Firewall Wizards mailing list archives

Re: Pix 501 NAT problems with Web and Exchange server


From: "Crissup, John \(MBNAP it\)" <John.Crissup () us millwardbrown com>
Date: Mon, 27 Nov 2006 12:02:07 -0600

The most glaring problem that immediately shows up is your access list
assuming that all traffic destined for port 80 (for example) will also
be sourced from port 80.  Quoting a couple of your lines below...

access-list outside_access_in permit tcp any eq www interface outside eq www
access-list outside_access_in permit tcp any eq https interface outside eq https
access-list outside_access_in permit tcp any eq smtp interface outside eq smtp

These should be changed to...

access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in permit tcp any interface outside eq https
access-list outside_access_in permit tcp any interface outside eq smtp

-- 
John 
 
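A small model of how the PIX evaluates those access-list entries, added here as an illustration and not taken from the post or from Cisco: it parses both the quoted and the corrected entries and checks them against constructed inbound connections that use ephemeral source ports, which is what real clients and mail servers actually send.

```python
from dataclasses import dataclass
from typing import Optional

# Service keywords used in the post, mapped to the port numbers they stand for.
WELL_KNOWN = {"www": 80, "https": 443, "smtp": 25}

@dataclass(frozen=True)
class Rule:
    proto: str
    src_port: Optional[int]  # None means "any source port"
    dst_port: int

def parse_acl(line: str) -> Rule:
    """Parse the 'permit tcp any [eq SRC] interface outside eq DST' form used in the post."""
    tok = line.split()
    assert tok[0] == "access-list" and tok[2] == "permit" and tok[4] == "any"
    proto, i, src_port = tok[3], 5, None
    if tok[i] == "eq":               # the buggy form: a source-port qualifier after 'any'
        src_port = WELL_KNOWN[tok[i + 1]]
        i += 2
    assert tok[i] == "interface" and tok[i + 2] == "eq"
    return Rule(proto, src_port, WELL_KNOWN[tok[i + 3]])

def permitted(rules, proto: str, src_port: int, dst_port: int) -> bool:
    """First-match evaluation; no matching entry means the implicit deny applies."""
    for r in rules:
        if r.proto == proto and r.dst_port == dst_port and r.src_port in (None, src_port):
            return True
    return False

ORIGINAL_ACL = [
    "access-list outside_access_in permit tcp any eq www interface outside eq www",
    "access-list outside_access_in permit tcp any eq https interface outside eq https",
    "access-list outside_access_in permit tcp any eq smtp interface outside eq smtp",
]
CORRECTED_ACL = [
    "access-list outside_access_in permit tcp any interface outside eq www",
    "access-list outside_access_in permit tcp any interface outside eq https",
    "access-list outside_access_in permit tcp any interface outside eq smtp",
]

# Constructed inbound SYNs as (proto, src_port, dst_port): ephemeral source port
# toward the published service port. The last one is the only shape the
# original entries would ever accept.
SAMPLE_CONNECTIONS = [("tcp", 51234, 80), ("tcp", 51235, 443),
                      ("tcp", 34567, 25), ("tcp", 80, 80)]

def evaluate(acl_lines, connections):
    """Map each (src_port, dst_port) in connections to whether the ACL permits it."""
    rules = [parse_acl(line) for line in acl_lines]
    return {(s, d): permitted(rules, p, s, d) for p, s, d in connections}
```

Running evaluate() over both lists shows the original entries dropping every realistic browser and MTA connection while the corrected entries permit them all.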

________________________________

From: firewall-wizards-bounces () listserv icsalabs com
[mailto:firewall-wizards-bounces () listserv icsalabs com] On Behalf Of
William A. May
Sent: Saturday, November 25, 2006 7:51 PM
To: firewall-wizards () listserv icsalabs com
Subject: [fw-wiz] Pix 501 NAT problems with Web and Exchange server



I read through the postings about inbound NAT problems with the PIX 501
posted in February 2005 and tried to configure my new PIX 501
accordingly but with little luck.  What I am trying to do is replace my
Linksys WRT54G with a PIX 501.  I have a Web server and an Exchange
Server 2003 on my internal network and I want to be able to have my web
page accessed from the outside and I also want to be able to continue to
receive my email.  Currently I can view web pages and send email.
Listed below is my current configuration, with certain marked changes;
please let me know where I'm going wrong.

Thanks,

Alan


: Saved
: Written by enable_15 at 19:49:11.582 UTC Sat Nov 25 2006
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password <deleted> encrypted
passwd <deleted> encrypted
hostname pixfirewall <changed>
domain-name ciscopix.com <changed>
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 172.16.10.0 LAN <changed>
name 172.16.10.11 Web-Exch-Server <changed>
access-list outside_access_in permit tcp any eq www interface outside eq www
access-list outside_access_in permit tcp any eq https interface outside eq https
access-list outside_access_in permit tcp any eq smtp interface outside eq smtp
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any traceroute
access-list outside_access_in permit icmp any any time-exceeded
access-list inside_access_in permit icmp any any
access-list inside_access_in permit ip LAN 255.255.255.0 any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 172.16.10.1 255.255.255.0 <changed>
ip audit info action alarm
ip audit attack action alarm
pdm location LAN 255.255.255.0 inside
pdm location Web-Exch-Server 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www Web-Exch-Server www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https Web-Exch-Server https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp Web-Exch-Server smtp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http LAN 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
terminal width 80
Cryptochecksum:8069dd3a26bd7570990dfe55c7c7064e
: end

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards