HELP With Cisco PIX 506E routing/port forwarding with SMTP?????

We are replacing an old TeamInternet Firewall/Proxy/SMTP. We are
installing a new Pix 506E. I am having a heck of a time with getting
it to port forward and/or open the port for SMTP(25)??? below is a
copy of my config, and everything else seems to be working ok....
HTTP, FTP, VPN... everything, except the SMTP forwarding??? Any
Ideas???

Rodney Hall



pixfirewall# show run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 6NSln6otKGstraBl encrypted
passwd 6NSln6otKGstraBl encrypted
hostname pixfirewall
domain-name XXXXXX.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 105 permit tcp any host XXX.XXX.XX.122 eq 8000
access-list 105 permit tcp any host XXX.XXX.XX.122 eq 8080
access-list 105 permit tcp any host XXX.XXX.XX.122 eq www
access-list 105 permit tcp any host XXX.XXX.XX.122 eq ftp-data
access-list 105 permit tcp any host XXX.XXX.XX.122 eq ftp
access-list 105 permit tcp any host XXX.XXX.XX.122 eq 491
access-list 105 permit udp any host XXX.XXX.XX.122 eq 8000
access-list 105 permit udp any host XXX.XXX.XX.122 eq www
access-list 105 permit udp any host XXX.XXX.XX.122 eq 20
access-list 105 permit udp any host XXX.XXX.XX.122 eq 21
access-list 105 permit udp any host XXX.XXX.XX.122 eq 491
access-list 105 permit tcp any host XXX.XXX.XX.122 eq smtp
access-list 105 permit udp any host XXX.XXX.XX.122 eq 25
access-list 105 permit tcp any host XXX.XXX.XX.122 eq 2233
access-list 105 permit udp any host XXX.XXX.XX.122 eq 2233
access-list 105 permit icmp any any
pager lines 24
logging on
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside XXX.XXX.XX.122 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.2 255.255.255.255 inside
pdm location 192.168.1.212 255.255.255.255 inside
pdm location 192.168.1.216 255.255.255.255 inside
pdm location 192.168.2.205 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp XXX.XXX.XX.122 8000 192.168.1.216 8000
netmask 255.25
5.255.255 0 0
static (inside,outside) udp XXX.XXX.XX.122 8000 192.168.1.216 8000
netmask 255.25
5.255.255 0 0
static (inside,outside) udp XXX.XXX.XX.122 www 192.168.1.212 www
netmask 255.255.
255.255 0 0
static (inside,outside) tcp XXX.XXX.XX.122 www 192.168.1.212 www
netmask 255.255.
255.255 0 0
static (inside,outside) tcp XXX.XXX.XX.122 ftp-data 192.168.1.212
ftp-data netmas
k 255.255.255.255 0 0
static (inside,outside) udp XXX.XXX.XX.122 20 192.168.1.212 20 netmask
255.255.25
5.255 0 0
static (inside,outside) udp XXX.XXX.XX.122 21 192.168.1.212 21 netmask
255.255.25
5.255 0 0
static (inside,outside) tcp XXX.XXX.XX.122 ftp 192.168.1.212 ftp
netmask 255.255.
255.255 0 0
static (inside,outside) tcp XXX.XXX.XX.122 491 192.168.1.216 491
netmask 255.255.
255.255 0 0
static (inside,outside) udp XXX.XXX.XX.122 491 192.168.1.216 491
netmask 255.255.
255.255 0 0
static (inside,outside) udp XXX.XXX.XX.122 2233 192.168.1.2 2233
netmask 255.255.
255.255 0 0
static (inside,outside) tcp XXX.XXX.XX.122 2233 192.168.1.2 2233
netmask 255.255.
255.255 0 0
static (inside,outside) tcp XXX.XXX.XX.122 smtp 192.168.2.205 smtp
netmask 255.25
5.255.255 0 0
static (inside,outside) udp XXX.XXX.XX.122 25 192.168.2.205 25 netmask
255.255.25
5.255 0 0
access-group 105 in interface outside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XX.121 1
route inside 192.168.2.0 255.255.255.0 192.168.1.2 1
route inside 192.168.3.0 255.255.255.0 192.168.1.2 1
route inside 192.168.4.0 255.255.255.0 192.168.1.2 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
timeout uauth 0:05:00 absolute
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
dhcpd address 192.168.1.10-192.168.1.16 inside
dhcpd dns 24.92.226.11 24.92.226.12
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain XXXXXX.com
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:b2f4f5e5b8eebb6b17c2ece9d37ae013
: end
pixfirewall#

 

:We are replacing an old TeamInternet Firewall/Proxy/SMTP. We are
:installing a new Pix 506E. I am having a heck of a time with getting
:it to port forward and/or open the port for SMTP(25)???

:ip address outside XXX.XXX.XX.122 255.255.255.248

:static (inside,outside) tcp XXX.XXX.XX.122 8000 192.168.1.216 8000 netmask 255.25

Any time you have an interface IP in a 'static' statement, replace
the IP with the single word 'interface'. For example,

static (inside,outside) tcp interface 8000 192.168.1.216 8000 netmask 255.255.255.255 0 0

access-list 105 permit tcp any host XXX.XXX.XX.122 eq 8000

Any time you have an interface IP appearing an an access-list, then
since you are using 6.3(2) or later, replace the IP with the two
word combination which is the keyword 'interface' followed by the
name of the interface. For example,

access-list 105 permit tcp any interface outside eq 8000


Note: if you are doing port forwarding on the outside interface IP,
it's usually because you only -have- one external IP to play with.
In such a case, you might as well instead use

access-list 105 permit tcp any any eq 8000

seeing as there is no other IP address than the interface that
it could match against.

 

Please note that this will allow only old basic SMTP
commands to pass through the Pix. ESMTP will not work.
The manual says:

"The fixup protocol smtp command enables the Mail Guard
feature, which only lets mail servers receive the RFC 821,
section 4.5.1, commands of HELO, MAIL, RCPT, DATA, RSET,
NOOP, and QUIT. All other commands are translated into X's
which are rejected by the internal server. This results in
a message such as "500 Command unknown: 'XXX'." Incomplete
commands are discarded."

More info:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/df.htm#wp1067379

 

just to add some another degree of difficulty to the mix... we have a
Shiva VPN that acts as a firewall to our DMZ segment(seg 1). i was
figuring that the Shiva was blocking the traffic to out internal notes
server, so i opened up the ports... the mail server eventually started
recieveing mail, then after about an hour... it stopped again???? any
ideas???

Rodney

 

I am trying to setup my Pix to forward port 8000 to our server. We have
one static IP address to the firewall. from what I understand, the
commands should go as follows:

enable
enter password
configure terminal
static (inside,outside) tcp interface 8000 172.16.16.10 8000 netmask
255.255.255.0 0 0
access-list 105 permit tcp any any eq 8000
quit
write memory

I've done a good bit of reading and I think this should accomplish what
I'm looking to do. The only thing that isn't clear is the "105" after
access-list. I'm uncertain what that number is for and don't know if it
should be something different. Any help would be very much appreciated.
Thanks,

Jason

 

You need also to apply the access-list to the outside interface

access-group 105 in interface outside

It's just the name of the acess-list . You can either use a number or a
name like acl_out

 

:I am trying to setup my Pix to forward port 8000 to our server. We have
ne static IP address to the firewall. from what I understand, the
:commands should go as follows:

:static (inside,outside) tcp interface 8000 172.16.16.10 8000 netmask 255.255.255.0 0 0

Change the netmask to 255.255.255.255

:access-list 105 permit tcp any any eq 8000

As Rod indicated, access-group 105 in interface outside. Also, it
would be better to use

access-list 105 permit tcp any interface outside eq 8000

:quit

not 'quit' at that point but 'exit'.

:The only thing that isn't clear is the "105" after
:access-list. I'm uncertain what that number is for and don't know if it
:should be something different.

As Rod indicated, it is an arbitrary alphanumeric label with no
inherent signfigance. The choice of 105 (instead of, say, 203)
comes from someone who is used to writing IOS access lists that
allow protocol ('tcp'), source IP, destination IP, and protocols
to be specified -- the PIX access-lists look very much like that
kind of IOS access list (but the mask bits are completely different.)
It happens that in IOS, the range 100 thru 199 is reserved for
access lists of that form, with different number ranges being used
for completely different kinds of access lists. PIX only has the
one kind of access list, and it doesn't care whether you give a number
or a name or something like 2inside or something like
access.from-outside%[email protected] -- all just characters to it.

 

Thank you both for your help. I have entered the commands into the Cosco and
will be testing it later today. Thanks again for all the help!

Jason

 

Ok so it didn't work. Here's a little more on what i am trying to do:

We have 2 T-1 connections coming into a tasman router which has dhcp turned
off and forwards everything to the pix firewall. We have a program installed
on the server that runs over IIS. We install the client at our satellite
office and tell it to login to http://our-ip_address/

Apparently the only port that needs to be opened is 80 according to the
software developer. I'm getting an error that the software cannot connect.
My original settings had port 8000 which I thought is the same as 80. If
this isn't the case, please let me know. Any help is appreciated!

Jason

 

:We install the client at our satellite
ffice and tell it to login to http://our-ip_address/

The normal port for http://ip/ is port 80.

:Apparently the only port that needs to be opened is 80 according to the
:software developer. I'm getting an error that the software cannot connect.
:My original settings had port 8000 which I thought is the same as 80. If
:this isn't the case, please let me know.

Of course 8000 is not the same as 80. Some people choose to put
an http server on port 8000, but that is not -equivilent- to
port 80. Every different possible port number is distinct.