PIX 501 static route for POP3

Can anyone out there tell me why POP3 is not forwarded to PRISRV??? Port scan from outside shows POP3 being closed.

I know it's a messy config but have to work with it for now. Please help.

Note: xxx.xxx.xxx.xxx = WAN IP; yyy.yyy.yyy.yyy = WAN Gateway

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ZXps25JK0mK.30PT encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name domain.local
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol esp-ike
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.100.252 pri1
name 192.168.100.250 pritermsrv
name 192.168.100.254 PRISRV
name 192.168.100.13 karind_pc
name 192.168.100.84 pp_goldmine
object-group service PRISRV tcp
  description Oen ports for PRISRV
  port-object range 45999 45999
  port-object eq pptp
  port-object eq https
  port-object eq smtp
  port-object eq www
  port-object range 3389 3389
  port-object range 4125 4125
  port-object eq daytime
  port-object eq pop3
access-list inside_access_in permit ip any any
access-list inside_outbound_nat0_acl permit ip any 192.168.100.0 255.255.255.0
access-list outside_access_in permit udp host nortelvpn1 eq isakmp any eq isakmp
access-list outside_access_in permit udp host nortelvpn2 eq isakmp any eq isakmp
access-list outside_access_in permit udp host nortelvpn3 eq isakmp any eq isakmp
access-list outside_access_in permit esp host nortelvpn1 any
access-list outside_access_in permit esp host nortelvpn2 any
access-list outside_access_in permit esp host nortelvpn3 any
access-list outside_access_in permit ah host nortelvpn1 any
access-list outside_access_in permit ah host nortelvpn2 any
access-list outside_access_in permit ah host nortelvpn3 any
access-list outside_access_in remark RDP to PRI1
access-list outside_access_in permit tcp any interface outside eq 3389
access-list outside_access_in permit tcp any interface outside eq https
access-list outside_access_in permit tcp any interface outside eq 4125
access-list outside_access_in remark RDP to PRISRV.
access-list outside_access_in remark (if removed change default RDP port in registry of PRISRV)
access-list outside_access_in permit tcp any interface outside eq 49555
access-list outside_access_in remark Goldmine sync port for Pacific Properties
access-list outside_access_in permit tcp any interface outside eq 5993
access-list outside_access_in remark RDP access to Pacific Properties goldmine PC.
access-list outside_access_in remark (if removed change default RDP port in registry of PC)
access-list outside_access_in permit tcp any interface outside eq 4040
access-list outside_access_in remark RDP access to Karin's workstation to use app.
access-list outside_access_in remark (if removed change default RDP port in registry of Karin's PC)
access-list outside_access_in permit tcp any interface outside eq 55999
access-list outside_access_in remark RDP access to Francis's workstation for remote desktop connection
access-list outside_access_in remark (if removed change default RDP port in registry of Francis's PC)
access-list outside_access_in permit tcp any interface outside eq 47999
access-list outside_access_in permit tcp any interface outside eq pop3
access-list outside_access_in remark RDP to PRI1
access-list outside_access_in remark Email to PRI1
access-list outside_access_in permit tcp any interface outside eq smtp
access-list outside_access_in remark OWA access to PRI1
access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in permit tcp any interface outside eq 444
access-list outside_access_in remark VPN to PRI1
access-list outside_access_in permit tcp any interface outside eq pptp
access-list outside_access_in remark RDP to PRISRV.
access-list outside_access_in remark (if removed change default RDP port in regi
access-list outside_access_in remark Goldmine sync port for Pacific Properties
access-list outside_access_in remark RDP access to Pacific Properties goldmine P
access-list outside_access_in remark (if removed change default RDP port in regi
access-list outside_access_in remark RDP access to Karin's workstation to use Ex
access-list outside_access_in remark (if removed change default RDP port in regi
no pager
logging on
logging timestamp
logging trap errors
logging host inside pri1
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.248
ip address inside 192.168.100.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNUsers 192.168.100.30-192.168.100.49
pdm location pri1 255.255.255.255 inside
pdm location nortelvpn1 255.255.255.255 outside
pdm location nortelvpn2 255.255.255.255 outside
pdm location nortelvpn3 255.255.255.255 outside
pdm location 192.168.100.0 255.255.255.0 inside
pdm location jpalmerhomeip 255.255.255.255 outside
pdm location 192.168.100.0 255.255.255.0 outside
pdm location 192.168.100.0 255.255.255.192 outside
pdm location 192.168.100.163 255.255.255.255 inside
pdm location pritermsrv 255.255.255.255 inside
pdm location pp_goldmine 255.255.255.255 inside
pdm location PRISRV 255.255.255.255 inside
pdm location karind_pc 255.255.255.255 inside
pdm location 192.168.100.139 255.255.255.255 inside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.100.0 255.255.255.0 0 0
static (inside,outside) tcp interface 3389 pri1 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp PRISRV smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 447 pri1 447 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 444 pri1 444 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8825 pri1 8825 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5993 pp_goldmine 5993 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4040 pp_goldmine 4040 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 55999 karind_pc 55999 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https PRISRV https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 49555 PRISRV 49555 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 47999 192.168.100.139 47999 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp pri1 pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4125 PRISRV 4125 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 PRISRV pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www pri1 www netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 yyy.yyy.yyy.yyy 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map inside_map interface inside
isakmp identity address
vpngroup PRIVPN address-pool VPNUsers
vpngroup PRIVPN dns-server pri1 4.2.2.2
vpngroup PRIVPN wins-server pri1
vpngroup PRIVPN default-domain domain.local
vpngroup PRIVPN idle-time 1800
vpngroup PRIVPN password ********
telnet 0.0.0.0 0.0.0.0 outside
telnet 192.168.100.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.100.0 255.255.255.0 inside
ssh timeout 20
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto required
vpdn group PPTP-VPDN-GROUP client configuration address local VPNUsers
vpdn group PPTP-VPDN-GROUP client configuration dns pri1 4.2.2.2
vpdn group PPTP-VPDN-GROUP client configuration wins pri1
vpdn group PPTP-VPDN-GROUP client authentication aaa RADIUS
vpdn group PPTP-VPDN-GROUP client accounting RADIUS
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn enable outside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcprelay server PRISRV inside
dhcprelay enable outside
terminal width 80
Cryptochecksum:1cff6dd4863e0a2ee08503a05aada858
: end



Reply to
Ian McKellan

In article , Ian McKellan wrote:
:Can anyone out there tell me why POP3 is not forwarded to PRISRV??? Port
:scan from outside shows POP3 being closed.

You should upgrade to at least 6.3(4) in order to fix known security problems.

Your VPN client IP pool needs to be a different address range than your inside IP range. Otherwise, you get routing problems and NAT problems.

You -might- also have to use a different pool for vpngroup than for vpdn group -- I have not investigated that particular point.

Reply to
Walter Roberson
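Added example (not from either poster and not a Cisco tool): a small checker for the two things this thread turns on. It pairs each `static (inside,outside) tcp interface ...` PAT entry with a matching `access-list outside_access_in permit tcp any interface outside eq ...` line (a forward needs both, as the posted config shows for pop3), and it tests Walter Roberson's point that the `ip local pool` must not fall inside the inside-interface subnet. SAMPLE_CONFIG is a constructed excerpt in the posted config's syntax, with two gaps deliberately left in so the checker has something to report.

```python
import ipaddress
import re

# Constructed excerpt in PIX 6.3 syntax; the smtp static has no ACL line
# and the 4125 ACL line has no static, unlike the full posted config.
SAMPLE_CONFIG = """
name 192.168.100.254 PRISRV
name 192.168.100.252 pri1
access-list outside_access_in permit tcp any interface outside eq pop3
access-list outside_access_in permit tcp any interface outside eq 4125
ip address inside 192.168.100.2 255.255.255.0
ip local pool VPNUsers 192.168.100.30-192.168.100.49
static (inside,outside) tcp interface pop3 PRISRV pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp PRISRV smtp netmask 255.255.255.255 0 0
"""

STATIC_RE = re.compile(r"^static \(inside,outside\) tcp interface (\S+) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list outside_access_in permit tcp any interface outside eq (\S+)")
POOL_RE = re.compile(r"^ip local pool \S+ (\S+)-(\S+)")
INSIDE_RE = re.compile(r"^ip address inside (\S+) (\S+)")


def port_forward_gaps(config):
    """Return (statics_without_acl, acls_without_static) as sorted port lists."""
    statics, acls = {}, set()
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        if m:
            statics[m.group(1)] = m.group(2)   # outside port -> inside host
            continue
        m = ACL_RE.match(line)
        if m:
            acls.add(m.group(1))
    no_acl = sorted(p for p in statics if p not in acls)
    no_static = sorted(p for p in acls if p not in statics)
    return no_acl, no_static


def vpn_pool_overlaps_inside(config):
    """True when either end of the VPN pool lies in the inside interface subnet."""
    inside = pool = None
    for line in config.splitlines():
        m = INSIDE_RE.match(line)
        if m:
            inside = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        m = POOL_RE.match(line)
        if m:
            pool = (ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2)))
    if inside is None or pool is None:
        return False
    return pool[0] in inside or pool[1] in inside


if __name__ == "__main__":
    print("static without ACL / ACL without static:", port_forward_gaps(SAMPLE_CONFIG))
    print("VPN pool overlaps inside subnet:", vpn_pool_overlaps_inside(SAMPLE_CONFIG))
```

Run against the full posted config, the pop3 static and its ACL line both match, so a check like this rules the firewall rules out and leaves the listener on PRISRV as the next thing to verify; the pool overlap it does flag is the one Walter Roberson describes.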
