[afnog] PIX Configuration Issue

Julius Kidubuka juki at one2net.co.ug
Wed Jun 22 10:24:17 EAT 2005


Hi all,

From my last posting, I had issues with getting LAN clients to browse the
internet, which I successfully resolved.

Right now, I can't seem to get the LAN PCs to pop and send mail through
the mail server though they can 'ping' it successfully.

I have done a couple of searches and looked at numerous sample
configurations where the mail server is placed in a DMZ. I have tried to
create a 'kind of DMZ' in the best possible way I can by placing the mail
server on the same subnetwork as the Router and PIX with the use of a
switch (this is because the PIX I am using only has two ethernet
interfaces hence I don't specifically have an interface to assign as a DMZ
interface). This or something else could be the cause of all my mail
problems.


My network diagram is as follows:




     81.199.29.54/30          192.168.0.0/24             192.168.10.0/24
     |Router| ------------- |Switch| -----------|PIX|------------|LANSwitch|
                                |
                                |
                          192.168.0.5
                         |Mail server|



I have attached both configurations (router & PIX) for reference.


Thanks in advance.


Rgds,
Juki.




-------------- next part (PIX configuration) --------------
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
logging on
logging trap errors
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.2 255.255.255.0
ip address inside 192.168.10.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm history enable
arp timeout 14400
global (outside) 1 192.168.0.20-192.168.0.220 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
conduit permit tcp host 192.168.0.5 eq smtp any
rip inside passive version 1
rip inside default version 1
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
rip inside passive version 1
rip inside default version 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.0.0 255.255.255.0 outside
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 20
ssh timeout 5
console timeout 0
terminal width 80
-------------- next part (router configuration) --------------
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname MOLG
!
!
ip subnet-zero
ip name-server 213.177.165.49
ip name-server 213.177.165.57
!
!
!
!
interface FastEthernet0
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 speed auto
!
interface Serial0
 no ip address
 encapsulation frame-relay IETF
 frame-relay lmi-type ansi
!
interface Serial0.1 point-to-point
 ip address 81.199.29.54 255.255.255.252
 ip nat outside
 frame-relay interface-dlci 215   
!
interface Serial0.2 multipoint
!
ip nat inside source list molg interface Serial0.1 overload
ip nat inside source static tcp 192.168.0.5 10000 81.199.29.54 10000 extendable
ip nat inside source static tcp 192.168.0.5 25 81.199.29.54 25 extendable
ip nat inside source static tcp 192.168.0.5 110 81.199.29.54 110 extendable
ip nat inside source static tcp 192.168.0.5 143 81.199.29.54 143 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 81.199.29.53
no ip http server
!
!
ip access-list standard molg
 permit 192.168.0.0 0.0.0.255
 deny   any
!
!
line con 0
 login
line aux 0
line vty 0 4
 login
!
end
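As an added illustration (editor's example, not part of the original post and not Cisco tooling), the following Python script models the PIX 6.x decision for a new connection from the lines that matter in the posted PIX config: the interface security levels, the nat/global pair, and the conduit lines. The sample config embedded in it is a trimmed copy of the posted one; the LAN client address 192.168.10.7 used in the demo is an assumption, and 81.199.29.53 is the router's next hop from the posted router config, used here to stand for an Internet-side host.

```python
"""Flow-permission model for a PIX 6.x rule set (editor's illustration only)."""
import ipaddress

# Constructed sample: the security-relevant lines copied from the posted PIX config.
SAMPLE_PIX_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.168.0.2 255.255.255.0
ip address inside 192.168.10.254 255.255.255.0
global (outside) 1 192.168.0.20-192.168.0.220 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
conduit permit tcp host 192.168.0.5 eq smtp any
telnet 192.168.0.0 255.255.255.0 outside
snmp-server community public
"""

PORT_NAMES = {"smtp": 25, "pop3": 110, "imap4": 143, "www": 80, "telnet": 23}


def _parse_addr(tokens, i):
    """Consume a conduit address spec (any | host A | A M) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def _parse_port(tokens, i):
    """Consume an optional 'eq <port>'; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i


class PixConfig:
    """Minimal model: interfaces, nat/global pairs, conduits, management lines."""

    def __init__(self, text):
        self.levels = {}          # iface -> security level
        self.networks = {}        # iface -> directly connected subnet
        self.nats = []            # (iface, nat id, local network)
        self.globals = set()      # (iface, nat id) pairs that have a global pool
        self.conduits = []        # (proto, dst net, dst port or None, src net)
        self.telnet_ifaces = set()
        self.snmp_communities = []
        for line in text.splitlines():
            t = line.split()
            if not t:
                continue
            if t[0] == "nameif":
                self.levels[t[2]] = int(t[3][len("security"):])
            elif t[:2] == ["ip", "address"]:
                self.networks[t[2]] = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
            elif t[0] == "nat":                     # "nat (iface) id net mask" form only
                self.nats.append((t[1].strip("()"), t[2],
                                  ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)))
            elif t[0] == "global":
                self.globals.add((t[1].strip("()"), t[2]))
            elif t[:2] == ["conduit", "permit"]:
                dst, i = _parse_addr(t, 3)
                dport, i = _parse_port(t, i)
                src, _ = _parse_addr(t, i)
                self.conduits.append((t[2], dst, dport, src))
            elif t[0] == "telnet" and len(t) == 4:  # "telnet <net> <mask> <iface>"
                self.telnet_ifaces.add(t[3])
            elif t[:2] == ["snmp-server", "community"]:
                self.snmp_communities.append(t[2])

    def interface_for(self, ip):
        """Interface a host sits behind: its connected subnet, else the default-route side."""
        ip = ipaddress.ip_address(ip)
        for iface, net in self.networks.items():
            if ip in net:
                return iface
        return min(self.levels, key=self.levels.get)   # lowest security = default route

    def flow_permitted(self, src, dst, proto="tcp", dport=None):
        """(allowed, reason) for a new connection src -> dst:dport under PIX 6.x rules.
        Models the security-level / nat / conduit layer only, not fixup inspection."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        sif, dif = self.interface_for(s), self.interface_for(d)
        if sif == dif:
            return False, f"both hosts on '{sif}': the flow never crosses the PIX"
        if self.levels[sif] > self.levels[dif]:      # outbound: permitted if translatable
            for iface, nat_id, net in self.nats:
                if iface == sif and s in net and (dif, nat_id) in self.globals:
                    return True, f"{sif} -> {dif} outbound, translated by nat/global id {nat_id}"
            return False, f"{sif} -> {dif}: no nat/global translation for {src}"
        for cproto, cdst, cport, csrc in self.conduits:  # inbound: needs a matching conduit
            if cproto == proto and d in cdst and s in csrc and cport in (None, dport):
                return True, f"{sif} -> {dif} inbound, permitted by conduit {cproto} {cdst} {cport}"
        return False, f"{sif} -> {dif} inbound and no conduit matches"

    def review_findings(self):
        """Settings a configuration review would flag."""
        out = []
        lowest = min(self.levels, key=self.levels.get)
        if lowest in self.telnet_ifaces:
            out.append(f"telnet management permitted on lowest-security interface '{lowest}'")
        out += [f"SNMP community '{c}' is a well-known default"
                for c in self.snmp_communities if c in ("public", "private")]
        return out


if __name__ == "__main__":
    cfg = PixConfig(SAMPLE_PIX_CONFIG)
    for flow in [("192.168.10.7", "192.168.0.5", "tcp", 110),   # LAN PC -> mail server POP
                 ("192.168.10.7", "192.168.0.5", "tcp", 25),    # LAN PC -> mail server SMTP
                 ("81.199.29.53", "192.168.0.5", "tcp", 25)]:   # Internet side -> mail server
        print(flow, cfg.flow_permitted(*flow))
    print(cfg.review_findings())
```

Run against the posted lines, the model reports the LAN-to-mail-server flows on 25 and 110 as outbound from inside (100) to outside (0) and covered by nat id 1, so the rule layer itself permits them. It also reports any flow from the Internet side to 192.168.0.5 as never crossing the PIX, because both ends sit on the outside segment in this topology; that is also why the `conduit permit tcp host 192.168.0.5 eq smtp any` line matches nothing here (inbound mail reaches the server through the router's static NAT, not through the PIX). The model does not cover what `fixup protocol smtp 25` (Mailguard) does to the SMTP command stream, which is a separate thing to check when only SMTP misbehaves. The review findings it lists, telnet permitted on the outside interface and the default `public` SNMP community, are worth addressing independently of the mail problem.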

