
PIX 501 need help setting up internal e-mail


edwerg (MIS)
Jun 23, 2003
I need help in configuring the PIX so we can setup an internal e-mail server. I am a network person, this is my first crack at firewalls / routers so please bear with my lack of knowledge.
This is my current configuration:

PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 0bLHzEQcFg83IiBA encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 162.107.224.135 255.255.255.252
ip address inside 192.168.1.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 162.107.224.134 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 30
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.10-192.168.1.129 inside
dhcpd dns 192.168.1.4 166.107.165.11
dhcpd wins 192.168.1.4 192.168.1.4
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain mud25.com
dhcpd auto_config outside
dhcpd enable inside
username edwerg password J9HtfVVj9jLOSXtc encrypted privilege 15
terminal width 80
Cryptochecksum:2a92a857f8cf396ce625032dae0d6187

I have tried the following:

static (inside,outside) 162.107.224.135 192.168.1.5 netmask 255.255.255.255 0 0
access-list 101 permit tcp any host 162.107.224.135 eq 25
access-group 101 in interface outside
static (inside,outside) tcp interface smtp 192.168.1.5 smtp netmask 255.255.255.255

I keep running into two problems: 1) after typing in the first static command I lose my internet connection, and 2) it does not allow me to type in the second static line at all.

Any information you all can give would be great.
Thank you
 
Don't use the first static statement.

This is enough.

static (inside,outside) tcp 162.107.224.135 smtp 192.168.1.5 smtp

 
Doesn't turning up both interfaces to 100full kill your connectivity to the outside? I thought the inside was 100full and the outside was auto? At least that's what happened to me.
 
What do you all think about the following?

static (inside,outside) tcp 162.107.224.135 smtp 192.168.1.5 smtp netmask 255.255.255.255

static (inside,outside) tcp 162.107.224.135 pop3 192.168.1.5 pop3 netmask 255.255.255.255

access-list 101 permit tcp any host 162.107.224.135 eq smtp

access-group 101 in interface outside

Don't I need the netmask statement? Will the second static statement open pop3 so my users can get e-mail from outside the office? Do I need the access-*** statements? I really want this to work the first time, they are mad enough at me for the first go-round.

Thanks for all of your help

 
FWHATER said:
Doesn't turning up both interfaces to 100full kill your connectivity to the outside? I thought the inside was 100full and the outside was auto? At least that's what happened to me.

No. It will only "kill" the connection if it is connected to a device that does not support that link speed.

For instance, Cisco recommends NOT using Auto, as the PIX does not auto-negotiate with some network equipment well.

Computer/Network Technician
CCNA
 
Thank you LloydSev; no, I know not to mess with the auto-negotiate. That part seems to be working fine.
 
edwerg said:
Don't I need the netmask statement? Will the second static statement open pop3 so my users can get e-mail from outside the office? Do I need the access-*** statements? I really want this to work the first time, they are mad enough at me for the first go-round.

Yes that would open up pop3.

However, understand that, as you wrote above, you NEED the access list to allow pop3 and smtp access from the outside to the inside. Since it is not being initiated from the inside, it must be explicitly allowed.

Computer/Network Technician
CCNA
 
Thank you all, you have been very helpful. I will try this configuration later this week and I will post back here if it works.
 
After that, clear xlate once to get it to notice the new static.

//Jan
 
edwerg said:
How do I clear xlate? and what is it?

type "clear xlate" from the CLI (Command Line Interface)

Computer/Network Technician
CCNA
 
I need help with the next step to configure my Exchange mail server to receive/send mail. I have tried unsuccessfully to make this happen, so you will see my previous attempt. We have a pool of public IPs; previously we only used one IP for the Watchguard firewall and, using a one-to-one NAT, we were able to direct mail to HQ (our Exchange server). When that firebox died I substituted a SOHO6 and had it up in 5 minutes. This PIX501 is going on 3 hours!

All traffic is routing out just fine right now.

Router IP xxx.188.231.98
Internal IP 10.10.1.0-
Internal IP (HQ) 10.10.1.250

QUESTIONS:
In theory, do I need to use the public IP pool at all or can I just use the one IP?
Do I need to use a public IP on my mail server?


PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100

hostname pixfirewall
domain-name ourdomain.org
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.10.1.0 ourdomain.org
name 10.10.1.250 HQ
access-list inbound permit tcp any any eq smtp
access-list inbound permit tcp any any eq www
access-list inbound permit tcp any any eq https
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xxx.188.231.98 255.255.255.240
ip address inside 10.10.1.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location HQ 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 xxx.188.231.99-xxx.188.231.109
global (outside) 1 xxx.188.231.110
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp HQ smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 255.255.255.255 0 0
static (inside,outside) tcp interface https HQ https netmask 255.255.255.255 0 0
static (inside,outside) HQ HQ netmask 255.255.255.255 0 0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.188.65.97 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http ourdomain.org 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:05afeefc639cfc2e23b2cb4303d007ed

Dan
lost in IOSland!
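The two configurations in this thread fail in different ways: edwerg's first attempt put a one-to-one static on the outside interface address that "global (outside) 1 interface" was already using for PAT (his lost internet connection), LloydSev's reply points out that a static still needs an access-list entry behind it, and Dan's config carries a "permit tcp any any eq smtp" and a static line that never became a complete translation. The following is an added example, not from the thread and not Cisco's tooling: a small Python lint that reads a PIX 6.3 config and flags exactly those patterns. Everything in it is constructed: the two sample configs use RFC 5737 documentation addresses in place of the thread's real ones, the finding codes are names chosen here, and only the statement forms the thread actually uses are parsed (port and one-to-one statics, "any" and "host" access-list entries, one outside interface).

```python
"""Lint a PIX 6.3 config for the static + access-list mistakes made in this thread.
Added example, not from the thread; the sample configs below are constructed from the
thread's two scenarios, with RFC 5737 documentation addresses in place of the real ones."""
import re

PORTS = {"smtp": 25, "pop3": 110, "www": 80, "http": 80, "https": 443}
STATIC = re.compile(r"static\s*\(\s*(\w+)\s*,\s*(\w+)\s*\)\s*(.*)")

def port(tok):
    """PIX port keyword or number -> int, None if unrecognised."""
    return PORTS.get(tok, int(tok) if tok.isdigit() else None)

def parse_static(line):
    """static (in,out) [tcp|udp] <gip|interface> [gport] <lip> [lport] [netmask m] [conns [emb]]
    Returns a dict, or None when the line does not form a complete translation."""
    m = STATIC.match(line)
    t = m.group(3).split() if m else []
    proto = t.pop(0) if t and t[0] in ("tcp", "udp") else None
    if proto and len(t) >= 4 and None not in (port(t[1]), port(t[3])):  # port static: gip gport lip lport
        return {"raw": line, "out": m.group(2), "proto": proto, "gip": t[0], "gport": port(t[1])}
    if not proto and len(t) >= 2:                                      # one-to-one static: gip lip
        return {"raw": line, "out": m.group(2), "proto": None, "gip": t[0], "gport": None}
    return None

def parse_ace(e):
    """access-list tokens after the list name: permit <proto> <src> <dst> [eq <port>] -> (proto, dst, port).
    Only the 'any' and 'host <ip>' address forms are handled, which is all the thread's entries use."""
    if e[0] != "permit" or len(e) < 4:
        return None
    rest = e[3:] if e[2] == "any" else e[4:]                           # drop the source spec
    dst, rest = ("any", rest[1:]) if rest[0] == "any" else (rest[1], rest[2:])
    return e[1], dst, port(rest[1]) if rest[:1] == ["eq"] else None

def parse(config):
    """Pull the statements the checks need out of a PIX 6.3 config."""
    cfg = {"ifip": {}, "pat_if": set(), "statics": [], "bad_statics": [], "acls": {}, "groups": {}}
    for raw in config.splitlines():
        t = raw.strip().lower().split()
        if len(t) == 5 and t[:2] == ["ip", "address"]:                   # ip address <if> <ip> <mask>
            cfg["ifip"][t[2]] = t[3]
        elif len(t) >= 3 and t[0] == "global" and t[-1] == "interface":  # PAT on the interface's own address
            cfg["pat_if"].add(t[1].strip("()"))
        elif t and t[0] == "static":
            st = parse_static(" ".join(t))
            (cfg["statics"] if st else cfg["bad_statics"]).append(st or " ".join(t))
        elif len(t) > 2 and t[0] == "access-list":
            cfg["acls"].setdefault(t[1], []).append(t[2:])
        elif len(t) >= 5 and t[0] == "access-group":                     # access-group <acl> in interface <if>
            cfg["groups"][t[4]] = t[1]
    return cfg

def lint(config):
    """Return (code, detail) findings; an empty list means the publish pattern is consistent."""
    cfg = parse(config)
    out = [("malformed-static", raw) for raw in cfg["bad_statics"]]
    for st in cfg["statics"]:
        own = cfg["ifip"].get(st["out"])
        st["gip"] = own if st["gip"] == "interface" else st["gip"]       # resolve the 'interface' keyword
        # A 1:1 static on the address 'global (...) N interface' PATs on takes it away from PAT, so every
        # other inside host loses outbound access; publish single ports with 'tcp interface <port>' instead.
        if st["proto"] is None and st["gip"] == own and st["out"] in cfg["pat_if"]:
            out.append(("full-static-on-pat-addr", st["raw"]))
        # A static only creates the translation; some inbound permit must still reach that address/port.
        aces = [parse_ace(e) for e in cfg["acls"].get(cfg["groups"].get(st["out"]), [])]
        if not any(a and a[1] in ("any", st["gip"]) and a[0] in ("ip", st["proto"] or a[0])
                   and (a[2] is None or st["gport"] in (None, a[2])) for a in aces):
            out.append(("static-without-acl", st["raw"]))
    for ifname, acl in cfg["groups"].items():
        for proto, dst, p in filter(None, map(parse_ace, cfg["acls"].get(acl, []))):
            if dst == "any":  # admits traffic to every translated address on the interface; name the published one
                out.append(("acl-dst-any", f"{acl}: destination any for {proto} port {p}"))
            # A permit with nothing behind it has no translation to hand the connection to.
            elif not any(s["out"] == ifname and s["gip"] == dst and s["gport"] in (None, p)
                         and s["proto"] in (None, proto) for s in cfg["statics"]):
                out.append(("acl-without-static", f"{acl}: {dst} {proto} port {p} has no static"))
    return out

# Constructed from the thread's failed attempts: 1:1 static on the PAT address, a truncated static,
# a pop3 static with no permit, 'permit ... any any', and a permit with nothing behind it.
BROKEN = """\
ip address outside 203.0.113.2 255.255.255.240
global (outside) 1 interface
static (inside,outside) 203.0.113.2 10.10.1.250 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 10.10.1.250 pop3 netmask 255.255.255.255 0 0
access-list inbound permit tcp any any eq smtp
access-list inbound permit tcp any host 203.0.113.5 eq www
access-group inbound in interface outside
"""
# Constructed: the pattern the thread converged on, completed for SMTP and POP3.
FIXED = """\
ip address outside 203.0.113.2 255.255.255.240
global (outside) 1 interface
static (inside,outside) tcp interface smtp 10.10.1.250 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 10.10.1.250 pop3 netmask 255.255.255.255 0 0
access-list inbound permit tcp any host 203.0.113.2 eq smtp
access-list inbound permit tcp any host 203.0.113.2 eq pop3
access-group inbound in interface outside
"""
```

lint(BROKEN) returns five findings (the truncated static, the 1:1 static on the PAT address, the pop3 static with no permit, the "any any" destination, and the www permit with no static behind it); lint(FIXED) returns an empty list. The lint checks structure, not judgement: a pop3 static that exposes cleartext mailbox passwords to the Internet passes it, and so does the "snmp-server community public" that both posted configs still carry.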
 