
Problems with SMTP traffic on 515E

May 11, 2005
I am trying to set up an Exchange server in a DMZ.

The server will be dual-homed: one adapter with a static entry in the 515 for address translation to the public IP address, the other connected to the private network.

When I try to add the following entries, my internal network stops working (internally and externally):

interface ethernet2 auto
nameif ethernet2 dmz security50
access-list smtp permit tcp any host "Public IP" eq smtp
ip address dmz "static ip on pc's network card"
static (dmz,outside) "Public IP" "Private IP" netmask 255.255.255.255
access-group smtp in interface outside

Any suggestions?

 
Firstly, if you connect one network card to the DMZ and one network card to the inside network then your outside > inside security has just gone out of the window! You don't connect the DMZ to the inside network. I'm not sure why you are doing this.

Secondly,

ip address dmz "static ip on pc's network card"

You can't give the Pix the same IP address as that which is configured on the server.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
Yes, the IP that I assigned to the DMZ is .1 and the PC's is .10.

I am trying to set up the Exchange server to get the SMTP mail traffic from a static public IP but still remain part of the network for internal apps.
 
You'd be better off with an SMTP relay in the DMZ and your Exchange server on the LAN, but that's a matter of network design.

With regard to your outbound connections problem, I can't see why configuring the DMZ should prevent outbound access from the LAN. Have you checked the logs when this happens? Can you see xlates and connections (sh xlate, sh conn)?

Can you post the full config?

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
I can see them right now. I am not sure whether they are present when the command lines are added back in.

I have a feeling there is a problem with access lists. Currently, we only have access through the firewall for VPN clients and a VPN tunnel to a remote site.

Not sure why adding a list for SMTP would shut the whole network down, though.

It's got to be a major config problem because it even took down the tunnel.
 
Here is the full config. Lines between asterisks are what was added:

PIX Version 6.3(3)

interface ethernet0 auto
interface ethernet1 auto
**
interface ethernet2 auto
**
nameif ethernet0 outside security0
nameif ethernet1 inside security100
**
nameif ethernet2 dmz security50
**
enable password 9jNfZuG3TC5tCVH0 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69

names

object-group network SunnysideRemote
 network-object 192.191.140.128 255.255.255.192

access-list inside_outbound_nat0_acl permit ip 192.191.140.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.191.140.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.20.128 255.255.255.192
access-list outside_cryptomap_20 permit ip 192.191.140.0 255.255.255.0 192.168.10 255.255.255.0
access-list splitunnel permit ip 192.191.140.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.20.128 255.255.255.192
access-list acl-out permit icmp any any
**
access-list smtp permit tcp any host 155.212.78.11 eq smtp
**
pager lines 24
icmp permit any inside
mtu outside 1500
mtu inside 1500

ip address outside 155.212.78.10 255.255.255.248
ip address inside 192.191.140.24 255.255.255.0
**
ip address dmz 192.168.1.1 255.255.255.0
**
ip audit info action alarm
ip audit attack action alarm
ip local pool RP001 192.168.20.151-192.168.20.175

pdm location 192.191.140.1 255.255.255.255 inside
pdm location 171.68.225.212 255.255.255.255 outside
pdm location 192.191.140.128 255.255.255.192 outside
pdm location 192.168.20.0 255.255.255.0 outside
pdm location 192.168.1.0 255.255.255.0 outside
pdm location 192.191.140.0 255.255.255.0 inside
pdm location 192.168.20.128 255.255.255.192 outside
pdm group SunnysideRemote outside
pdm logging informational 100
pdm history enable

arp timeout 14400

global (outside) 1 interface
global (outside) 1 155.212.78.9

nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.191.140.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
**
static (dmz,outside) 155.212.78.11 192.168.10.10 netmask 255.255.255.255 0 0
**
access-group acl-out in interface outside
**
access-group smtp in interface outside
**
route outside 0.0.0.0 0.0.0.0 155.212.78.9 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local

http server enable
http 192.191.140.0 255.255.255.0 inside

no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps

floodguard enable
sysopt connection permit-ipsec

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 24.75.246.230
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

The rest I believe is irrelevant.

I inherited this firewall, not an expert on Cisco products, so any suggestions/directions will be greatly appreciated.

 
Is there anyone in the southern NH or northern MA area who would be interested in subbing out to repair this problem?

Respond to this thread and we will make arrangements....

thanks
 
What stops working when you apply the changes to the DMZ? ALL outbound access, VPN access or just icmp?

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
You do have a problem with your inside NAT config.

nat (inside) 1 192.191.140.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

global (outside) 1 interface
global (outside) 1 155.212.78.9

The command "global (outside) 1 interface" NATs outgoing traffic to the IP address of the outside interface, in this case 155.212.78.10. You should only have one "nat (inside) 1" and "global (outside) 1". Why you have two I don't know, and it could cause you issues.

You can't use "global (outside) 1 155.212.78.9" as you don't want to be NATing traffic to the IP address of your router in front of the firewall. Any replies to that traffic would only get as far as the router and not the firewall. Remove the offending NAT and global statements so that you only have;

nat (inside) 1 192.191.140.0 255.255.255.0 0 0
global (outside) 1 interface

Chris.


**********************
Chris A.C, CCNA, CCSA
**********************
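An added example, not anything posted in this thread or shipped by Cisco: a short Python lint that pulls the NAT, static, route and access-group statements out of a PIX 6.x config dump and flags what Chris found above (a global pool address that is also the default-route next hop, and two global entries for the same NAT id), plus two checks a practitioner would want run on the same config: a static whose real address is not on the subnet of the interface it names (Jim's static points at 192.168.10.10 while the dmz interface is 192.168.1.0/24), and a second access-group on the same interface, which on PIX 6.x replaces the first binding rather than adding to it. The sample config is constructed from the lines Jim posted; the function names and finding codes are my own.

```python
import ipaddress

# Constructed sample (not a real device config): the NAT-, ACL- and
# route-related statements from the PIX 6.3(3) config posted in this thread.
SAMPLE_CONFIG = """\
access-list acl-out permit icmp any any
access-list smtp permit tcp any host 155.212.78.11 eq smtp
ip address outside 155.212.78.10 255.255.255.248
ip address inside 192.191.140.24 255.255.255.0
ip address dmz 192.168.1.1 255.255.255.0
global (outside) 1 interface
global (outside) 1 155.212.78.9
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.191.140.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) 155.212.78.11 192.168.10.10 netmask 255.255.255.255 0 0
access-group acl-out in interface outside
access-group smtp in interface outside
route outside 0.0.0.0 0.0.0.0 155.212.78.9 1
"""


def _addr_spec(tok, i):
    """Parse one ACL address spec at tok[i]: 'any', 'host A' or 'NET MASK'."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    return f"{tok[i]}/{tok[i + 1]}", i + 2


def parse_pix(text):
    """Extract the statements the checks below need from a PIX 6.x config dump."""
    cfg = {"if_addr": {}, "globals": [], "statics": [], "routes": [],
           "acls": {}, "access_groups": []}
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[:2] == ["ip", "address"]:             # ip address IF ADDR MASK
            cfg["if_addr"][tok[2]] = ipaddress.ip_interface(f"{tok[3]}/{tok[4]}")
        elif tok[0] == "global":                     # global (IF) ID ADDR|interface
            cfg["globals"].append((tok[1].strip("()"), tok[2], tok[3]))
        elif tok[0] == "static":                     # static (REAL_IF,MAPPED_IF) MAPPED REAL ...
            real_if, mapped_if = tok[1].strip("()").split(",")
            cfg["statics"].append((real_if, mapped_if, tok[2], tok[3]))
        elif tok[0] == "route":                      # route IF NET MASK GATEWAY [METRIC]
            cfg["routes"].append((tok[1], tok[4]))
        elif tok[0] == "access-list" and tok[2] == "permit":
            src, i = _addr_spec(tok, 4)
            dst, _ = _addr_spec(tok, i)
            cfg["acls"].setdefault(tok[1], []).append((src, dst))
        elif tok[0] == "access-group":               # access-group ACL in interface IF
            cfg["access_groups"].append((tok[1], tok[4]))
    return cfg


def lint(cfg):
    """Return (code, message) findings; an empty list means the checks passed."""
    findings = []
    next_hops = {gw for _, gw in cfg["routes"]}
    pools = {}
    for iface, gid, addr in cfg["globals"]:
        pools.setdefault((iface, gid), []).append(addr)
        if addr in next_hops:   # Chris's finding: translating to the router's own address
            findings.append(("GLOBAL_IS_NEXTHOP", f"global ({iface}) {gid} {addr} is a route "
                             "next hop; replies to translated traffic stop at the router"))
    for (iface, gid), addrs in pools.items():
        if len(addrs) > 1:
            findings.append(("GLOBAL_DUPLICATE", f"global ({iface}) {gid} has {len(addrs)} "
                             f"entries {addrs}; keep a single one"))
    mapped_on = {}              # mapped addresses that exist on each interface
    for real_if, mapped_if, mapped, real in cfg["statics"]:
        mapped_on.setdefault(mapped_if, set()).add(mapped)
        net = cfg["if_addr"][real_if].network
        if ipaddress.ip_address(real) not in net:
            findings.append(("STATIC_OFF_SUBNET", f"static ({real_if},{mapped_if}) {mapped} "
                             f"{real}: real address is not on the {real_if} subnet {net}"))
    bound = {}                  # PIX 6.x binds one ACL per interface; a later access-group replaces it
    for acl, iface in cfg["access_groups"]:
        if iface in bound:
            findings.append(("ACCESS_GROUP_REPLACED", f"access-group {acl} replaces "
                             f"{bound[iface]} on {iface}; merge both lists into one"))
        bound[iface] = acl
    for iface, acl in bound.items():
        own = str(cfg["if_addr"][iface].ip)
        for _src, dst in cfg["acls"].get(acl, []):
            if dst not in ("any", own) and "/" not in dst and dst not in mapped_on.get(iface, set()):
                findings.append(("ACL_HOST_UNMAPPED", f"access-list {acl} permits traffic to "
                                 f"{dst} on {iface}, but no static maps that address"))
    return findings


if __name__ == "__main__":
    for code, msg in lint(parse_pix(SAMPLE_CONFIG)):
        print(f"{code}: {msg}")
```

Run as is, it prints four findings for the config as posted. With Chris's fix applied (one nat (inside) 1 and one global (outside) 1 interface), the static corrected to the server's real DMZ address 192.168.1.10, and the two outside access lists merged into one binding, it reports nothing.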
 
Chris,

Thanks for the info. I'll give it a try and post the results. As for the failing traffic, all traffic gets halted when the command is applied. No internal or external at all.
 
Chris,

What about the other nat statement? nat (inside) 0, should I remove this one as well?
 
No, don't remove this.

nat (inside) 0 access-list inside_outbound_nat0_acl
access-list inside_outbound_nat0_acl permit ip 192.191.140.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.191.140.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.20.128 255.255.255.192

This is to ensure that traffic between VPN encryption domains is not NATed, or rather it's NATed to the same IP address. Don't remove this.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
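Chris's answer above, worked through as an added example (my code, not Jim's config or anything from Cisco): the source translation a PIX 6.x picks for a packet leaving a higher-security interface, in the order I understand the PIX to apply it, nat 0 access-list exemption first, then static, then dynamic nat/global. The rule tables are constructed from the thread: the inside_outbound_nat0_acl entries, Chris's corrected nat (inside) 1 with global (outside) 1 interface, and a static for a DMZ host at 192.168.1.10 (the .10 address Jim describes; his posted static says 192.168.10.10). The last call in the block is Jim's question: with nat (inside) 0 removed, LAN traffic to a VPN client in pool RP001 gets PAT'd to 155.212.78.10 before the crypto map sees it, so the far end no longer sees the 192.191.140.x host and return traffic cannot reach it.

```python
import ipaddress

# Constructed rule tables (an assumption for this example, not the poster's
# final config). Assumed evaluation order: exemption, static, then dynamic NAT.
NAT_EXEMPT = {          # nat (inside) 0 access-list inside_outbound_nat0_acl
    "inside": [
        ("192.191.140.0/24", "192.168.20.0/24"),
        ("192.191.140.0/24", "192.168.1.0/24"),
        ("0.0.0.0/0", "192.168.20.128/26"),
    ],
}
STATICS = {             # static (dmz,outside) 155.212.78.11 192.168.1.10
    "dmz": {"192.168.1.10": "155.212.78.11"},
}
DYNAMIC = {             # nat (inside) 1 192.191.140.0 255.255.255.0 + global (outside) 1 interface
    "inside": ("192.191.140.0/24", "155.212.78.10"),
}


def _in(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def translate(src_if, src, dst, exempt=NAT_EXEMPT):
    """Return (mapped_source, rule) for a packet from src_if heading to a
    lower-security interface. mapped_source is None when no translation
    exists, which PIX 6.x logs as 'no translation group found' and drops."""
    for s_net, d_net in exempt.get(src_if, []):
        if _in(src, s_net) and _in(dst, d_net):
            return src, "nat 0 access-list: exempt, address unchanged"
    if src in STATICS.get(src_if, {}):
        return STATICS[src_if][src], "static"
    if src_if in DYNAMIC and _in(src, DYNAMIC[src_if][0]):
        return DYNAMIC[src_if][1], "nat/global: PAT to the outside interface address"
    return None, "no translation group found"


if __name__ == "__main__":
    for src_if, src, dst in [
        ("inside", "192.191.140.5", "192.168.20.160"),  # LAN host -> VPN client from pool RP001
        ("inside", "192.191.140.5", "192.168.1.10"),    # LAN host -> DMZ relay
        ("inside", "192.191.140.5", "198.51.100.7"),    # LAN host -> Internet (TEST-NET-2 address)
        ("dmz", "192.168.1.10", "198.51.100.7"),        # DMZ relay -> Internet, via the static
        ("dmz", "192.168.1.20", "198.51.100.7"),        # DMZ host with no static and no nat (dmz)
    ]:
        print(src_if, src, "->", dst, translate(src_if, src, dst))
    # Jim's question: what happens to VPN traffic if nat (inside) 0 is removed
    print("without nat 0:", translate("inside", "192.191.140.5", "192.168.20.160", exempt={}))
```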
 
That is what I thought, but I wanted to verify first.

Thanks for the info.
 
Chris,

By the way, I read another thread that you posted a response to and recommended the book put out by Syngress on Cisco PIX firewalls. I bought it online this morning and am reading it now. It has some valuable info. Thanks for the tip.

Jim
 
Chris,

Thanks a bunch, it appears the global and nat statements were causing the issues. Once removed, I was able to insert the appropriate commands for the mail server without incident.

Again, thanks a lot for your assistance.
 
Cool. I'm pleased that it solved your problem.

Chris.


**********************
Chris A.C, CCNA, CCSA
**********************
 