PIX 506E PDM 3.0(1) PIX 6.3(3) NAT/PAT

Hello,

I have an PIX 506E, seems to be a wonderfull thing... but i can't seem to
get it working properly... This is the situation:

I have as a modem the Zyxel Prestige 660HW wich is used as modem, but it
will NAT the public ip.

Zyxel
WAN : Internet (public ip natted, DMZ is 192.168.168.2)
LAN : 192.168.168.1 mask 255.255.255.252

Cisco
WAN : 192.168.168.2 mask 255.255.255.252
LAN : 192.168.68.8 mask 255.255.255.0

What i want is that form the outside everything is blocked and from the
inside lan (192.168.68.0/255) all allowed to outside (internet), then here
it comes i want to PIX to allow several services, for example WEB and SMTP
but als more, i only used WEB and SMTP as examples in my configuration. This
last thing is not working... The internet from inside to the outside is
working perfectly, and the PIX is with every test STEALTH. So no problems
with that. My config with the mapping and allowings of SMTP and WEB are not
working properly. When i connect from the outside with SMTP by a telnet
program, it connects, it also gives the message my mailserver should give,
only corrupted... so the data it gives is not readable...

Does anyone have any idea that seems to be the problem...? or someone able
to give me a working config in my situation so i can put it in and then
change the defaults...?

I have made the configuration below with PDM 3.0(1), and more or less i have
no idea how to make the rules by commandline so that is why i am using PDM.
Though when i have a working config i can see in PDM how it is supposed to
be.

Sincerely,
Michiel


P.S. When i use instead of the PIX 506E a more simple or other
firewall/cable router in the same config then it is working fine.
P.S. Below here is the config of the PIX 506E
Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxpasswd xxxxxxxxxxxxx
hostname pixfirewall
domain-name test.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit icmp any any
access-list outside_access_in remark smtp
access-list outside_access_in permit tcp any any eq smtp
access-list outside_access_in remark HTTP
access-list outside_access_in permit tcp any any eq www
access-list outside_access_in deny ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.168.2 255.255.255.252
ip address inside 192.168.68.8 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.68.1 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp 192.168.68.1 smtp netmask
255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.68.1 www netmask
255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.168.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.68.0 255.255.255.0 inside
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
: end
[OK]

 

with that. My config with the mapping and allowings of SMTP and WEB are not

Does the HTTP work or is that broken as well?

The SMTP could be because the fixup smtp is on in your configuration.
That denies any ESMTP commands and only accepts regular smtp commands
through.
This may or may not be the problem.

-SAto

 

Thanks SAto! ...

I have tested that, and that seems to be working fine... ... When i use
telnet i see normal IIS html... so that is right!

But how can i get the ESMTP/SMTP working properly then...?

Will i need any special configuring for DNS/VPN/WEB/SMTP/POP/RDP traffic...?
I am running on the LAN side my own DNS/VPN/WEB/SMTP/POP/RDP for public use.
I have this as a temporary situation... because later i am going to have an
connection with an ip block of at minumum 8 ip's... But for now i just need
this to get working... ...

Thanks!

 

enter config mode
enable
conf t
no fixup smtp

 

Thanks Chad,

But i knew how to do it by console... after a few minutes of searching in
the PDM i found the option... removed it, and DONE!

The PIX is now good up and running! ...

I have another question, but make a new post on that...

Sincerely,
Michiel