skeating (Member), October 16, 2015 at 6:57 am #165884
I have a Cisco PIX-515 version 6.3(4). I need to add a line to allow email from a site that uses multiple IPs on a rotating basis. I need to be able to add a XX.XXX.XXX.0/20 CIDR line into the PIX. How would I go about this? This would need to be both To and From the IP range.
Anonymous, October 18, 2015 at 8:35 am #371868
If your PIX won’t accept CIDR notation due to the age of the OS (it’s gone end-of-life), why not use an on-line IP calculator to give you the proper subnet mask for the IP you want to use?
October 19, 2015 at 4:43 am #391061
So should it be something like “access-list 110 permit any XX.XXX.XXX.0 255.255.240.0” using the subnet mask? That would be the equivalent of XX.XXX.XXX.0/20?
More specifically, should it be a line like access-list BORDER35 permit tcp host XX.XXX.XXX.0 255.255.240.0 eq smtp. I am trying to put in a line to allow the Barracuda email system to forward email to my mail server.
Anonymous, October 21, 2015 at 1:07 pm #371870
In both cases you have the mask format correct for the CIDR ref. However, your 2nd example is incomplete. If you want to allow smtp traffic from Barracuda into your environment’s mail server, then you should have your email server’s IP with ‘host’ as the second IP info block, but ‘host’ will NOT be used with the Barracuda IP, since you’re giving an address range rather than a single host address. Your statement should look more like this (internal mail server address chosen at random to illustrate):
‘access-list BORDER35 permit tcp XX.XXX.XXX.0 255.255.240.0 eq smtp host 192.168.100.7 eq smtp’ (assuming they are sending from their port 25 to your destination port 25.)
Access-lists are always written with source info first (any, or host, or range with ports if appropriate), then destination (any, or host, or range with ports if appropriate).
October 21, 2015 at 1:13 pm #391062
Thanks a lot for that information. My head was beginning to hurt trying to figure it out.
October 21, 2015 at 1:26 pm #391063
If I could trouble you with one more item, I have in the PIX a line that reads “access-list SMTP-OUT permit tcp host XX.XX.X.XXX eq smtp”. There are several like this. Is this necessary to allow outbound email, or what would they be used for? Thanks again.
Anonymous, October 22, 2015 at 1:23 pm #371871
I’m assuming that’s an ACL to explicitly allow outbound SMTP traffic to a specific destination IP, but since there isn’t a second entry (any, host or range) as I explained previously, I could be wrong. To me, that ACL is incomplete. I never used the PIX range of hardware, but ACLs are pretty much standard throughout Cisco. Have you tried looking up the IP address in any of these ACLs to see where they go? It may be that these lines were put in as part of a setup but never used, and never removed.
October 22, 2015 at 1:28 pm #391064
The IPs listed with them after host were Exchange servers past and present, and some other ones which I have not tracked down yet. I was hoping one of these was in some way the rule that allows email to go outbound from the network. What might that look like? I appreciate all the help you’re giving, for what must be Cisco 101 questions.
Anonymous, October 22, 2015 at 1:51 pm #371872
The best thing I can suggest at this point is to try reading through this reference by Cisco:
While there’s a lot of info, and some may not be applicable to your device seeing as it’s out of support (your specific OS version isn’t available at Cisco), the basics are the same as far as general access-list behavior and setup are concerned. Oh, and based on your separate thread for the Barracuda connection: your email may have stopped because of the ports being used from my example. I’d given the example with the assumption that both ends are sending and receiving through tcp port 25 (smtp). But if the sender isn’t sending from port 25, then no traffic will match the rule as used. If you don’t know for certain the source port from their end, then remove the ‘eq smtp’ bit from that ACL. See the differences in my examples:
(allows inbound traffic from barracuda, random source tcp port) ‘access-list BORDER35 permit tcp XX.XXX.XXX.0 255.255.240.0 host 192.168.100.7 eq smtp’
(allows inbound traffic from barracuda, confirmed source tcp port 25) ‘access-list BORDER35 permit tcp XX.XXX.XXX.0 255.255.240.0 eq smtp host 192.168.100.7 eq smtp’
(allows outbound traffic to barracuda, random source tcp port) ‘access-list BORDER35 permit tcp host 192.168.100.7 XX.XXX.XXX.0 255.255.240.0 eq smtp’
(allows outbound traffic to barracuda, confirmed source tcp port 25) ‘access-list BORDER35 permit tcp host 192.168.100.7 eq smtp XX.XXX.XXX.0 255.255.240.0 eq smtp’
October 23, 2015 at 5:00 am #391066
Success!!!!! Using line one of the allows inbound traffic from above (deleting the eq smtp) was the trick. I am now getting email, with the original access-list line removed. Thank you so much. Next I’ll try the outbound rule, but first I have to translate what’s there to make sure I pull the right one first. Now I know why IT people stay away from the PIX.
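Added example, not from this thread or from Cisco: a small Python helper covering the three points the answers above make, namely turning a /20 CIDR into the address-plus-mask form PIX 6.3 expects, writing the access-list line with source (and its port) before destination (and its port), and counting the address blocks in an existing line so an entry with no destination, like the SMTP-OUT line, stands out. The 203.0.112.0/20 range is a constructed stand-in for the masked XX.XXX.XXX.0/20; 192.168.100.7 is the mail-server address the answer picked at random.

```python
# Added example (not from the thread or from Cisco): PIX 6.x extended ACL helpers.
# Constructed stand-ins: 203.0.112.0/20 for the masked sender range XX.XXX.XXX.0/20;
# 192.168.100.7 is the mail-server address the answer above chose at random.
import ipaddress
import re

def cidr_to_mask(cidr):
    """'203.0.112.0/20' -> '203.0.112.0 255.255.240.0', the form PIX 6.3 accepts.

    strict=True makes a misaligned prefix (e.g. 203.0.113.0/20, which has host
    bits set) raise ValueError instead of silently matching a different block.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    return f"{net.network_address} {net.netmask}"

def endpoint(spec):
    """'any' stays 'any'; a single address becomes 'host A'; a range becomes 'A MASK'."""
    if spec == "any":
        return "any"
    net = ipaddress.ip_network(spec, strict=True)
    if net.num_addresses == 1:          # bare address or /32 -> the 'host' keyword
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"

def build_acl(name, proto, src, dst, src_port=None, dst_port=None):
    """Emit a permit line: source (and its port) always before destination (and its port).

    Leave src_port as None unless the sender's source port is confirmed; 'eq smtp'
    on the source side only matches traffic that leaves the sender from port 25.
    """
    parts = ["access-list", name, "permit", proto, endpoint(src)]
    if src_port:
        parts += ["eq", src_port]
    parts.append(endpoint(dst))
    if dst_port:
        parts += ["eq", dst_port]
    return " ".join(parts)

# One address block: 'any', 'host A', or 'A MASK'. A complete entry has exactly two.
_ADDR = re.compile(r"\bany\b|host \S+|\d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+")

def acl_endpoints(line):
    """Return the address blocks in an existing line; fewer than two means no destination."""
    return _ADDR.findall(line)
```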
Anonymous, October 25, 2015 at 6:26 am #371875
The PIX isn’t your issue, it’s your own ignorance due to lack of experience, nothing more. You’re learning. Boundary control devices work fairly much the same no matter who makes them, in that you have to define your traffic within the rules of the device in question vs the needs of your organization. The specifics are down to the OS of the device you use and the type(s) of traffic you wish to control. As for the ‘..stay away from the pix…’, since it’s not supported by Cisco any longer, that means there are no updates being provided for the OS, so any vulnerabilities which have been patched since your OS version was released, still exist in your device. You may want to consider replacing that device with something newer, and supportable. At least then you can have some guidance from the manufacturer, maybe even a training course.