
I am way out of my league on this, but if someone could take the time to help me I would appreciate it. We renewed our McAfee SaaS Protection and I am trying to set up their required IP addresses in our Cisco PIX 501 so their servers can route emails to our servers through the firewall on the SMTP port. I have been at it all day and cannot seem to get the correct configuration. I now think I have entries in the PIX that don't need to be there. Right now they are hitting the McAfee server but not getting to ours. I guess my questions are as follows:

1.) How do I remove the unneeded entries and put in the correct entries?

2.) How do I get the PIX to allow a string of IP addresses through? I need to let in 208.65.144.0-208.65.151.255 and 208.81.64.0-208.81.71.255.

3.) How can I test it to make sure it works?

I don't mind reading up on this stuff if anyone can point me to some fairly easy to understand reading material. Below is the info from our PIX box.

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password <removed> encrypted
passwd <removed> encrypted
hostname PIXDaniels
domain-name danielsconstructioninc.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.0.0.7 Exchange
name 10.0.0.8 Web1
access-list 101 permit icmp any any
access-list 101 permit tcp any host 24.xxx.xxx.xx eq pptp
access-list 101 permit tcp any host 24.xxx.xxx.xx eq www
access-list 101 permit tcp 64.18.0.0 255.255.240.0 host 24.xxx.xxx.xx eq smtp
access-list 101 permit tcp any host 24.xxx.xxx.xx eq https
access-list 102 permit ip 10.0.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 10.4.0.0 255.255.0.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 10.5.0.0 255.255.0.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 10.6.0.0 255.255.0.0
access-list 103 permit ip 10.0.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list 104 permit ip 10.0.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list 105 permit ip 10.0.0.0 255.255.0.0 10.4.0.0 255.255.0.0
access-list 106 permit ip 10.0.0.0 255.255.0.0 10.5.0.0 255.255.0.0
access-list 107 permit ip 10.0.0.0 255.255.0.0 10.6.0.0 255.255.0.0
access-list acl_out permit tcp host 209.165.201.1 eq smtp any
access-list acl_out permit tcp host 208.65.144.0 eq smtp any
access-list acl_out permit tcp host 208.81.64.0 eq smtp any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 24.xxx.xxx.xx 255.255.255.252
ip address inside 10.0.0.2 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.0.0.0 255.0.0.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface pptp Exchange pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp Exchange smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www Web1 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https Exchange https netmask 255.255.255.255 0 0
static (inside,outside) 209.165.201.1 192.168.42.1 netmask 255.255.255.255 0 0
static (inside,outside) 208.65.144.0 24.xxx.xxx.xx netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 24.xxx.xxx.xx 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set candle esp-des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 102
crypto map transam 1 set peer 24.xxx.xxx.xxx
crypto map transam 1 set transform-set candle
crypto map transam 2 ipsec-isakmp
crypto map transam 2 match address 103
crypto map transam 2 set peer 24.xxx.xxx.xxx
crypto map transam 2 set transform-set candle
crypto map transam 3 ipsec-isakmp
crypto map transam 3 match address 104
crypto map transam 3 set peer 209.180.70.70
crypto map transam 3 set transform-set candle
crypto map transam 4 ipsec-isakmp
crypto map transam 4 match address 105
crypto map transam 4 set peer 24xxx.x.xxx
crypto map transam 4 set transform-set candle
crypto map transam 5 ipsec-isakmp
crypto map transam 5 match address 106
crypto map transam 5 set peer 63.230.147.133
crypto map transam 5 set transform-set candle
crypto map transam 6 ipsec-isakmp
crypto map transam 6 match address 107
crypto map transam 6 set peer 24.xxx.xx.xxx
crypto map transam 6 set transform-set candle
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address 209.180.70.70 netmask 255.255.255.255
isakmp key ******** address 24.xxx.xxx.xxx netmask 255.255.255.255
isakmp key ******** address 24.xxx.xx.xxx netmask 255.255.255.255
isakmp key ******** address 24.xxx.x.xxx netmask 255.255.255.255
isakmp key ******** address 24.xxx.xxx.xxx netmask 255.255.255.255
isakmp key ******** address 63.230.147.133 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 10
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
telnet 208.65.144.0 255.255.255.255 outside
telnet 208.81.64.0 255.255.255.255 outside
telnet 10.0.0.0 255.0.0.0 inside
telnet 208.65.144.0 255.255.255.255 inside
telnet 208.81.64.0 255.255.255.255 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
management-access inside
console timeout 0
dhcpd address 10.0.102.100-10.0.102.200 inside
dhcpd dns 22.xxx.x.xx 24.xxx.xx.xx
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:d391c84f416a746cf0e31df16ab7050e
: end

Working log is below. Any ideas what may have happened to VPN and our OMA?


PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd encrypted
hostname PIXDaniels
domain-name danielsconstructioninc.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.0.0.7 Exchange
name 10.0.0.8 Web1
access-list 101 permit icmp any any
access-list 101 permit tcp any host 24.xxx.xxx.xx eq pptp
access-list 101 permit tcp any host 24.xxx.xxx.xxx eq www
access-list 101 permit tcp 64.18.0.0 255.255.240.0 host 24.xxx.xxx.xx eq smtp
access-list 101 permit tcp any host 24.xxx.xxx.xx eq https
access-list 102 permit ip 10.0.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 10.4.0.0 255.255.0.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 10.5.0.0 255.255.0.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 10.6.0.0 255.255.0.0
access-list 103 permit ip 10.0.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list 104 permit ip 10.0.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list 105 permit ip 10.0.0.0 255.255.0.0 10.4.0.0 255.255.0.0
access-list 106 permit ip 10.0.0.0 255.255.0.0 10.5.0.0 255.255.0.0
access-list 107 permit ip 10.0.0.0 255.255.0.0 10.6.0.0 255.255.0.0
access-list acl_out permit tcp 208.65.144.0 255.255.255.0 any eq smtp log
access-list acl_out permit tcp 208.81.64.0 255.255.255.0 any eq smtp log
access-list acl_out deny ip any any log
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 24.x.xx.xx 255.255.255.252
ip address inside 10.0.0.2 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.0.0.0 255.0.0.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface pptp Exchange pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp Exchange smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www Web1 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https Exchange https netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 24.xxx.xxx.xx x
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set candle esp-des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 102
crypto map transam 1 set peer 24.111.168.154
crypto map transam 1 set transform-set candle
crypto map transam 2 ipsec-isakmp
crypto map transam 2 match address 103
crypto map transam 2 set peer 24.111.172.114
crypto map transam 2 set transform-set candle
crypto map transam 3 ipsec-isakmp
crypto map transam 3 match address 104
crypto map transam 3 set peer 209.180.70.70
crypto map transam 3 set transform-set candle
crypto map transam 4 ipsec-isakmp
crypto map transam 4 match address 105
crypto map transam 4 set peer 24.111.4.142
crypto map transam 4 set transform-set candle
crypto map transam 5 ipsec-isakmp
crypto map transam 5 match address 106
crypto map transam 5 set peer 63.230.147.133
crypto map transam 5 set transform-set candle
crypto map transam 6 ipsec-isakmp
crypto map transam 6 match address 107
crypto map transam 6 set peer 24.111.26.150
crypto map transam 6 set transform-set candle
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address 209.180.70.70 netmask 255.255.255.255
isakmp key ******** address 24.xxx.xxx.xxx netmask 255.255.255.255
isakmp key ******** address 24.xxx.xxx.xxx netmask 255.255.255.255
isakmp key ******** address 24.xxx.x.xxx netmask 255.255.255.255
isakmp key ******** address 24.xxx.xxx.xxx netmask 255.255.255.255
isakmp key ******** address 63.230.147.133 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 10
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 60
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 60
management-access inside
console timeout 0
dhcpd address 10.0.102.100-10.0.102.200 inside
dhcpd dns 22.xxx.x.xx 24.xxx.x.xx
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:d391c84f416a746cf0e31df16ab7050e
: end

Thank you again for your time.

Info on my situation:

Our part-time IT person moved and is not able to service us like we need. We then stopped receiving email due to our renewal with McAfee lapsing and them stopping the flow of our email through their servers. We renewed thinking that would solve the problem. We then found out that they stopped using Postini for their services and started using their own servers to filter their email. So now that we are down an IT guy I am trying to get our basic needs filled until we can find the right IT guy. So I had to reconfigure our PIX box to accept the new server addresses, which you helped me do. While I was messing with the PIX box my phone quit receiving email and our manual VPN quit working. My phone is a Droid 2 Global trying to connect to the Exchange server using ActiveSync with an SSL. At first we had an issue with this but we did the following to get it to work: secure OWA with an SSL certificate and point traffic on port 443 to the OWA website and keep all other web traffic on 80. We still had a few issues so the IT guy followed this link and finally got my Droid email working.

As much as I know about our set up is as follows:

We have a web server and Exchange server at our office behind a Cisco PIX 501. We have three satellite offices that have VPN tunnels set up to our Exchange server so they are always connected to the network. Right now my phone will not connect to the server to receive email and I cannot manually VPN to our office network, but the tunnels ARE working. The manual VPN and email on my phone seemed to quit working while we were switching over the new McAfee server addresses.

aaron

1 Answer


Looks like you just need some changes on your acl_out ACL:

access-list acl_out permit tcp host 209.165.201.1 eq smtp any

That was probably the old one, right? And these would be the added ones:

access-list acl_out permit tcp host 208.65.144.0 eq smtp any
access-list acl_out permit tcp host 208.81.64.0 eq smtp any

Change these to allow the full ranges that you mentioned:

access-list acl_out permit tcp 208.65.144.0 255.255.255.0 any eq smtp
access-list acl_out permit tcp 208.81.64.0 255.255.255.0 any eq smtp

With a quick glance through, this stuff seems extraneous:

static (inside,outside) 209.165.201.1 192.168.42.1 netmask 255.255.255.255 0 0
static (inside,outside) 208.65.144.0 24.xxx.xxx.xx netmask 255.255.255.255 0 0
telnet 208.65.144.0 255.255.255.255 outside
telnet 208.81.64.0 255.255.255.255 outside
telnet 208.65.144.0 255.255.255.255 inside
telnet 208.81.64.0 255.255.255.255 inside

And this is probably not good:

ssh 0.0.0.0 0.0.0.0 outside

Should probably be changed to match your telnet rule's management policy:

ssh 10.0.0.0 255.0.0.0 inside
Shane Madden
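An added example, not code from the question, the answer, or Cisco: a small Python checker for the two points raised here, the IP ranges in question 2 and the management-access lines the answer flags. It turns an inclusive range into PIX-style `network mask` entries (PIX ACLs take a normal subnet mask, not an IOS wildcard), evaluates an `acl_out` the way the PIX does (top down, first match wins, implicit deny at the end) against a test source address, lists which parts of a required range an ACL leaves unmatched, and reports `telnet`/`ssh` lines bound to the outside interface by how wide their source is. It goes a little beyond the thread in that it handles any range, not just the two named. `SAMPLE_CONFIG` is a constructed subset of the posted "working" config, and `24.0.0.1` is a hypothetical stand-in for the redacted outside address.

```python
import ipaddress

# The two ranges McAfee asked the poster to allow (from question 2).
REQUIRED_RANGES = [("208.65.144.0", "208.65.151.255"),
                   ("208.81.64.0", "208.81.71.255")]

# Constructed subset of the posted "working" config; 24.0.0.1 is a
# hypothetical stand-in for the redacted outside interface address.
SAMPLE_CONFIG = """\
access-list acl_out permit tcp 208.65.144.0 255.255.255.0 any eq smtp log
access-list acl_out permit tcp 208.81.64.0 255.255.255.0 any eq smtp log
access-list acl_out deny ip any any log
telnet 208.65.144.0 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.0.0.0 255.0.0.0 inside
"""


def range_to_networks(first, last):
    """Split an inclusive IPv4 range into the fewest CIDR blocks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))


def pix_acl_lines(acl_name, first, last, dst_host, port="smtp"):
    """Emit PIX 6.3 access-list entries for a sender range.

    PIX ACLs take a subnet mask (not a wildcard mask), and inbound mail is
    matched on its source, so the range goes in the source slot.
    """
    return [f"access-list {acl_name} permit tcp {net.network_address} "
            f"{net.netmask} host {dst_host} eq {port}"
            for net in range_to_networks(first, last)]


def _parse_addr(tokens, i):
    """Consume one address spec (any | host A.B.C.D | A.B.C.D MASK) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(config_text, acl_name):
    """Return (action, proto, src_net, dst_net, dst_port) per entry, in config order."""
    entries = []
    for line in config_text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[1] != acl_name:
            continue
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        if i < len(t) and t[i] == "eq":      # optional source port; skip it
            i += 2
        dst, i = _parse_addr(t, i)
        dport = t[i + 1] if i < len(t) and t[i] == "eq" else None
        entries.append((action, proto, src, dst, dport))
    return entries


def first_match(entries, src_ip, dst_ip, port="smtp", proto="tcp"):
    """Evaluate as the PIX does: top down, first match wins, implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, src, dst, dport in entries:
        if p in (proto, "ip") and s in src and d in dst and dport in (None, port):
            return action
    return "deny"


def uncovered_sources(entries, first, last, port="smtp"):
    """CIDR blocks of [first, last] that no tcp/ip permit entry's source covers."""
    remaining = range_to_networks(first, last)
    for action, proto, src, _dst, dport in entries:
        if action != "permit" or proto not in ("tcp", "ip") or dport not in (None, port):
            continue
        nxt = []
        for block in remaining:
            if block.subnet_of(src):
                continue                                  # fully covered
            if src.subnet_of(block):
                nxt.extend(block.address_exclude(src))    # partly covered
            else:
                nxt.append(block)                         # disjoint
        remaining = nxt
    return sorted(remaining)


def management_exposure(config_text):
    """telnet/ssh lines bound to 'outside', widest source first."""
    found = []
    for line in config_text.splitlines():
        t = line.split()
        if len(t) == 4 and t[0] in ("telnet", "ssh") and t[3] == "outside":
            net = ipaddress.ip_network(f"{t[1]}/{t[2]}", strict=False)
            found.append((t[0], str(net), net.num_addresses))
    return sorted(found, key=lambda f: -f[2])


if __name__ == "__main__":
    for first, last in REQUIRED_RANGES:
        print("\n".join(pix_acl_lines("acl_out", first, last, "24.0.0.1")))
    acl = parse_acl(SAMPLE_CONFIG, "acl_out")
    for first, last in REQUIRED_RANGES:
        print(first, "-", last, "not matched:",
              [str(n) for n in uncovered_sources(acl, first, last)])
    print("208.65.150.9 ->", first_match(acl, "208.65.150.9", "24.0.0.1"))
    for svc, net, n in management_exposure(SAMPLE_CONFIG):
        print(f"{svc} reachable from outside by {net} ({n} addresses)")
```

Run as is, it prints the entries the two ranges actually need (`208.65.144.0 255.255.248.0` and `208.81.64.0 255.255.248.0`, each range being a /21), shows that a `255.255.255.0` mask matches only the first /24 of each range so that a sender in, say, 208.65.150.0/24 falls through to the `deny ip any any` line, and ranks the `ssh 0.0.0.0 0.0.0.0 outside` line as reachable from every address. The generated entries use `host <outside address>` as the destination rather than `any`, which is the tighter form for a single static translation; either works with the posted `static ... smtp` line.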
  • @aaron Enter the commands I've referenced above, with `no` in front of the old ones. So, to allow the whole 208.65.144 range, run `no access-list acl_out permit tcp host 208.65.144.0 eq smtp any` to get rid of your old command, then `access-list acl_out permit tcp 208.65.144.0 255.255.255.0 eq smtp any` to enter the new configuration; it's the same process for all of the changes that I've mentioned above. – Shane Madden Aug 31 '11 at 02:39
  • Thank you for the quick answer and your help. To get rid of the static commands and telnet commands I just enter the same command with "no" in front of them? Example: `no static (inside,outside) 208.65.144.0 24.xxx.xxx.xx netmask 255.255.255.255 0 0`. Also for your last comment, how do I adjust that to fit my telnet rules? Do I need to change the subnet? Thank you for your time and sorry for the dumb questions, just trying to get our email back up after 5 days without. – aaron Aug 31 '11 at 02:51
  • @aaron Your config allows SSH from anywhere, so to change that to match how it was set up for telnet, run `no ssh 0.0.0.0 0.0.0.0 outside` then `ssh 10.0.0.0 255.0.0.0 inside`. – Shane Madden Aug 31 '11 at 03:02
  • Shane, can you tell me if these lines are OK? They just look weird to me. What is the best way to post a new PIX log, as I cannot post it in a comment? Should I post it in the original post, and how do I make it scrollable? `access-group acl_out in interface outside` `route outside 0.0.0.0 0.0.0.0 24.xxx.xxx.xx 1` – aaron Aug 31 '11 at 13:10
  • @aaron Sure, edit your question with it - you can do the code blocks by putting 4 spaces before each line. – Shane Madden Aug 31 '11 at 14:20
  • Your command changes worked perfectly. Below are the final commands I used to get it working: `no access-list acl_out` `access-list acl_out permit tcp 208.65.144.0 255.255.255.0 any eq 25 log` `access-list acl_out permit tcp 208.81.64.0 255.255.255.0 any eq 25 log` `access-list acl_out deny ip any any log` `access-group acl_out in interface outside` – aaron Aug 31 '11 at 16:26
  • Now I just have one more question. During the course of this adventure our VPN and OMA quit working. Do you have any idea what I might have changed or what I can look at to see if I can get them up and running again? Thank you for all of your help. – aaron Aug 31 '11 at 16:27
  • Looks like your VPN is PPTP to the exchange server? Probably just need to add those services to the outside interface ACL: `access-list acl_out permit tcp any host 24.x.x.x eq https` and `access-list acl_out permit tcp any host 24.x.x.x eq pptp` – Shane Madden Aug 31 '11 at 17:21
  • Shane, I tried that and it didn't seem to work, but I think you might be on the right track. I added more information to the bottom of the original question that may help. Right now my phone will not connect to the server to receive email and I cannot manually VPN to our office network, but the tunnels ARE working. The manual VPN and email on my phone seemed to quit working while we were switching over the new McAfee server addresses. – aaron Sep 02 '11 at 00:19