 1 client configuration address local pptp-pool
    vpdn group 1 pptp echo 60
    vpdn group 1 client authentication local
    vpdn username x password *********
    vpdn username x password *********
    vpdn username x password *********
    vpdn username x password *********
    vpdn username x password *********
    vpdn username x password *********
    vpdn username x password *********
    vpdn username x password *********
    vpdn username x password *********
    vpdn username x password *********
    vpdn username x password *********
    vpdn enable outside
    vpdn enable inside
    dhcpd address 191.0.33.90-191.0.33.120 inside
    dhcpd dns 64.xxx.xxx.xxx 64.xxx.xxx.xxx
    dhcpd wins mail mail
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd domain ZELTD
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80
    Cryptochecksum:008b16e6d08c4834dd9dee718d3445c5
    : end
    kck126, Sep 6, 2006
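The posted config masks every public address, so the thread itself cannot show which of the two imap4 statics the "permit ... eq imap4" lines actually cover, or which inside host each static lands on once the `name` aliases and the `interface` keyword are resolved. The checker below is an added example written for this page, not code from the poster or from Cisco. It parses the pieces of a PIX 6.3 running-config that matter for a port forward (`name`, `ip address`, TCP `static`, `access-list`, `access-group`) and reports, for a given outside probe address, where each published port lands and which outside ACL entry decides it. Two PIX 6.3 behaviours are built in: `interface` in a static means the outside interface address, and the ACL bound inbound on the outside interface is matched on that public (pre-translation) address, never on the inside host. The sample config is constructed in the shape of the posted one, with RFC 5737 documentation addresses (203.0.113.x, 198.51.100.x, 192.0.2.1) standing in for the masked public ones; the parser handles only the `tcp` / `any` / `host` ACL forms the thread uses.

```python
"""Offline checker for the PIX 6.3 port-forward pattern in the thread: a `static`
publishes an inside/DMZ host on the outside, and the ACL bound with
`access-group ... in interface outside` must admit the connection to the
public (pre-translation) address and port.  Added example, not the poster's code."""
import re
from collections import defaultdict

# PIX 6.3 port keywords used in the posted config (subset).
PORT_NAMES = {"ftp": 21, "ssh": 22, "smtp": 25, "www": 80, "pop3": 110, "imap4": 143}

# Constructed excerpt in the shape of the posted config.  Public addresses are
# placeholders from the RFC 5737 documentation ranges, not the poster's own.
SAMPLE_CONFIG = """\
name 191.0.33.1 mail
name 192.168.5.2 qmail
access-list smtp deny tcp host 198.51.100.7 any
access-list smtp permit tcp any host 203.0.113.10 eq smtp
access-list smtp permit tcp any host 203.0.113.10 eq www
access-list smtp permit tcp host 198.51.100.50 host 203.0.113.10 eq imap4
access-list smtp permit tcp any host 203.0.113.11 eq imap4
ip address outside 203.0.113.10 255.255.255.224
ip address DMZ 192.168.5.1 255.255.255.0
static (inside,outside) tcp interface smtp 191.0.33.2 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp mail ftp netmask 255.255.255.255 0 0
static (DMZ,outside) tcp 203.0.113.11 imap4 qmail imap4 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface imap4 191.0.33.2 imap4 netmask 255.255.255.255 0 0
access-group smtp in interface outside
"""

STATIC_RE = re.compile(r"static \(([^,]+),([^)]+)\) tcp (\S+) (\S+) (\S+) (\S+) netmask .*")
ACL_RE = re.compile(r"access-list (\S+) (permit|deny) tcp (any|host \S+) (any|host \S+)(?: eq (\S+))?")


def to_port(tok):
    """Resolve a PIX port keyword or numeric port to an int."""
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def parse_config(text):
    """Collect names, interface addresses, TCP statics, ACL entries and bindings.
    Only the tcp / any / host ACL forms seen in the thread are parsed."""
    cfg = {"names": {}, "ifaddr": {}, "statics": [], "acls": defaultdict(list), "groups": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"name (\S+) (\S+)", line):
            cfg["names"][m[2]] = m[1]                 # alias -> address
        elif m := re.fullmatch(r"ip address (\S+) (\S+) \S+", line):
            cfg["ifaddr"][m[1]] = m[2]                # interface -> address
        elif m := STATIC_RE.fullmatch(line):
            cfg["statics"].append({"from": m[1], "to": m[2], "gaddr": m[3], "gport": to_port(m[4]),
                                   "laddr": m[5], "lport": to_port(m[6])})
        elif m := ACL_RE.fullmatch(line):
            cfg["acls"][m[1]].append({"action": m[2], "src": m[3], "dst": m[4],
                                      "port": to_port(m[5]) if m[5] else None, "text": line})
        elif m := re.fullmatch(r"access-group (\S+) in interface (\S+)", line):
            cfg["groups"][m[2]] = m[1]                # interface -> ACL name
    return cfg


def resolve(tok, cfg, iface):
    """Turn `interface`, a `name` alias or a literal into a dotted address."""
    return cfg["ifaddr"][iface] if tok == "interface" else cfg["names"].get(tok, tok)


def _covers(selector, addr):
    return selector == "any" or selector == f"host {addr}"


def first_match(acl, src, dst, port):
    """PIX ACLs are evaluated top-down, first match wins; no match is an implicit deny."""
    for e in acl:
        if _covers(e["src"], src) and _covers(e["dst"], dst) and e["port"] in (None, port):
            return e
    return None


def check_forwards(cfg, probe_src, outside="outside"):
    """For each static published on `outside`, report where it lands and which
    outside ACL entry decides a connection from `probe_src` to its public side."""
    acl = cfg["acls"].get(cfg["groups"].get(outside), [])
    report = []
    for st in (s for s in cfg["statics"] if s["to"] == outside):
        gaddr = resolve(st["gaddr"], cfg, outside)            # public side, what the ACL sees
        laddr = resolve(st["laddr"], cfg, st["from"])         # host the connection lands on
        hit = first_match(acl, probe_src, gaddr, st["gport"])
        report.append({"public": f"{gaddr}:{st['gport']}",
                       "target": f"{st['from']}:{laddr}:{st['lport']}",
                       "permitted": hit is not None and hit["action"] == "permit",
                       "acl_line": hit["text"] if hit else None})
    return report


def expected_probe_result(permitted, target_listening):
    """What an outside port scan reports.  A SYN the ACL denies is dropped silently
    (scanners say filtered/"stealth").  An admitted SYN is translated and delivered,
    so the answer comes from the target host: RST if nothing listens there (closed),
    SYN/ACK if something does (open)."""
    if not permitted:
        return "filtered"
    return "open" if target_listening else "closed"


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for r in check_forwards(cfg, probe_src="192.0.2.1"):      # 192.0.2.1: constructed scanner address
        verdict = "permit" if r["permitted"] else "deny"
        print(f"{r['public']:<18} -> {r['target']:<24} {verdict:<7} {r['acl_line'] or '(implicit deny)'}")
```

Run against the constructed sample it shows the two things worth confirming on the real box: the `interface imap4` static and the `203.0.113.11 imap4` static land on different hosts (`inside:191.0.33.2:143` versus `DMZ:192.168.5.2:143`, the latter via the `qmail` alias), and whether a probe from an arbitrary address is admitted depends entirely on which public address the `eq imap4` permit names. The `expected_probe_result` mapping is the caveat for reading a scan: the PIX drops a denied SYN without replying, so a scanner reporting closed rather than stealth means the SYN passed the outside ACL, was translated, and the host behind the static answered with a RST. On the PIX itself, after changing a `static` or the outside access-list, `clear xlate` so existing translations do not mask the change, and `show xlate` / `show conn` show whether the translation and connection are actually being built.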
