
exchange 2003 behind pix515e problem


panos1968

Technical User
Oct 23, 2005
4
GB
I have a Cisco PIX 515E (v7.0) connected to a Cisco 837 router for WAN access.
I have only one LAN, 10.0.0.0, and I have disabled the DMZ.
Behind this are Windows Server 2003 Standard, Citrix Presentation Server 4.0, Microsoft Exchange Server 2003 and PCs, all working.
Everything is working properly except Exchange Server 2003.
I have disabled SMTP inspection and made access lists to permit SMTP on port 25, POP3 and NetBIOS, but we have serious delays sending or receiving mail and some mails are lost.
Do you have any idea how to solve this problem?
PIX configuration:

interface Ethernet0
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
enable password xxx encrypted
passwd xxx encrypted
hostname PIX
domain-name xxx.local
ftp mode passive
object-group network computer_room
description servers,firewall,network equipment
network-object host PrimaryDomainController
network-object host Citrix
network-object host Thinprint
network-object host SecondaryDomainController
network-object host Fileserver
network-object host mailserver
network-object host 10.0.0.8
...........................
object-group network it
description it department use
network-object host 10.0.0.11
.............................
object-group protocol full_access
description full access for computer room,it department
protocol-object tcp
protocol-object udp
protocol-object icmp
protocol-object ip
object-group protocol limited_access
description limited access for users
protocol-object tcp
protocol-object udp
object-group network users
description users
network-object host 10.0.0.31
............................
object-group service all tcp-udp
port-object range 0 65535
access-list acl_in extended permit tcp any any eq smtp
access-list acl_in extended permit tcp any host 194.30.219.14 eq smtp
access-list acl_in extended permit object-group full_access object-group computer_room any
access-list acl_in extended permit object-group full_access object-group it any
access-list acl_in extended permit object-group limited_access object-group users any
access-list acl_in extended permit tcp object-group computer_room any eq ftp
access-list acl_in extended permit tcp object-group computer_room any eq ftp-data
access-list acl_in extended permit tcp object-group it any eq ftp-data
access-list acl_in extended permit tcp object-group it any eq ftp
access-list acl_in extended permit tcp any host mailserver eq netbios-ssn
access-list acl_in extended permit tcp any host mailserver eq 135
access-list acl_in extended permit udp any host mailserver eq netbios-ns
access-list acl_in extended permit udp any host mailserver eq netbios-dgm
access-list acl_in extended permit tcp any host mailserver eq pop3
access-list acl_in extended permit tcp any host mailserver range 1 65535
access-list acl_in extended permit udp any host mailserver range 1 65535
access-list acl_in extended permit ip any host mailserver
access-list acl_out extended deny tcp object-group users any eq ftp
access-list acl_out extended deny tcp object-group users any eq ftp-data
access-list acl_out extended permit icmp any any
pager lines 24
logging enable
logging timestamp
logging console debugging
logging monitor debugging
logging buffered debugging
logging trap debugging
logging facility 23
mtu outside 1500
mtu inside 1500
ip audit name attack-policy attack action
ip audit interface outside attack-policy
ip audit attack action alarm drop reset
monitor-interface outside
monitor-interface inside
no asdm history enable
arp timeout 14400
global (outside) 1 x.x.x.x netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) x.x.x.x mailserver netmask 255.255.255.255 tcp 0 65535
access-group acl_in in interface outside
access-group acl_out out interface inside
established tcp 135 0 permitto tcp 1-65535 permitfrom tcp 0
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 0.0.0.0 0.0.0.0 10.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
no snmp-server enable traps all
telnet x.x.x.x 255.255.255.0 outside
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 10
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
inspect esmtp
!
service-policy global_policy global



Router configuration :

version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname xxxxxx
!
enable password 7 0000000
!
no aaa new-model
ip subnet-zero
ip name-server x.x.x.x
ip name-server x.x.x.x
!
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
no crypto isakmp enable
!
!
!
!
interface Ethernet0
ip address x.x.x.x 255.255.255.240 secondary
ip address 10.0.0.254 255.255.255.0
hold-queue 100 out
!
interface ATM0
no ip address
load-interval 30
no snmp trap link-status
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
interface Dialer1
ip address negotiated
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp pap sent-username xxxxxx password 7 0000000
!
ip nat inside source list 110 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip http server
no ip http secure-server
!
dialer-list 1 protocol ip permit
!
line con 0
exec-timeout 120 0
no modem enable
stopbits 1
line aux 0
line vty 0 4
exec-timeout 120 0
password 7 0000000000
login
!
no scheduler max-task-time
!
end
 
access-list acl_out extended deny tcp object-group users any eq ftp
access-list acl_out extended deny tcp object-group users any eq ftp-data
access-list acl_out extended permit icmp any any

You need to allow your mail server out on port 25:

access-list acl_out extended deny tcp object-group users any eq ftp
access-list acl_out extended deny tcp object-group users any eq ftp-data
access-list acl_out extended permit tcp host mailserver any eq 25
access-list acl_out extended permit icmp any any


The NetBIOS inbound rules are not needed, and I wouldn't recommend leaving them open.
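As an added illustration (not code from either poster), the following small Python evaluator parses the subset of PIX 7.0 extended ACL syntax used by acl_out and walks it the way the firewall does (first match wins, implicit deny at the end), once for the list as posted and once with the reply's permit inserted. The external MX address 203.0.113.25 is a constructed value, and the users group is assumed to contain only the 10.0.0.31 host that the thread shows.

```python
import re

# Port keywords used in the thread's ACLs; object-group membership as far as the thread shows it.
PORT_NAMES = {"ftp": 21, "ftp-data": 20, "smtp": 25, "pop3": 110}
GROUPS = {"users": {"10.0.0.31"}}  # assumption: only the member visible in the post
# acl_out exactly as posted, then with the permit the reply suggests inserted.
ACL_OUT_BEFORE = """
access-list acl_out extended deny tcp object-group users any eq ftp
access-list acl_out extended deny tcp object-group users any eq ftp-data
access-list acl_out extended permit icmp any any
"""
ACL_OUT_AFTER = """
access-list acl_out extended deny tcp object-group users any eq ftp
access-list acl_out extended deny tcp object-group users any eq ftp-data
access-list acl_out extended permit tcp host mailserver any eq 25
access-list acl_out extended permit icmp any any
"""
ACL_RE = re.compile(
    r"access-list (?P<name>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any|host \S+|object-group \S+) (?P<dst>any|host \S+|object-group \S+)"
    r"(?: eq (?P<port>\S+))?$")

def parse_acl(text):
    """Parse the subset of PIX 7.0 extended ACL syntax used by acl_out, keeping order."""
    entries = []
    for line in text.strip().splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            raise ValueError("unsupported ACL line: " + line)
        entry = m.groupdict()
        if entry["port"] is not None:
            entry["port"] = PORT_NAMES.get(entry["port"]) or int(entry["port"])
        entries.append(entry)
    return entries

def addr_matches(spec, addr):
    """Match 'any', 'host <name-or-ip>' or 'object-group <name>' against one address."""
    if spec == "any":
        return True
    kind, value = spec.split()
    return value == addr if kind == "host" else addr in GROUPS.get(value, set())

def evaluate(entries, proto, src, dst, dport):
    """First matching entry wins; the PIX applies an implicit deny when nothing matches."""
    for e in entries:
        if e["proto"] in (proto, "ip") and addr_matches(e["src"], src) \
                and addr_matches(e["dst"], dst) and e["port"] in (None, dport):
            return e["action"]
    return "deny (implicit)"
```

Evaluating the mail server's outbound tcp/25 flow against ACL_OUT_BEFORE falls through to the implicit deny, while ACL_OUT_AFTER returns "permit"; the users group's FTP is still explicitly denied in both.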
 