Cisco 515E setup

I have a config here but everything is not working the way I need it to.

1) Users make an MS-VPN (PPTP) connection to a site-internal Win2003 host (name=dns1). This does not work the way I have it; I have an acl for 1723/tcp and gre, an acl-group and a static.

2) SMTP is an Exchange 2003 host inside (name=email). This works outbound but not inbound; I have "no fixup" for smtp, and I have an acl for smtp, an acl-group and a static.

3) Outlook Web Access is allowed from the world (I know, I know). This does not work; I have an acl for 9090, 20000 and 20001, an acl-group and a static.

The service network has a loopback only and I am setting the ACLs and stuff in advance.

I am not 100% sure of static statements.

I only have one external ip address (yy.yy.yy.yy).

Any help would be appreciated.

begin "sho runn"

sho runn
: Saved
:
PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 service security50
enable password EiQBnSVGNNsNqN69 encrypted
passwd kUKNsfvh5WzbVbbE encrypted
hostname area51
domain-name zzz.net
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.94 email
name 192.168.1.200 dns1
name 192.168.1.201 dns2
name 10.9.8.21 ftpserver
name 10.9.8.53 authdns2
name xx.xx.228.138 prodmail
access-list outside permit icmp any any echo-reply
access-list outside permit icmp any any time-exceeded
access-list outside permit icmp any any unreachable
access-list outside permit tcp any host yy.yy.yy.yy eq smtp
access-list outside permit tcp host prodmail host yy.yy.yy.yy eq pop3
access-list outside permit tcp any host yy.yy.yy.yy eq 9090
access-list outside permit udp any host yy.yy.yy.yy eq 9090
access-list outside permit tcp any host yy.yy.yy.yy range 20000 20001
access-list outside permit udp any host yy.yy.yy.yy range 20000 20001
access-list outside permit udp any host yy.yy.yy.yy eq domain
access-list outside permit tcp any host yy.yy.yy.yy eq domain
access-list outside permit udp any host dns1 eq domain
access-list outside permit udp any host dns2 eq domain
access-list outside permit gre any host dns1
access-list outside permit tcp any host dns1 eq pptp
access-list tunnel permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list service permit tcp any host ftpserver eq ftp
access-list service permit tcp any host authdns2 eq domain
access-list service permit udp any host authdns2 eq domain
pager lines 24
logging on
logging timestamp
logging monitor debugging
logging buffered debugging
logging trap debugging
logging facility 23
logging queue 8094
icmp permit any echo-reply outside
icmp permit any echo outside
icmp permit 192.168.1.0 255.255.255.0 inside
icmp permit any echo inside
icmp permit any echo-reply inside
mtu outside 1500
mtu inside 1500
mtu service 1500
ip address outside yy.yy.yy.yy 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
ip address service 10.9.8.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool bigpool 192.168.1.214-192.168.1.249
no pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list tunnel
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (service) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp email smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp prodmail pop3 email pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 9090 email 9090 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 9090 email 9090 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 20000 email 20000 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 20000 email 20000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 20001 email 20001 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 20001 email 20001 netmask 255.255.255.255 0 0
static (service,outside) tcp interface ftp ftpserver ftp netmask 255.255.255.255 0 0
static (service,outside) tcp interface domain authdns2 domain netmask 255.255.255.255 0 0
static (service,outside) udp interface domain authdns2 domain netmask 255.255.255.255 0 0
access-group outside in interface outside
access-group service in interface service
route outside 0.0.0.0 0.0.0.0 66.37.239.13 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
snmp-server location 10842_Farnam_Dr
snmp-server contact snipped-for-privacy@whatever.com
snmp-server community not_known
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set goliath esp-3des esp-md5-hmac
crypto map whse_map 1 ipsec-isakmp
crypto map whse_map 1 match address tunnel
crypto map whse_map 1 set peer qq.qq.qq.qq
crypto map whse_map 1 set transform-set goliath
isakmp enable outside
isakmp key ******** address qq.qq.qq.qq netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh dd.dd.dd.dd 255.255.255.255 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:3812dd63622b50ca883e2fdca5ea25f5
: end
Reply to
geewiz
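A small audit script, added here as an example (it is not from the post, and not a Cisco tool), that cross-checks the outside ACL against the statics in the posted config: on PIX 6.x an ACL applied to the outside interface must name the translated (global) address, so entries aimed at dns1 directly, and tcp/udp entries for ports that no static publishes on yy.yy.yy.yy, are reported. The config excerpt is constructed from the post's own lines; the names and the yy.yy.yy.yy / xx.xx.228.138 placeholders are the post's.

```python
import re

# Constructed excerpt of the posted "sho runn" (PIX 6.3 syntax); the names and
# the yy.yy.yy.yy / xx.xx.228.138 placeholders are the ones the post uses.
CONFIG = """\
name 192.168.1.94 email
name 192.168.1.200 dns1
name xx.xx.228.138 prodmail
ip address outside yy.yy.yy.yy 255.255.255.252
access-list outside permit tcp any host yy.yy.yy.yy eq smtp
access-list outside permit tcp host prodmail host yy.yy.yy.yy eq pop3
access-list outside permit udp any host dns1 eq domain
access-list outside permit gre any host dns1
access-list outside permit tcp any host dns1 eq pptp
static (inside,outside) tcp interface smtp email smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp prodmail pop3 email pop3 netmask 255.255.255.255 0 0
"""

# Only single-port (eq) or port-less entries are checked; 'range' entries do not match.
ACL_RE = re.compile(r"^access-list (\S+) permit (\S+) (?:any|host \S+) host (\S+)(?: eq (\S+))?$")
STATIC_RE = re.compile(r"^static \(\S+,outside\) (tcp|udp) (\S+) (\S+) \S+ \S+ netmask")

def audit_outside_acl(config):
    """Return (acl_line, reason) pairs for entries of the ACL named 'outside' that
    cannot match inbound traffic: on PIX 6.x the destination must be the global
    (translated) address, and a tcp/udp port needs a static publishing it there."""
    lines = config.splitlines()
    names = {f[2]: f[1] for f in (l.split() for l in lines) if f[:1] == ["name"]}
    outside_ip = next(l.split()[3] for l in lines if l.startswith("ip address outside "))
    published = set()                       # (proto, global address, global port)
    for line in lines:
        m = STATIC_RE.match(line)
        if m:
            proto, gaddr, gport = m.groups()
            gaddr = outside_ip if gaddr == "interface" else names.get(gaddr, gaddr)
            published.add((proto, gaddr, gport))
    findings = []
    for line in lines:
        m = ACL_RE.match(line)
        if not m or m.group(1) != "outside":
            continue
        _, proto, dst, port = m.groups()
        dst_ip = names.get(dst, dst)
        if dst_ip != outside_ip:
            findings.append((line, f"destination {dst} ({dst_ip}) is not the outside "
                                   "address; a PIX 6.x outside ACL must name the global address"))
        elif proto in ("tcp", "udp") and (proto, dst_ip, port) not in published:
            findings.append((line, f"no static publishes {proto}/{port} on {dst_ip}"))
    return findings
```

Run against the excerpt, the smtp entry passes (its static publishes tcp/smtp on the interface address) while the pop3 static, whose global address is prodmail rather than the outside address, and the three dns1 entries are reported.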

cont'd

I also have some people using "clear xlate" and "clear arp-cache" to get things going in the *right* direction. Is this viable? I am using loopback in the ethernet0 and ethernet1 until I cut over the existing firewall after-hours; does this cause some problems?

Reply to
geewiz

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.