If you do not have a fronted server or you are not using OWA all you
need is 25 and 110 TCP.
Steve
-----Original Message-----
From: Pierre-Alex [mailto:[EMAIL PROTECTED]]
Sent: Sunday, September 16, 2001 8:27 AM
To: [EMAIL PROTECTED]
Subject: PIX and EXCHANGE [7:20098]
Thank you Ryan, it does make sense!
Sorry for the late reply, I was down for 3 days for upgrade.
(All my servers are now BEHIND the firewall!). I still have 1 issue
however.
My Exchange server was receiving mail but could not send any.
I finally decided to create a static mapping for the mail server
and created two conduits to let all tcp and udp traffic go through!
I would like to tighten the security (without causing much down time).
Anyone out there who has a MS Exchange 2000 Server and done this before?
...
Pierre-Alex
-----Original Message-----
From: Ryan Lecomte [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 12, 2001 3:31 PM
To: pierreg
Subject: RE: PIX -- Cannot locate the static xlate --FIXED [7:19536]
Pierre-Alex,
The global address is used for computers on the inside network to access
the outside. All of the computers on the inside will look like they are
originating from this address.
With version 6.0 you can use the outside address, not the global address
for static mappings but only for a single port to an address. Here's
more detail:
You can translate 10.1.1.13 on the inside to 102.162.86.53 port 80 on
the outside interface
You can translate 10.1.1.14 on the inside to 102.162.86.53 port 25 on
the outside interface
You can translate 10.1.1.15 on the inside to 102.162.86.53 port 53 on
the outside interface
You can't translate 10.1.1.13 and 10.1.1.14 to 102.162.86.53 and both
use port 80. Does that make sense?
You're right, before v6.0 the outside address was not useful.
Ryan
-----Original Message-----
From: pierreg [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 12, 2001 6:50 AM
To: [EMAIL PROTECTED]
Subject: RE: PIX -- Cannot locate the static xlate --FIXED [7:19536]
Thank you, I chose 102.162.86.54 and that did the trick.
Please help me understand the following two points:
1) What rational for not being able to use the same IP address for the
static mapping and the global translation IP address?
2) Can I use the IP address (outside) of the firewall to do static
mapping?
If not then:
3) What is the purpose of the outside IP address? Looks kind of a waste
to
me!
Thanks again
Pierre-Alex
----------------------
Hello,
Try This...
static (inside,outside) 102.162.86.xxx 10.1.1.13 netmask 255.255.255.255
conduit permit tcp host 102.162.86.xxx eq 80 any
You can't use the same address as your global translation 102.162.86.52
try 102.162.86.54
The first line creates the translation and the second line permits any
host to access your server on port 80.
Let me know if you have any questions.
Ryan
-----Original Message-----
From: pierreg [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 11, 2001 5:36 PM
To: [EMAIL PROTECTED]
Subject: PIX -- Cannot locate the static xlate [7:19512]
Hi all,
I have a Web server on the internal side of the firewall (10.1.1.13)
I am trying to open port 80 of the firewall to internet traffic
I get the error message: "Cannot locate the static xlate"
when I enter the command:
pixfirewall(config)# conduit 102.162.86.52 80 tcp 0
What am I doing wrong? My configs are below:
PIX Version 4.0.7
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
no failover
names
syslog output 20.3
no syslog console
interface ethernet outside 10baset
interface ethernet inside 10baset
ip address inside 10.1.1.10 255.255.255.0
ip address outside 102.162.86.53 255.255.255.128
arp timeout 14400
global 1 102.162.86.52-102.162.86.52
nat 1 0.0.0.0 0.0.0.0
age 10
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
route outside 0.0.0.0 0.0.0.0 102.162.86.1 1
timeout xlate 24:00:00 conn 12:00:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00 uauth 0:05:00
http 10.1.1.13 255.255.255.255
no snmp-server location
no snmp-server contact
telnet 10.1.1.13 255.255.255.255
mtu outside 1500
mtu inside 1500
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=20118&t=20098
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]