
Help Pix Problem

  • 07-09-2006 8:34pm
    #1
    Registered Users Posts: 234 ✭✭


    OK, I'm trying to change the internal IP of the Exchange server; that's fine!
    Exchange is now 192.168.1.210 but I want it on 192.168.1.242,
    but changing where SMTP traffic flows to at the PIX is the problem. Can anyone help please!!!! (below is a copy of the config, altered a bit)

    Can anyone tell me what I need to change? I've tried a few things but it breaks the whole web when I do it.

    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 intf2 security4
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    fixup protocol sip udp 5060
    names
    access-list 101 permit tcp any host 192.168.1.210 eq smtp
    access-list 101 permit tcp any host 192.168.1.11 eq www
    access-list 101 permit tcp any host 192.168.1.11 eq https
    access-list 101 permit tcp any any eq smtp
    access-list 101 deny tcp any host 192.168.1.210 eq www
    access-list 101 permit tcp any any eq www
    access-list 101 permit ip 192.168.1.0 255.255.255.0 any
    access-list 101 permit tcp any host 192.168.1.11 eq login
    access-list 101 permit tcp any host 192.168.1.11 eq ftp
    access-list 101 permit tcp 192.168.1.0 255.255.255.0 any eq ftp
    access-list 101 permit tcp 192.168.1.0 255.255.255.0 any eq www
    access-list 101 permit tcp 192.168.1.0 255.255.255.0 any eq login
    access-list 101 permit udp any any eq isakmp
    access-list 101 permit tcp host 192.168.1.165 host 82.xxx.xxx.203 eq 5500
    access-list 101 permit tcp host 192.168.1.165 host 82.xxx.xxx.203 eq 5900
    access-list 101 permit tcp host 192.168.1.165 host 82.xxx.xxx.203 eq 5800
    access-list 101 permit tcp host 192.168.1.165 host 82.xxx.xxx.203 eq 1897
    access-list 101 permit tcp host 192.168.1.165 host 82.xxx.xxx.203 eq 1896
    access-list 101 permit icmp any any
    access-list 101 permit tcp host 192.168.1.165 host 193.xxx.xxx.195 eq 5500
    access-list 101 permit tcp host 192.168.1.165 host 193.xxx.xxx.195 eq 5900
    access-list 101 permit tcp host 192.168.1.165 host 193.xxx.xxx.195 eq 1897
    access-list 101 permit tcp host 192.168.1.165 host 193.xxx.xxx.195 eq 1896
    access-list 101 permit gre host 192.168.1.165 host 193.xxx.xxx.195
    access-list 101 permit tcp host 192.168.1.165 host 193.xxx.xxx.195 eq pptp
    access-list 101 permit gre host 193.xxx.xxx.195 host 192.168.1.165
    access-list 101 permit tcp host 193.xxx.xxx.195 host 192.168.1.165 eq pptp
    access-list 101 permit gre host 62.xxx.xxx.196 host 193.xxx.xxx.195
    access-list 101 permit gre host 193.xxx.xxx.195 host 62.xxx.xxx.196
    access-list 101 permit tcp host 62.xxx.xxx.196 host 193.xxx.xxx.195 eq pptp
    access-list 101 permit tcp host 193.xxx.xxx.195 host 62.xxx.xxx.196 eq pptp
    access-list 101 permit tcp any host 62.xxx.xxx.196
    access-list 101 permit tcp any any eq https
    access-list 101 permit tcp any host 192.168.1.210 eq https
    access-list 101 permit tcp any host 62.xxx.xxx.193 eq 8032
    access-list 101 permit tcp host 192.168.1.230 any eq 3101
    access-list 101 permit tcp any host 192.168.1.220 eq pptp
    access-list 101 permit gre any host 192.168.1.220
    access-list 101 permit ip any host 193.xxx.xxx.6
    access-list vpn_to_belfast permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list vpn_to_belfast permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
    access-list vpn_to_belfast permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list vpn_to_belfast permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0
    access-list vpn_to_belfast permit ip 192.168.4.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list vpn_to_belfast permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list vpn_to_belfast permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
    pager lines 24
    logging on
    logging timestamp
    logging buffered debugging
    logging trap debugging
    logging host inside 192.168.1.215
    logging host inside 192.168.1.226
    logging host inside 192.168.1.220
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    mtu outside 1500
    mtu inside 1500
    mtu intf2 1500
    ip address outside 62.xxx.xxx.193 255.255.255.224
    ip address inside 192.168.1.10 255.255.255.0
    ip address intf2 217.xxx.xxx.24 255.255.255.224
    pdm logging emergencies 100
    no pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    global (intf2) 1 interface
    nat (inside) 0 access-list vpn_to_belfast
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp 62.xxx.xxx.193 www 192.168.1.241 www netmask 255.255.255.255 0 0
    static (inside,outside) 193.xxx.xxx.5 192.168.1.9 netmask 255.255.255.255 0 0
    static (inside,outside) 62.xxx.xxx.194 192.168.1.11 netmask 255.255.255.255 0 0
    static (inside,outside) 62.xxx.xxx.195 192.168.1.210 netmask 255.255.255.255 0 0
    static (inside,outside) 62.xxx.xxx.196 192.168.1.165 netmask 255.255.255.255 0 0
    access-group 101 in interface outside
    access-group vpn_to_belfast in interface intf2
    conduit permit gre host 192.168.1.220 any
    conduit permit tcp host 192.168.1.220 eq pptp any
    route outside 0.0.0.0 0.0.0.0 62.xxx.xxx.222 1
    route intf2 0.0.0.0 0.0.0.0 217.67.133.30 2
    route intf2 81.xxx.xxx.133 255.255.255.255 217.xxx.xxx.30 1
    route inside 192.100.100.0 255.255.255.0 192.168.1.160 1
    route intf2 192.168.0.0 255.255.255.0 213.xxx.xxx.133 1
    route intf2 192.168.2.0 255.255.255.0 81.xxx.xxx.133 1
    route inside 192.168.3.0 255.255.255.0 192.168.1.64 1
    timeout xlate 1:00:00
    timeout conn 0:30:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.110 255.255.255.255 inside
    http 192.168.1.215 255.255.255.255 inside
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt noproxyarp inside
    no sysopt route dnat


Comments

  • Registered Users Posts: 5,335 ✭✭✭Cake Fiend


    I don't know much about PIXs, but a wild, crazy guess would be to change the lines in the config with '192.168.1.210' to use '192.168.1.242' instead, i.e. change:

    access-list 101 permit tcp any host 192.168.1.210 eq smtp
    access-list 101 permit tcp any host 192.168.1.210 eq https
    static (inside,outside) 62.xxx.xxx.195 192.168.1.210 netmask 255.255.255.255 0 0

    etc. to the new IP.
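    As an added example (not from the thread or either poster), a small Python audit script that lists every line of the posted config naming the server, rewrites the address in one pass so no static/ACE pair is left half-updated, and, because the PIX evaluates access-list entries top-down with first match winning, reports whether each host-specific entry is actually gating traffic or is shadowed or made redundant by the broader `any any` permits in the same list. The config text is a constructed subset of the one posted above, kept in its original order, with the IPs masked as on the page.

```python
import re
from typing import Dict, List

# Constructed excerpt of the PIX config posted in the thread, in original order.
PIX_CONFIG = """\
access-list 101 permit tcp any host 192.168.1.210 eq smtp
access-list 101 permit tcp any any eq smtp
access-list 101 deny tcp any host 192.168.1.210 eq www
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq https
access-list 101 permit tcp any host 192.168.1.210 eq https
static (inside,outside) 62.xxx.xxx.195 192.168.1.210 netmask 255.255.255.255 0 0
"""

# access-list <name> <permit|deny> <proto> <src dst> eq <port>
ACE_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) (.+?) eq (\S+)$")


def lines_referencing(config: str, ip: str) -> List[str]:
    """Every line naming the host (ACEs, statics, conduits, routes, logging ...).
    \\b keeps 192.168.1.21 from matching inside 192.168.1.210."""
    pat = re.compile(rf"\b{re.escape(ip)}\b")
    return [line for line in config.splitlines() if pat.search(line)]


def readdress(config: str, old: str, new: str) -> str:
    """Move the host to its new address in one pass over the whole config."""
    return re.sub(rf"\b{re.escape(old)}\b", new, config)


def classify_host_aces(config: str, ip: str) -> Dict[str, str]:
    """For each ACE aimed at `ip`: 'shadowed' if an 'any any' permit on the same
    acl/proto/port precedes it (first match wins, so it never fires), 'redundant'
    if it is a permit and a broad permit follows it, else 'effective'."""
    parsed = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            parsed.append((line.strip(), *m.groups()))
    first_broad: Dict[tuple, int] = {}
    for idx, (_, acl, action, proto, endpoints, port) in enumerate(parsed):
        if action == "permit" and endpoints == "any any":
            first_broad.setdefault((acl, proto, port), idx)
    verdict: Dict[str, str] = {}
    for idx, (line, acl, action, proto, endpoints, port) in enumerate(parsed):
        if endpoints != f"any host {ip}":
            continue
        bidx = first_broad.get((acl, proto, port))
        if bidx is not None and bidx < idx:
            verdict[line] = "shadowed"
        elif bidx is not None and action == "permit":
            verdict[line] = "redundant"
        else:
            verdict[line] = "effective"   # this ACE is what really gates the flow
    return verdict
```

    Running `classify_host_aces` before and after `readdress` shows which of the host-specific lines actually decide what reaches the server, so a move that "changes nothing" for SMTP is explained by the broad `permit tcp any any eq smtp` that follows it.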


  • Registered Users Posts: 234 ✭✭shanemort


    Sico wrote:
    I don't know much about PIXs, but a wild, crazy guess would be to change the lines in the config with '192.168.1.210' to use '192.168.1.242' instead, i.e. change:

    access-list 101 permit tcp any host 192.168.1.210 eq smtp
    access-list 101 permit tcp any host 192.168.1.210 eq https
    static (inside,outside) 62.xxx.xxx.195 192.168.1.210 netmask 255.255.255.255 0 0

    etc. to the new IP.

    Yeah, tried that! And we lose all internet access and mail doesn't flow anywhere!

    Banging my head against the wall.


  • Registered Users Posts: 5,335 ✭✭✭Cake Fiend


    I'm assuming you mean you lose connectivity to/from the server, rather than the entire network?

    Have you tried restarting the PIX and any switches (and the server maybe) and letting them re-learn the network layout? I've had trouble in the past with Catalyst switches holding onto their ARP entries for far longer than I'd have thought, particularly if they're running spanning-tree with a load of other switches. You'd want to do this at a quiet time though, as spanning-tree can take a few minutes to get itself organized.

    BTW, you might get better answers in 'Nets & Comms', this is a networking issue rather than a security one.

