having a hard time with pix515

Could someone look over the config parts I have been staring at for a
whole week and making attempts after-hours to get this thing to work? I
must be missing something but can't figure it out.

!
! negate this fixup to pass Microsoft's stupid SMTP
!
no fixup protocol smtp 25
!
! there is only one external addr xx.xx.239.14
! only one external host gets pop3 for web app
! we allow outlook web on 9090 tcp/udp and 20000/20001
! I think domain is needed for internal dns cache to do lookups
! also we allow MS-VPN clients into an internal for auth
! there will soon be a service net for public ftp and auth dns
!
access-list outside permit icmp any any echo-reply
access-list outside permit icmp any any time-exceeded
access-list outside permit icmp any any unreachable
access-list outside permit tcp any host xx.xx.239.14 eq smtp
access-list outside permit tcp host prodmail host 66.37.239.14 eq pop3
access-list outside permit tcp any host xx.xx.239.14 eq 9090
access-list outside permit udp any host xx.xx.239.14 eq 9090
access-list outside permit tcp any host xx.xx.239.14 range 20000 20001
access-list outside permit udp any host xx.xx.239.14 range 20000 20001
access-list outside permit udp any host xx.xx.239.14 eq domain
access-list outside permit tcp any host xx.xx.239.14 eq domain
access-list outside permit udp any host dns1 eq domain
access-list outside permit udp any host dns2 eq domain
access-list outside permit gre any host dns1
access-list outside permit tcp any host dns1 eq pptp
access-list tunnel permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list service permit tcp any host ftpserver eq ftp
access-list service permit tcp any host authdns2 eq domain
access-list service permit udp any host authdns2 eq domain
!
global (outside) 1 interface
nat (inside) 0 access-list tunnel
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (service) 1 0.0.0.0 0.0.0.0 0 0
!
! statics to provide connection between outside int and internal
!
static (inside,outside) tcp interface smtp email smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp prodmail pop3 email pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 9090 email 9090 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 9090 email 9090 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 20000 email 20000 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 20000 email 20000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 20001 email 20001 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 20001 email 20001 netmask 255.255.255.255 0 0
static (inside,outside) interface dns1 netmask 255.255.255.255 0 0
!
! apply access-list from above
!
access-group outside in interface outside
access-group service in interface service


Something is not working. I get web browsing from inside, but mail
seemed pokey. I could not do MS-VPN or OWA and the pop3 application did
not work. Something like routing or the statics are not correct.

--
"Never have so many understood so little about so much."
                              -- James Burke
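The poster is checking by eye which outside ACL entries line up with which statics. The script below, an added example for this thread and not the poster's or Cisco's code, does that cross-check mechanically. It assumes the pre-8.3 PIX/ASA rule that an ACL applied inbound on the outside interface is evaluated against the global (mapped) address, so every permitted single-host destination should be backed by a static whose global address, protocol and port match, and every static should be reachable through some permit entry. The sample config is constructed from the posted lines: the object names email, prodmail and dns1 are the poster's, and the redacted outside address is written as xx.xx.239.14 throughout (the post itself writes it two ways). The port-name table, the function names and the finding labels are my own.

```python
import re
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional
PORT_NAMES = {"smtp": 25, "pop3": 110, "domain": 53, "pptp": 1723, "ftp": 21}

def port_num(tok: str) -> int:
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]

@dataclass
class Static:
    global_ip: str
    local_ip: str
    proto: Optional[str]  # None: one-to-one static, any protocol
    port: Optional[int]   # None: any port
    text: str

    def covers(self, dst: str, proto: str, ports: Optional[tuple]) -> bool:
        # True if packets to dst/proto/ports would be translated by this static
        if self.global_ip != dst or (self.proto and self.proto != proto):
            return False
        return self.port is None or (ports is not None and ports[0] <= self.port <= ports[1])

# dst is "any", a host, or "net/mask"; ports is (low, high) for the destination, None = any
AclEntry = namedtuple("AclEntry", "name action proto dst ports text")
STATIC_PORT = re.compile(r"^static \(\w+,\w+\) (tcp|udp) (\S+) (\S+) (\S+) \S+ netmask")
STATIC_1TO1 = re.compile(r"^static \(\w+,\w+\) (\S+) (\S+) netmask")

def parse_static(line: str, iface: str) -> Optional[Static]:
    """Port static or one-to-one static; the 'interface' keyword becomes the real address."""
    if m := STATIC_PORT.match(line):
        proto, gip, gport, lip = m.groups()
        return Static(iface if gip == "interface" else gip, lip, proto, port_num(gport), line)
    if m := STATIC_1TO1.match(line):
        gip, lip = m.groups()
        return Static(iface if gip == "interface" else gip, lip, None, None, line)
    return None

def parse_acl(line: str) -> AclEntry:
    """Parse 'access-list NAME permit|deny PROTO SRC [ports] DST [ports]'."""
    t = line.split()
    def addr(i):
        if t[i] == "any":
            return "any", i + 1
        if t[i] == "host":
            return t[i + 1], i + 2
        return f"{t[i]}/{t[i + 1]}", i + 2
    def ports(i):
        if i < len(t) and t[i] == "eq":
            return (port_num(t[i + 1]),) * 2, i + 2
        if i < len(t) and t[i] == "range":
            return (port_num(t[i + 1]), port_num(t[i + 2])), i + 3
        return None, i
    _, i = ports(addr(4)[1])   # skip the source address and any source ports
    dst, i = addr(i)
    dst_ports, _ = ports(i)
    return AclEntry(t[1], t[2], t[3], dst, dst_ports, line)

def check_outside(config: str, iface: str, acl_name: str = "outside"):
    """Return (resolutions, findings): inside host(s) each permitted destination maps to, and problems."""
    statics, permits = [], []
    for ln in (raw.strip() for raw in config.strip().splitlines()):
        if ln.startswith("static ") and (s := parse_static(ln, iface)):
            statics.append(s)
        elif ln.startswith("access-list "):
            e = parse_acl(ln)
            if e.name == acl_name and e.action == "permit":
                permits.append(e)
    resolutions, findings = {}, []
    for e in permits:
        if e.dst == "any" or "/" in e.dst:
            continue   # only single-host destinations are cross-checked here
        hits = [s for s in statics if s.covers(e.dst, e.proto, e.ports)]
        resolutions[e.text] = {s.local_ip for s in hits}
        if not hits:
            findings.append(("no-static", e.text))   # permitted, but nothing translates it
        elif len(resolutions[e.text]) > 1:
            # several statics claim this global address/port but send it to different inside hosts
            findings.append(("overlap", e.text))
    for s in statics:
        if not any(e.dst in ("any", s.global_ip) and (s.proto is None or e.proto == s.proto)
                   and (s.port is None or e.ports is None or e.ports[0] <= s.port <= e.ports[1])
                   for e in permits):
            findings.append(("unreachable-static", s.text))   # no permit entry lets traffic reach it
    return resolutions, findings

# Constructed sample modelled on the posted config: object names (email, prodmail, dns1)
# are the poster's; the redacted outside address xx.xx.239.14 is kept as a literal token.
SAMPLE_CONFIG = """
access-list outside permit tcp any host xx.xx.239.14 eq smtp
access-list outside permit tcp host prodmail host xx.xx.239.14 eq pop3
access-list outside permit tcp any host xx.xx.239.14 range 20000 20001
access-list outside permit udp any host xx.xx.239.14 eq domain
access-list outside permit gre any host dns1
static (inside,outside) tcp interface smtp email smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp prodmail pop3 email pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 20000 email 20000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 20001 email 20001 netmask 255.255.255.255 0 0
static (inside,outside) interface dns1 netmask 255.255.255.255 0 0
"""
```

Calling `check_outside(SAMPLE_CONFIG, "xx.xx.239.14")` returns three kinds of finding, each pointing at a line of the posted config worth reconciling: `no-static` for the entries whose destination is `host dns1` (no static has dns1 as its global address, so on the outside interface those lines match nothing), `unreachable-static` for the pop3 static (its global address is prodmail, while the only pop3 permit is to the outside address, which the script resolves to dns1 through the one-to-one static), and `overlap` wherever the one-to-one interface static and a port static both claim the same global address and port. Whether the box prefers the port static or rejects the overlap outright is not something this script decides; it only lists the lines to reconcile.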


Re: having a hard time with pix515


dude, the configs and info you're providing are incomplete and
confusing.

tell us more about what works, from where to where
tell us more about what did not work, from where to where

example: outside access to pop on the inside?

BUT, from what I see, you're probably having trouble with the "service"
access-list/group

shouldn't it be like this: "access-group service in interface inside"?

