help with port redirection pix 501

Discussion in 'General Computer Support' started by gefunk, Aug 30, 2006.

  1. gefunk


    Aug 30, 2006
    Likes Received:
    Hey guys, I am completely stuck with this port redirection problem. I had the pix forwarding the ports to my exchange mail server yesterday. But all of a sudden today the pix wouldn't let the traffic through to the mail server. I can't figure out what is going on. Please HELP!!! I am posting my config to the forum.


    P.S. I have tried to follow so many other configs but all of them fail. please let me know what i am doing wrong here. I know my mailserver because i can access it on the internal lan

    my setup is INTERNET ---> PIX ----> Internal LAN

    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password Dtz5T/b57zithj.d encrypted
    passwd XMXqv.PfYjShc4N6 encrypted
    hostname pixfirewall
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    name mailserver
    access-list aclOUTSIDE permit ip any any
    access-list inbound-outside permit tcp host any eq 8080
    access-list inbound permit tcp any host eq 8080
    access-list aclVPN permit ip

    access-list aclNONAT permit ip 255.255.255.
    access-list outside_in permit tcp any host eq telnet
    access-list outside_in permit tcp any host eq ftp
    access-list outside_in permit tcp any host eq smtp
    access-list outside_in permit tcp any host eq www
    access-list outside_in permit tcp any host eq 8080
    pager lines 24
    logging on
    mtu outside 1500
    mtu inside 1500
    ip address outside
    ip address inside
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list aclNONAT
    nat (inside) 1 0 0
    static (inside,outside) tcp interface telnet mailserver telnet netmask 255.255.2
    55.255 0 0
    static (inside,outside) tcp interface www mailserver www netmask
    0 0
    static (inside,outside) tcp interface smtp mailserver smtp netmask
    55 0 0
    route outside 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set setAC esp-des esp-md5-hmac
    crypto ipsec transform-set setAC3DES esp-3des esp-md5-hmac
    crypto map acmap 10 ipsec-isakmp
    crypto map acmap 10 match address aclVPN
    crypto map acmap 10 set peer
    crypto map acmap 10 set transform-set setAC3DES
    crypto map acmap interface outside
    isakmp enable outside
    isakmp key ******** address netmask
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 86400
    telnet inside
    telnet timeout 5
    ssh outside
    ssh timeout 15
    console timeout 0
    dhcpd address inside
    dhcpd dns
    dhcpd lease 366000
    dhcpd ping_timeout 750
    dhcpd enable inside
    terminal width 80
    gefunk, Aug 30, 2006
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.