Question : Pix 501 Configuration for Exchange OWA
I am trying to access an Exchange Server behind a Pix 501. (Also, how do I modify and/or delete a line from the config from the PIX Device Manager or Telnet?)
Here is a copy of my current config. (IPs and passwords removed)
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxx encrypted
passwd xxxxxxxxxx encrypted
hostname pix501
domain-name mydomain.com
clock timezone CST -7
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.1.1.253 a2
name 10.1.1.188 BB
name 10.1.1.144 BR
name 10.1.1.198 BG
name 10.1.1.251 A3
name ---.---.---.4 Outside-IP04
object-group service InternetServices tcp
  description HTTP, HTTPS, SMTP
  port-object eq https
  port-object eq www
  port-object eq smtp
  port-object eq echo
object-group service OWA-Ports tcp
  description Ports 80, 443,
  port-object eq www
  port-object eq https
access-list outside permit tcp any host Outside-IP04 eq www
access-list outside permit tcp any host Outside-IP04 eq https
access-list inside_outbound_nat0_acl permit ip 10.1.1.0 255.255.255.0 10.1.2.64 255.255.255.224
access-list inside_outbound_nat0_acl permit ip 10.1.1.0 255.255.255.0 10.1.2.32 255.255.255.224
access-list inside_outbound_nat0_acl permit ip 10.1.1.0 255.255.255.0 10.1.2.128 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 10.1.2.32 255.255.255.224
access-list IPSecVPNGroup_splitTunnelAcl permit ip 10.1.1.0 255.255.255.0 any
access-list outside_access_in remark Static Mapping for OWA Server
access-list outside_access_in permit tcp host Outside-IP04 host Outside-IP04
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside ---.---.---.14 255.255.255.240
ip address inside 10.1.1.245 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool IPSecVPN_pool 10.1.2.33-10.1.2.63
ip local pool PPTPVPN_pool 10.1.2.129-10.1.2.159
pdm location 10.1.1.155 255.255.255.255 inside
pdm location A3 255.255.255.255 inside
pdm location Outside-IP04 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 ---.---.---.3
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) Outside-IP04 A3 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 ---.---.---.1 1
route inside a2 255.255.255.255 ---.---.---.14 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host A3 PasswordDeleted timeout 10
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
ntp server time.apple source outside prefer
http server enable
http BR 255.255.255.255 inside
http BB 255.255.255.255 inside
http BR 255.255.255.255 inside
http A3 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup IPSecVPNGroup address-pool IPSecVPN_pool
vpngroup IPSecVPNGroup dns-server A3
vpngroup IPSecVPNGroup wins-server A3
vpngroup IPSecVPNGroup default-domain MyDomain.com
vpngroup IPSecVPNGroup split-tunnel IPSecVPNGroup_splitTunnelAcl
vpngroup IPSecVPNGroup split-dns MyDomain.com
vpngroup IPSecVPNGroup idle-time 1800
vpngroup IPSecVPNGroup password ********
telnet A3 255.255.255.255 inside
telnet timeout 15
ssh timeout 5
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local PPTPVPN_pool
vpdn group PPTP-VPDN-GROUP client configuration dns A3
vpdn group PPTP-VPDN-GROUP client configuration wins A3
vpdn group PPTP-VPDN-GROUP client authentication aaa RADIUS
vpdn group PPTP-VPDN-GROUP client accounting RADIUS
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn enable outside
terminal width 80
Cryptochecksum:5xxxxxxxxxxxxxxxxxxxxxxxxxxxxx76
: end
Answer : Pix 501 Configuration for Exchange OWA
Just use these commands. You have the wrong access-list applied to the interface.
pix501#config
pix501(config)#no access-group outside_access_in in interface outside
pix501(config)#access-group outside in interface outside
pix501(config)#exit
pix501#write mem
The "no" in front of almost any command will remove it from the config.
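The mistake in the thread is easy to check for mechanically: the `access-group` on the outside interface points at `outside_access_in`, whose only rule has the OWA server's public address as both source and destination, while the ACL named `outside` (which does permit `any` to that address on www and https) is never applied. The script below is an added example, not code from the forum post or from Cisco: it parses the `name`, `access-list`, `static` and `access-group` lines of a PIX 6.x config, then reports whether the ACL actually bound to `outside` lets Internet clients reach each statically mapped host on tcp/80 and tcp/443, points at any unbound ACL that would, and flags rules whose source equals their destination. The sample config is constructed from the relevant lines of the question, with the documentation address 203.0.113.4 standing in for the redacted public IP; object-groups and `range` ports are not expanded.

```python
"""Audit which ACL is bound to the PIX outside interface and whether it publishes OWA.

Added example for the thread above, not from the forum post or from Cisco. Parses
PIX 6.x 'name', 'access-list', 'static' and 'access-group' lines only; object-groups
and 'range' ports are not expanded.
"""
from dataclasses import dataclass, field
from typing import Optional

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "echo": 7}

# Constructed sample: the relevant lines of the poster's config. 203.0.113.4 is a
# documentation address standing in for the redacted public IP.
SAMPLE_CONFIG = """\
name 10.1.1.251 A3
name 203.0.113.4 Outside-IP04
access-list outside permit tcp any host Outside-IP04 eq www
access-list outside permit tcp any host Outside-IP04 eq https
access-list inside_outbound_nat0_acl permit ip 10.1.1.0 255.255.255.0 10.1.2.32 255.255.255.224
access-list IPSecVPNGroup_splitTunnelAcl permit ip 10.1.1.0 255.255.255.0 any
access-list outside_access_in remark Static Mapping for OWA Server
access-list outside_access_in permit tcp host Outside-IP04 host Outside-IP04
static (inside,outside) Outside-IP04 A3 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
"""


@dataclass
class Rule:
    acl: str
    action: str
    proto: str
    src: str            # "any", a host name/IP, or "net/mask"
    dst: str
    port: Optional[int]  # destination port from "eq", else None
    raw: str


@dataclass
class PixConfig:
    names: dict = field(default_factory=dict)     # symbolic name -> IP
    acls: dict = field(default_factory=dict)      # ACL name -> [Rule]
    statics: list = field(default_factory=list)   # (global, local)
    bindings: dict = field(default_factory=dict)  # interface -> ACL name


def _addr(t, i):
    """Consume one address spec at t[i]; return (spec, index of next token)."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    return f"{t[i]}/{t[i + 1]}", i + 2


def parse_pix(text):
    cfg = PixConfig()
    for line in text.splitlines():
        t = line.split()
        if len(t) >= 3 and t[0] == "name":
            cfg.names[t[2]] = t[1]
        elif len(t) >= 6 and t[0] == "access-list" and t[2] in ("permit", "deny"):
            src, i = _addr(t, 4)
            dst, i = _addr(t, i)
            port = None
            if i + 1 < len(t) and t[i] == "eq":
                port = PORT_NAMES.get(t[i + 1], int(t[i + 1]) if t[i + 1].isdigit() else None)
            cfg.acls.setdefault(t[1], []).append(Rule(t[1], t[2], t[3], src, dst, port, line))
        elif len(t) >= 4 and t[0] == "static":
            cfg.statics.append((t[2], t[3]))
        elif len(t) >= 5 and t[0] == "access-group" and t[3] == "interface":
            cfg.bindings[t[4]] = t[1]
    return cfg


def _resolve(cfg, tok):
    return cfg.names.get(tok, tok)


def _permits(cfg, rule, host_ip, port):
    """True if rule lets an arbitrary Internet client (source 'any') reach host_ip on tcp/port."""
    return (rule.action == "permit" and rule.proto in ("tcp", "ip") and rule.src == "any"
            and (rule.dst == "any" or _resolve(cfg, rule.dst) == host_ip)
            and rule.port in (None, port))


def audit_owa(cfg, iface="outside", ports=(80, 443)):
    """Return (ACL bound to iface or None, list of finding strings)."""
    findings = []
    bound = cfg.bindings.get(iface)
    bound_rules = cfg.acls.get(bound, []) if bound else []
    if bound is None:
        findings.append(f"no access-group bound to interface {iface}")
    for glob, local in cfg.statics:
        glob_ip = _resolve(cfg, glob)
        for port in ports:
            if any(_permits(cfg, r, glob_ip, port) for r in bound_rules):
                continue
            findings.append(f"{bound}: no permit for tcp/{port} to {glob} ({glob_ip}) -> {local}")
            # An ACL that permits it but is not bound is the usual cause, as in this thread.
            for name, rules in cfg.acls.items():
                if name != bound and any(_permits(cfg, r, glob_ip, port) for r in rules):
                    findings.append(f"  hint: unbound ACL {name!r} permits tcp/{port} to {glob}")
    for rules in cfg.acls.values():
        for r in rules:
            if r.src != "any" and _resolve(cfg, r.src) == _resolve(cfg, r.dst):
                findings.append(f"{r.acl}: source equals destination, never matches inbound traffic: {r.raw}")
    return bound, findings


if __name__ == "__main__":
    acl, found = audit_owa(parse_pix(SAMPLE_CONFIG))
    print(f"ACL bound to outside: {acl}")
    for f in found:
        print(f)
```

Run against the sample it reports that `outside_access_in` permits neither port, that the unbound ACL `outside` would, and that the self-referential rule can never match; after the answer's fix (rebinding `outside`) only the dead rule in the now-unbound `outside_access_in` remains flagged, which is harmless but worth deleting with `no access-list outside_access_in ...` to keep the config honest.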