I have a new PIX 515R DMZ and I would like some pointers on setting up our config. I am new to Cisco / Pix. I have the pix setup to allow outbound traffic and also VPN coming in. I would like to enable access from the outside to inside to our mailserver for smtp and https but am not quite sure how this should be done.
pix is on IP outside x.x.x.165. mailserver is on inside 192.168.1.x. Would like to use outside x.x.x.166 for mailserver. What is involved in allowing the traffic and routing it to the inside network ? Does anyone have any sample configs.
ip access-list out2in extended permit tcp any host x.x.x.166 eq smtp ip access-list out2in extended permit tcp any host x.x.x.166 eq https
access-group out2in in interface outside
(the syntax for the access-group command might have changed.)
There are a fair number of configuration examples on cisco.com
There is more that could be added to the above, especially if you want to support ESMTP, but I would have to look those up. If you search groups.google.com for this newsgroup, within the last couple of weeks someone posted the setup -- search for PIX together with "inspect esmtp".
Thanks for your reply and help. I have applied the commands etc and it all looks fine but I still do not have any access from the outside on https or smtp. I am new to Cisco PIX and so have not yet fully grasped the setup etc.
Basically we have an oustide ip range from x.x.x.161 to x.x.x.173. Our DSL router operates on 161 and we have other equipment currently running on 162 - 164.
I would like to set the PIX 515R up on x.x.x.165. Initially I need to allow traffic in to our mailserver (SMTP) and (HTTPS). This is on the internal network on x.x.x.6. I also need the VPN open so we can allow users to connect in via VPN. Moving on from that we will be setting up a webserver on a DMZ (the pix is a 515R-DMZ).
At present the PIX is working and traffic is flowing out correctly. We can also connect in via the VPN fine. But no traffic is coming in on HTTPS or SMTP. One question I have is regarding the IP's. Our PIX has an outside of x.x.x.165. Can we setup to be picked up on x.x.x.166 even though there is only one outside interface ? Or does the traffic need to come in on 165 ?
I have posted my current config below - any help would be greatly appreciated ?
-------- Show Config ----------------
: Saved : Written by enable_15 at 10:22:02.021 UTC Tue Jan 19 1993 ! PIX Version 7.0(5) ! hostname carouselpix domain-name gateway.local enable password 8Ry2YjIyt7RRXU24 encrypted names name x.x.1.6 mailserver name x.x.138.166 mailserveroutside dns-guard ! interface Ethernet0 nameif outside security-level 0 ip address x.x.138.165 255.255.255.240 ! interface Ethernet1 nameif inside security-level 100 ip address x.x.1.22 255.255.255.0 ! interface Ethernet2 shutdown no nameif no security-level no ip address ! passwd 2KFQnbNIdI.2KYOU encrypted ftp mode passive access-list outside_access_in extended permit tcp any eq https any eq https access-list inside_nat0_outbound extended permit ip any x.x.5.96
255.255.255.240 access-list out2in extended permit tcp any host x.x.138.166 eq smtp access-list out2in extended permit tcp any host x.x.138.166 eq https pager lines 24 logging asdm informational mtu inside 1500 mtu outside 1500 ip local pool VPN x.x.5.100-x.x.5.110 mask 255.255.255.0 asdm image flash:/asdm asdm location mailserveroutside 255.255.255.255 outside no asdm history enable arp timeout 14400 global (outside) 10 interface nat (inside) 0 access-list inside_nat0_outbound nat (inside) 10 0.0.0.0 0.0.0.0 static (inside,outside) tcp interface smtp mailserver smtp netmask
255.255.255.255 static (inside,outside) tcp interface https mailserver https netmask
255.255.255.255 static (outside,> > >I have a new PIX 515R DMZ and I would like some pointers on setting up
Your statics are all kindsa messed up messed.... remove the static (outside,inside) one...it's backwards, your other ones are using your outside interfaces IP which is .165, your acl and your name says you want to use .166 for your mail.
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here.
All logos and trade names are the property of their respective owners.