Email/ VPN using PIX 506

Hi,

I'm new to using PIX and was wondering if anyone could help me with a question I have. I'm looking at the PIX config that has been left by a network admin and cleaned up by myself, and have a few questions. Would be really grateful if anyone could help me here - :)

y = external IP address range, x = internal IP address range

Our internet MASQ is y.243 and all email is sent out straight to the internet. Incoming mail goes to an SMTP gateway on x.8. There is a translation on the PIX for the SMTP gateway that NATs it to y.241. There is also a rule on the PIX that directs port 25 traffic to x.8.

We are currently experiencing problems sending emails to a certain domain because the A record for mail.domain.com (where our MX record points to) is y.241 - not y.243 where the mail originates from.

My question is this - if I tell our ISP to change the A record to y.243, will this affect our ability to receive mails? Surely, since all SMTP traffic is directed to the SMTP gateway when it hits the firewall, this shouldn't matter, and we don't really need the translation for the Gateway?

Additionally, when I try and VPN to the network from the outside, I can authenticate and get in, but cannot seem to reach any of the servers.

I've posted the Access lists config below -

access-list outside_access_in remark Allow Mail delivery
access-list outside_access_in permit tcp any any eq smtp
access-list outside_access_in remark Allow Office1 Connectivity
access-list outside_access_in permit ip Office1 255.255.252.0 any
access-list outside_access_in permit tcp any eq smtp host mail_outside eq smtp
access-list outside_access_in remark Allow IPsec Traffic
access-list outside_access_in permit udp host ARCPHC host y.243 eq isakmp
access-list outside_access_in remark Allow IPsec Traffic
access-list outside_access_in permit ah host ARCPHC host y.243
access-list outside_access_in remark Allow IPsec Traffic
access-list outside_access_in permit esp host ARCPHC host y.243
access-list outside_access_in permit tcp any object-group LANGlobal y.0 255.255.255.0 object-group LANGlobal
access-list outside_access_in remark Web Access
access-list outside_access_in permit tcp any host y.242 eq www
access-list outside_access_in permit icmp Office1 255.255.0.0 y.0 255.255.255.0
access-list outside_access_in deny udp any eq 1434 any
access-list outside_access_in remark Allow ICMP
access-list outside_access_in permit icmp any any
access-list outside_access_in remark User1- PC Anywhere
access-list outside_access_in permit tcp host User1_IP host y.245 eq pcanywhere-data
access-list outside_access_in remark User1 PCAnywhere
access-list outside_access_in permit udp host NAME host y.245 eq pcanywhere-status
access-list outside_access_in deny tcp any any
access-list outside_access_in remark Block everything to come in.
access-list inside_access_in permit ip any any
access-list inside_access_in permit icmp 192.168.1.0 255.255.255.0 Office1 255.255.0.0
access-list inside_access_in deny udp any eq 1434 any
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 Office1 255.255.252.0
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 Office1 255.255.252.0
pager lines 24
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside y.243 255.255.255.240
ip address inside 192.168.1.5 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn_pool 192.168.1.200-192.168.1.210
ip local pool VPN_Pool2 192.168.2.200-192.168.2.210
ip local pool VPN_Pool3 10.10.0.1-10.10.0.10
pdm location mail_outside 255.255.255.255 outside
pdm location 192.168.1.192 255.255.255.224 outside
pdm location srvroom 255.255.255.255 inside
pdm location inbound_SMTP 255.255.255.255 inside
pdm location Server1 255.255.255.255 inside
pdm location Office1 255.255.252.0 outside
pdm location PIX 255.255.255.255 outside
pdm location ARCPHC 255.255.255.255 outside
pdm location PIX 255.255.255.255 inside
pdm location Office1 255.255.0.0 outside
pdm location mailserv 255.255.255.255 inside
pdm location DC 255.255.255.255 inside
pdm location fileserv 255.255.255.255 inside
pdm location 192.168.1.2 255.255.255.255 inside
pdm location 192.168.1.7 255.255.255.255 inside
pdm location VPN_Pool 255.255.255.0 outside
pdm location User2 255.255.255.255 outside
pdm location User10 255.255.255.255 outside
pdm location User3 255.255.255.255 outside
pdm location User4 255.255.255.255 outside
pdm location User5 255.255.255.255 outside
pdm location User6 255.255.255.255 outside
pdm location 192.169.1.51 255.255.255.255 inside
pdm location User1 255.255.255.255 inside
pdm location User2 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) mail_outside inbound_SMTP netmask 255.255.255.255 0 0
static (inside,outside) y.242 fileserv netmask 255.255.255.255 0 0
static (inside,outside) y.246 192.168.1.7 netmask 255.255.255.255 0 0
static (inside,outside) y.245 Computer1 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 y.254 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http srvroom 255.255.255.255 inside
http server1 255.255.255.255 inside
http mailserv 255.255.255.255 inside
http DC 255.255.255.255 inside
http fileserv 255.255.255.255 inside
http 192.168.1.7 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer ARCPHC
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address ARCPHC netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet srvroom 255.255.255.255 inside
telnet mailserv 255.255.255.255 inside
telnet fileserv 255.255.255.255 inside
telnet 192.168.1.7 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 10
vpdn group VPN accept dialin pptp
vpdn group VPN ppp authentication mschap
vpdn group VPN client configuration address local VPN_Pool2
vpdn group VPN client configuration dns DC
vpdn group VPN client configuration wins mailserv
vpdn group VPN pptp echo 60
vpdn group VPN client authentication local
vpdn username VPNUser1 password *********
vpdn username VPNUser2 password *********
vpdn username VPNUser3 password *********
vpdn username VPNUser4 password *********
vpdn username VPNUser5 password *********
vpdn username VPNUser6 password *********
vpdn enable outside
dhcprelay server DC inside
dhcprelay enable outside
dhcprelay setroute outside
username AdminUser2 password X encrypted privilege 15
username AdminUser1 password XX encrypted privilege 15
terminal width 80
banner exec Authorised access only
banner exec This system is the property of Me
banner exec Disconnect IMMEDIATELY if you are not an authorised user !
banner exec Contact support@x or tel for help.
banner exec User Access Verification
banner login Welcome
Cryptochecksum:XXX
: end
[OK]

Would be grateful for any help.

Thanks Dilan
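As an added illustration (not part of Dilan's post or the PIX's own code), here is a small first-match evaluator for PIX 6.x access-list lines, run over a constructed, abridged copy of the outside_access_in rules above: 203.0.113.0/24 stands in for the y range, 198.51.100.0/22 for Office1, and the named hosts, object-group line and IPsec peer rules are left out. It shows which inbound packets the list accepts before the trailing deny tcp any any and the implicit deny apply.

```python
import ipaddress
# Added example (not from the thread): first-match evaluator for PIX 6.x access-list
# lines. Constructed ACL: 203.0.113.0/24 stands in for "y", 198.51.100.0/22 for Office1.
ACL = """
access-list outside_access_in permit tcp any any eq smtp
access-list outside_access_in permit ip 198.51.100.0 255.255.252.0 any
access-list outside_access_in permit tcp any host 203.0.113.242 eq www
access-list outside_access_in deny udp any eq 1434 any
access-list outside_access_in permit icmp any any
access-list outside_access_in deny tcp any any
"""
PORTS = {"smtp": 25, "www": 80, "isakmp": 500}  # named ports used in the post

def _addr(tok):
    """Consume one address spec ('any', 'host X' or 'X MASK'); None means any."""
    t = tok.pop(0)
    if t == "any":
        return None
    if t == "host":
        return ipaddress.ip_network(tok.pop(0))
    return ipaddress.ip_network(f"{t}/{tok.pop(0)}", strict=False)

def _port(tok):
    """Consume an optional 'eq PORT' operator; None means any port."""
    if tok and tok[0] == "eq":
        tok.pop(0)
        p = tok.pop(0)
        return PORTS.get(p) or int(p)
    return None

def parse_acl(text, name):
    """Ordered (action, proto, src, sport, dst, dport) rules of the named access-list."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:2] != ["access-list", name] or tok[2] == "remark":
            continue
        action, proto, tok = tok[2], tok[3], tok[4:]
        rules.append((action, proto, _addr(tok), _port(tok), _addr(tok), _port(tok)))
    return rules

def evaluate(rules, proto, src, sport, dst, dport):
    """First matching rule wins; a PIX denies anything that matches no rule."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rsport, rdst, rdport in rules:
        if rproto in ("ip", proto) and (rsrc is None or s in rsrc) \
                and (rdst is None or d in rdst) \
                and rsport in (None, sport) and rdport in (None, dport):
            return action
    return "deny"
```

Port 25 is permitted to every outside address by the first rule, so the evaluator returns "permit" for SMTP to .241 and .243 alike, while anything else over TCP falls through to the deny.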


Yes, a mail server likes to be able to reverse DNS the IP.

No, the A record is simply a hostname record, and the MX is for Mail-eXchange. They can be the same or two different ones; it doesn't matter, from a DNS P.O.V.

In regards to your VPN: get 3DES running and enable the isakmp nat-t command, and if you are not on 6.3.x, get there.

HTH Martin Bilgrav

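To make the reverse-DNS point concrete, here is an added example (not from Martin's reply) that models the checks a receiving MTA commonly applies to a connecting SMTP client, run over constructed records for the situation in the question; 203.0.113.0/24 stands in for the y range and the hostnames are placeholders.

```python
# Added example (not from the thread): the checks a receiving MTA commonly applies
# to a connecting SMTP client, run over constructed records. 203.0.113.0/24 stands
# in for the "y" range; hostnames are placeholders.

def check_sender_dns(records, client_ip):
    """Findings for mail arriving from client_ip: PTR present and forward-confirmed."""
    findings = []
    ptr_host = records["ptr"].get(client_ip)
    if ptr_host is None:
        findings.append(f"no PTR record for {client_ip}")
    elif records["a"].get(ptr_host) != client_ip:
        findings.append(f"PTR {ptr_host} does not resolve back to {client_ip}")
    return findings

def inbound_delivery_ip(records, domain):
    """The address remote MTAs connect to: MX hostname, then its A record."""
    return records["a"].get(records["mx"].get(domain))

def outbound_ip_matches_mx(records, domain, client_ip):
    """Whether the sending address is also the advertised MX; a receiver's policy choice, not a DNS rule."""
    return inbound_delivery_ip(records, domain) == client_ip

# Situation in the question: mail.domain.com -> y.241 (static NAT to the SMTP
# gateway), while outbound mail leaves from the PAT address y.243 with no PTR.
BEFORE = {"mx": {"domain.com": "mail.domain.com"},
          "a": {"mail.domain.com": "203.0.113.241"},
          "ptr": {"203.0.113.241": "mail.domain.com"}}

# After the ISP points the A record at y.243 and adds the matching PTR.
AFTER = {"mx": {"domain.com": "mail.domain.com"},
         "a": {"mail.domain.com": "203.0.113.243"},
         "ptr": {"203.0.113.243": "mail.domain.com"}}
```

Inbound delivery depends only on the MX and A lookups, so it follows whichever address the A record names; the outbound findings depend only on the PTR for the address the mail actually leaves from.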
