
PIX 515E Trouble with Inbound Connections

Status
Not open for further replies.

EmperorBox (IS-IT--Management), US, Apr 20, 2005
Hi, I'm having trouble with inbound connections. It seems a lot of the time when we receive emails, we are getting Status 4.0.0 Connection timed out. This all started when we got this firewall 3 months ago. Email now takes forever and we are receiving warnings that our recipient server did not respond. Here is the config:

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password **** encrypted
passwd **** encrypted
hostname "pixfirewall"
domain-name MYDOMAIN.COM
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol ftp 7021
fixup protocol ftp 9021
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 192.168.0.0 255.255.0.0 192.168.106.0 255.255.255.0
access-list outbound permit tcp 192.168.0.0 255.255.0.0 any eq www
access-list outbound permit tcp 192.168.0.0 255.255.0.0 any eq https
access-list outbound permit tcp 192.168.0.0 255.255.0.0 any eq ftp
access-list outbound permit tcp 192.168.0.0 255.255.0.0 any eq smtp
access-list outbound permit udp 192.168.0.0 255.255.0.0 any eq isakmp
access-list outbound permit udp 192.168.0.0 255.255.0.0 any eq domain
access-list outbound permit tcp 192.168.0.0 255.255.0.0 any eq imap4
access-list outbound permit tcp 192.168.0.0 255.255.0.0 any eq pop3
access-list outbound permit tcp 192.168.0.0 255.255.0.0 any eq ldap
access-list outbound permit tcp 192.168.0.0 255.255.0.0 any eq 102
access-list outbound permit tcp 192.168.0.0 255.255.0.0 any eq aol
access-list outbound permit tcp 192.168.0.0 255.255.0.0 any eq 1755
access-list outbound permit icmp any any
access-list outbound permit udp 192.168.0.0 255.255.0.0 any eq ntp
access-list outbound permit tcp 192.168.0.0 255.255.0.0 any eq 9021
access-list outbound permit tcp 192.168.0.0 255.255.0.0 any eq 7021
access-list outbound permit tcp 192.168.0.0 255.255.0.0 any eq 5900
access-list outbound permit tcp 192.168.0.0 255.255.0.0 any eq telnet
access-list outbound permit tcp 192.168.0.0 255.255.0.0 any eq 27000
access-list outbound permit tcp 192.168.0.0 255.255.0.0 any eq 27001
access-list outbound permit tcp 192.168.0.0 255.255.0.0 any eq 27002
access-list outbound permit tcp 192.168.0.0 255.255.0.0 any eq 27003
access-list outbound permit tcp 192.168.0.0 255.255.0.0 any eq 27004
access-list outbound permit tcp 192.168.0.0 255.255.0.0 any eq 27005
access-list outbound permit tcp 192.168.0.0 255.255.0.0 any eq 27006
access-list outbound permit tcp 192.168.0.0 255.255.0.0 any eq 27007
access-list outbound permit tcp 192.168.0.0 255.255.0.0 any eq 27008
access-list outbound permit tcp 192.168.0.0 255.255.0.0 any eq 27009
access-list outbound permit tcp 192.168.0.0 255.255.0.0 any eq 27010
no pager
logging on
mtu outside 1500
mtu inside 1500
ip address outside MY.DOMAIN.NET 255.255.255.0
ip address inside 192.168.104.20 255.255.254.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool 192.168.106.1-192.168.106.254
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 MY.DOMAIN.NET netmask 255.255.255.0
nat (inside) 0 access-list 101
nat (inside) 1 192.168.101.0 255.255.255.0 0 0
nat (inside) 1 192.168.102.0 255.255.255.0 0 0
nat (inside) 1 192.168.103.0 255.255.255.0 0 0
nat (inside) 1 192.168.104.0 255.255.254.0 0 0
nat (inside) 1 192.168.108.0 255.255.254.0 0 0
static (inside,outside) MY.DOMAIN.NET 192.168.104.1 netmask 255.255.255.255 0 0
static (inside,outside) MY.DOMAIN.NET 192.168.104.23 netmask 255.255.255.255 0 0
access-group outbound in interface inside
conduit permit icmp any any
conduit permit tcp host MY.DOMAIN.NET eq pop3 any
conduit permit tcp host MY.DOMAIN.NET eq imap4 any
conduit permit tcp host MY.DOMAIN.NET eq ldap any
conduit permit tcp host MY.DOMAIN.NET eq 522 any
conduit permit tcp host MY.DOMAIN.NET eq 1503 any
conduit permit tcp host MY.DOMAIN.NET eq h323 any
conduit permit tcp host MY.DOMAIN.NET eq 1731 any
conduit permit tcp host MY.DOMAIN.NET eq smtp host x.x.x.x
conduit permit tcp host MY.DOMAIN.NET eq smtp host x.x.x.x
conduit permit tcp host MY.DOMAIN.NET eq smtp host x.x.x.x
conduit permit tcp host MY.DOMAIN.NET eq smtp host x.x.x.x
conduit permit tcp host MY.DOMAIN.NET eq smtp host x.x.x.x
conduit permit tcp host MY.DOMAIN.NET eq smtp host x.x.x.x
conduit permit tcp host MY.DOMAIN.NET eq smtp host x.x.x.x
conduit permit tcp host MY.DOMAIN.NET eq smtp host x.x.x.x
conduit permit tcp host MY.DOMAIN.NET eq smtp host x.x.x.x
conduit permit tcp host MY.DOMAIN.NET eq smtp host x.x.x.x
route outside 0.0.0.0 0.0.0.0 MY.DOMAIN.NET 1
route inside 192.168.101.0 255.255.255.0 192.168.104.2 1
route inside 192.168.102.0 255.255.255.0 192.168.104.2 1
route inside 192.168.103.0 255.255.255.0 192.168.104.2 1
route inside 192.168.108.0 255.255.254.0 192.168.104.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.104.0 255.255.254.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt ipsec pl-compatible
crypto ipsec transform-set pc esp-3des esp-sha-hmac
crypto dynamic-map cisco 1 set transform-set pc
crypto map dyn 10 ipsec-isakmp dynamic cisco
crypto map dyn interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
isakmp policy 8 hash sha
isakmp policy 8 group 1
isakmp policy 8 lifetime 86400
telnet 192.168.104.254 255.255.255.255 inside
telnet timeout 20
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local pptp-pool
vpdn enable outside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80

I'm fairly new with Cisco PIX firewalls. Any help would be appreciated.
 
Hmm, 3 months ago, on 6.3(4) software, and then someone configured conduits on it; shame on that person :) You should do those over as ACLs instead. Mixing ACLs and conduits can have funny effects sometimes.

As for your problem, once you have done the ACLs, try things like "no fixup protocol smtp 25" if you are using an Exchange server. Oh, and remember a clear xlate when trying out different things; this will kill NAT translations and sessions through the firewall, which otherwise can fool you with regards to test results.

Here are a few things in need of some thought:

global (outside) 1 MY.DOMAIN.NET netmask 255.255.255.0
Are you using an entire class C scope for NATing? Otherwise this should be just one address with netmask 255.255.255.255.

static (inside,outside) MY.DOMAIN.NET 192.168.104.1 netmask 255.255.255.255 0 0
static (inside,outside) MY.DOMAIN.NET 192.168.104.23 netmask 255.255.255.255 0 0

Is one of these your mail server, and if so, you haven't used the same address as the outside interface in these statics, right?

ssh 0.0.0.0 0.0.0.0 outside
Not a good idea; anyone can see that port now, and it is almost never needed from everywhere.

http 0.0.0.0 0.0.0.0 outside
Even worse (unencrypted).

Jan


Network Systems Engineer
CCNA/CQS/CCSP/Infosec
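Jan's first point is to redo the conduits as access-list entries. The trap when doing that by hand is argument order: a conduit names the global (destination) address first and the foreign (source) address second, while an access-list names the source first. The following converter is an added example, not code from the thread or from Cisco; it assumes the new ACL is called "inbound" and is bound to the outside interface, and it uses documentation addresses (203.0.113.10 for the public mail host, 198.51.100.0/24 for remote relays) as constructed stand-ins for MY.DOMAIN.NET and x.x.x.x. It also refuses conduit lines with a missing port operator, which is exactly the kind of transcription slip that turns a "host X smtp host Y" line into nonsense.

```python
"""Convert PIX 6.x conduit statements into equivalent access-list entries.

Added example, not code from the thread. Assumptions: the ACL is named
"inbound" and is bound to the outside interface; conduit syntax is
  conduit permit|deny PROTO GLOBAL [op PORT] FOREIGN [op PORT]
where an address is "any", "host A.B.C.D" or "A.B.C.D MASK".
Key point when converting: a conduit names the destination (global)
address first, an access-list names the source (foreign) first.
"""


def _endpoint(tokens, i):
    """Parse one address spec at tokens[i]; return (text, next index)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return f"host {tokens[i + 1]}", i + 2
    return f"{tokens[i]} {tokens[i + 1]}", i + 2      # address + mask


def _port(tokens, i):
    """Parse an optional port operator at tokens[i]; return (text, next index)."""
    if i < len(tokens) and tokens[i] in ("eq", "neq", "lt", "gt"):
        return f"{tokens[i]} {tokens[i + 1]}", i + 2
    if i < len(tokens) and tokens[i] == "range":
        return f"range {tokens[i + 1]} {tokens[i + 2]}", i + 3
    return "", i


def conduit_to_acl(line, acl_name="inbound"):
    """Return the access-list line equivalent to one conduit statement."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "conduit" or tokens[1] not in ("permit", "deny"):
        raise ValueError(f"not a conduit statement: {line!r}")
    action, proto = tokens[1], tokens[2]
    glob, i = _endpoint(tokens, 3)       # destination as seen from outside
    glob_port, i = _port(tokens, i)
    foreign, i = _endpoint(tokens, i)    # source as seen from outside
    foreign_port, i = _port(tokens, i)
    if proto in ("tcp", "udp") and tokens[i:]:
        # Leftover tokens mean a malformed line, e.g. "host X smtp host Y"
        # without the "eq" operator; refuse rather than emit a bogus ACL.
        raise ValueError(f"cannot parse conduit: {line!r}")
    parts = ["access-list", acl_name, action, proto, foreign]
    if foreign_port:
        parts.append(foreign_port)
    parts.append(glob)
    if glob_port:
        parts.append(glob_port)
    parts.extend(tokens[i:])             # e.g. an ICMP type, kept as-is
    return " ".join(parts)


def convert_config(config_text, acl_name="inbound"):
    """Return (acl_lines, followup_lines): the ACL entries in conduit order,
    deduplicated, then the access-group binding and the "no conduit" lines
    that retire the old statements once the ACL has been verified."""
    acl_lines, removals = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith("conduit "):
            continue
        acl = conduit_to_acl(line, acl_name)
        if acl not in acl_lines:         # PIX rejects duplicate entries
            acl_lines.append(acl)
        removals.append("no " + line)
    followup = [f"access-group {acl_name} in interface outside"] + removals
    return acl_lines, followup


# Constructed sample: the shape of the thread's conduits, with documentation
# addresses (203.0.113.10 = public mail host, 198.51.100.x = remote relays)
# standing in for MY.DOMAIN.NET and x.x.x.x.  The duplicated line mirrors
# the repeated entries in the posted config.
SAMPLE_CONDUITS = """\
conduit permit icmp any any
conduit permit tcp host 203.0.113.10 eq pop3 any
conduit permit tcp host 203.0.113.10 eq smtp host 198.51.100.7
conduit permit tcp host 203.0.113.10 eq smtp host 198.51.100.7
conduit permit tcp host 203.0.113.10 eq smtp host 198.51.100.8
"""

if __name__ == "__main__":
    acl, follow = convert_config(SAMPLE_CONDUITS)
    print("\n".join(acl + follow))
```

Paste the access-list lines first, then the access-group, and only then the "no conduit" lines, and run clear xlate between tests as Jan notes; keep a console session open while doing it so a mistake in the new ACL cannot lock you out.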
 
Thanks for the response, Dopehead. I just moved into this position, so the exact reasoning for some of these settings I have yet to find out.

Now I'm assuming I can just remove all those ACL entries and input those in as conduits, as above?

I have tried the no fixup protocol smtp 25 as shown above.

We have the entire class C scope so we can hook up many IP devices and give each a standard IP address.

I have no explanation for the SSL, besides that we have a lot of remote offices and people that need to gain access fairly quickly.

No clue on the HTTP.

Any more help would be appreciated, thanks.

Matt
 
1. No, you need to remove the conduits and then do ACLs instead, not the other way around.
2. OK.
3. If you do global (outside) 1 MY.DOMAIN.NET netmask 255.255.255.0 it will just dynamically use those as 1-to-1 NAT for addresses that don't have a static defined, so you really don't need that in my opinion. If an address on the inside is to have a specific address on the outside, you need a static; otherwise it will change from time to time.

Network Systems Engineer
CCNA/CQS/CCSP/Infosec
 
"I have no explanation for the SSL, besides we have a lot of remote offices and people that need to gain access fairly quickly."

Do the people at these remote offices all need ssh access to the firewall?

Even if they do, you should lock this down. You can have multiple ssh statements in the config.
I'd create one for each site that has a person who needs access.
Example:
ssh 210.32.1.6 255.255.255.255 outside
ssh 101.2.3.6 255.255.255.255 outside


"No clue on the HTTP"
Dump it:
no http 0.0.0.0 0.0.0.0 outside
will do the trick.

The only thing the ssh and http commands do is control who can access the PIX for management purposes.

Roland

What's ADD again?
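Roland's advice comes down to two things: find every management statement that admits the whole Internet, remove it, and replace the ssh one with a statement per admin host. The script below is an added example, not code from the thread or from Cisco. It reads a PIX 6.x config, reports ssh/http statements on the outside interface whose source is broader than a single host, and emits the "no ..." removals followed by one ssh statement per allowed address. The allowed addresses are an assumption supplied by the caller; the sample config is constructed to mirror the lines in the posted config.

```python
"""Audit and lock down PIX management-plane access (ssh/http statements).

Added example, not code from the thread. It finds ssh/http statements on a
given interface that admit more than a single host, and produces the
config-mode commands to remove them and re-add ssh for named admin hosts.
The admin host list is an assumption supplied by the caller.
"""
import ipaddress

MGMT_COMMANDS = ("ssh", "http")


def audit_management_access(config_text, interface="outside"):
    """Return [(line, reason)] for ssh/http statements on `interface`
    whose permitted source network is not a single host."""
    findings = []
    for raw in config_text.splitlines():
        tok = raw.split()
        # Statement shape is: ssh|http ADDRESS MASK INTERFACE
        if len(tok) != 4 or tok[0] not in MGMT_COMMANDS or tok[3] != interface:
            continue
        net = ipaddress.ip_network(f"{tok[1]}/{tok[2]}", strict=False)
        if net.prefixlen == 0:
            findings.append((raw.strip(),
                             f"{tok[0]} management open to any source on {interface}"))
        elif net.prefixlen < 32:
            findings.append((raw.strip(),
                             f"{tok[0]} management open to a /{net.prefixlen}, not a single host"))
    return findings


def lockdown_commands(config_text, ssh_admin_hosts, interface="outside"):
    """Commands to paste into config mode: remove every flagged statement,
    then permit ssh from each admin host only.  http on that interface is
    dropped and not re-added, as Roland suggests for the outside."""
    cmds = ["no " + line for line, _ in audit_management_access(config_text, interface)]
    for host in ssh_admin_hosts:
        ipaddress.ip_address(host)        # raises ValueError on a malformed address
        cmds.append(f"ssh {host} 255.255.255.255 {interface}")
    return cmds


# Constructed sample mirroring the management lines in the posted config.
SAMPLE_CONFIG = """\
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.104.0 255.255.254.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
telnet 192.168.104.254 255.255.255.255 inside
"""

if __name__ == "__main__":
    for line, reason in audit_management_access(SAMPLE_CONFIG):
        print(f"FINDING: {line}  ({reason})")
    # Admin hosts are documentation addresses chosen for the example.
    print("\n".join(lockdown_commands(SAMPLE_CONFIG, ["203.0.113.6", "198.51.100.6"])))
```

Apply the removals from the console or from an inside session rather than over the very ssh statement you are deleting, and add the per-host ssh lines before removing the wide-open one if you must work remotely.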
 