PIX 515E external SMTP and POP access DMZ
Hi all
I need help to solve the problem I am facing with the configuration.
config: PIX515E Ver 6.3 (1), with 6 interfaces outside the interface is connected to the Internet router and assigned public IP. Access to the Internet is configured for users connected inside Interface only using the command Nat & Global (Global off-1 Interface). I want to activate the access to electronic mail (SMTP & POP3) host couple in one of the demilitarized zone.
1 NAT configured on the interface & access list applied. If I allowed SMTP & POP only I even don't get a kick on the access list. If I have IP enable any of these hosts, I can surf the net, E-mail etc. After that when I restict to SMTP & POP only, it works for a while, after some time, I don't see any future success to the access list.
What could the case of such behavior, I missing something...?, I'm confused.
Thanks in advance.
Best regards
Ensure that you allow DNS from these hosts too (UDP/53), as they're going to do queries DNS for the remote host IP address and the domain MX record before they can establish a connection to the mail host relevant external.
If you allow all IP then they will be able to make the DNS query, then perform the connection SMTP/POP, and they will be cached DNS queries for awhile that's why it works for a while after the removal of the ACL. Once the DNS cache expires in these hosts, they must make another DNS query causing crashes so that you don't have him through the ACL permits.
Tags: Cisco Security
Similar Questions
-
SMTP and POP with IOS iPad 2 Air 9
My email did not work for several months, since I upgraded my iPad 2 Air of iOS to iOS 8 9. Apparently I missed the window to load iOS back 8. Does anyone know if Apple has fixed iOS 9.1 so I can reuse the SMTP/POP email services?
they have never broken with ios9
try to remove the account and reintroduce
and make sure your carrier if the cellular router or wifi if wifi enable the ports required by your provider for smtp and pop email
-
PIX site to site and remote access
Dear guy
I have a PIX 515e with version 8.0 and the other side a 2811 router, the vpn site to site between these two devices is implemented, but I want some remote clients can connect to pix,.
so is this possibe two implement a site to access remote vpn on pix interface (outside)?
any clue?
Hello
Yes, it is quite possible. Please see attached the sample configuration. Note This is for pix v7.x, but it should work fine for 8.x
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00807f9a89.shtml
HTH
Jon
-
Add SMTP and POP to the Muse contact form
Hi all
my contact form has met a PHP error, my server host is now telling me to add SMTP specifications and pop I use for my internship program and I have no experience with coding, also, I find not all boards online that seems useful. can someone tell me what my host and how do I do this?
Thank you!
Valerie
I would like to summarize, you don't waste time. Order form the Muse worked on the smtp Protocol, you need two things: 1) if traffic is important, you will need your own SMTP server. You should buy software (public SMTP is not reliable), being able to install and configure. (2) you must change the code in form.php, make a backup of this file and upload it to the server whenever you make a change on the site of Muse.
It is easier to use only one-third of hosting supporting php and php mail.
-
Termination of the client PIX VPN and Internet access from the same interface
Hello
VPN remote users connect to PIX (7.2) outside interface, but need to have these clients to access the Internet through the PIX outside interface as well. Need this because PIX IPs is registered and allowed access to some electronic libraries. One way would be to set up a proxy within the network and vpn users have access to the Internet through the proxy, but can it be done without proxy?
Yes, public internet on a stick
-
PIX 515E and remote access VPN
I use a PIX 515E with: ASDM Version: 5,0000 51 PIX Version: 8.0 (4) and configure it with remote access VPN.
I would like to get an email every time that a user login (and or disconnection) to the VPN. Remote clients use the Cisco VPN Client.
Any help is appreciated,
Hello
Here is a link to the email configuration when you log in to the ASA/PIX: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html#anc7
Then you can create a list of message to send the logs only for the connection/disconnection of the VPN user: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html#anc18
There is a wire that is linked here: https://supportforums.cisco.com/discussion/10798976/asa-email-logging-issue
-
We have a PIX 515E firewall and the SMTP banner is changed to 220 *.
I need to disable this and I can't use the command "no fixup protocol SMTP" as it is not present in 7.1.
Any suggestions?
Kind regards
Keyvan
This is done under the map class 'class-map inspection_default' in this version of the PIX OS.
pls rate if useful!
-
PIX 501 and pcAnywhere access rules
Hello
I'm having a problem with the implementation of pcANywhere remote access Access 2 servers on the inside network. I created 2 static rules and access lists 2 to start, but I can't get thru to the server. These are the settings
static (inside, outside) 7x.x.x.x 5631 172.16.x.x tcp 5631 255.255.255.255
static (inside, outside) udp 7x.x.x.x 172.16.x.x 5632 5632 255.255.255.255
list of allowed inbound tcp access any host 172.16.x.x eq 5631
list of allowed inbound udp access any host 172.16.x.x eq 5632
Access-group interface incoming outside
Version 6.3 of the PIX using
I also tried access server list terminal server because another method of access, but not go either.
There are no other rules.
Any ideas why this would not work?
TIA
Vince
your external ACL must mention the public IP address of your server:
list of allowed inbound tcp access any host 7x.x.x.x eq 5631
list of allowed inbound udp access any host 7x.x.x.x eq 5632
-
PIX 515e, multiple VIRTUAL networks on a physical interface to DMZ
We try to set up multiple VIRTUAL networks on a physical interface to the DMZ on a PIX 515e.
The goal is to have logical subnets linked to our single, physical interface DMZ.
Here's what I've tried so far without success:
The switch
-created the vlan 30
-added switchports fa0/1 to 30 of vlan
-attached host 192.168.100.1 in fa0/1
-added switchport fa0/24 to the vlan 1 and vlan 30 with multimode
-interface PIX DMZ connected to fa0/24 switchport
-attached host to switchport fa0/10 172.16.1.55 (vlan 1)
PIX:
Auto interface ethernet2
logical ethernet2 vlan30 interface
nameif DMZ security50 ethernet2
nameif vlan30 dmz2 security50
address IP DMZ 172.16.1.254 255.255.255.0
IP address dmz2 192.168.100.254 255.255.255.0
Results:
-172.16.1.55 has full connectivity to the PIX and beyond.
-192.168.100.1 cannot ping the PIX to the 192.168.100.254 or anything else besides.
Any help would be greatly appreciated. Also, I realize that I could buy a four port NIC and use the physical interfaces, but I can't get the approved purchase.
Thank you
Creation of VLANS on Ethernet1
We want to create a new interface VLAN - VLAN30 and name DMZ2. Also affect the security level 50 in it.
Step 1: Create a physical Interface:
PIX (config) # interface ethernet1 vlan2 physical
Step 2: Name the Interface and set the security level:
PIX (config) # nameif ethernet1 inside the security100
Step 3: Assign the IP address of the interface:
PIX (config) # ip inside 192.168.1.1 address 255.255.255.0
Step 4: Create the logical Interface:
PIX (config) # interface ethernet1 vlan30 logical
Step 5: Name of the Interface and set the security level:
PIX (config) # nameif vlan30 DMZ2 security50
Step 6: Assign IP address to the interface:
IP pix (config) # DMZ2 192.168.100.254 255.255.255.0
Step 7. Switch, set the port where from the inside, to the Isls or dot1q physical interface. Place the sheath in the native vlan2 as in step 1.
-
ASA inside access DMZ and return
Hi Expert,
How configure ASA to allow access from the inside to dmz host and also back?
Thank you.
Rgds,
To the Shaw feel Yeong
Hello
By default, access from inside the DMZ is permitted this access is through higher security level to lower the level of security.
Return to inside host traffic is automatically granted by ASA/firewall if the connection / translation is valid / exists.
Example:
Inside of the intellectual property: 192.168.1.1/24
DMZ: 172.16.1.1/24
2 two ways to do:
a. use nat & global command:
Global (dmz) 1 172.16.1.10 - 172.16.1.20--> help de.10 a.20 will be used inside hosts to access dmz
Global (dmz) 1 172.16.1.21--> all inside will use this IP like PAT, if the above range is fully used.
NAT (inside) 1 192.168.1.0 255.255.255.0
Note:
-Use the ACL if you need to control the type of service to pass through and apply on the inside of the interface.
b. static use of translation between inside and DMZ subnets:
static (inside, dmz) 192.168.1 192.168.1.0 netmask 255.0.0.0
Note:
-This will allow inside the host to initiate & access dmz and dmz to initiate & access to the inside (initiate connection to dmz host). When DMZ accessing inside the host, DMZ use inside physics/assigned host IP.
-Use the ACL if you need to control the type of service for cross and apply on time interfaces dmz & Interior.
Example of configuration:
* Watch under command "static (inside the dmz).
Rgds,
AK
-
IPSEC VPN between Pix 515E and 1841 router
Hi all
BACKGROUND
We have implemented a site to site VPN IPSEC between a Pix 515E 8.0 operation (4) and an 1841 using static IP addresses at both ends. We used CCP on the router and the ASDM the pix to build initial tunnels. Now the site with the router is evolving into a dynamic IP address from the ISP so we have implemented dynamic DNS to update dynamic IP address.
PROBLEM
The problem is that ASDM will not allow us to set a domain as the address of peers, it will not accept an IP address. We believe that the solution will be to remove the static Crypto map and replace it with a dynamic Crypto map on the side of Pix. Our questions are simply; is this the best solution? can change us the original static list or is it better to delete and make a new dynamic encryption card? Y at - it a shortcut to change the config command-line? This is a real network, so just check it out before make us any changes on the live kit.
Any help much appreciated.
You don't have to change anything when the peer-address changes. The dynamic crypto map aims to take dynamic peer connections. The only thing to remember, is that only the dynamic peer can initiate the connection. And you reduce your security if you use Pre-Shared key that now you can use a generic-PSK character.
As I remember, the PIX / ASA does not support the dynamic use of FQDNs for peer-resolution. This feature is supported in IOS.
For a feature, it would be preferable to static IP addresses on both sides.
-
Hello, this is not considered a regular registered sites export (I have many)... and it's a mistake.
In short, after computer out, I got the hard drive I have USB (old win 7 pro on an external drive)
How can I get my list of sites and FTP access, password etc...
they are encrypted in the registry if I'm not mistaken?
any idea?
Thank you.
(Google translation)
proceedings found:
Just do an export of the new common/site .reg file and the modifier with the values of the old and then importing, everything works
Thank you
-
Configuration of RADIUS and accounting AAA + PIX-515E
Dear All;
I want to put the accounting of PIX.
Here is the composition of the equipment.
ACS SE: 4.1.1.23.5
PIX 515E: 7.0 (6)
PIX of setting is as follows.
GANYMEDE + Protocol Ganymede + AAA-server
AAA-server GANYMEDE + host xx.xx.xx.xx
key xxxxx
order of accounting AAA GANYMEDE +.
Console telnet accounting AAA GANYMEDE +.
Thus, the configuration setting was written in ACS.
But the user name is enable_15. (attached 1.jpg)
Is it a restriction?
Kind regards
Reiji
Hi Marilou,
Looks like we have the authority to command configured on the pix. You must enable authentication configured on the RADIUS server then only we would get username is accounting, unlike pix Device IOS doesn't send user name to the RADIUS server, he would send enable_15 as username for all users.
Configure the following command to make it work.
AAA authentication enable console LOCAL + Ganymede
HTH
-Philou
-
I am a new user and I'm trying to configure a PIX 515e Ver 6.3 (3). How can I give my users inside access to my webfarm located on dmz1. I am able to access the test sites inside and outside dzm1. I can't access the Web inside dmz1 sites. Here is my current config:
6.3 (3) version PIX
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
Automatic stop of interface ethernet3
Automatic stop of interface ethernet4
Automatic stop of interface ethernet5
ethernet0 nameif outside security0
nameif ethernet1 inside the security100
nameif ethernet2 dmz1 security50
nameif ethernet3 intf3 securite6
nameif ethernet4 intf4 security8
ethernet5 intf5 security10 nameif
enable password xxxx
passwd xxxx
hostname pix1
apprendrefacile.com domain name
fixup protocol dns-length maximum 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol 2000 skinny
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names of
aetest name 10.10.10.1
name 10.10.10.2 aetest1
name 13.13.13.3 aetestdmz
name 13.13.13.4 aetestdmz1
access-list from-out-to allow tcp any any eq www
pager lines 24
opening of session
debug logging in buffered memory
Outside 1500 MTU
Within 1500 MTU
dmz1 MTU 1500
intf3 MTU 1500
intf4 MTU 1500
intf5 MTU 1500
IP address outside the 12.x.x.x.255.255.0
IP address inside 10.10.10.2 255.255.255.0
IP address dmz1 13.x.x.x.255.255.0
No intf3 ip address
No intf4 ip address
No intf5 ip address
alarm action IP verification of information
alarm action attack IP audit
no failover
failover timeout 0:00:00
failover poll 15
No IP failover outdoors
No IP failover inside
no failover ip address dmz1
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
history of PDM activate
ARP timeout 14400
public static 12.12.12.15 (inside, outside) aetest netmask 255.255.255.255 0 0
public static 12.12.12.16 (inside, outside) aetest1 netmask 255.255.255.255 0 0
(dmz1, external) 12.12.12.17 static aetestdmz netmask 255.255.255.255 0 0
(dmz1, external) 12.12.12.18 static aetestdmz1 netmask 255.255.255.255 0 0
Access-group from-out-to external interface
Route outside 0.0.0.0 0.0.0.0 12.12.12.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225
H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00
Timeout, uauth 0:05:00 absolute
GANYMEDE + Protocol Ganymede + AAA-server
RADIUS Protocol RADIUS AAA server
AAA-server local LOCAL Protocol
Enable http server
http 10.10.10.207 255.255.255.255 inside
No snmp server location
No snmp Server contact
SNMP-Server Community public
No trap to activate snmp Server
enable floodguard
Telnet 10.10.10.0 255.255.255.0 inside
Telnet timeout 20
SSH timeout 5
Console timeout 0
Terminal width 80
Cryptochecksum:XXXXX
: end
Thank you... Jay
with pix v6.x, nat/global or static is a must do before the pix will start to transfer packets between two interfaces.
the current static instructions do not cover the translation between the inside and the dmz. as the traffic between pix inside the net and dmz is private, I suggest you to set up no. - nat between the two.
for example
static (inside, dmz1) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
clear xlate
in the above example, pix inside the host must be able to access the dmz Server pointing to the private ip address of dmz Web server.
If you prefer the pix inside the host to access the dmz by name server, then "alias" command should be applied.
for example
alias (inside) 13.13.13.3 12.12.12.17 255.255.255.255
the need for the command "alias" is due to the fact that when pix inside the host tries to access the server dmz by name, the public dns will point to the public IP address of the dmz Web server. now, as the static electricity created for the dmz Web server is directional i.e. public ip will be accessible from the outside, not the pix inside the net. so the 'alias' command will allow the PIX to manipulate the dns response and point the name to the private ip of Web server dmz for the pix inside the host.
-
Hello
I have pix 515E and I configured a VPN on it. My users connect to my network from the internet via the Cisco VPN client.
I have problem, only their LAN machine can do VPN from Cisco VPN client to my network at once.
Users are connected to the internet via an ADSL router and the LAN switch.
--------------------------------------------------
PIX Config:
6.3 (4) version PIX
interface ethernet0 car
Auto interface ethernet1
ethernet0 nameif outside security0
nameif ethernet1 inside the security100
enable encrypted password xxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxx encrypted passwd
hostname ABCDEFGH
ABCD.com domain name
clock timezone IS - 5
clock to summer time EDT recurring
fixup protocol dns-length maximum 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol 2000 skinny
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
inside_out to the list of allowed access nat0_acl ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
list of allowed shared access ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
Outside 1500 MTU
Within 1500 MTU
IP address outside xxx.xxx.xxx.xxx 255.255.255.0
IP address inside 192.168.1.1 255.255.255.0
alarm action IP verification of information
alarm action attack IP audit
IP local pool vpnpool 192.168.2.1 - 192.168.2.254
PDM logging 100 information
history of PDM activate
ARP timeout 14400
Global interface 10 (external)
NAT (inside) 0-list of access inside_out-nat0_acl
NAT (inside) 10 0.0.0.0 0.0.0.0 0 0
Route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225
H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00
Timeout, uauth 0:05:00 absolute
GANYMEDE + Protocol Ganymede + AAA-server
AAA-server GANYMEDE + 3 max-failed-attempts
AAA-server GANYMEDE + deadtime 10
RADIUS Protocol RADIUS AAA server
AAA-server RADIUS 3 max-failed-attempts
AAA-RADIUS deadtime 10 Server
AAA-server RADIUS (inside) host ABCDE timeout 10
AAA-server local LOCAL Protocol
RADIUS protocol radius AAA-server
Radius max-failed-attempts 3 AAA-server
AAA-radius deadtime 10 Server
RADIUS protocol AAA-server partnerauth
AAA-server partnerauth max-failed-attempts 3
AAA-server deadtime 10 partnerauth
partnerauth AAA-server (host ABCDEFG myvpn1 timeout 10 Interior)
Enable http server
http 192.168.1.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
SNMP-Server Community public
No trap to activate snmp Server
enable floodguard
Permitted connection ipsec sysopt
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto-map dynamic outside_dyn_map 20 the transform-set ESP-3DES-MD5 value
map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map
card crypto client outside_map of authentication partnerauth
outside_map interface card crypto outside
ISAKMP allows outside
ISAKMP key * address 0.0.0.0 netmask 0.0.0.0
ISAKMP identity address
part of pre authentication ISAKMP policy 8
ISAKMP strategy 8 3des encryption
ISAKMP strategy 8 md5 hash
8 2 ISAKMP policy group
ISAKMP life duration strategy 8 the 86400
part of pre authentication ISAKMP policy 10
ISAKMP policy 10 3des encryption
ISAKMP policy 10 sha hash
10 2 ISAKMP policy group
ISAKMP life duration strategy 10 86400
vpngroup myvpn address vpnpool pool
vpngroup myvpn ABCDE dns server
vpngroup myvpn by default-field ABCD.com
splitting myvpn vpngroup split tunnel
vpngroup idle 1800 myvpn-time
vpngroup myvpn password *.
Telnet 192.168.1.0 255.255.255.0 inside
Telnet timeout 5
SSH timeout 5
Console timeout 0
dhcpd address 192.168.1.200 - 192.168.1.254 inside
dhcpd dns ABCDE
dhcpd lease 3600
dhcpd ping_timeout 750
field of dhcpd ABCD.com
dhcpd outside auto_config
dhcpd allow inside
Terminal width 80
--------------------------------------------------
Thanks in advance.
-Amit
Try to add the "isakmp nat-traversal" command to your PIX. I suspect what happens is that Remote LAN users is translated to a single IP address as they pass through the DSL connection. I also assume that the machine doing the translation has a capacity of IPSec passthrough. Linksys routers would be a good example of this type of NAT device that allows IPSec pull-out.
If that's the case, that a single VPN connection will be able to operate both. The above command will turn PIX detect clients that are located behind a NAT device, and then try to configure the VPN sessions in UDP packets and so to work around the limitation of NAT and IPSec passthrough device.
Maybe you are looking for
-
To bookmark pages will not appear in the bookmarks.
Not too long ago, I lost all my favorites. I went on creating all new bookmarks. I had a lot of Favorites and I had just finished organizing them into folders. The next time I start my computer, they were all gone, and bookmarks that were previously
-
Satellite A505-S6025: Win 7 64 bit - driver ACPI\TOS1901 fails
I have this problem and my phone freeze.If anyone knows what it is and how I can solve this problem. Thank you!!! failed to load the ACPI\TOS1901\2 device driver\driver\fwlnk & daba3ff & 2
-
Satellite P100-324 - graphic question
Satellite P100-324All native driver, from a site of the manufacturer.Intel (R) Core (TM) T7400 @2 2CPU. 216 GHz - driver 5.1.2600.0GeForce Go 7900 GS - 8.4.0.0 driverBIOS it is updated to the latest version - v4.70Windoows - license The computer, ear
-
First of all, I'm 50 years old and I grew up in the time before the PC, so I am very naïve. I have a laptop from Lenovo and it has a camera in it. I recently discovered that it can take still pictures, so I took some pictures of me. Now I want to dow
-
Hey,.My computer that I've had for a few years now worked perfectly all the time? Recently it started crashing without real reason. The full screen goes black and the sound tends to block and keep repeating! I haven't added a new software or hardware