PIX 506E PDM 3.0(1) PIX 6.3(3) NAT/PAT

Discussion in 'Cisco' started by Michiel, Aug 22, 2006.

  1. Michiel

    Michiel Guest


    I have a PIX 506E, seems to be a wonderful thing... but I can't seem to
    get it working properly... This is the situation:

    I have as a modem the Zyxel Prestige 660HW which is used as modem, but it
    will NAT the public ip.

    WAN : Internet (public ip natted, DMZ is
    LAN : mask

    WAN : mask
    LAN : mask

    What I want is that from the outside everything is blocked and from the
    inside lan ( all allowed to outside (internet), then here
    it comes: I want the PIX to allow several services, for example WEB and SMTP
    but also more, I only used WEB and SMTP as examples in my configuration. This
    last thing is not working... The internet from inside to the outside is
    working perfectly, and the PIX is with every test STEALTH. So no problems
    with that. My config with the mapping and allowing of SMTP and WEB is not
    working properly. When I connect from the outside with SMTP by a telnet
    program, it connects, it also gives the message my mailserver should give,
    only corrupted... so the data it gives is not readable...

    Does anyone have any idea what seems to be the problem...? Or is someone able
    to give me a working config in my situation so I can put it in and then
    change the defaults...?

    I have made the configuration below with PDM 3.0(1), and more or less I have
    no idea how to make the rules by commandline so that is why I am using PDM.
    Though when I have a working config I can see in PDM how it is supposed to


    P.S. When I use, instead of the PIX 506E, a simpler or other
    firewall/cable router in the same config, then it is working fine.
    P.S. Below here is the config of the PIX 506E
    Building configuration...
    : Saved
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password xxxxxxxxxxxxx
    passwd xxxxxxxxxxxxx
    hostname pixfirewall
    domain-name test.local
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    access-list outside_access_in permit icmp any any
    access-list outside_access_in remark smtp
    access-list outside_access_in permit tcp any any eq smtp
    access-list outside_access_in remark HTTP
    access-list outside_access_in permit tcp any any eq www
    access-list outside_access_in deny ip any any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside
    ip address inside
    ip audit info action alarm
    ip audit attack action alarm
    pdm location inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0 0
    static (inside,outside) tcp interface smtp smtp netmask 0 0
    static (inside,outside) tcp interface www www netmask 0 0
    access-group outside_access_in in interface outside
    route outside 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http inside
    floodguard enable
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80
    : end
    Michiel, Aug 22, 2006
  2. Michiel

    SAto Guest

    Does the HTTP work or is that broken as well?

    The SMTP could be because the fixup smtp is on in your configuration.
    That denies any ESMTP commands and only accepts regular SMTP commands.
    This may or may not be the problem.

    SAto, Aug 22, 2006
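    As an added illustration (not part of the thread), here is a small Python
    check for the two symptoms SAto describes: a 220 greeting that arrives as a
    run of asterisks, and a 5xx reply to an extended verb such as EHLO. The
    transcripts are constructed samples; the server names are made up.

```python
# Constructed sample: a telnet to port 25 through the PIX while
# "fixup protocol smtp 25" is active (masked banner, EHLO refused),
# next to the same server reached with the fixup disabled.
MASKED_SESSION = [
    "S: 220 ***************************************0**************0****",
    "C: EHLO probe.example",
    "S: 500 5.3.3 Unrecognized command",
    "C: HELO probe.example",
    "S: 250 mail.test.local Hello probe.example",
]
CLEAN_SESSION = [
    "S: 220 mail.test.local ESMTP Service ready",
    "C: EHLO probe.example",
    "S: 250-mail.test.local Hello probe.example",
    "S: 250 SIZE 10485760",
]

# The plain SMTP verb set the fixup lets through; anything else is "ESMTP".
RFC821_VERBS = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}


def analyse_session(lines):
    """Return which Mailguard-style symptoms an SMTP transcript shows.

    Each line is "S: <server reply>" or "C: <client command>".
    """
    banner_masked = False
    esmtp_refused = False
    last_client_verb = None
    for line in lines:
        side, _, text = line.partition(": ")
        words = text.split()
        if side == "S" and text.startswith("220"):
            # A greeting that is mostly asterisks: the fixup rewrote the banner.
            body = text[3:].strip()
            if body and body.count("*") / len(body) > 0.5:
                banner_masked = True
        elif side == "C":
            last_client_verb = words[0].upper() if words else None
        elif (side == "S" and text.startswith("5")
              and last_client_verb and last_client_verb not in RFC821_VERBS):
            # A 5xx answer to an extended verb (EHLO, STARTTLS, AUTH, ...).
            esmtp_refused = True
    return {
        "banner_masked": banner_masked,
        "esmtp_refused": esmtp_refused,
        "mailguard_suspected": banner_masked or esmtp_refused,
    }


if __name__ == "__main__":
    print(analyse_session(MASKED_SESSION))
    print(analyse_session(CLEAN_SESSION))
```

    Paste a real captured session in the same "S:"/"C:" form to see whether the
    PIX, rather than the mail server, is what is mangling the dialogue.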
  3. Michiel

    Michiel Guest

    Thanks SAto! ;)...

    I have tested that, and that seems to be working fine... ;)... When I use
    telnet I see normal IIS html... so that is right!

    But how can I get the ESMTP/SMTP working properly then...?

    Will I need any special configuring for DNS/VPN/WEB/SMTP/POP/RDP traffic...?
    I am running on the LAN side my own DNS/VPN/WEB/SMTP/POP/RDP for public use.
    I have this as a temporary situation... because later I am going to have a
    connection with an ip block of at minimum 8 ip's... But for now I just need
    this to get working... ;)...

    Michiel, Aug 22, 2006
  4. Michiel

    Chad Mahoney Guest

    enter config mode
    conf t
    no fixup protocol smtp 25
    Chad Mahoney, Aug 22, 2006
  5. Michiel

    Michiel Guest

    Thanks Chad,

    But I knew how to do it by console... after a few minutes of searching in
    the PDM I found the option... removed it, and DONE! ;)

    The PIX is now up and running! ;)...

    I have another question, but I will make a new post on that...

    Michiel, Aug 22, 2006
