
SMTP forwarding question


neutec

Technical User
Apr 26, 2003
343
Hello,
I have been trying to forward SMTP traffic to a specific server within my network and can't seem to open the port. Does the config look correct below or have I missed something?

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password d7L.PzEqtHrOrpUF encrypted
passwd BVxvtJLyf4xOJxZu encrypted
hostname pixfirewall
domain-name ceinc.us
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside permit gre any any
access-list outside permit ip any host 208.***.***.169
access-list outside permit tcp any host 208.***.***.169
access-list outside permit udp any host 208.***.***.169
access-list outside permit udp any any eq 1701
access-list outside permit tcp any host 208.***.***.168 eq smtp
access-list outside permit tcp any host 208.***.***.168 eq www
access-list inside permit ip host 10.0.0.25 any
access-list inside permit ip host 10.0.0.2 any
access-list inside permit ip host 10.0.0.24 any
access-list inside permit ip any any
access-list inside permit gre any any
access-list inside permit ip host 10.0.0.22 any
access-list inside permit ip host 10.0.0.100 any
access-list 101 permit ip 10.0.0.0 255.255.255.0 172.16.1.0 255.255.255.0
logging buffered debugging
logging trap debugging
logging host inside 10.0.0.2
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside 208.***.***.168 255.255.255.192
ip address inside 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn 172.16.1.1-172.16.1.254
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 208.***.***.168 smtp 10.0.0.3 smtp netmask 255.255.255.255 0 0
static (inside,outside) 208.***.***.169 10.0.0.42 dns netmask 255.255.255.255 0 0
static (inside,outside) 208.***.***.171 10.0.0.24 netmask 255.255.255.255 0 0
static (inside,outside) 208.***.***.170 10.0.0.100 netmask 255.255.255.255 0 0
access-group outside in interface
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community cei
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-l2tp
sysopt noproxy
crypto map vpn 10 ipsec-isakmp dynamic dynmap
crypto map vpn interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpnclient address-pool vpn
vpngroup vpnclient dns-server 10.0.0.2
vpngroup vpnclient wins-server 10.0.0.2
vpngroup vpnclient default-domain ceinc.local
vpngroup vpnclient split-tunnel 101
vpngroup vpnclient idle-time 1800
vpngroup vpnclient password ********
telnet timeout 5
ssh 66.215.***.146 255.255.255.255 outside
ssh timeout 60
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:968f43b409836d3baf5526c320c6628f
: end
 
I would guess this is the static you are working with:

static (inside,outside) tcp 208***.***.168 smtp 10.0.0.3 smtp netmask 255.255.25
ip address outside 208***.***.168 255.255.255.192


Noticed your outside int also has that IP. In this case you will want to port forward off of the interface, like so:

static (inside,outside) tcp interface 25 10.0.0.3 25
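
The check described in the reply above, as an added example that is not part of the original thread: a small script that scans a PIX 6.x configuration for port-redirection statics whose global address is the mapped interface's own IP and prints the `interface` form instead. The function name is hypothetical, and the sample config is constructed, with 192.0.2.x documentation addresses standing in for the masked public IPs.

```python
import re

# Constructed sample: the relevant lines of a PIX 6.x config, with documentation
# addresses (192.0.2.0/24) standing in for the masked public IPs in the thread.
SAMPLE_CONFIG = """\
ip address outside 192.0.2.168 255.255.255.192
ip address inside 10.0.0.1 255.255.255.0
access-list outside permit tcp any host 192.0.2.168 eq smtp
static (inside,outside) tcp 192.0.2.168 smtp 10.0.0.3 smtp netmask 255.255.255.255 0 0
static (inside,outside) 192.0.2.169 10.0.0.42 dns netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 10.0.0.3 www netmask 255.255.255.255 0 0
"""

# ip address <if_name> <address> <mask>
IP_ADDR = re.compile(r"^ip address (\S+) (\S+) \S+")
# static (real_if,mapped_if) tcp|udp <global> <gport> <local> <lport> ...
STATIC_PAT = re.compile(
    r"^static \((\S+?),\s*(\S+?)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)")


def find_interface_ip_statics(config):
    """Return port redirections whose global address is the mapped
    interface's own IP, each with the `interface` form as a suggestion."""
    lines = [ln.strip() for ln in config.splitlines()]
    iface_ip = {}
    for line in lines:
        m = IP_ADDR.match(line)
        if m:
            iface_ip[m.group(1)] = m.group(2)
    findings = []
    for line in lines:
        m = STATIC_PAT.match(line)
        if not m:
            continue  # not a port redirection (e.g. a one-to-one static)
        real_if, mapped_if, proto, gaddr, gport, laddr, lport = m.groups()
        if gaddr != "interface" and gaddr == iface_ip.get(mapped_if):
            fix = (f"static ({real_if},{mapped_if}) {proto} interface "
                   f"{gport} {laddr} {lport}")
            findings.append({"line": line, "suggest": fix})
    return findings


if __name__ == "__main__":
    for f in find_interface_ip_statics(SAMPLE_CONFIG):
        print("uses interface IP:", f["line"])
        print("  suggested form: ", f["suggest"])
```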

 