Email access through Pix 515
Guest
Posted: Thu Dec 16, 2004 11:43 pm    Post subject: Email access through Pix 515

So here is the problem. We have two different companies that are on
different subnets on a PIX firewall. We have an Exchange server (main
network) on the 10.10.0.0 network and a Merck email server on the
10.150.0.0 network, which hosts many domains. The problem we have is
that email cannot be sent from the Merck email server with IP address
10.150.0.15 to our email server on the 10.10.0.125 network. I'm pretty
sure it's our PIX firewall that is preventing this, even though the
10.150.0.0 network has a lower security level than the 10.10.0.0
network. Do I need to create an access list for these two to talk?
Below is my configuration. Any help would be appreciated.


PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
interface ethernet4 100full
interface ethernet5 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 failover security99
nameif ethernet3 intdmz security80
nameif ethernet4 dmz1 security40
nameif ethernet5 tmx-dmz security90
enable password sBAd.1uhKq2iz9x1 encrypted
passwd SO4sOY6dcrDPo8eI encrypted
hostname FD-PIX515
domain-name fiberdirect.net
clock timezone PDT -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 0.0.0.0 ANY
name 10.0.0.0 INSIDE
name 10.0.0.15 TLD
name 10.0.0.5 WNT_SA
name 10.0.0.6 MCT
name 10.100.0.0 INTDMZ
name 10.100.0.20 DC1
name 10.100.0.200 ACG_MAIN
name 10.100.0.25 DC2
name 10.100.0.50 SRS
name 10.150.0.0 NET0_DMZ1
name 10.150.0.10 NS1_DMZ1
name 10.150.0.11 NS2_DMZ1
name 10.150.0.15 MX20_DMZ1
name 10.150.0.18 MX30_DMZ1
name 10.150.0.19 MX01_DMZ1
name 10.150.0.20 EX_DMZ1
name 10.150.0.32 MX01SN1_DMZ1
name 10.150.10.30 WTMX_DMZ1
name 10.150.10.31 FTPTMX_DMZ1
name 10.150.11.0 IS11_DMZ1
name 10.150.12.0 IS12_DMZ1
name 10.150.13.0 IS13_DMZ1
name 10.150.2.0 ACG02_DMZ1
name 10.150.3.0 ACG03_DMZ1
name 10.150.4.0 ACG04_DMZ1
name 10.150.5.0 ACG05_DMZ1
name 10.150.6.0 ACG06_DMZ1
name 10.150.7.0 ACG07_DMZ1
name 10.150.8.0 ACG08_DMZ1
name 198.87.x.x
name 198.87.x.x NET36_OUT
name 198.87.x.x NS1_OUT
name 198.87.x.x NS2_OUT
name 198.87.x.x MX20_OUT
name 198.87.x.x MX30_OUT
name 198.87.x.x MX01_OUT
name 198.87.x.x EX_OUT
name 198.87.x.x ACG_OUT
name 198.87.x.x MCT_OUT
name 198.87.x.x SRS_OUT
name 198.87.x.x WTMX_OUT
name 198.87.x.x FTPTMX_OUT
name 198.87.x.x MX01SN1_OUT
name 198.87.x.x IS11_OUT
name 198.87.x.x IS12_OUT
name 198.87.x.x IS13_OUT
name 198.87.x.x ACG08_OUT
name 198.87.x.x ACG01_OUT
name 198.87.x.x ACG02_OUT
name 198.87.x.x ACG03_OUT
name 198.87.x.x ACG04_OUT
name 198.87.x.x ACG05_OUT
name 198.87.x.x ACG06_OUT
name 198.87.x.x ACG07_OUT
name 255.0.0.0 AM
name 255.255.0.0 BM
name 255.255.255.0 CM
name 255.255.255.224 SN224
name 255.255.255.255 HM
name 198.87.x.x SPS_OUT
name 10.150.0.64 SPS_DMZ1
name 198.87.x.x DC1_OUT
name 198.87.x.x RDS-US2_OUT
name 10.0.0.221 RDS-US2_IN
name 198.87.x.x RDS-US_OUT
name 10.0.0.220 RDS-US_INT
name 10.10.0.10 DMZ-DC01
name 10.10.0.0 TMX-DMZ
access-list acl_out permit udp any host NS1_OUT eq domain
access-list acl_out permit udp any host NS2_OUT eq domain
access-list acl_out permit tcp any host MX20_OUT eq smtp
access-list acl_out permit tcp any host MX20_OUT eq pop3
access-list acl_out permit tcp any host MX20_OUT eq www
access-list acl_out permit tcp any host WTMX_OUT eq www
access-list acl_out permit tcp any IS11_OUT 255.255.255.0 eq www
access-list acl_out permit tcp any IS12_OUT 255.255.255.0 eq www
access-list acl_out permit tcp any IS13_OUT 255.255.255.0 eq www
access-list acl_out permit tcp any ACG02_OUT 255.255.255.0 eq www
access-list acl_out permit tcp any ACG03_OUT 255.255.255.0 eq www
access-list acl_out permit tcp any ACG04_OUT 255.255.255.0 eq www
access-list acl_out permit tcp any ACG05_OUT 255.255.255.0 eq www
access-list acl_out permit tcp any ACG06_OUT 255.255.255.0 eq www
access-list acl_out permit tcp any ACG07_OUT 255.255.255.0 eq www
access-list acl_out permit tcp host isd.rdsbv.ro host ACG_OUT eq www
access-list acl_out permit tcp any host MX30_OUT eq smtp
access-list acl_out permit tcp any host MX30_OUT eq pop3
access-list acl_out permit tcp any host MX01_OUT eq smtp
access-list acl_out permit tcp any host MX01_OUT eq pop3
access-list acl_out permit icmp any any time-exceeded
access-list acl_out permit icmp any any echo-reply
access-list acl_out permit icmp any any unreachable
access-list acl_out permit tcp any host MX01_OUT eq https
access-list acl_out permit tcp host isd.rdsbv.ro host ACG_OUT eq 1433
access-list acl_out permit tcp any MX01SN1_OUT 255.255.255.224 eq smtp
access-list acl_out permit tcp any MX01SN1_OUT 255.255.255.224 eq pop3
access-list acl_out permit tcp any MX01SN1_OUT 255.255.255.224 eq 8888
access-list acl_out permit tcp any host MX01_OUT eq 8888
access-list acl_out permit tcp any MX01SN1_OUT 255.255.255.224 eq https
access-list acl_out permit tcp host 198.87.x.x host WTMX_OUT eq 1433
access-list acl_out permit tcp any host EX_OUT eq smtp
access-list acl_out permit tcp any host EX_OUT eq pop3
access-list acl_out permit tcp any host EX_OUT eq www
access-list acl_out permit tcp any host EX_OUT eq https
access-list acl_out permit tcp any host FTPTMX_OUT eq ftp
access-list acl_out permit tcp any host RDS-US_OUT eq 5500
access-list acl_out permit tcp any host RDS-US_OUT eq www
access-list acl_out permit tcp any host RDS-US_OUT eq https
access-list acl_out permit tcp host x.x.x. host EX_OUT eq 1433
access-list acl_out permit tcp any host RDS-US_OUT eq 5900
access-list acl_out permit tcp any host MX30_OUT eq https
access-list acl_out permit tcp any host MX30_OUT eq www
access-list acl_out permit tcp any host MX30_OUT eq 5222
access-list acl_out permit tcp any host MX30_OUT eq 465
access-list acl_out permit tcp any host MX30_OUT eq 5223
access-list acl_out permit tcp any host MX30_OUT eq imap4
access-list acl_out permit tcp any host MX30_OUT eq 993
access-list acl_out permit tcp any host MX30_OUT eq 995
access-list acl_out permit tcp any SPS_OUT 255.255.255.224 eq www
access-list acl_out permit tcp any host RDS-US2_OUT eq 5900
access-list acl_out permit tcp any host 198.87.x.x eq https
access-list acl_out permit tcp any host 198.87.x.x eq www
access-list acl_out permit gre any host 198.87.x.x
access-list acl_out permit tcp any host 198.87.x.x eq https
access-list acl_out permit tcp any host 198.87.x.x eq smtp
access-list acl_out permit tcp any host 198.87.x.x eq pop3
access-list acl_out permit gre any host 198.87.x.x
access-list acl_out permit tcp any host 198.87.x.x eq pptp
access-list acl_out permit tcp any host 198.87.x.x eq 3389
access-list acl_out permit udp host 193.231.x.x host 198.87.x.x eq isakmp
access-list acl_out permit udp host 193.231.x.x host 198.87.x.x eq 4500
access-list acl_out permit udp host 193.231.x.x host 198.87.x.x eq 1701
access-list acl_out compiled
access-list acl_nonat permit ip INSIDE 255.0.0.0 10.100.1.0 255.255.255.0
access-list acl_nonat permit ip TMX-DMZ 255.255.0.0 INTDMZ 255.255.0.0
access-list acl_nonat permit ip TMX-DMZ 255.255.0.0 NET0_DMZ1 255.255.0.0
pager lines 24
logging on
logging timestamp
logging standby
logging monitor notifications
logging buffered debugging
logging trap debugging
logging history debugging
logging host inside TLD
mtu outside 1500
mtu inside 1500
mtu failover 1500
mtu intdmz 1500
mtu dmz1 1500
mtu tmx-dmz 1500
ip address outside 198.87.x.x 255.255.252.0
ip address inside 10.0.0.1 255.255.255.0
ip address failover 10.250.250.250 255.255.255.0
ip address intdmz 10.100.0.1 255.255.255.0
ip address dmz1 10.150.0.1 255.255.0.0
ip address tmx-dmz 10.10.0.1 255.255.0.0
ip audit name drop attack action alarm drop
ip audit info action alarm
ip audit attack action alarm reset
ip local pool vpnpooll 10.100.1.1-10.100.1.10
failover
failover timeout 0:00:00
failover poll 15
failover replication http
failover ip address outside 198.87.x.x
failover ip address inside 10.0.0.3
failover ip address failover 10.250.250.253
failover ip address intdmz 10.100.0.3
failover ip address dmz1 10.150.0.3
failover ip address tmx-dmz 10.200.0.3
failover link failover
arp timeout 14400
global (outside) 1001 198.87.x.x-198.87.x.x
global (outside) 1100 198.87.x.x-198.87.x.x
global (outside) 1101 198.87.x.x-198.87.x.x
global (outside) 1100 198.87.x.x
global (dmz1) 1001 10.150.100.0-10.150.100.250 netmask 255.255.0.0
global (dmz1) 1100 10.150.110.0-10.150.110.250 netmask 255.255.255.0
global (tmx-dmz) 1101 10.10.0.2-10.10.0.250 netmask 255.255.0.0
nat (inside) 0 access-list acl_nonat
nat (inside) 1001 INSIDE 255.255.255.0 dns 300 100
nat (intdmz) 0 access-list acl_nonat
nat (intdmz) 1100 INTDMZ 255.255.0.0 dns 0 0
nat (dmz1) 0 access-list acl_nonat
nat (tmx-dmz) 0 access-list acl_nonat
nat (tmx-dmz) 1101 TMX-DMZ 255.255.0.0 0 0
alias (inside) ACG02_OUT ACG02_DMZ1 CM
alias (inside) ACG03_OUT ACG03_DMZ1 CM
alias (inside) ACG04_OUT ACG04_DMZ1 CM
alias (inside) ACG05_OUT ACG05_DMZ1 CM
alias (inside) ACG06_OUT ACG06_DMZ1 CM
alias (inside) ACG07_OUT ACG07_DMZ1 CM
alias (inside) IS11_OUT IS11_DMZ1 CM
alias (inside) IS12_OUT IS12_DMZ1 CM
alias (inside) IS13_OUT IS13_DMZ1 CM
alias (inside) MX01_OUT MX01_DMZ1 HM
alias (inside) MX01SN1_OUT MX01SN1_DMZ1 SN224
alias (inside) MX20_OUT MX20_DMZ1 HM
alias (inside) MX30_OUT MX30_DMZ1 HM
alias (inside) NS1_OUT NS1_DMZ1 HM
alias (inside) NS2_OUT NS2_DMZ1 HM
alias (inside) WTMX_OUT WTMX_DMZ1 HM
alias (inside) FTPTMX_OUT FTPTMX_DMZ1 HM
alias (inside) EX_OUT EX_DMZ1 HM
alias (inside) SPS_OUT SPS_DMZ1 SN224
static (inside,intdmz) INSIDE INSIDE netmask 255.255.255.0 200 50
static (dmz1,outside) ACG02_OUT ACG02_DMZ1 dns netmask 255.255.255.0 1000 100
static (dmz1,outside) ACG03_OUT ACG03_DMZ1 dns netmask 255.255.255.0 1000 100
static (dmz1,outside) ACG04_OUT ACG04_DMZ1 dns netmask 255.255.255.0 1000 100
static (dmz1,outside) ACG05_OUT ACG05_DMZ1 dns netmask 255.255.255.0 1000 100
static (dmz1,outside) ACG06_OUT ACG06_DMZ1 dns netmask 255.255.255.0 1000 100
static (dmz1,outside) ACG07_OUT ACG07_DMZ1 dns netmask 255.255.255.0 1000 100
static (dmz1,outside) ACG08_OUT ACG08_DMZ1 dns netmask 255.255.255.0 1000 100
static (dmz1,outside) IS11_OUT IS11_DMZ1 dns netmask 255.255.255.0 4000 400
static (dmz1,outside) IS12_OUT IS12_DMZ1 dns netmask 255.255.255.0 1000 100
static (dmz1,outside) IS13_OUT IS13_DMZ1 dns netmask 255.255.255.0 1000 100
static (dmz1,outside) NS1_OUT NS1_DMZ1 dns netmask 255.255.255.255 4000 500
static (dmz1,outside) NS2_OUT NS2_DMZ1 dns netmask 255.255.255.255 4000 500
static (dmz1,outside) MX01_OUT MX01_DMZ1 dns netmask 255.255.255.255 1000 100
static (dmz1,outside) MX01SN1_OUT MX01SN1_DMZ1 dns netmask 255.255.255.224 1000 100
static (dmz1,outside) MX20_OUT MX20_DMZ1 dns netmask 255.255.255.255 2000 400
static (dmz1,outside) MX30_OUT MX30_DMZ1 dns netmask 255.255.255.255 1000 100
static (dmz1,outside) FTPTMX_OUT FTPTMX_DMZ1 dns netmask 255.255.255.255 50 10
static (dmz1,outside) WTMX_OUT WTMX_DMZ1 dns netmask 255.255.255.255 400 50
static (dmz1,outside) EX_OUT EX_DMZ1 dns netmask 255.255.255.255 1000 100
static (dmz1,outside) SPS_OUT SPS_DMZ1 dns netmask 255.255.255.224 1000 100
static (intdmz,outside) DC1_OUT DC1 netmask 255.255.255.255 100 50
static (inside,outside) RDS-US2_OUT RDS-US2_IN netmask 255.255.255.255 10 5
static (inside,outside) RDS-US_OUT RDS-US_INT netmask 255.255.255.255 10 5
static (tmx-dmz,outside) 198.87.x.x 10.10.0.125 dns netmask 255.255.255.255 1000 100
static (tmx-dmz,outside) 198.87.x.x 10.10.0.125 dns netmask 255.255.255.255 1000 100
static (tmx-dmz,outside) 198.87.x.x 10.10.0.20 dns netmask 255.255.255.255 1000 100
static (tmx-dmz,dmz1) 10.10.0.125 10.10.0.125 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
rip intdmz passive version 2
rip intdmz default version 2
route outside ANY ANY 198.87.36.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server TLD source inside prefer
ntp server 10.0.0.20 source inside
http server enable
http MCT 255.255.255.255 inside
http WNT_SA 255.255.255.255 inside
http DC1 255.255.255.255 intdmz
http DC2 255.255.255.255 intdmz
Walter Roberson
Guest
Posted: Fri Dec 17, 2004 12:30 am    Post subject: Re: Email access through Pix 515

In article <1103222610.518205.33240@c13g2000cwb.googlegroups.com>,
<nderose@hpl.com> wrote:
:So here is the problem. We have two different companies that are on
:different subnets on a PIX firewall. We have an Exchange server (main
:network) on the 10.10.0.0 network and a Merck email server on the
:10.150.0.0 network, which hosts many domains. The problem we have is
:that email cannot be sent from the Merck email server with IP address
:10.150.0.15 to our email server on the 10.10.0.125 network. I'm pretty
:sure it's our PIX firewall that is preventing this, even though the
:10.150.0.0 network has a lower security level than the 10.10.0.0
:network. Do I need to create an access list for these two to talk?

Yes, the default is to block all connections from lower security
interfaces to higher security interfaces. If you want to
allow 10.150.0.0 at lower security to initiate connections to
10.10.0.0 at higher security, you *must* have an ACL applied
via an access-group command to the interface that has 10.150.0.0
behind it.


:Below is my configuration. Any help would be appreciated.

Looking through that config, I can see that you do not in fact
have any access-group applied to any interface other than the
outside interface. None of your other interfaces (other than
'outside') will be able to initiate connections to any higher
security interface.


:PIX Version 6.3(3)

There is a known security issue with 6.3(3), so it would be
better to upgrade to 6.3(4). That won't solve your email problem
but it will make your network slightly more secure.
--
Beware of bugs in the above code; I have only proved it correct,
not tried it. -- Donald Knuth
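An added check, not from either poster, that applies the rule in the reply to a constructed excerpt of the posted config: it reads the nameif security levels and access-group lines, reports which interface pairs may initiate connections, and builds the lines needed on dmz1 for the 10.150.0.15 to 10.10.0.125 SMTP flow. The ACL name acl_dmz1 is my assumption.

```python
import re
from typing import Dict, List, Tuple
# Constructed excerpt of the posted PIX 6.3 config: only the lines the audit reads.
SAMPLE_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet3 intdmz security80
nameif ethernet4 dmz1 security40
nameif ethernet5 tmx-dmz security90
static (tmx-dmz,dmz1) 10.10.0.125 10.10.0.125 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
"""

def parse_pix(cfg: str) -> Tuple[Dict[str, int], Dict[str, str]]:
    """Return {interface: security level} and {interface: inbound ACL name}."""
    levels, acls = {}, {}
    for line in cfg.splitlines():
        m = re.match(r"nameif\s+\S+\s+(\S+)\s+security(\d+)", line)
        if m:
            levels[m.group(1)] = int(m.group(2))
        m = re.match(r"access-group\s+(\S+)\s+in\s+interface\s+(\S+)", line)
        if m:
            acls[m.group(2)] = m.group(1)
    return levels, acls

def can_initiate(levels: Dict[str, int], acls: Dict[str, str], src: str, dst: str) -> Tuple[bool, str]:
    """PIX default: higher->lower may initiate; lower->higher needs an ACL on the source interface."""
    if levels[src] > levels[dst]:
        return True, f"{src}({levels[src]}) -> {dst}({levels[dst]}): allowed by security level"
    if src in acls:
        return True, f"{src} -> {dst}: allowed only by explicit entries in {acls[src]}"
    return False, f"{src}({levels[src]}) -> {dst}({levels[dst]}): blocked, no access-group on {src}"

def interfaces_without_inbound_acl(levels: Dict[str, int], acls: Dict[str, str]) -> List[str]:
    """Interfaces that can never initiate to a higher security level (the reply's finding)."""
    return sorted(i for i in levels if i not in acls)

def acl_lines_for_flow(src_iface: str, src_host: str, dst_host: str, port: str,
                       acl_name: str = "acl_dmz1") -> List[str]:
    """PIX 6.3 lines that open one lower->higher TCP flow; acl_name is an assumed name."""
    return [
        f"access-list {acl_name} permit tcp host {src_host} host {dst_host} eq {port}",
        f"access-group {acl_name} in interface {src_iface}",
    ]

if __name__ == "__main__":
    lv, ac = parse_pix(SAMPLE_CONFIG)
    print(can_initiate(lv, ac, "dmz1", "tmx-dmz")[1])
    print("interfaces without inbound ACL:", interfaces_without_inbound_acl(lv, ac))
    print("\n".join(acl_lines_for_flow("dmz1", "10.150.0.15", "10.10.0.125", "smtp")))
```

Once an access-group is applied to dmz1, that interface loses its default permit for outbound traffic and everything the ACL does not list is denied, so the flows dmz1 hosts already rely on (their own outbound DNS and SMTP, for instance) need explicit permit entries in the same ACL.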