Firewall Wizards mailing list archives

Pix 501 NAT problems with Web and Exchange server


From: "William A. May" <alan () aldorian com>
Date: Sat, 25 Nov 2006 20:50:49 -0500

I read through the postings about inbound NAT problems with the PIX 501
posted in February 2005 and tried to configure my new PIX 501
accordingly but with little luck.  What I am trying to do is replace my
Linksys WRT54G with a PIX 501.  I have a Web server and an Exchange
Server 2003 on my internal network and I want to be able to have my web
page accessed from the outside and I also want to be able to continue to
receive my email.  Currently I can view web pages and send email.
Listed below is my current configuration, with certain marked changes;
please let me know where I'm going wrong.

Thanks,

Alan

: Saved
: Written by enable_15 at 19:49:11.582 UTC Sat Nov 25 2006
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password <deleted> encrypted
passwd <deleted> encrypted
hostname pixfirewall <changed>
domain-name ciscopix.com <changed>
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 172.16.10.0 LAN <changed>
name 172.16.10.11 Web-Exch-Server <changed>
access-list outside_access_in permit tcp any eq www interface outside eq www
access-list outside_access_in permit tcp any eq https interface outside eq https
access-list outside_access_in permit tcp any eq smtp interface outside eq smtp
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any traceroute
access-list outside_access_in permit icmp any any time-exceeded
access-list inside_access_in permit icmp any any
access-list inside_access_in permit ip LAN 255.255.255.0 any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 172.16.10.1 255.255.255.0 <changed>
ip audit info action alarm
ip audit attack action alarm
pdm location LAN 255.255.255.0 inside
pdm location Web-Exch-Server 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www Web-Exch-Server www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https Web-Exch-Server https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp Web-Exch-Server smtp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http LAN 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
terminal width 80
Cryptochecksum:8069dd3a26bd7570990dfe55c7c7064e
: end
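As an added example (not part of the original post, and not a Cisco tool): a small Python review of the access-list and static lines quoted above. In PIX 6.x ACL syntax the first `eq www` after `any` restricts the client's source port, and real clients connect from ephemeral ports, so none of the three tcp permits ever matches an inbound connection and the static port forwards are unreachable. The script flags those entries and emits the same lines with the source-port clause dropped; the config excerpt is copied from the post, with Web-Exch-Server being the poster's own alias.

```python
import re

# Excerpt of the posted PIX 6.3(5) configuration, copied from the post above
# (Web-Exch-Server is the poster's alias for the internal 172.16.10.11 host).
PIX_CONFIG = """\
access-list outside_access_in permit tcp any eq www interface outside eq www
access-list outside_access_in permit tcp any eq https interface outside eq https
access-list outside_access_in permit tcp any eq smtp interface outside eq smtp
access-list outside_access_in permit icmp any any echo-reply
static (inside,outside) tcp interface www Web-Exch-Server www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https Web-Exch-Server https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp Web-Exch-Server smtp netmask 255.255.255.255 0 0
"""
# PIX 6.x ACL grammar: permit tcp <src> [eq <sport>] <dst> [eq <dport>]
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) permit tcp (?P<src>any|\S+ \S+)"
    r"(?: eq (?P<sport>\S+))? (?P<dst>interface \S+|any|\S+ \S+)"
    r"(?: eq (?P<dport>\S+))?\s*$"
)
STATIC_RE = re.compile(
    r"^static \(inside,outside\) tcp interface (?P<gport>\S+) \S+ \S+ netmask"
)

def review(config: str) -> dict:
    """Flag tcp permits that pin the client's source port, and port forwards
    that no usable outside_access_in entry lets through."""
    acl, statics = [], []
    for line in config.splitlines():
        if (m := ACL_RE.match(line)):
            acl.append(m.groupdict())
        elif (m := STATIC_RE.match(line)):
            statics.append(m.groupdict())
    # Clients use ephemeral source ports: requiring source port 80/443/25 never matches.
    pinned = [e["sport"] for e in acl if e["sport"]]
    # A static port forward is dead unless an unpinned permit covers its global port.
    usable = {e["dport"] for e in acl
              if not e["sport"] and e["dst"].startswith("interface")}
    unreachable = [s["gport"] for s in statics if s["gport"] not in usable]
    return {"pinned_source_ports": pinned, "unreachable_statics": unreachable}

def fix_config(config: str) -> str:
    """Rewrite pinned entries without the source 'eq' clause; other lines stay."""
    out = []
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if m and m["sport"]:
            d = m.groupdict()
            line = f"access-list {d['name']} permit tcp {d['src']} {d['dst']} eq {d['dport']}"
        out.append(line)
    return "\n".join(out) + "\n"
```

Running `review(fix_config(PIX_CONFIG))` returns empty lists, which is the state a working inbound forward should be in.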

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
