Firewall Wizards mailing list archives
Re: Pix 501 NAT problems with Web and Exchange server
From: "William A. May" <alan () aldorian com>
Date: Tue, 28 Nov 2006 13:17:49 -0500
Thanks a lot John, that fixed the problem. I had also figured that out before I read your email: since I am taking an IPS class this week, I asked our instructor, a CCIE, and he showed me where the problem was too. Thanks again.

Alan

________________________________
From: firewall-wizards-bounces () listserv icsalabs com on behalf of Crissup, John (MBNAP it)
Sent: Mon 11/27/2006 1:02 PM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] Pix 501 NAT problems with Web and Exchange server

The most glaring problem that immediately shows up is your access list assuming that all traffic destined for port 80 (for example) will also be sourced from port 80. Quoting a couple of your lines below...
access-list outside_access_in permit tcp any eq www interface outside eq www
access-list outside_access_in permit tcp any eq https interface outside eq https
access-list outside_access_in permit tcp any eq smtp interface outside eq smtp
These should be changed to...

access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in permit tcp any interface outside eq https
access-list outside_access_in permit tcp any interface outside eq smtp

-- John

________________________________
From: firewall-wizards-bounces () listserv icsalabs com [mailto:firewall-wizards-bounces () listserv icsalabs com] On Behalf Of William A. May
Sent: Saturday, November 25, 2006 7:51 PM
To: firewall-wizards () listserv icsalabs com
Subject: [fw-wiz] Pix 501 NAT problems with Web and Exchange server

I read through the postings about inbound NAT problems with the PIX 501 posted in February 2005 and tried to configure my new PIX 501 accordingly, but with little luck. What I am trying to do is replace my Linksys WRT54G with a PIX 501. I have a Web server and an Exchange Server 2003 on my internal network, and I want to be able to have my web page accessed from the outside and I also want to be able to continue to receive my email. Currently I can view web pages and send email. Listed below is my current configuration, with certain marked changes; please let me know where I'm going wrong.
Thanks,
Alan

: Saved
: Written by enable_15 at 19:49:11.582 UTC Sat Nov 25 2006
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password <deleted> encrypted
passwd <deleted> encrypted
hostname pixfirewall <changed>
domain-name ciscopix.com <changed>
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 172.16.10.0 LAN <changed>
name 172.16.10.11 Web-Exch-Server <changed>
access-list outside_access_in permit tcp any eq www interface outside eq www
access-list outside_access_in permit tcp any eq https interface outside eq https
access-list outside_access_in permit tcp any eq smtp interface outside eq smtp
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any traceroute
access-list outside_access_in permit icmp any any time-exceeded
access-list inside_access_in permit icmp any any
access-list inside_access_in permit ip LAN 255.255.255.0 any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 172.16.10.1 255.255.255.0 <changed>
ip audit info action alarm
ip audit attack action alarm
pdm location LAN 255.255.255.0 inside
pdm location Web-Exch-Server 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www Web-Exch-Server www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https Web-Exch-Server https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp Web-Exch-Server smtp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http LAN 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
terminal width 80
Cryptochecksum:8069dd3a26bd7570990dfe55c7c7064e
: end

====================================================
This email is confidential and intended solely for the use of the individual or organization to whom it is addressed. Any opinions or advice presented are solely those of the author and do not necessarily represent those of the Millward Brown Group of Companies. If you are not the intended recipient of this email, you should not copy, modify, distribute or take any action in reliance on it. If you have received this email in error please notify the sender and delete this email from your system. Although this email has been checked for viruses and other defects, no responsibility can be accepted for any loss or damage arising from its receipt or use.
====================================================
_______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
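The point John makes in the thread, that a rule written "any eq www" only matches clients whose source port is 80 while real clients pick an ephemeral source port, can be seen by running a few constructed flows through both versions of the access list. The following is an added example and is not code from the thread, from Cisco or from the PIX: a toy evaluator for the small subset of PIX 6.3 access-list syntax that appears on the page, with an assumed outside interface address (198.51.100.1) and constructed client flows. It also shows the other side of the same mistake: a client that deliberately sets its source port to 80 would have been allowed through the original list, so a source-port qualifier is not a useful filter either way.

```python
"""Toy model of the PIX 6.3 access-list matching discussed in the thread.

Added illustration; not code from the thread, from Cisco or from the PIX.
Only the syntax that appears on the page is modelled:

    access-list NAME permit tcp any [eq SPORT] interface outside eq DPORT

plus the implicit deny that ends every PIX access list. OUTSIDE_IF_ADDR and
the client flows in compare() are assumed values constructed for the demo.
"""
from dataclasses import dataclass
from typing import List, Optional

# Service names the PIX accepts in place of port numbers (subset).
PORT_NAMES = {"www": 80, "https": 443, "smtp": 25}

# Assumed address the PIX would substitute for "interface outside".
OUTSIDE_IF_ADDR = "198.51.100.1"

# The three lines quoted from Alan's config (pinned to a source port).
ORIGINAL_ACL = [
    "access-list outside_access_in permit tcp any eq www interface outside eq www",
    "access-list outside_access_in permit tcp any eq https interface outside eq https",
    "access-list outside_access_in permit tcp any eq smtp interface outside eq smtp",
]

# John's corrected lines (any source port, fixed destination port).
CORRECTED_ACL = [
    "access-list outside_access_in permit tcp any interface outside eq www",
    "access-list outside_access_in permit tcp any interface outside eq https",
    "access-list outside_access_in permit tcp any interface outside eq smtp",
]


@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # "permit" or "deny"
    proto: str               # only "tcp" is modelled here
    src_port: Optional[int]  # None = any source port
    dst_port: Optional[int]  # None = any destination port


def _port(tok: str) -> int:
    """Resolve a service name or a numeric port token."""
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_rule(line: str) -> Rule:
    """Parse one access-list line of the shape used on the page."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[3] != "tcp" or t[4] != "any":
        raise ValueError(f"unsupported access-list syntax: {line!r}")
    name, action, proto = t[1], t[2], t[3]
    i, src_port = 5, None
    if t[i] == "eq":                      # optional source-port qualifier
        src_port, i = _port(t[i + 1]), i + 2
    if t[i:i + 2] != ["interface", "outside"]:
        raise ValueError(f"unsupported destination in: {line!r}")
    i, dst_port = i + 2, None
    if i < len(t) and t[i] == "eq":       # optional destination-port qualifier
        dst_port = _port(t[i + 1])
    return Rule(name, action, proto, src_port, dst_port)


def evaluate(rules: List[Rule], dst_ip: str, src_port: int, dst_port: int,
             proto: str = "tcp") -> str:
    """First-match evaluation; falls through to the PIX's implicit deny."""
    for r in rules:
        if r.proto != proto or dst_ip != OUTSIDE_IF_ADDR:
            continue
        if r.src_port is not None and r.src_port != src_port:
            continue
        if r.dst_port is not None and r.dst_port != dst_port:
            continue
        return r.action
    return "deny"


def source_port_rules(rules: List[Rule]) -> List[Rule]:
    """Lint: rules that only match one fixed client source port.

    Clients use an ephemeral source port, so such a rule drops normal traffic
    and passes only a client that deliberately sets that source port.
    """
    return [r for r in rules if r.src_port is not None]


def compare() -> dict:
    """Run the same constructed flows through both lists: (original, corrected)."""
    orig = [parse_rule(l) for l in ORIGINAL_ACL]
    fixed = [parse_rule(l) for l in CORRECTED_ACL]
    flows = {                             # label: (client source port, dest port)
        "browser_to_www": (51234, 80),
        "mta_to_smtp": (40211, 25),
        "forged_sport80_to_www": (80, 80),
        "rdp_probe": (40212, 3389),
    }
    return {label: (evaluate(orig, OUTSIDE_IF_ADDR, sp, dp),
                    evaluate(fixed, OUTSIDE_IF_ADDR, sp, dp))
            for label, (sp, dp) in flows.items()}


if __name__ == "__main__":
    for label, (before, after) in compare().items():
        print(f"{label:24s} original={before:6s} corrected={after}")
```

With the original list every browser and every sending MTA is denied by the implicit deny, while the forged source-port-80 flow is permitted; with John's version the service ports are reachable from any client source port and unrelated ports such as 3389 stay denied.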
Current thread:
- Pix 501 NAT problems with Web and Exchange server William A. May (Nov 26)
- Re: Pix 501 NAT problems with Web and Exchange server Rob Gills (Nov 27)
- <Possible follow-ups>
- Re: Pix 501 NAT problems with Web and Exchange server Crissup, John (MBNAP it) (Nov 27)
- Re: Pix 501 NAT problems with Web and Exchange server William A. May (Nov 28)