
Newbie Ques -- Public Servers behind PIX 501 1


fusionboy

Programmer
Jul 14, 2003
27
US
Hi,

I'm new to CISCO firewalls and I would totally appreciate any help you can give me.

My question is this: on a PIX 501 can I have a public web server, public email server, and public dns server?

I've got it so that the web server works, but I can't get smtp and pop3 to go to the email server, etc. Is this even possible on a 501?

Thanks!
 
You should be able to do it on a PIX 501. This is just port redirection. Basically, you use the static (inside,outside) command and assign ports to specific IPs internally. Post a copy of your config and we'll straighten this out.
 
Thanks Bell!

Here is the config so far:

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password **************** encrypted
passwd ******************* encrypted
hostname ***************
domain-name *********************
fixup protocol http 80
no fixup protocol rsh 514
no fixup protocol sip 5060
no fixup protocol skinny 2000
no fixup protocol sqlnet 1521
no fixup protocol rtsp 554
no fixup protocol h323 1720
no fixup protocol ftp 21
fixup protocol smtp 25
names
name 192.168.1.29
name 64.81.96.0 extRouteToRouter
name 192.168.1.36 mailserver
pager lines 24
logging on
logging buffered warnings
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 69.xxx.xxx.xxx 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
pdm location 255.255.255.255 inside
pdm location 192.168.55.36 255.255.255.255 inside
pdm location 192.168.55.0 255.255.255.0 inside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.1.6.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) interface 192.168.1.0 netmask 255.255.255.255 0 0
conduit permit tcp host 69.xxx.xxx.xxx eq pop3 any
conduit permit tcp host 69.xxx.xxx.xxx eq smtp any
conduit permit tcp host 69.xxx.xxx.xxx eq
conduit permit tcp host mailserver eq pop3 any
route outside 0.0.0.0 0.0.0.0 64.81.96.1 1
route inside 255.255.255.255 192.168.1.1 1
route inside 192.168.55.0 255.255.255.0 192.168.1.1 1
route inside 192.168.55.36 255.255.255.255 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.1.10-192.168.1.15 inside
dhcpd dns 64.81.111.2
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80


Like I said, I'm an idiot, so please let me know if anything looks funny. I think I'm starting to get the port redirection stuff but it's not working...

Thanks a bunch!
 
Here's some recommendations:

First, conduits aren't being used that much anymore. Replace the conduit commands with an access-list:

replace:
conduit permit tcp host 69.xxx.xxx.xxx eq pop3 any

with:
access-list ALLOWED_TRAFFIC permit tcp any host 69.x.x.x eq pop3

replace:
conduit permit tcp host 69.xxx.xxx.xxx eq smtp any

with:
access-list ALLOWED_TRAFFIC permit tcp any host 69.x.x.x eq smtp

replace:
conduit permit tcp host 69.xxx.xxx.xxx eq
with:
access-list ALLOWED_TRAFFIC permit tcp any host 69.x.x.x eq www

conduit permit tcp host mailserver eq pop3 any
(This last conduit can be removed altogether)

add:
access-group ALLOWED_TRAFFIC in interface outside
static (inside, outside) tcp 69.1.1.1 80 192.168.1.29 80 netmask 255.255.255.255
static (inside, outside) tcp 69.1.1.1 25 192.168.1.36 25 netmask 255.255.255.255
static (inside, outside) tcp 69.1.1.1 110 192.168.1.36 110 netmask 255.255.255.255

Secondly, I see that you have a default route pointing to 64.81.96.1. Is this correct? It should point to the PIX's outside interface's neighbor (the router), which should be a 69.x.x.x address.

Try this and let's go from here.
 
thanks, Bell. Ok, I added the access-list entries. In the static entries, you have 69.1.1.1 -- is this supposed to be the interface ip? I'm getting an overlap error:

static overlaps with 69.xxx.xxx.xxx to 192.168.1.0
 
Alright, time for some corrections:

1. Replace the IP address 69.1.1.1 in the "static" command with the word "interface".

so it should look like this:

static (inside, outside) tcp interface 80 192.168.1.29 80 netmask 255.255.255.255
static (inside, outside) tcp interface 25 192.168.1.36 25 netmask 255.255.255.255
static (inside, outside) tcp interface 110 192.168.1.36 110 netmask 255.255.255.255

2. In the access-list "ALLOWED_TRAFFIC" the 69.x.x.x should be the IP address of the PIX outside IP address.

Let me know how this works.
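The two replies above boil down to four checks on a PIX 6.x config: conduits should give way to an access-list bound with access-group, an access-list is useless until it is bound, an address-level static on the outside interface address collides with per-port statics on that same address (the "static overlaps" error), and the default route's gateway must sit on the outside interface's subnet. The script below is an added example, not Tek-Tips' or Cisco's code, that parses a config in that format and reports those four findings. Both configs it contains are constructed for illustration (the outside side uses the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 in place of the poster's masked 69.x.x.x addresses); the function names `parse`, `outside_address` and `lint` are this example's own.

```python
"""Lint a PIX 6.x-style config for the four pitfalls discussed in the thread.

Added example; not Tek-Tips' or Cisco's code. Both configs below are
constructed (documentation address ranges) to mirror the poster's setup.
"""
import ipaddress
import re

# Constructed: the poster's original shape (conduits, whole-address static,
# unbound access-list, gateway off the outside subnet).
BROKEN_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.10 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) interface 192.168.1.0 netmask 255.255.255.255 0 0
static (inside, outside) tcp interface 80 192.168.1.29 80 netmask 255.255.255.255
conduit permit tcp host 203.0.113.10 eq pop3 any
conduit permit tcp host 203.0.113.10 eq smtp any
access-list ALLOWED_TRAFFIC permit tcp any host 203.0.113.10 eq www
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
"""

# Constructed: the corrected shape from the replies above.
FIXED_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.10 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside, outside) tcp interface 80 192.168.1.29 80 netmask 255.255.255.255
static (inside, outside) tcp interface 25 192.168.1.36 25 netmask 255.255.255.255
static (inside, outside) tcp interface 110 192.168.1.36 110 netmask 255.255.255.255
access-list ALLOWED_TRAFFIC permit tcp any host 203.0.113.10 eq www
access-list ALLOWED_TRAFFIC permit tcp any host 203.0.113.10 eq smtp
access-list ALLOWED_TRAFFIC permit tcp any host 203.0.113.10 eq pop3
access-group ALLOWED_TRAFFIC in interface outside
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
"""


def parse(config):
    """Split a config into token lists, dropping blanks and '!' comments."""
    lines = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        # "(inside, outside)" and "(inside,outside)" are both accepted by the
        # PIX; fold them into one token so positional parsing below is stable.
        line = re.sub(r"\(\s*(\w+)\s*,\s*(\w+)\s*\)", r"(\1,\2)", line)
        lines.append(line.split())
    return lines


def outside_address(lines):
    """Return the outside interface as an IPv4Interface, or None if absent."""
    for t in lines:
        if len(t) >= 5 and t[:3] == ["ip", "address", "outside"]:
            return ipaddress.IPv4Interface(f"{t[3]}/{t[4]}")
    return None


def lint(config):
    """Return a list of human-readable findings; an empty list means clean."""
    lines = parse(config)
    findings = []
    outside = outside_address(lines)
    # The keyword "interface" in a static means the outside interface address.
    outside_ip = str(outside.ip) if outside else "interface"

    # 1. conduits are the legacy mechanism; access-list + access-group replace them
    if any(t[0] == "conduit" for t in lines):
        findings.append("conduit commands present; use access-list plus access-group instead")

    # 2. an access-list that is never bound with access-group filters nothing
    acl_names = {t[1] for t in lines if t[0] == "access-list" and len(t) > 1}
    bound = {t[1] for t in lines if t[0] == "access-group" and len(t) > 1}
    for name in sorted(acl_names - bound):
        findings.append(f"access-list {name} is never applied with access-group")

    # 3. an address-level static on a global address collides with port statics
    #    on the same global address (the PIX reports "static overlaps")
    whole = {}   # global address -> local address for address-level statics
    ports = {}   # global address -> [(proto, port), ...] for port statics
    for t in lines:
        if t[0] != "static" or len(t) < 5:
            continue
        if t[2] in ("tcp", "udp"):
            glob = outside_ip if t[3] == "interface" else t[3]
            ports.setdefault(glob, []).append((t[2], t[4]))
        else:
            glob = outside_ip if t[2] == "interface" else t[2]
            whole[glob] = t[3]
    for glob in sorted(set(whole) & set(ports)):
        findings.append(f"static overlap: {glob} is mapped wholesale to {whole[glob]} "
                        f"and also used by port statics {ports[glob]}")

    # 4. the default route's next hop must be on the outside interface's subnet
    if outside is not None:
        for t in lines:
            if len(t) >= 5 and t[:4] == ["route", "outside", "0.0.0.0", "0.0.0.0"]:
                gw = ipaddress.IPv4Address(t[4])
                if gw not in outside.network:
                    findings.append(f"default gateway {gw} is not on the outside "
                                    f"subnet {outside.network}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{label}: {len(lint(cfg))} finding(s)")
        for f in lint(cfg):
            print("  -", f)
```

Running it reports four findings for the constructed "broken" config and none for the corrected one. The overlap check deliberately resolves the `interface` keyword to the outside address before comparing, because the collision the poster hit was between a static written with `interface` and the interface's real address; a check that compared the literal tokens would miss it.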
 
Hey Bell,

now I'm getting a "portmap translation creation failed for udp src inside:mailserver/2002 dst outside:69.xxx.xxx.xxx/53", where the 69.xxx.xxx.xxx number is the IP of the external DNS server.

Obviously I'm not allowing dns queries to go out. Right? How to fix?

thanks a ton for your help so far.
 
Ok, I figured it out -- had to clear xlate.

Thanks again for all your help, Bell.
 
It appears that you are getting an error message indicating that the PIX cannot create a translation thru the PIX (from inside to outside) using UDP port 53, which is strange considering that you haven't configured UDP port 53 on the PIX.

I did some research and it might come down to 2 things:

First do a "clear xlate" - this will clear the translations

See if it works now. If not, then add the following:

"fixup protocol dns"

Let me know how it goes.
 
Disregard my last message. I sent it before I read your last one. It appears all is well and you're up and running.

Thanks for the Star......
 