CISCO PIX and port forwarding

  1. #1
    Registered User LaSERCHiPs's Avatar
    Join Date
    Apr 2001
    Location
    Guelph
    Posts
    226

    CISCO PIX and port forwarding

    Trying to Open Port 3000 and forward to our mail server

    CISCO PIX config file

    This config doesn't seem to work.
    Can anyone see why this isn't working,
    and could you post the corrections?

    Thanks

    PIX Version 6.1(4)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 intf2 security10
    hostname pix515
    domain-name xxxxxxx.com
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 1720
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    names
    name 192.168.0.3 mdaemon
    access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list 101 permit tcp any host mdaemon eq 3000
    access-list mail permit tcp any host <Public IP Address> eq smtp
    access-list mail permit tcp any host <Public IP Address> eq pop3
    access-list mail permit tcp any host <Public IP Address>
    access-list mail permit tcp any host <Public IP Address> eq smtp
    access-list mail permit tcp any host <Public IP Address> eq pop3
    pager lines 24
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto shutdown
    mtu outside 1500
    mtu inside 1500
    mtu intf2 1500
    ip address outside <Public IP Address> 255.255.255.248
    ip address inside 192.168.0.1 255.255.255.0
    ip address intf2 127.0.0.1 255.255.255.255
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool ippool 192.168.1.1-192.168.1.254
    pdm location mdaemon 255.255.255.255 inside
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 101
    nat (inside) 1 192.168.0.0 255.255.255.0 0 0
    static (inside,outside) tcp <Public IP Address> pop3 mdaemon pop3 netmask 255.255.255.255 0 0
    static (inside,outside) tcp <Public IP Address> 3000 mdaemon 3000 netmask 255.255.255.255 0 0
    static (inside,outside) tcp <Public IP Address> smtp mdaemon smtp netmask 255.255.255.255 0 0
    access-group 101 in interface outside
    conduit permit icmp any any
    conduit permit tcp host <Public IP Address> eq 3000 any
    route outside 0.0.0.0 0.0.0.0 209.162.225.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol tacacs+
    http server enable
    http 192.168.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    no sysopt route dnat
    crypto ipsec transform-set myset esp-des esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set myset
    crypto map mymap 10 ipsec-isakmp dynamic dynmap
    crypto map mymap interface outside
    isakmp enable outside
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup vpn3000 address-pool ippool
    vpngroup vpn3000 dns-server 209.162.224.10
    vpngroup vpn3000 wins-server mdaemon
    vpngroup vpn3000 default-domain xxxxxx.com
    vpngroup vpn3000 split-tunnel 101
    vpngroup vpn3000 idle-time 1800
    vpngroup vpn3000 password ********
    telnet 192.168.1.0 255.255.255.0 outside
    telnet 192.168.0.0 255.255.255.0 inside
    telnet timeout 5
    ssh 192.168.0.0 255.255.255.0 inside
    ssh timeout 5
    terminal width 80
    Cryptochecksum:2bebbfdc3778070ad41f45201a597a89
    : end
    [OK]

    THANKS A TON
    Last edited by LaSERCHiPs; February 15th, 2005 at 10:07 AM.
    "GOOD 2 GO"

  2. #2
    Banned Ya_know's Avatar
    Join Date
    Jun 2001
    Posts
    10,692
    That's not your real En password, is it?

  3. #3
    Registered User CeeBee's Avatar
    Join Date
    Nov 2002
    Location
    USA
    Posts
    2,494
    So what is *not* working? Is your mail server listening on port 3000? Can you connect from an IP in the server's subnet?
    Protected by Glock. Don't mess with me!

  4. #4
    Registered User CeeBee's Avatar
    Join Date
    Nov 2002
    Location
    USA
    Posts
    2,494
    Quote Originally Posted by Ya_know
    That's not your real En password, is it?
    One is... 15 seconds to crack the hash...
    Protected by Glock. Don't mess with me!

  5. #5
    Registered User LaSERCHiPs's Avatar
    Join Date
    Apr 2001
    Location
    Guelph
    Posts
    226
    Quote Originally Posted by CeeBee
    So what is *not* working? Is your mail server listening on port 3000? Can you connect from an IP in the server's subnet?
    Port is open on server

    Internal clients connect no problems

    No that's not the real password that's my 2bs74hf849fie typing


    It just doesn't work through the firewall.
    "GOOD 2 GO"

  6. #6
    Registered User CeeBee's Avatar
    Join Date
    Nov 2002
    Location
    USA
    Posts
    2,494
    Firewall running on the server and blocking IPs outside the subnet?
    You'd better change the passwords... assume they are compromised and play safe.
    Plaintext of "2KFQnbNIdI.2KYOU" is "cisco".
    Protected by Glock. Don't mess with me!

  7. #7
    Registered User LaSERCHiPs's Avatar
    Join Date
    Apr 2001
    Location
    Guelph
    Posts
    226
    Quote Originally Posted by CeeBee
    Firewall running on the server and blocking IPs outside the subnet?
    You'd better change the passwords... assume they are compromised and play safe.
    Plaintext of "2KFQnbNIdI.2KYOU" is "cisco".
    LOL!! Congrats... The passwords are changed every month... this password is just to post, so no worries here.

    I thought that I would get an answer to my question, not start a password cracking game. I really need some feedback on the configuration of this PIX. I am extremely frustrated about why this will not work...

    No firewall running on the server... There is no problem internally; it works. It's just accessing this from the outside...

    Is the firewall configuration correct? Does anyone see anything wrong with how this is configured?
    "GOOD 2 GO"

  8. #8
    Registered User CeeBee's Avatar
    Join Date
    Nov 2002
    Location
    USA
    Posts
    2,494
    What O/S is the server?
    Protected by Glock. Don't mess with me!

  9. #9
    Registered User LaSERCHiPs's Avatar
    Join Date
    Apr 2001
    Location
    Guelph
    Posts
    226
    Quote Originally Posted by CeeBee
    What O/S is the server?
    Windows Server 2003
    "GOOD 2 GO"

  10. #10
    Registered User CeeBee's Avatar
    Join Date
    Nov 2002
    Location
    USA
    Posts
    2,494
    In the LAN connection properties verify that the internet connection firewall is disabled. If not, verify that there is a rule in place to allow access to your port.
    Also, looking at your config file, it looks like port 3000 is only allowed for your access list "101", while access list "mail" allows POP3 and SMTP from any IP.
    Protected by Glock. Don't mess with me!

  11. #11
    Registered User LaSERCHiPs's Avatar
    Join Date
    Apr 2001
    Location
    Guelph
    Posts
    226
    Quote Originally Posted by CeeBee
    In the LAN connection properties verify that the internet connection firewall is disabled. If not, verify that there is a rule in place to allow access to your port.
    Also, looking at your config file, it looks like port 3000 is only allowed for your access list "101", while access list "mail" allows POP3 and SMTP from any IP.
    It is disabled...

    Quote Originally Posted by CeeBee
    If not, verify that there is a rule in place to allow access to your port.
    What do you mean by this?

    The mail access rule, I have no clue who or when or how this ACL was created... It's not assigned to any interface, so I left it in there... it's incorrect anyway... you can't forward all ports to the SMTP port and then forward all ports to the POP3 port... I think the ISP may have been playing.
    "GOOD 2 GO"

  12. #12
    Registered User CeeBee's Avatar
    Join Date
    Nov 2002
    Location
    USA
    Posts
    2,494
    Not a Cisco expert, but instinct tells me you should have a line like this added there:
    access-list mail permit tcp any host <Public IP Address> eq 3000

    Looks like even if you have a static mapping for the port, there is no access rule to allow the access to that port. But again, this is just my instinct.
    Protected by Glock. Don't mess with me!
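    Added check, not code from any poster in this thread: on PIX 6.x the inbound ACL bound to the outside interface is matched against the global (translated) address, so a static's permit has to name the public address, as the line suggested above does. This script pairs each port static with the ACL bound to its mapped interface and flags a static whose only permit names the real inside address (as "access-list 101 permit tcp any host mdaemon eq 3000" does) or has no permit at all. The config excerpt, the 203.0.113.10 public address and the PORT_NAMES table are constructed placeholders.

```python
# Constructed excerpt in the shape of the thread's PIX 6.x config; 203.0.113.10 is a
# documentation placeholder for the poster's <Public IP Address>.
SAMPLE_CONFIG = """\
name 192.168.0.3 mdaemon
access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit tcp any host mdaemon eq 3000
access-list mail permit tcp any host 203.0.113.10 eq smtp
static (inside,outside) tcp 203.0.113.10 3000 mdaemon 3000 netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.10 smtp mdaemon smtp netmask 255.255.255.255 0 0
access-group 101 in interface outside
"""

PORT_NAMES = {"smtp": "25", "pop3": "110", "www": "80"}  # service names PIX accepts as ports

def _port(tok):
    return PORT_NAMES.get(tok, tok)

def _endpoint(tokens, i):
    """Parse one ACL address spec at tokens[i]; return (ip or 'any', index after it)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    return tokens[i], i + 2  # network + mask; only host entries are compared below

def _parse_ace(f, names):
    """'access-list NAME permit PROTO SRC DST [eq PORT]' -> (proto, dst_ip, dst_port)."""
    _, i = _endpoint(f, 4)  # source is irrelevant to this check
    dst, i = _endpoint(f, i)
    port = _port(f[i + 1]) if i < len(f) and f[i] == "eq" else "any"
    return f[3], names.get(dst, dst), port

def audit_statics(config):
    """Return (global_ip, global_port, reason) for every port static the inbound ACL blocks."""
    names, acls, bound, statics = {}, {}, {}, []
    for line in config.splitlines():
        f = line.split()
        if not f:
            continue
        if f[0] == "name":
            names[f[2]] = f[1]
        elif f[0] == "access-list" and f[2] == "permit":
            acls.setdefault(f[1], []).append(_parse_ace(f, names))
        elif f[0] == "access-group":          # 'access-group ACL in interface IF'
            bound[f[4]] = f[1]
        elif f[0] == "static" and f[2] in ("tcp", "udp"):
            mapped_if = f[1].strip("()").split(",")[1]
            statics.append((mapped_if, f[2], f[3], _port(f[4]), names.get(f[5], f[5]), _port(f[6])))
    findings = []
    for mapped_if, proto, gip, gport, rip, rport in statics:
        aces = acls.get(bound.get(mapped_if, ""), [])
        if any(p in (proto, "ip") and d in ("any", gip) and pt in ("any", gport) for p, d, pt in aces):
            continue  # a permit names the mapped address: traffic reaches the static
        hit_real = any(d == rip and pt in ("any", rport) for _, d, pt in aces)
        findings.append((gip, gport, "permit names real address, not mapped" if hit_real else "no permit on inbound ACL"))
    return findings
```

Adding `access-list 101 permit tcp any host 203.0.113.10 eq 3000` to the sample clears the port 3000 finding; the SMTP static stays flagged because the "mail" ACL is never bound to an interface.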

  13. #13
    Registered User LaSERCHiPs's Avatar
    Join Date
    Apr 2001
    Location
    Guelph
    Posts
    226
    Quote Originally Posted by CeeBee
    Not a Cisco expert, but instinct tells me you should have a line like this added there:
    access-list mail permit tcp any host <Public IP Address> eq 3000

    Looks like even if you have a static mapping for the port, there is no access rule to allow the access to that port. But again, this is just my instinct.
    For kicks and giggles I'll try it off hours... I'm Cisco certified... and man, it looks right to me, but it's been about a year since I have touched it... so I'm not a hundred percent sure...

    All while testing... we somehow lost access to our POP3 email server from the outside... the public static IP address changed; lost internet access; lost mail connectivity; all have been fixed except the port 3000.

    The ISP servers are flaky; this has been the worst experience ever opening a port... I have done this hundreds of times before... and never experienced anything like this.
    "GOOD 2 GO"
