Posted by Walter Roberson on April 7, 2006, 11:59 am
>Can anyone help me with my PIX firewall. There is an Exchange server
>192.168.2.11 inside. The outbound emails are blocked and cannot reach
>outside!
>PIX Version 6.1(1)
That's a fairly old version, and there have been a number of security
fixes since then, including some you are entitled to for free. You
really should update.
>access-list inside_access_out permit tcp any any eq smtp
>ip address outside 206.158.XYZ.69 255.255.252.0
>ip address inside 192.168.2.2 255.255.255.0
>global (outside) 1 206.158.XYZ.105 netmask 255.255.252.0
>global (outside) 1 206.158.XYZ.104 netmask 255.255.252.0
>nat (inside) 0 access-list vpnacl
>nat (inside) 1 192.168.2.0 255.255.255.0 0 0
>static (inside,outside) 206.158.XYZ.99 192.168.2.11 netmask 255.255.255.255 0 0
>access-group inside_access_out in interface inside
>conduit deny ip any host 81.48.75.223
>conduit permit ip any 141.152.97.32 255.255.255.224
>conduit permit tcp host 206.158.107.99 eq smtp any
>conduit permit tcp host 206.158.107.99 eq www any
>conduit permit tcp host 206.158.107.99 eq domain any
>conduit permit ip host 206.158.107.99 host 141.152.97.35
I suggest removing the conduits and replacing them with an access-group
applied to the outside interface. conduit is obsolescent and not
certain to work with ACLs.
Your conduit statements appear to have some redundancy: you first
allow any packet from 141.152.97.32 255.255.255.224 in (wherever a
translation can be found); then later you talk specifically about
the host 141.152.97.35 (which is part of the .32/.224) to host
206.158.107.99 (which is part of the 'any' of the earlier command.)
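The two points in the reply above (replace the conduits with an access-group on the outside interface, and notice that one conduit is already covered by an earlier one) can both be checked mechanically. The script below is an added example and is not code from the post or from Cisco: it parses the quoted conduit statements, emits the equivalent access-list entries (a conduit lists the global address first, an inbound ACL lists the remote source first, so the two sides swap), and reports any rule that an earlier rule already matches in full. The ACL name `outside_access_in` is assumed, and only the `eq` port operator is handled; `range`, `gt`, `lt` and ICMP types are left out.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample input: the conduit statements quoted in the post above.
CONDUITS = """
conduit deny ip any host 81.48.75.223
conduit permit ip any 141.152.97.32 255.255.255.224
conduit permit tcp host 206.158.107.99 eq smtp any
conduit permit tcp host 206.158.107.99 eq www any
conduit permit tcp host 206.158.107.99 eq domain any
conduit permit ip host 206.158.107.99 host 141.152.97.35
""".strip().splitlines()


@dataclass
class Rule:
    action: str                     # permit / deny
    proto: str                      # ip / tcp / udp
    glob: ipaddress.IPv4Network     # global (outside-visible) address of the inside host
    gport: Optional[str]            # port after "eq" on the global side, if any
    foreign: ipaddress.IPv4Network  # remote address on the outside
    fport: Optional[str]


def _take_addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume 'any', 'host X' or 'X MASK' starting at t[i]."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    # ip_network accepts the "addr/netmask" form that PIX prints
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def _take_port(t: List[str], i: int) -> Tuple[Optional[str], int]:
    """Consume an optional 'eq <port>' (the only operator handled here)."""
    if i < len(t) and t[i] == "eq":
        return t[i + 1], i + 2
    return None, i


def parse_conduit(line: str) -> Rule:
    """conduit <action> <proto> <global addr> [eq port] <foreign addr> [eq port]"""
    t = line.split()
    if t[0] != "conduit":
        raise ValueError(f"not a conduit statement: {line!r}")
    glob, i = _take_addr(t, 3)
    gport, i = _take_port(t, i)
    foreign, i = _take_addr(t, i)
    fport, i = _take_port(t, i)
    return Rule(t[1], t[2], glob, gport, foreign, fport)


def _fmt_addr(net: ipaddress.IPv4Network) -> str:
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def to_access_list(rule: Rule, name: str = "outside_access_in") -> str:
    """Equivalent inbound ACL entry: source (foreign) first, then destination (global)."""
    src = _fmt_addr(rule.foreign) + (f" eq {rule.fport}" if rule.fport else "")
    dst = _fmt_addr(rule.glob) + (f" eq {rule.gport}" if rule.gport else "")
    return f"access-list {name} {rule.action} {rule.proto} {src} {dst}"


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet matched by b is also matched by a."""
    proto_ok = a.proto == "ip" or a.proto == b.proto
    gport_ok = a.gport is None or a.gport == b.gport
    fport_ok = a.fport is None or a.fport == b.fport
    return (proto_ok and gport_ok and fport_ok
            and a.glob.supernet_of(b.glob) and a.foreign.supernet_of(b.foreign))


def find_overlaps(rules: List[Rule]) -> List[Tuple[int, int, str]]:
    """For each rule, the first earlier rule that already covers it.
    Same action: the later rule is redundant. Different action: it is shadowed
    and never takes effect, which is the more dangerous case to catch."""
    out = []
    for j, later in enumerate(rules):
        for i in range(j):
            if covers(rules[i], later):
                kind = "redundant" if rules[i].action == later.action else "shadowed"
                out.append((j, i, kind))
                break
    return out


if __name__ == "__main__":
    rules = [parse_conduit(line) for line in CONDUITS]
    for r in rules:
        print(to_access_list(r))
    print("access-group outside_access_in in interface outside")
    for j, i, kind in find_overlaps(rules):
        print(f"! rule {j + 1} is {kind} by rule {i + 1}: {CONDUITS[j]}")
```

Run against the quoted configuration it flags exactly the overlap the reply describes: the last conduit (host 141.152.97.35 to host 206.158.107.99) is redundant with the earlier `permit ip any 141.152.97.32 255.255.255.224`. The converted entries are a starting point only; an access-group on the outside interface has an implicit deny at the end, so anything the conduits were silently allowing through other interfaces needs its own entry.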