PIX Firewall problem, please help.

Discussion in 'Cisco' started by cosmicspin@yahoo.com, Apr 14, 2005.

  1. Guest

    Hi,

    I'm pretty new to configuring the PIX, but I have a slight problem that
    maybe someone knows the answer to. One of the sites I'm working on has
    a mailserver behind a PIX, but a standard static (inside,outside)
    command cannot fix the problem. The problem is that incoming mail
    first goes to one server, and THAT server forwards the mail to the
    mailserver. Thus, I need a way to make the mail go to the inside IP,
    but then exit using the same IP it came in, even though it's a different
    inside machine. Anyone have any clues? I've been reading up and see
    some possibilities, but I'd like to see if anyone's dealt with a
    similar issue.

    Thanks in advance,

    -cos
     
    , Apr 14, 2005
    #1

  2. Chris Guest

    <> wrote in message
    news:...
    > Hi,
    >
    > I'm pretty new to configuring the PIX, but I have a slight problem that
    > maybe someone knows the answer to. One of the sites I'm working on has
    > a mailserver behind a PIX, but a standard static (inside,outside)
    > command cannot fix the problem. The problem is that incoming mail
    > first goes to one server, and THAT server forwards the mail to the
    > mailserver. Thus, I need a way to make the mail go to the inside IP,
    > but then exit using the same IP it came in, even though it's a different
    > inside machine. Anyone have any clues? I've been reading up and see
    > some possibilities, but I'd like to see if anyone's dealt with a
    > similar issue.
    >
    > Thanks in advance,
    >
    > -cos


    If mail is delivered to the relay server which then passes it onto the
    internal server, why not get the internal server to relay its outbound mail
    through the relay server. Normally a relay server is used for
    filtering/virus checking etc, so it makes sense to do it in both directions.

    Chris.
     
    Chris, Apr 14, 2005
    #2

  3. Guest

    Unfortunately, the request I have is specific and that's the way they're
    set up :( . I'd like to know if there's a way to do it just for my
    reference anyhow, because it seems like it should be simple. Basically
    I just need an example of the command(s) that would allow me to have
    ONE IP for two different protocols, each one going to a different
    machine. One incoming, the other outgoing. I don't know if they'd
    want me to tell them to start changing how their servers do stuff, I'd
    rather just change it at the PIX to be honest. Keep in mind that this
    PIX is using NAT, so I made sure that the mailserver IP is not going to
    be in the global NAT pool.

    Maybe this will help.

    Let's say I have mailserver 192.168.1.10, and a mail/filter virus
    checker on 192.168.1.5.
    The command on my PIX says :
    static (inside,outside) xxx.xxx.xxx.128 192.168.1.5 netmask 255.255.255.255 0 0

    This allows incoming mail to contact xxx.xxx.xxx.128 and get to the
    mailserver filter/virus checker, which in turn forwards the email to
    the actual mailserver. What command will let me specify the IP in
    which outgoing SMTP (from 192.168.1.10) will appear as OUTSIDE? If I
    have to change their server IPs and stuff, it's going to require much
    more time than a simple IOS command.

    Thanks anyhow Chris, if nothing else works I can try doing what you
    suggested.

    -cos
     
    , Apr 14, 2005
    #3
  4. In article <>,
    <> wrote:
    :I'm pretty new to configuring the PIX, but I have a slight problem that
    :maybe someone knows the answer to. One of the sites I'm working on has
    :a mailserver behind a PIX, but a standard static (inside,outside)
    :command cannot fix the problem. The problem is that incoming mail
    :first goes to one server, and THAT server forwards the mail to the
    :mailserver. Thus, I need a way to make the mail go to the inside IP,
    :but then exit using the same IP it came in, even though it's a different
    :inside machine. Anyone have any clues? I've been reading up and see
    :some possibilities, but I'd like to see if anyone's dealt with a
    :similar issue.

    The key to this is to recognize that the incoming email is always
    going to inside port 25, but the outgoing email is going to -outside-
    port 25, with some random high numbered port as the inside port.

    So, you configure something like,

    static (inside,outside) tcp PUBLICIP smtp FILTERSERVERIP smtp netmask 255.255.255.255
    nat (inside) 2 MAILSERVERIP
    global (outside) 2 PUBLICIP

    The static PAT (port address translation) takes precedence over
    the nat, so the incoming smtp will go to the filter server.
    The outgoing smtp will not have source port 25, so the static will
    not apply, and the nat will take over.


    Note that the following will NOT work:

    static (inside,outside) tcp PUBLICIP smtp FILTERSERVERIP smtp netmask 255.255.255.255
    static (inside,outside) PUBLICIP MAILSERVERIP netmask 255.255.255.255

    You cannot use that because a plain static takes precedence over
    a static with ports.


    In PIX 6.3(2) or later [I think it is] you have an additional option,
    which is to use policy static. That's a static with an access-list
    that controls the circumstances under which the static is used.
    policy statics are a bit wonky -- you have to know undocumented
    details about which part of the access list is being paid attention to.
    --
    Look out, there are llamas!
     
    Walter Roberson, Apr 14, 2005
    #4
  5. Guest

    Thanks Walter, it makes much more sense now. I was wrongly trying to
    do the static thing you said NOT to do, and that's why it wasn't
    working. You probably saved me hours of painful mucking about. :D

    If worse comes to worse, I'll try Chris's idea which should've been the
    way they configured it in the first place. Thanks again guys! Your
    input has been helpful.

    -cos
     
    , Apr 15, 2005
    #5
  6. Guest

    Walter Roberson wrote:
    > In article <>,
    >
    > You cannot use that because a plain static takes precedence over
    > a static with ports.
    >
    >


    How about NAT? Is there a priority level for NAT?

    For example, take these following commands...

    global (outside) 1 10.10.10.10-10.10.10.24 netmask 255.255.255.0
    global (outside) 2 10.10.10.25
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (inside) 2 192.168.1.15

    Is there a way to establish priority? Or does the translating inside
    addresses by default take priority?
     
    , Apr 15, 2005
    #6
  7. In article <>,
    <> wrote:
    :How about NAT? Is there a priority level for NAT?

    :For example, take these following commands...

    :global (outside) 1 10.10.10.10-10.10.10.24 netmask 255.255.255.0
    :global (outside) 2 10.10.10.25
    :nat (inside) 1 0.0.0.0 0.0.0.0
    :nat (inside) 2 192.168.1.15

    :Is there a way to establish priority? Or does the translating inside
    :addresses by default take priority?

    Regular works by "longest match", the same as routing.
    The numbers after the interface in 'nat' and 'global' statements
    have no significance other than as arbitrary labels, with the
    one exception of the use of 0 .

    The relative order of static, static PAT, nat, policy nat,
    policy static, nat exception, and identity nat, are documented
    in the PIX command reference under the 'static' and 'nat' references.
    Mostly. The relative order of policy static to policy nat is not
    documented. I did get the information from Cisco, but I have forgotten
    for now.
    --
    "Who Leads?" / "The men who must... driven men, compelled men."
    "Freak men."
    "You're all freaks, sir. But you always have been freaks.
    Life is a freak. That's its hope and glory." -- Alfred Bester, TSMD
     
    Walter Roberson, Apr 16, 2005
    #7
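    A small Python model of the translation-rule ordering Walter lays out in #4 and #7, added here as an illustration and not code from any post or from Cisco. It encodes only what the two posts state (a plain static beats a static PAT, a static PAT beats nat/global and applies only when the inside port matches, nat entries are chosen by longest prefix match, and the nat/global id is merely the label pairing the two statements); the sample addresses, flows and class names are constructed, and the 6.1(1) outside-interface issue raised later in the thread is not modelled.

```python
"""Model of PIX 6.x translation-rule selection as described in posts #4 and #7.

Constructed illustration, not Cisco code: only the ordering stated in the thread
is encoded. Sample addresses and flows are made up.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """One TCP connection attempt as seen by the firewall."""
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Static:
    """static (inside,outside) [tcp] GLOBAL [port] LOCAL [port]; port=None is a plain static."""
    global_ip: str
    local_ip: str
    port: Optional[int] = None


@dataclass(frozen=True)
class Nat:
    """nat (inside) ID NETWORK MASK, written here as ID plus a CIDR string."""
    nat_id: int
    network: str


class PixModel:
    def __init__(self, statics, nats, global_pools):
        self.statics = statics
        self.nats = nats
        self.global_pools = global_pools  # nat_id -> global (outside) address or range

    def translate_outbound(self, flow: Flow):
        """Translated source for an inside->outside flow, plus the rule that won."""
        src = ip_address(flow.src)
        # 1. A plain static always wins for its inside host.
        for s in self.statics:
            if s.port is None and ip_address(s.local_ip) == src:
                return s.global_ip, "static"
        # 2. A static PAT applies only when the inside *source* port matches.
        for s in self.statics:
            if s.port is not None and ip_address(s.local_ip) == src and flow.sport == s.port:
                return s.global_ip, "static PAT"
        # 3. nat: longest matching network wins; the id only selects the global pool.
        best = None
        for n in self.nats:
            net = ip_network(n.network)
            if src in net and (best is None or net.prefixlen > ip_network(best.network).prefixlen):
                best = n
        if best is None:
            return None, "no translation"
        return self.global_pools[best.nat_id], f"nat {best.nat_id}"

    def translate_inbound(self, flow: Flow):
        """Inside destination for an outside->inside flow, plus the rule that won."""
        dst = ip_address(flow.dst)
        for s in self.statics:
            if s.port is None and ip_address(s.global_ip) == dst:
                return s.local_ip, "static"
        for s in self.statics:
            if s.port is not None and ip_address(s.global_ip) == dst and flow.dport == s.port:
                return s.local_ip, "static PAT"
        # Dynamic nat/global entries never admit new inbound connections.
        return None, "no translation"


PUBLIC = "10.10.10.20"        # public address from the thread's example config
FILTER = "192.168.1.5"        # virus/filter relay
MAILSERVER = "192.168.1.10"   # real mail server
POOL = "10.10.10.10-10.10.10.19"

# The configuration recommended in #4: static PAT for inbound SMTP, and a /32 nat
# paired with a single-address global for the mail server's outbound traffic.
WORKING = PixModel(
    statics=[Static(PUBLIC, FILTER, port=25)],
    nats=[Nat(1, "0.0.0.0/0"), Nat(2, MAILSERVER + "/32")],
    global_pools={1: POOL, 2: PUBLIC},
)

# The configuration #4 says will NOT work: a plain static for the mail server on
# the same public address as the static PAT for the filter.
BROKEN = PixModel(
    statics=[Static(PUBLIC, FILTER, port=25), Static(PUBLIC, MAILSERVER)],
    nats=[Nat(1, "0.0.0.0/0")],
    global_pools={1: POOL},
)

# Constructed sample flows; 203.0.113.7 is a documentation address standing in for a remote MTA.
INBOUND_SMTP = Flow(src="203.0.113.7", sport=40000, dst=PUBLIC, dport=25)
OUTBOUND_SMTP = Flow(src=MAILSERVER, sport=51234, dst="203.0.113.7", dport=25)
OTHER_HOST = Flow(src="192.168.1.77", sport=51235, dst="203.0.113.7", dport=80)


if __name__ == "__main__":
    for name, pix in (("working", WORKING), ("broken", BROKEN)):
        print(name, "inbound SMTP  ->", pix.translate_inbound(INBOUND_SMTP))
        print(name, "outbound SMTP ->", pix.translate_outbound(OUTBOUND_SMTP))
        print(name, "other host    ->", pix.translate_outbound(OTHER_HOST))
```

    Running it shows the point of both posts: with the working config, inbound SMTP lands on the filter via the static PAT while the mail server's outbound connections (random high source port, so the PAT does not match) fall through to the /32 nat, which beats the 0.0.0.0/0 entry by longest match regardless of the ids. With the broken config the plain static swallows the public address in both directions, so inbound SMTP bypasses the filter entirely.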
  8. Guest

    Walter Roberson wrote:

    >
    > :Is there a way to establish priority? Or does the translating inside
    > :addresses by default take priority?
    >
    > Regular works by "longest match", the same as routing.
    > The numbers after the interface in 'nat' and 'global' statements
    > have no significance other than as arbitrary labels, with the
    > one exception of the use of 0 .
    >


    Well if anyone has some input, it'd be much appreciated.

    Okay, the reason I asked was because the configuration you led me to
    now has an interesting issue. I'll show you an example config, so you
    can get the picture. The problem is there's now another issue that has
    arisen, even worse than the previous!

    *Site is using a global pool of 10 addresses with NAT, in which the
    last address is specified as the mailserver (IP POOL 10.10.10.10-20)*
    *keep in mind I'm using example IPs, in which 10.10.10.0 is considered
    a public IP*

    *Virus/Filter checker (IP = 192.168.1.5) forwards mail to actual
    mailserver (IP = 192.168.1.10), mailserver sends out mail directly*

    **********************************

    PIX Version 6.1(1)
    ....snip...

    static (inside,outside) tcp 10.10.10.20 smtp 192.168.1.5 smtp netmask 255.255.255.255

    nat (inside) 0 access-list do-no-nat

    global (outside) 1 10.10.10.10-10.10.10.19 netmask 255.255.255.0
    nat (inside) 1 0.0.0.0 0.0.0.0

    global (outside) 2 10.10.10.20
    nat (inside) 2 192.168.1.10 netmask 255.255.255.255

    route outside 0.0.0.0 0.0.0.0 #ROUTER_OUTSIDE_PIX_IP# 1

    ....snip...

    ************************************

    Now assuming the config is somewhat correct and understandable, the PIX
    should send mail to the 192.168.1.5 to check it for viruses, which in
    turn sends it to 192.168.1.10. Then 192.168.1.10; the ACTUAL
    mailserver, sends SMTP traffic via the IP 10.10.10.20. Meanwhile, all
    other machines in the local IP pool are numbered randomly between 10-19
    for the last octet.

    The problem that is occurring now is that I send mail outbound with the
    correct IP (10.10.10.20), which shows up in the email header... But
    when mail is incoming, it doesn't seem to reach the server, and I get a
    'failed attempt' email after 24 hours of waiting. NAT is functioning
    fine as well. The only problem is that email doesn't seem to be going
    to the right place now, when it was before. Am I missing something
    simple?

    Thanks in advance,

    cos
     
    , Apr 18, 2005
    #8
  9. In article <>,
    <> wrote:
    :PIX Version 6.1(1)

    :static (inside,outside) tcp 10.10.10.20 smtp 192.168.1.5 smtp netmask 255.255.255.255

    :global (outside) 1 10.10.10.10-10.10.10.19 netmask 255.255.255.0

    :global (outside) 2 10.10.10.20

    Is your outside IP address distinct from all of 10.10.10.10 thru
    10.10.10.19 ? If not, then you are going to have problems,
    especially if the outside IP is 10.10.10.20 .

    If 10.10.10.20 is your outside IP, then in static and global
    statements you should replace it with the keyword interface
    as in

    static (inside,outside) tcp interface smtp 192.168.1.5 smtp netmask 255.255.255.255

    global (outside) 2 interface

    6.1(1) and 6.1(2) are particularly problematic with respect
    to static PAT on the outside IP.

    If you use the real outside IP address in the global statement,
    then some things will work but some will fail, and it can be
    hard to track down.
    --
    Are we *there* yet??
     
    Walter Roberson, Apr 21, 2005
    #9
