PIX506E: Cisco insists that this configuration is correct,..

Tags:
  • Firewalls
  • Exchange Server
  • Configuration
  • Networking
Anonymous
June 25, 2004 9:46:21 PM

Archived from groups: comp.security.firewalls (More info?)

Hi all,

I have a bit of a problem. We just upgraded our PIX506 Firewall to a
PIX506E which, as you can see by the config file below is using
software version 6.3(3).

The problem I am having is this:

We have our Exchange server behind a Barracuda firewall which resides
behind the PIX506E. The Exchange server is on IP address 192.168.0.12,
the Barracuda is on IP address 192.168.0.11. The Barracuda filters
ONLY on port 25 and blocks all of the other ports. I am trying to map
the other ports (80, 110 as well as a few others) to the Exchange
server at 192.168.0.12. The external IP address of the Exchange server
is, as you can see XX.XXX.189.179.

The PIX506E is supposed to be using PAT to route the other ports
(110, 80, etc.) around the Barracuda, however, this does not appear to
be the case and it is definitely NOT working. Thus, we do not have any
access to the Exchange server with an email client or OWC outside of
our network.

I temporarily changed the static mapping so that the external IP
address was mapped to the Exchange server and then mapped the smtp
port to the Barracuda IP address. Everything worked except for the
fact that the Barracuda was taken out of the equation and we started
receiving SPAM and Norton AV was catching a hell of a lot of viruses,
so I quickly changed things back. Does anyone have any idea where I
went wrong with the configuration?

The Cisco Technician insists that this configuration is correct, yet
it doesn't work!

Any help would be greatly appreciated since Cisco Tech Support is no
help at all! In fact I have sent them several emails after their
initial response to my TAC and have not heard back from them in over
two days.

Thanks,
Don Beaulieu



: Saved
: Written by enable_15 at 17:47:52.200 UTC Wed Jun 23 2004
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password saw8oIdUMkaJPE6k encrypted
passwd saw8oIdUMkaJPE6k encrypted
hostname Valhalla
domain-name ourdomain.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_out permit tcp any host xx.xxx.189.179 eq smtp
access-list acl_out permit tcp any host xx.xxx.189.180 eq citrix-ica
access-list acl_out permit tcp any host xx.xxx.189.181 eq citrix-ica
access-list acl_out permit tcp any host xx.xxx.189.182 eq citrix-ica
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host xx.xxx.189.182 eq www
access-list acl_out permit tcp any host xx.xxx.189.179 eq domain
access-list acl_out permit tcp any host xx.xxx.189.179 eq echo
access-list acl_out permit tcp any host xx.xxx.189.179 eq imap4
access-list acl_out permit tcp any host xx.xxx.189.179 eq 123
access-list acl_out permit tcp any host xx.xxx.189.179 eq 2703
access-list acl_out permit tcp any host xx.xxx.189.179 eq 6277
access-list acl_out permit tcp any host xx.xxx.189.179 eq 6947
access-list acl_out permit tcp any host xx.xxx.189.179 eq netbios-ssn
access-list acl_out permit tcp any host xx.xxx.189.179 eq ldaps
access-list acl_out permit tcp any host xx.xxx.189.179 eq 993
access-list acl_out permit udp any host xx.xxx.189.179 eq echo
access-list acl_out permit udp any host xx.xxx.189.179 eq 25
access-list acl_out permit udp any host xx.xxx.189.179 eq domain
access-list acl_out permit udp any host xx.xxx.189.179 eq 2703
access-list acl_out permit udp any host xx.xxx.189.179 eq 6277
access-list acl_out permit udp any host xx.xxx.189.179 eq 6947
access-list acl_out permit udp any host xx.xxx.189.179 eq ntp
access-list acl_out permit udp any host xx.xxx.189.179 eq www
access-list acl_out permit tcp any host xx.xxx.189.179 eq 135
access-list acl_out permit tcp any host xx.xxx.189.179 eq www
access-list acl_out permit tcp any host xx.xxx.189.179 eq pop3
access-list acl_out permit tcp any host xx.xxx.189.179 eq 3389
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xx.xxx.189.178 255.255.255.240
ip address inside 192.168.0.20 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.0 255.255.255.255 inside
pdm location 192.168.0.11 255.255.255.255 inside
pdm location 192.168.0.12 255.255.255.255 inside
pdm location 192.168.0.13 255.255.255.255 inside
pdm location 192.168.0.14 255.255.255.255 inside
pdm location 192.168.0.15 255.255.255.255 inside
pdm location 192.168.0.20 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 xx.xxx.189.184-xx.xxx.189.188
global (outside) 1 xx.xxx.189.189
global (outside) 1 xx.xxx.189.179
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp xx.xxx.189.179 smtp 192.168.0.11 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xxx.189.179 pop3 192.168.0.12 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xxx.189.179 www 192.168.0.12 www netmask 255.255.255.255 0 0
static (inside,outside) xx.xxx.189.178 192.168.0.20 netmask 255.255.255.255 0 0
static (inside,outside) xx.xxx.189.182 192.168.0.15 netmask 255.255.255.255 0 0
static (inside,outside) xx.xxx.189.181 192.168.0.14 netmask 255.255.255.255 0 0
static (inside,outside) xx.xxx.189.180 192.168.0.13 netmask 255.255.255.255 0 0

access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xxx.189.177 1
route inside 192.168.1.0 255.255.255.0 192.168.0.1 2
route inside 192.168.2.0 255.255.255.0 192.168.0.1 2
route inside 192.168.3.0 255.255.255.0 192.168.0.1 2
route inside 192.168.168.0 255.255.255.0 192.168.0.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 60
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:28103c870581d0630c6bf6369c359045
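The posted config is worth cross-checking mechanically rather than by eye: on PIX 6.x an inbound packet needs both a permit in the ACL bound to the outside interface and a translation (a port static or a one-to-one static) for that outside address, and a permit with no matching static is simply dropped with no xlate built. The script below is an added example for this thread, not Cisco's tooling or the poster's code. Its embedded SAMPLE is a subset of the config above with the wrapped `static` lines joined and the masked xx.xxx.189.x addresses replaced by the documentation prefix 203.0.113.x (an assumption, so that the `global` range can be expanded). Run against the posted config it shows three things: the smtp, pop3 and www statics for .179 are present and permitted, so on paper the pop3/www path to 192.168.0.12 is complete; a series of acl_out lines for .179 (135, imap4, 3389 in the sample; also echo, domain, 123, 2703, 6277, 6947, netbios-ssn, ldaps, 993 and the UDP lines in the full config) have no static behind them, so they are inert today but go live against whichever host gets a one-to-one static for .179, which is exactly what the temporary change in the post did; and .179 is simultaneously a PAT address in `global (outside) 1` and the target of the port statics, which is worth verifying with `show xlate`, since the thread does not establish whether that overlap matters here.

```python
"""Cross-check a PIX 6.x outside ACL against its static translations.
Added example for this thread, not Cisco's or the poster's code. SAMPLE is
the post's config with the masked addresses replaced by 203.0.113.x."""
from ipaddress import IPv4Address

# service keywords used in the post, resolved to port numbers
PORT_NAMES = {"smtp": 25, "www": 80, "http": 80, "pop3": 110, "domain": 53,
              "echo": 7, "imap4": 143, "ldaps": 636, "netbios-ssn": 139,
              "ntp": 123, "citrix-ica": 1494}

SAMPLE = """\
access-list acl_out permit tcp any host 203.0.113.179 eq smtp
access-list acl_out permit tcp any host 203.0.113.182 eq citrix-ica
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host 203.0.113.179 eq imap4
access-list acl_out permit tcp any host 203.0.113.179 eq 135
access-list acl_out permit tcp any host 203.0.113.179 eq www
access-list acl_out permit tcp any host 203.0.113.179 eq pop3
access-list acl_out permit tcp any host 203.0.113.179 eq 3389
global (outside) 1 203.0.113.184-203.0.113.188
global (outside) 1 203.0.113.179
static (inside,outside) tcp 203.0.113.179 smtp 192.168.0.11 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.179 pop3 192.168.0.12 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.179 www 192.168.0.12 www netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.182 192.168.0.15 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
"""

def port(tok):
    """Service keyword or number -> port number (unknown keywords kept as text)."""
    return int(tok) if tok.isdigit() else PORT_NAMES.get(tok, tok)

def expand(spec):
    """'a.b.c.d' or 'a.b.c.d-a.b.c.e' -> set of dotted addresses."""
    lo, _, hi = spec.partition("-")
    lo_i, hi_i = int(IPv4Address(lo)), int(IPv4Address(hi or lo))
    return {str(IPv4Address(i)) for i in range(lo_i, hi_i + 1)}

def _addr(t, i):
    """Consume one ACL address spec at t[i]; return (address, next index)."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    return t[i] + "/" + t[i + 1], i + 2          # network-and-mask form

def parse(text):
    cfg = {"acl": [], "port_static": {}, "static": {}, "global": set(), "bound": None}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2] == "permit":
            # access-list NAME permit PROTO SRC DST [eq PORT]
            _, i = _addr(t, 4)
            dst, i = _addr(t, i)
            dport = port(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            cfg["acl"].append((t[1], t[3], dst, dport))
        elif t[0] == "static" and t[2] in ("tcp", "udp"):
            # port static: (inside,outside) PROTO OUT OPORT IN IPORT netmask ...
            cfg["port_static"][(t[2], t[3], port(t[4]))] = (t[5], port(t[6]))
        elif t[0] == "static":
            cfg["static"][t[2]] = t[3]               # one-to-one static: OUT IN
        elif t[0] == "global" and t[3] != "interface":
            cfg["global"] |= expand(t[3])
        elif t[0] == "access-group":
            cfg["bound"] = t[1]                      # ACL applied on the outside
    return cfg

def resolve(cfg, proto, dst, dport):
    """Inside host:port an inbound packet to dst:dport is translated to.
    Port static first, then one-to-one static (port carried through); with
    neither, PIX 6.x has no xlate to build and drops despite the permit."""
    if (proto, dst, dport) in cfg["port_static"]:
        return cfg["port_static"][(proto, dst, dport)]
    if dst in cfg["static"]:
        return cfg["static"][dst], dport
    return None

def audit(cfg):
    """reach: where each permitted host entry lands; dead: permitted but no
    translation; unlisted: statics no ACL line permits; overlap: global/static."""
    acl = [e[1:] for e in cfg["acl"] if e[0] == cfg["bound"]]
    reach, dead = {}, []
    for proto, dst, dport in acl:
        if dst == "any":
            continue
        target = resolve(cfg, proto, dst, dport)
        if target is None:
            dead.append((proto, dst, dport))
        else:
            reach[(proto, dst, dport)] = target
    unlisted = [k for k in cfg["port_static"] if not any(
        d == k[1] and p in (k[0], "ip") and dp in (k[2], None) for p, d, dp in acl)]
    unlisted += [o for o in cfg["static"] if not any(d == o for _, d, _ in acl)]
    outside = {k[1] for k in cfg["port_static"]} | set(cfg["static"])
    return {"reach": reach, "dead": dead, "unlisted": unlisted,
            "overlap": sorted(cfg["global"] & outside)}

if __name__ == "__main__":
    for key, value in audit(parse(SAMPLE)).items():
        print(key, value)
```

Feed it the full posted config (with the real addresses) and it will additionally report the one-to-one static for xx.xxx.189.178, the PIX's own outside interface address, as a static that no acl_out line permits. The check only covers the outside-to-inside direction, which is the one the post is about; it does not model `nat 0`, object groups or the interface-keyword forms that PIX 6.3 also accepts.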


Anonymous
June 26, 2004 2:34:37 PM


cyberstitious@hotmail.com (dbeaulieu) wrote in message news:<1aab0d40.0406251646.2ed0a82a@posting.google.com>...
> Hi all,
>
> I have a bit of a problem. We just upgraded our PIX506 Firewall to a
> PIX506E which, as you can see by the config file below is using
> software version 6.3(3).
>
> The problem I am having is this:
>
> We have our Exchange server behind a Barracuda firewall which resides
> behind the PIX506E. The Exchange server is on IP address 192.168.0.12,
> the Barracuda is on IP address 192.168.0.11. The Barracuda filters
> ONLY on port 25 and blocks all of the other ports. I am trying to map
> the other ports (80, 110 as well as a few others) to the Exchange
> server at 192.168.0.12. The external IP address of the Exchange server
> is, as you can see XX.XXX.189.179.
>
> The PIX506E is supposed to be using PAT to route the other ports
> (110, 80, etc.) around the Barracuda, however, this does not appear to
> be the case and it is definitely NOT working. Thus, we do not have any
> access to the Exchange server with an email client or OWC outside of
> our network.
>
> I temporarily changed the static mapping so that the external IP
> address was mapped to the Exchange server and then mapped the smtp
> port to the Barracuda IP address. Everything worked except for the
> fact that the Barracuda was taken out of the equation and we started
> receiving SPAM and Norton AV was catching a hell of a lot of viruses,
> so I quickly changed things back. Does anyone have any idea where I
> went wrong with the configuration?
>
<snip>

Your ACLs are all inbound only. The barracuda device requires several
in AND out ACLs in order to operate correctly. See page 14 of the
barracuda user manual (or rtfm).
In fact you point to this yourself, as when you take the barracuda
device out of the equation and point your static map directly to the
exchange server everything works. Things only stop working when you
point the static map to the device in front of the exchange device.
Herein lies your problem.

Also, provide the configuration info of the barracuda device.
Important information will be things like the DNS configuration (of
the barracuda and the mx information), and the relay information
(allowed email recipients domain).

SysAdm
!
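Whichever of the two diagnoses is right, the PIX itself can say whether the pop3/www statics are ever exercised, and that is cheaper than another round with TAC. The sequence below is an added checklist for this thread, written from the PIX 6.3 CLI as the editor knows it, not from the original posts; `Valhalla#` is the hostname in the config and 203.0.113.179 stands in for the masked xx.xxx.189.179 (both assumptions about the lab, not facts from the thread). Read each command's expected result against the config above.

```text
Valhalla# clear xlate
  static/nat/global edits apply only to new translations; xlates and
  connections built under the earlier mapping (the temporary 1:1 static
  for .179 to the Exchange server) survive until cleared.

Valhalla# show xlate
  after a test connection from outside, expect one entry per port static:
  203.0.113.179/25 -> 192.168.0.11/25, /110 and /80 -> 192.168.0.12.
  PAT entries that hand .179 to other inside hosts come from
  'global (outside) 1 xx.xxx.189.179' and are the overlap to look at.

Valhalla# show access-list acl_out
  hitcnt per line: if smtp climbs while pop3 and www stay at zero,
  packets for 110/80 are not reaching the outside interface at all,
  which points upstream of the PIX rather than at the statics.

Valhalla# logging on
Valhalla# logging buffered debugging
Valhalla# show logging
  for a test 'telnet 203.0.113.179 110' from outside, look for
  302013 (inbound TCP connection built to 192.168.0.12: static works),
  305005 (no translation group found: static not matching) or
  106023 (denied by access-group acl_out: ACL not matching).

Valhalla# capture cap1 access-list acl_out interface outside
Valhalla# show capture cap1
  confirms on the wire which of the permitted flows actually arrive.
```

`clear xlate` also drops every live outbound PAT session, so do it in a maintenance window. If `show xlate` shows .179 being consumed by ordinary outbound PAT, removing it from pool 1 (it is not needed there; the 184-188 range and .189 remain) keeps the published address reserved for the statics.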