HELP With Cisco PIX 506E routing/port forwarding with SMTP?????

Discussion in 'Cisco' started by Rodney Hall, Jul 23, 2004.

  1. Rodney Hall

    Rodney Hall Guest

    We are replacing an old TeamInternet Firewall/Proxy/SMTP. We are
    installing a new Pix 506E. I am having a heck of a time with getting
    it to port forward and/or open the port for SMTP(25)??? below is a
    copy of my config, and everything else seems to be working ok....
    HTTP, FTP, VPN... everything, except the SMTP forwarding??? Any
    Ideas???

    Rodney Hall



    pixfirewall# show run
    : Saved
    :
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 6NSln6otKGstraBl encrypted
    passwd 6NSln6otKGstraBl encrypted
    hostname pixfirewall
    domain-name XXXXXX.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list 105 permit tcp any host XXX.XXX.XX.122 eq 8000
    access-list 105 permit tcp any host XXX.XXX.XX.122 eq 8080
    access-list 105 permit tcp any host XXX.XXX.XX.122 eq www
    access-list 105 permit tcp any host XXX.XXX.XX.122 eq ftp-data
    access-list 105 permit tcp any host XXX.XXX.XX.122 eq ftp
    access-list 105 permit tcp any host XXX.XXX.XX.122 eq 491
    access-list 105 permit udp any host XXX.XXX.XX.122 eq 8000
    access-list 105 permit udp any host XXX.XXX.XX.122 eq www
    access-list 105 permit udp any host XXX.XXX.XX.122 eq 20
    access-list 105 permit udp any host XXX.XXX.XX.122 eq 21
    access-list 105 permit udp any host XXX.XXX.XX.122 eq 491
    access-list 105 permit tcp any host XXX.XXX.XX.122 eq smtp
    access-list 105 permit udp any host XXX.XXX.XX.122 eq 25
    access-list 105 permit tcp any host XXX.XXX.XX.122 eq 2233
    access-list 105 permit udp any host XXX.XXX.XX.122 eq 2233
    access-list 105 permit icmp any any
    pager lines 24
    logging on
    logging buffered debugging
    mtu outside 1500
    mtu inside 1500
    ip address outside XXX.XXX.XX.122 255.255.255.248
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 192.168.1.2 255.255.255.255 inside
    pdm location 192.168.1.212 255.255.255.255 inside
    pdm location 192.168.1.216 255.255.255.255 inside
    pdm location 192.168.2.205 255.255.255.255 inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp XXX.XXX.XX.122 8000 192.168.1.216 8000 netmask 255.255.255.255 0 0
    static (inside,outside) udp XXX.XXX.XX.122 8000 192.168.1.216 8000 netmask 255.255.255.255 0 0
    static (inside,outside) udp XXX.XXX.XX.122 www 192.168.1.212 www netmask 255.255.255.255 0 0
    static (inside,outside) tcp XXX.XXX.XX.122 www 192.168.1.212 www netmask 255.255.255.255 0 0
    static (inside,outside) tcp XXX.XXX.XX.122 ftp-data 192.168.1.212 ftp-data netmask 255.255.255.255 0 0
    static (inside,outside) udp XXX.XXX.XX.122 20 192.168.1.212 20 netmask 255.255.255.255 0 0
    static (inside,outside) udp XXX.XXX.XX.122 21 192.168.1.212 21 netmask 255.255.255.255 0 0
    static (inside,outside) tcp XXX.XXX.XX.122 ftp 192.168.1.212 ftp netmask 255.255.255.255 0 0
    static (inside,outside) tcp XXX.XXX.XX.122 491 192.168.1.216 491 netmask 255.255.255.255 0 0
    static (inside,outside) udp XXX.XXX.XX.122 491 192.168.1.216 491 netmask 255.255.255.255 0 0
    static (inside,outside) udp XXX.XXX.XX.122 2233 192.168.1.2 2233 netmask 255.255.255.255 0 0
    static (inside,outside) tcp XXX.XXX.XX.122 2233 192.168.1.2 2233 netmask 255.255.255.255 0 0
    static (inside,outside) tcp XXX.XXX.XX.122 smtp 192.168.2.205 smtp netmask 255.255.255.255 0 0
    static (inside,outside) udp XXX.XXX.XX.122 25 192.168.2.205 25 netmask 255.255.255.255 0 0
    access-group 105 in interface outside
    route outside 0.0.0.0 0.0.0.0 XXX.XXX.XX.121 1
    route inside 192.168.2.0 255.255.255.0 192.168.1.2 1
    route inside 192.168.3.0 255.255.255.0 192.168.1.2 1
    route inside 192.168.4.0 255.255.255.0 192.168.1.2 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    timeout uauth 0:05:00 absolute
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 60
    console timeout 0
    dhcpd address 192.168.1.10-192.168.1.16 inside
    dhcpd dns 24.92.226.11 24.92.226.12
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd domain XXXXXX.com
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80
    Cryptochecksum:b2f4f5e5b8eebb6b17c2ece9d37ae013
    : end
    pixfirewall#
     
    Rodney Hall, Jul 23, 2004
    #1

  2. :We are replacing an old TeamInternet Firewall/Proxy/SMTP. We are
    :installing a new Pix 506E. I am having a heck of a time with getting
    :it to port forward and/or open the port for SMTP(25)???

    :ip address outside XXX.XXX.XX.122 255.255.255.248

    :static (inside,outside) tcp XXX.XXX.XX.122 8000 192.168.1.216 8000 netmask 255.25

    Any time you have an interface IP in a 'static' statement, replace
    the IP with the single word 'interface'. For example,

    static (inside,outside) tcp interface 8000 192.168.1.216 8000 netmask 255.255.255.255 0 0

    access-list 105 permit tcp any host XXX.XXX.XX.122 eq 8000

    Any time you have an interface IP appearing in an access-list, then
    since you are using 6.3(2) or later, replace the IP with the two
    word combination which is the keyword 'interface' followed by the
    name of the interface. For example,

    access-list 105 permit tcp any interface outside eq 8000


    Note: if you are doing port forwarding on the outside interface IP,
    it's usually because you only -have- one external IP to play with.
    In such a case, you might as well instead use

    access-list 105 permit tcp any any eq 8000

    seeing as there is no other IP address than the interface that
    it could match against.
     
    Walter Roberson, Jul 24, 2004
    #2

  3. Please note that this will allow only old basic SMTP
    commands to pass through the Pix. ESMTP will not work.
    The manual says:

    "The fixup protocol smtp command enables the Mail Guard
    feature, which only lets mail servers receive the RFC 821,
    section 4.5.1, commands of HELO, MAIL, RCPT, DATA, RSET,
    NOOP, and QUIT. All other commands are translated into X's
    which are rejected by the internal server. This results in
    a message such as "500 Command unknown: 'XXX'." Incomplete
    commands are discarded."

    More info:

    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/df.htm#wp1067379
     
    Jyri Korhonen, Jul 24, 2004
    #3
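    As an added illustration (not from the thread or from Cisco), a Python model of the rules in the quoted manual text: the seven RFC 821 verbs pass, every other verb is overwritten with X's of the same length (hence the internal server's "500 Command unknown: 'XXXX'"), and a trailing command with no CRLF yet is discarded. The session bytes are constructed; the real PIX code is not on this page, so this models only the documented behaviour and ignores the message body after DATA.

```python
from __future__ import annotations

# Verbs Mail Guard lets through, as listed in the PIX 6.3 command reference
# quoted above (RFC 821 section 4.5.1 minimum implementation).
MAIL_GUARD_ALLOWED = {b"HELO", b"MAIL", b"RCPT", b"DATA", b"RSET", b"NOOP", b"QUIT"}


def mail_guard_filter(client_bytes: bytes) -> tuple[list[bytes], bytes]:
    """Model of the documented rules on the client-to-server direction.

    Returns (lines forwarded to the internal server, trailing fragment discarded).
    A complete command is a CRLF-terminated line; its verb is the text before
    the first space.  Disallowed verbs are replaced by X's of the same length.
    Message-body lines after DATA are not modelled here.
    """
    *complete, fragment = client_bytes.split(b"\r\n")
    forwarded = []
    for line in complete:
        verb, sep, rest = line.partition(b" ")
        if verb.upper() in MAIL_GUARD_ALLOWED:
            forwarded.append(line + b"\r\n")
        else:
            forwarded.append(b"X" * len(verb) + sep + rest + b"\r\n")
    return forwarded, fragment


def blocked_verbs(client_bytes: bytes) -> list[bytes]:
    """Distinct ESMTP verbs a session would lose behind Mail Guard, in order seen."""
    seen: list[bytes] = []
    for line in client_bytes.split(b"\r\n")[:-1]:
        verb = line.partition(b" ")[0].upper()
        if verb and verb not in MAIL_GUARD_ALLOWED and verb not in seen:
            seen.append(verb)
    return seen


# Constructed session: a modern client opens with EHLO and later tries STARTTLS;
# the final "QUI" has no CRLF yet, so it counts as an incomplete command.
SAMPLE_SESSION = (b"EHLO mail.example.com\r\n"
                  b"MAIL FROM:<user@example.com>\r\n"
                  b"STARTTLS\r\n"
                  b"QUI")

if __name__ == "__main__":
    lines, dropped = mail_guard_filter(SAMPLE_SESSION)
    for ln in lines:
        print(ln)
    print("discarded fragment:", dropped)
    print("blocked verbs:", blocked_verbs(SAMPLE_SESSION))
```

Running it shows why an ESMTP peer only gets a plain-SMTP session: EHLO and STARTTLS arrive as X's, so the peer must fall back to HELO and cannot negotiate extensions.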
  4. just to add another degree of difficulty to the mix... we have a
    Shiva VPN that acts as a firewall to our DMZ segment(seg 1). i was
    figuring that the Shiva was blocking the traffic to our internal notes
    server, so i opened up the ports... the mail server eventually started
    receiving mail, then after about an hour... it stopped again???? any
    ideas???

    Rodney
     
    Rodney Hall Jr, Jul 25, 2004
    #4
  5. ThaBroker Guest

    I am trying to setup my Pix to forward port 8000 to our server. We have
    one static IP address to the firewall. from what I understand, the
    commands should go as follows:

    enable
    enter password
    configure terminal
    static (inside,outside) tcp interface 8000 172.16.16.10 8000 netmask 255.255.255.0 0 0
    access-list 105 permit tcp any any eq 8000
    quit
    write memory

    I've done a good bit of reading and I think this should accomplish what
    I'm looking to do. The only thing that isn't clear is the "105" after
    access-list. I'm uncertain what that number is for and don't know if it
    should be something different. Any help would be very much appreciated.
    Thanks,

    Jason
     
    ThaBroker, Jan 12, 2005
    #5
  6. mcaissie Guest

    You need also to apply the access-list to the outside interface

    access-group 105 in interface outside

    It's just the name of the access-list. You can either use a number or a
    name like acl_out
     
    mcaissie, Jan 12, 2005
    #6
  7. :I am trying to setup my Pix to forward port 8000 to our server. We have
    :one static IP address to the firewall. from what I understand, the
    :commands should go as follows:

    :static (inside,outside) tcp interface 8000 172.16.16.10 8000 netmask 255.255.255.0 0 0

    Change the netmask to 255.255.255.255

    :access-list 105 permit tcp any any eq 8000

    As Rod indicated, access-group 105 in interface outside. Also, it
    would be better to use

    access-list 105 permit tcp any interface outside eq 8000

    :quit

    not 'quit' at that point but 'exit'.

    :The only thing that isn't clear is the "105" after
    :access-list. I'm uncertain what that number is for and don't know if it
    :should be something different.

    As Rod indicated, it is an arbitrary alphanumeric label with no
    inherent significance. The choice of 105 (instead of, say, 203)
    comes from someone who is used to writing IOS access lists that
    allow protocol ('tcp'), source IP, destination IP, and protocols
    to be specified -- the PIX access-lists look very much like that
    kind of IOS access list (but the mask bits are completely different.)
    It happens that in IOS, the range 100 thru 199 is reserved for
    access lists of that form, with different number ranges being used
    for completely different kinds of access lists. PIX only has the
    one kind of access list, and it doesn't care whether you give a number
    or a name or something like 2inside or something like
    access.from-outside%[email protected] -- all just characters to it.
     
    Walter Roberson, Jan 12, 2005
    #7
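    To tie together the corrections from replies #2, #6 and #7, here is an added Python check (not from the thread or from Cisco) that reads PIX 6.3 `static`, `access-list` and `access-group` lines and flags the four mistakes discussed: a static that maps the literal outside-interface IP instead of the keyword `interface`, an ACL entry that names that IP instead of `interface outside`, a port static whose netmask is not 255.255.255.255, and an ACL that is defined but never applied with `access-group`. The sample config is constructed with a placeholder outside address in place of the post's masked XXX.XXX.XX.122.

```python
from __future__ import annotations
import re

# Constructed sample in the shape of the thread's config; it deliberately
# contains the mistakes the replies point out. 198.51.100.122 is a placeholder.
SAMPLE_CONFIG = """\
ip address outside 198.51.100.122 255.255.255.248
access-list 105 permit tcp any host 198.51.100.122 eq smtp
access-list 106 permit tcp any interface outside eq 8000
static (inside,outside) tcp 198.51.100.122 smtp 192.168.2.205 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8000 172.16.16.10 8000 netmask 255.255.255.0 0 0
access-group 105 in interface outside
"""

# Port-redirection static: (mapped address) (mapped port) (real address) (real port) netmask (mask)
STATIC_RE = re.compile(r"static \(inside,outside\) (?:tcp|udp) (\S+) \S+ \S+ \S+ netmask (\S+)")
ACL_HOST_RE = re.compile(r"access-list (\S+) permit \S+ any host (\S+)")
ACL_RE = re.compile(r"access-list (\S+) ")
GROUP_RE = re.compile(r"access-group (\S+) in interface")


def lint_pix_forwarding(config: str) -> list[str]:
    """Report the port-forwarding mistakes discussed in the thread, in config order."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    outside_ip = None
    for ln in lines:
        if m := re.match(r"ip address outside (\S+) ", ln):
            outside_ip = m.group(1)
    findings, defined, applied = [], set(), set()
    for ln in lines:
        if m := STATIC_RE.match(ln):
            mapped, mask = m.groups()
            if mapped == outside_ip:
                findings.append(f"static maps literal interface IP {mapped}; use the keyword 'interface'")
            if mask != "255.255.255.255":
                findings.append(f"port static uses netmask {mask}; a single-host static needs 255.255.255.255")
        elif m := ACL_HOST_RE.match(ln):
            defined.add(m.group(1))
            if m.group(2) == outside_ip:
                findings.append(f"access-list {m.group(1)} matches host {outside_ip}; on 6.3(2)+ write 'interface outside'")
        elif m := ACL_RE.match(ln):
            defined.add(m.group(1))
        elif m := GROUP_RE.match(ln):
            applied.add(m.group(1))
    for acl in sorted(defined - applied):
        findings.append(f"access-list {acl} is defined but never applied with access-group")
    return findings


if __name__ == "__main__":
    for finding in lint_pix_forwarding(SAMPLE_CONFIG):
        print("-", finding)
```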
  8. Jason Smith Guest

    Thank you both for your help. I have entered the commands into the Cisco and
    will be testing it later today. Thanks again for all the help!

    Jason
     
    Jason Smith, Jan 13, 2005
    #8
  9. Jason Smith Guest

    Ok so it didn't work. Here's a little more on what i am trying to do:

    We have 2 T-1 connections coming into a Tasman router which has dhcp turned
    off and forwards everything to the pix firewall. We have a program installed
    on the server that runs over IIS. We install the client at our satellite
    office and tell it to login to http://our-ip_address/

    Apparently the only port that needs to be opened is 80 according to the
    software developer. I'm getting an error that the software cannot connect.
    My original settings had port 8000 which I thought is the same as 80. If
    this isn't the case, please let me know. Any help is appreciated!

    Jason
     
    Jason Smith, Jan 13, 2005
    #9
  10. :We install the client at our satellite
    :office and tell it to login to http://our-ip_address/

    The normal port for http://ip/ is port 80.

    :Apparently the only port that needs to be opened is 80 according to the
    :software developer. I'm getting an error that the software cannot connect.
    :My original settings had port 8000 which I thought is the same as 80. If
    :this isn't the case, please let me know.

    Of course 8000 is not the same as 80. Some people choose to put
    an http server on port 8000, but that is not -equivalent- to
    port 80. Every different possible port number is distinct.
     
    Walter Roberson, Jan 13, 2005
    #10
