Re: Kindly help me with this PIX problem
Walter Roberson wrote:
In article <1154210717.737250.76220@xxxxxxxxxxxxxxxxxxxxxxxxxxx>,
<soup_or_power@xxxxxxxxx> wrote:
Why can't I ping the host 209.178.196.211? Please see the config below.

Like I said in the firewalls newsgroup, you have a very old
PIX operating system and there are known bugs in the
NAT translation in that version.

Hi Walter
Thank you very much for posting your reply. I don't understand what you
mean by NAT. The firewall configuration uses static to map inside and
outside IPs. If you have read the configuration that I posted, you'd
know that we don't use NAT. Or maybe I am an ignoramus. Also, the
firewall configuration didn't change over many years and it did work
exceptionally well despite the drawbacks you mention. Kindly read the
configuration and let me know what's wrong with it.

I would like to start with a minimal configuration and build on it. Can
you please suggest what minimum rules are required for the PIX 6 to work
and at the same time make the mail server available?

The IP belongs to a Windows 2000 mail server. Because it is blocked by
PIX, our company cannot send or receive email.

Inability to ping an IP address does not affect ability to send
or receive email. It is NOT part of the smtp protocol to ping
an address before attempting to connect to it on tcp port 25.

You are right. I have allowed all ICMP messages to pass through the
firewall. The firewall, however, is blocking SMTP. Somewhere I have
read that the following line is more robust,

no fixup protocol smtp 25

as it will allow ESMTP commands as well.


I was told to post here to get the
attention of experts in CISCO appliances.

Always a better idea than posting in the general firewalls
newsgroup; there are more people here who are familiar with PIX
and something might occur to one person that the other people missed.

Alas, I appear to be the resident PIX 6 expert, and I'm the one
who told you that you really need a software upgrade.

Thank you, sir, for the suggestion. I want to get this email thing right
in my head. There is no point in aspiring for better things when I am
stuck at a very basic level. I hope I am being clear and communicative.
I want the PIX 6 configuration to work before I go and make an upgrade.
Furthermore, this configuration has worked for 5 years without a hitch
in the email delivery.


I won't be able to access the PIX
until Monday. That is another issue. The PIX has an outside IP of
209.178.196.210 (please see the config below). When I telnet to it
using PuTTY (secure shell) there was no response. However, if someone
has a solution to my problem, I will be able to implement it over the
weekend.

You cannot telnet to the outside interface of a PIX 6 firewall
(at least not without VPN layers that are not present in your
configuration.) You *can* ssh to the outside interface of
a PIX 6 firewall, if you have set up a few things ahead of time.
In particular,

ssh njrep1 255.255.255.255 inside

That command allows ssh to the PIX, but only from the host
njrep1 on the -inside- interface. You would need an 'ssh'
configuration command that ended in 'outside' in order to
ssh from outside.

PuTTY is able to ssh without difficulty, so your reference
to 'telnet' might just have been a terminology mistake.

Thanks for the clarification. How do I allow any host from outside to
connect to the PIX?

Will "ssh any 255.255.255.255 outside" work?

Once again I apologize for starting multiple threads.

Really, multiple threads doesn't help.

Sorry, but this is Usenet, and people respond or they don't.
Multiple threads tend to annoy people. When you say that a
situation is urgent, and that your ISP doesn't want to help,
what you are telling us is that your situation calls for a
consultant, either a private firm hired, or a support contract
or "incident" call with Cisco. Particularly on a weekend, when
people have family things, or yards to tend, or festivals to go to,
or vacation to, urrr, vacate.


Anyhow, if your smtp has stopped, then double-check your DNS
entries for the affected IP address. Ensure that the IP address
has a valid reverse address translation -- better yet, a
valid reverse address translation in the same domain as people
are sending the email to.


Oh yeah, another thing: if you won't have access to the device
until Monday then the situation must not be quite so urgent.
An urgent situation is when you get the company president out of
bed to get the doors open for you, and the company president is
happy to do so because the president realizes what the technical
problem means to the company.

The email issue has been backlogged for more than 4 days now. So I was very
desperate to get it fixed. I don't know what a consultant can do or how
to advertise for a consultant. Our company is a startup and has a very
tight budget. We do all the development in house. We have a Windows
maintenance contract with Primary Support. I called them and they were
not helpful. They wanted to telnet/ssh to the firewall and that was not
possible now. Please note that my intention is not to abuse Usenet.
I want to learn as I go through your response. You have been very kind
in the past, as always, in explaining things. So my kind regards to
you.
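The two practical questions in this exchange, how to publish the mail server through a static mapping without the SMTP fixup, and how to permit SSH management on the outside interface without opening it to every host, can be shown in one PIX 6.x configuration fragment. This is an added example and not the poster's configuration, which is not reproduced on the page. The public addresses are the ones quoted in the thread; the mail server's inside address (10.0.0.25), the administrator's external address (198.51.100.7), the inside host address for njrep1 (10.0.0.10), the hostname and the domain name are placeholders.

```cisco
! Added example in PIX 6.x syntax, not the configuration from the original post.
! Assumptions (placeholders): mail server 10.0.0.25 inside, published as
! 209.178.196.211 outside; administrator connects from 198.51.100.7;
! njrep1 is the inside host 10.0.0.10.

names
name 10.0.0.10 njrep1

! --- Mail server publication --------------------------------------------
! One-to-one static mapping: outside global address <-> inside local address.
static (inside,outside) 209.178.196.211 10.0.0.25 netmask 255.255.255.255

! Only tcp/25 from the Internet to the mail server is permitted inbound;
! everything else to the outside interface is denied by the implicit deny.
access-list outside_in permit tcp any host 209.178.196.211 eq smtp
access-group outside_in in interface outside

! Mailguard (the smtp fixup) passes only the seven basic SMTP commands
! (HELO, MAIL, RCPT, DATA, RSET, NOOP, QUIT) and rejects the rest, which
! breaks ESMTP. Disabling it lets the mail server negotiate ESMTP itself.
no fixup protocol smtp 25

! --- Management access --------------------------------------------------
! The ssh command only works once the PIX has a hostname, a domain name
! and an RSA key pair.
hostname pix
domain-name example.com
ca generate rsa key 1024
ca save all

! Weak form: every host on the Internet may attempt an SSH login to the
! outside address 209.178.196.210. Shown commented out; do not use it.
! ssh 0.0.0.0 0.0.0.0 outside

! Preferred form: a single administrator address from outside, the named
! inside host from the thread, and an idle timeout in minutes.
ssh 198.51.100.7 255.255.255.255 outside
ssh njrep1 255.255.255.255 inside
ssh timeout 10
```

The design choice is that the `static` mapping and the `access-list` are separate controls: the static only creates the address translation, and nothing reaches the inside host until an access-list applied to the outside interface permits it. Likewise, an `ssh` line scoped to `outside` is what makes external management possible at all; scoping it to one source address instead of 0.0.0.0/0 keeps the management plane of a firewall that the thread already describes as running old software off the open Internet.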
