Alan,

If I understand correctly, you are missing only the ability to pop your
mail server from the outside. Just add the following statements to fix
that.

access-list outside_access_in permit tcp any eq pop3 interface outside eq pop3
static (inside,outside) tcp interface pop3 Web-Exch-Server pop3 netmask 255.255.255.255 0 0

Cheers,

Rob Gills

________________________________

From: firewall-wizards-bounces@listserv.icsalabs.com
[mailto:firewall-wizards-bounces@listserv.icsalabs.com] On Behalf Of
William A. May
Sent: November 25, 2006 8:51 PM
To: firewall-wizards@listserv.icsalabs.com
Subject: [fw-wiz] Pix 501 NAT problems with Web and Exchange server

I read through the postings about inbound NAT problems with the PIX 501
posted in February 2005 and tried to configure my new PIX 501
accordingly but with little luck. What I'm trying to do is replace my
Linksys WRT54G with a PIX 501. I have a Web server and an Exchange
Server 2003 on my internal network and I want to be able to have my web
page accessed from the outside and I also want to be able to continue to
receive my email. Currently I can view web pages and send email.
Listed below is my current configuration, with certain marked changes;
please let me know where I'm going wrong?

Thanks,

Alan

: Saved
: Written by enable_15 at 19:49:11.582 UTC Sat Nov 25 2006
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password <deleted> encrypted
passwd <deleted> encrypted
hostname pixfirewall <changed>
domain-name ciscopix.com <changed>
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 172.16.10.0 LAN <changed>
name 172.16.10.11 Web-Exch-Server <changed>
access-list outside_access_in permit tcp any eq www interface outside eq www
access-list outside_access_in permit tcp any eq https interface outside eq https
access-list outside_access_in permit tcp any eq smtp interface outside eq smtp
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any traceroute
access-list outside_access_in permit icmp any any time-exceeded
access-list inside_access_in permit icmp any any
access-list inside_access_in permit ip LAN 255.255.255.0 any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 172.16.10.1 255.255.255.0 <changed>
ip audit info action alarm
ip audit attack action alarm
pdm location LAN 255.255.255.0 inside
pdm location Web-Exch-Server 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www Web-Exch-Server www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https Web-Exch-Server https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp Web-Exch-Server smtp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http LAN 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
terminal width 80
Cryptochecksum:8069dd3a26bd7570990dfe55c7c7064e
: end
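Rob's answer rests on a pairing rule: publishing a service through the outside interface of a PIX 6.3 needs both a `static (inside,outside) tcp interface <port> ...` translation and a matching `permit tcp ... interface outside eq <port>` entry in the ACL bound to the outside interface. The script below is an added example written for this page, not code from the thread or from Cisco; it parses `access-list` and `static` lines of the exact forms shown in the posted configuration and reports (a) statics with no matching permit and permits with no matching static, and (b) entries that carry an `eq <port>` operator directly after the source address, which in the PIX extended-ACL grammar is a source-port match rather than a destination-port match. The sample inputs are constructed subsets of the posted lines; `HALF_POP3` and `CLEAN` are hypothetical variants used to exercise both checks.

```python
"""PIX 6.3 inbound-service consistency check (added example, not thread code).

Handles only the TCP ACL and static forms used in the posted configuration:
    access-list NAME permit tcp SRC [eq PORT] DST [eq PORT]
    static (inside,outside) tcp GLOBAL GPORT LOCAL LPORT netmask ...
where SRC/DST is `any`, `interface <name>`, `host <addr>` or `<addr> <mask>`.
"""
from dataclasses import dataclass
from typing import List, Optional

# Service names as the PIX prints them, mapped to numbers so that
# "eq www" and "eq 80" compare equal.
PORT_NAMES = {"www": "80", "http": "80", "https": "443", "smtp": "25", "pop3": "110"}


def norm_port(port: str) -> str:
    return PORT_NAMES.get(port, port)


@dataclass
class AclEntry:
    name: str
    action: str
    src: str
    src_port: Optional[str]   # set only when `eq` follows the source address
    dst: str
    dst_port: Optional[str]
    raw: str


@dataclass
class StaticEntry:
    global_addr: str          # "interface" when the outside address is reused
    global_port: str
    local_addr: str
    local_port: str
    raw: str


def _take_addr(tokens, i):
    """Consume one address spec: `any` is one token, the other forms are two."""
    if tokens[i] == "any" or i + 1 >= len(tokens):
        return tokens[i], i + 1
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


def _take_port(tokens, i):
    """Consume an optional `eq <port>` operator at position i."""
    if i + 1 < len(tokens) and tokens[i] == "eq":
        return norm_port(tokens[i + 1]), i + 2
    return None, i


def parse_acl(line: str) -> Optional[AclEntry]:
    """Parse a TCP extended-ACL line; icmp/ip lines return None (no port operators)."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[3] != "tcp":
        return None
    src, i = _take_addr(t, 4)
    sport, i = _take_port(t, i)
    if i >= len(t):
        return None
    dst, i = _take_addr(t, i)
    dport, i = _take_port(t, i)
    return AclEntry(t[1], t[2], src, sport, dst, dport, line)


def parse_static(line: str) -> Optional[StaticEntry]:
    """Parse a TCP port-redirection static; anything else returns None."""
    t = line.split()
    if len(t) < 7 or t[0] != "static" or t[2] != "tcp":
        return None
    return StaticEntry(t[3], norm_port(t[4]), t[5], norm_port(t[6]), line)


def check_inbound(config_text: str, acl_name: str = "outside_access_in") -> List[str]:
    """Return findings; an empty list means statics and permits pair up and
    no permit restricts the client's source port."""
    acls, statics = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        acl = parse_acl(line)
        if acl is not None:
            if acl.name == acl_name and acl.action == "permit":
                acls.append(acl)
            continue
        st = parse_static(line)
        if st is not None:
            statics.append(st)

    findings = []
    published = {s.global_port for s in statics if s.global_addr == "interface"}
    permitted = {a.dst_port for a in acls if a.dst == "interface outside" and a.dst_port}
    for port in sorted(published - permitted):
        findings.append(f"static publishes tcp/{port} but {acl_name} has no permit for it")
    for port in sorted(permitted - published):
        findings.append(f"{acl_name} permits tcp/{port} but no static publishes it")
    for a in acls:
        if a.src_port is not None:
            findings.append(f"entry matches only clients with source port {a.src_port}: {a.raw}")
    return findings


# Constructed sample: the inbound-relevant lines of the posted configuration.
POSTED = """\
access-list outside_access_in permit tcp any eq www interface outside eq www
access-list outside_access_in permit tcp any eq https interface outside eq https
access-list outside_access_in permit tcp any eq smtp interface outside eq smtp
access-list outside_access_in permit icmp any any echo-reply
static (inside,outside) tcp interface www Web-Exch-Server www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https Web-Exch-Server https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp Web-Exch-Server smtp netmask 255.255.255.255 0 0
"""

# Constructed (hypothetical): the pop3 static added without its permit entry.
HALF_POP3 = POSTED + (
    "static (inside,outside) tcp interface pop3 Web-Exch-Server pop3 netmask 255.255.255.255 0 0\n")

# Constructed (hypothetical): each permit names only the destination port.
CLEAN = """\
access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in permit tcp any interface outside eq pop3
static (inside,outside) tcp interface www Web-Exch-Server www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 Web-Exch-Server pop3 netmask 255.255.255.255 0 0
"""

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("half pop3", HALF_POP3), ("clean", CLEAN)):
        print(f"== {label}")
        for finding in check_inbound(cfg) or ["ok"]:
            print("  ", finding)
```

Run against the posted lines, the script reports no pairing gap for www, https and smtp, but flags all three permits as source-port restricted, since each reads `any eq <port>` before the destination; `HALF_POP3` adds the missing-permit finding for tcp/110, and `CLEAN` produces no findings. Pasting the full saved configuration in as `config_text` works the same way, because lines the parser does not recognise are skipped.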

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailma...rewall-wizards
