theterranaut

Forum Replies Created

Viewing 30 posts - 1 through 30 (of 111 total)
    theterranaut
    Member
    in reply to: Some Emails are Delayed #386349

    Re: Some Emails are Delayed

    AndyJG247;261903 wrote:
    I get the impression the emails hit you and then fail from the below?

    Do you have file and/or Exchange AV on the server, and is it set up with the correct exclusions etc.?
    Have you checked basic stuff like duplex mismatches on the server/switch/firewall/router?
    What is the physical setup? Server – – switch — firewall — router etc?
    If you open an smtp connection to your server and leave it open does it drop unexpectedly?

    Yes, I have Exchange AV, but I turned it off and nothing changed. The physical setup is exactly the same as described.

    I'll check for duplex mismatches.
    What do you mean by the last question? Open an SMTP session using telnet, or something else?

    theterranaut
    Member
    in reply to: Some Emails are Delayed #386348

    Re: Some Emails are Delayed

    Sembee;261874 wrote:
    So this is INBOUND email, not OUTBOUND? It wasn’t clear from your original question.

    The error is usually caused by a networking issue, something with the router configuration, wrong default gateway, something scanning SMTP traffic which it shouldn’t be etc.

    Simon.

    YES, it's INBOUND email. Excuse me for the unclear question.
    The thing that confuses me is that this happens with some inbound emails, not with all of them.

    theterranaut
    Member
    in reply to: Some Emails are Delayed #386347

    Re: Some Emails are Delayed

    Hi. This is the qmail-send program at yahoo.com.
    I’m afraid I wasn’t able to deliver your message to the following addresses.
    This is a permanent error; I’ve given up. Sorry it didn’t work out.

    < [email protected]>:
    Connected to my.public.ip but connection died. (#4.4.2)
    I’m not going to try again; this message has been in the queue too long.

    This is the message returned to Yahoo.

    theterranaut
    Member
    in reply to: Some Emails are Delayed #386346

    Re: Some Emails are Delayed

    ,”220 mail.mydomain.com Microsoft ESMTP MAIL Service ready at Thu, 19 Jul 2012 03:07:55 +0300″,
    < ,HELO omp1051.mail.bf1.yahoo.com,
    >,250 mail.mydomain.com Hello [98.139.212.242],
    < ,MAIL FROM:,
    *,08CF2E681009D6D7;2012-07-19T00:07:55.809Z;1,receiving message
    >,250 2.1.0 Sender OK,
    < ,RCPT TO:,
    >,250 2.1.5 Recipient OK,
    < ,DATA,
    >,354 Start mail input; end with .,
    -,,Remote

    This is part of the receive connector log, and plenty of messages like this appear all day long.
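The extract above is a few rows of the SMTP Receive protocol log that Exchange writes per receive connector; reading a day of it by hand to find the sessions that match Yahoo's "connection died" bounce is slow. The Python below is an added example (mine, not the poster's): it groups protocol-log rows by session-id and flags every session in which the server sent 354, no "250 2.6.0 ... Queued" reply ever followed, and the remote side then disconnected, which is the signature of a message dropped while the body was being transferred. The sample log is constructed to mirror the post's session; the connector name, the second and third sessions and all addresses are made up. Sessions that are dropped in exactly this way, paired with the sender's 4.4.2 bounce, point at the path between the two MTAs (the NAT device, or something scanning SMTP in line), as Sembee's reply suggests.

```python
import csv
import io
from collections import defaultdict

# Constructed sample, not a real log: three sessions in the Exchange 2007/2010
# SMTP Receive protocol-log layout (fields with embedded commas are quoted, as
# Exchange writes them; sessions two and three are abbreviated). Session
# ...D6D7 mirrors the post: DATA, 354, then the remote side disconnects before
# any "250 2.6.0 ... Queued" acknowledgement.
SAMPLE_LOG = """\
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2012-07-19T00:07:55.000Z,Default MAIL,08CF2E681009D6D7,0,10.0.0.5:25,98.139.212.242:38123,+,,
2012-07-19T00:07:55.001Z,Default MAIL,08CF2E681009D6D7,1,10.0.0.5:25,98.139.212.242:38123,>,"220 mail.mydomain.com Microsoft ESMTP MAIL Service ready at Thu, 19 Jul 2012 03:07:55 +0300",
2012-07-19T00:07:55.010Z,Default MAIL,08CF2E681009D6D7,2,10.0.0.5:25,98.139.212.242:38123,<,HELO omp1051.mail.bf1.yahoo.com,
2012-07-19T00:07:55.011Z,Default MAIL,08CF2E681009D6D7,3,10.0.0.5:25,98.139.212.242:38123,>,250 mail.mydomain.com Hello [98.139.212.242],
2012-07-19T00:07:55.020Z,Default MAIL,08CF2E681009D6D7,4,10.0.0.5:25,98.139.212.242:38123,<,MAIL FROM:<sender@example.net>,
2012-07-19T00:07:55.021Z,Default MAIL,08CF2E681009D6D7,5,10.0.0.5:25,98.139.212.242:38123,*,08CF2E681009D6D7;2012-07-19T00:07:55.809Z;1,receiving message
2012-07-19T00:07:55.022Z,Default MAIL,08CF2E681009D6D7,6,10.0.0.5:25,98.139.212.242:38123,>,250 2.1.0 Sender OK,
2012-07-19T00:07:55.030Z,Default MAIL,08CF2E681009D6D7,7,10.0.0.5:25,98.139.212.242:38123,<,RCPT TO:<user@mydomain.com>,
2012-07-19T00:07:55.031Z,Default MAIL,08CF2E681009D6D7,8,10.0.0.5:25,98.139.212.242:38123,>,250 2.1.5 Recipient OK,
2012-07-19T00:07:55.040Z,Default MAIL,08CF2E681009D6D7,9,10.0.0.5:25,98.139.212.242:38123,<,DATA,
2012-07-19T00:07:55.041Z,Default MAIL,08CF2E681009D6D7,10,10.0.0.5:25,98.139.212.242:38123,>,354 Start mail input; end with <CRLF>.<CRLF>,
2012-07-19T00:08:25.000Z,Default MAIL,08CF2E681009D6D7,11,10.0.0.5:25,98.139.212.242:38123,-,,Remote
2012-07-19T00:09:00.000Z,Default MAIL,08CF2E681009D6D8,0,10.0.0.5:25,203.0.113.9:51002,+,,
2012-07-19T00:09:00.010Z,Default MAIL,08CF2E681009D6D8,1,10.0.0.5:25,203.0.113.9:51002,<,EHLO mx.example.org,
2012-07-19T00:09:00.020Z,Default MAIL,08CF2E681009D6D8,2,10.0.0.5:25,203.0.113.9:51002,<,DATA,
2012-07-19T00:09:00.021Z,Default MAIL,08CF2E681009D6D8,3,10.0.0.5:25,203.0.113.9:51002,>,354 Start mail input; end with <CRLF>.<CRLF>,
2012-07-19T00:09:01.000Z,Default MAIL,08CF2E681009D6D8,4,10.0.0.5:25,203.0.113.9:51002,>,250 2.6.0 <abc@mx.example.org> Queued mail for delivery,
2012-07-19T00:09:01.010Z,Default MAIL,08CF2E681009D6D8,5,10.0.0.5:25,203.0.113.9:51002,<,QUIT,
2012-07-19T00:09:01.011Z,Default MAIL,08CF2E681009D6D8,6,10.0.0.5:25,203.0.113.9:51002,-,,Local
2012-07-19T00:10:00.000Z,Default MAIL,08CF2E681009D6D9,0,10.0.0.5:25,198.51.100.77:40001,+,,
2012-07-19T00:10:00.010Z,Default MAIL,08CF2E681009D6D9,1,10.0.0.5:25,198.51.100.77:40001,<,EHLO scanner.example.com,
2012-07-19T00:10:00.020Z,Default MAIL,08CF2E681009D6D9,2,10.0.0.5:25,198.51.100.77:40001,<,QUIT,
2012-07-19T00:10:00.021Z,Default MAIL,08CF2E681009D6D9,3,10.0.0.5:25,198.51.100.77:40001,-,,Remote
"""


def parse_sessions(log_text):
    """Group protocol-log rows by session-id, ordered by sequence-number."""
    sessions = defaultdict(list)
    for row in csv.reader(io.StringIO(log_text)):
        if not row or row[0].startswith("#") or len(row) < 9:
            continue  # header/comment lines and truncated rows
        _dt, _conn, session_id, seq, _local, remote, event, data, context = row[:9]
        sessions[session_id].append({"seq": int(seq), "remote": remote,
                                     "event": event, "data": data, "context": context})
    for rows in sessions.values():
        rows.sort(key=lambda r: r["seq"])
    return sessions


def classify(rows):
    """'queued' (server sent 250 2.6.0), 'dropped-in-data' (354 sent, never
    queued, remote end disconnected), 'no-message' (DATA never reached), or
    'other' (for example rejected with a 5xx, or a local disconnect)."""
    sent_354 = queued = False
    for r in rows:
        if r["event"] == ">" and r["data"].startswith("354"):
            sent_354 = True
        elif r["event"] == ">" and r["data"].startswith("250 2.6.0"):
            queued = True
    last = rows[-1]
    if queued:
        return "queued"
    if sent_354 and last["event"] == "-" and last["context"] == "Remote":
        return "dropped-in-data"
    if not sent_354:
        return "no-message"
    return "other"


def find_dropped(log_text):
    """Sessions that died while the remote MTA was sending the body, with the
    peer address and HELO/EHLO name to correlate with the sender's bounce."""
    hits = []
    for sid, rows in parse_sessions(log_text).items():
        if classify(rows) != "dropped-in-data":
            continue
        helo = next((r["data"].split(None, 1)[1] for r in rows
                     if r["event"] == "<" and r["data"].upper().startswith(("HELO ", "EHLO "))), "")
        hits.append({"session": sid, "remote": rows[0]["remote"], "helo": helo})
    return hits


if __name__ == "__main__":
    for hit in find_dropped(SAMPLE_LOG):
        print(hit)
```

On an Exchange 2010 Hub or Edge server the files to feed this live under the server's TransportRoles\Logs\ProtocolLog\SmtpReceive directory; concatenate a day's worth and count the flagged sessions per remote address to see whether the drops are tied to particular senders or happen to everyone.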

    theterranaut
    Member
    in reply to: Some Emails are Delayed #386345

    Re: Some Emails are Delayed

    Sembee;261813 wrote:
    What does the queue viewer say?
    Not enough information to go on really.

    Do you have a static IP address with everything setup correctly? PTR on the address, valid host name.

    Simon.

    There is nothing in the queue viewer. The server has a static private address which is NATed to our static public IP, and it has a valid host name and PTR.

    theterranaut
    Member
    in reply to: Anybody worked on Cisco ASA ? #285890

    Re: Anybody worked on Cisco ASA ?

    Brian-

    The sad fact is that Cisco get slated (improperly, IMHO) in the firewall communities for a lack of GUI-ness, and had for some time been promising a ‘proper’ GUI that would make Checkpoint guys feel at home and want to migrate.

    ASDM is it.

    The company I work for specialise in Checkpoint->PIX ‘wins’ or migrations, and this is something that Cisco give us a lot of time and help to do. There’s no way, in the timescales involved, that I can teach these admin guys the rudiments of the CLI for the PIX- they need that comforting ‘clicking on stuff’ to get them acclimatised. It’s very important, politically, for Cisco that the ASDM is adopted and used. Us old-timers can use the CLI (I use nothing else for config and troubleshooting), but even the current exam literature makes great bones of ASDM- so it’s here to stay.

    I agree with what you say, and in helping out on these forums there’s no way I could describe a ‘click on this, click on that’ scenario (as some of the MS forums seem to deal in solely!)- so all of my help is geared towards a CLI-based approach, and hopefully this teaches some of the forumites the underlying PIX principles. FWIW, at least the ASDM does not break configs when used, as PDM did. I could never trust it, and always left it installed with a note of caution for their admins: at least I now know that ASDM will not wreck my configs!

    see you around-

    theterranaut

    theterranaut
    Member
    in reply to: Vlan Trouble #285889

    Re: Vlan Trouble

    Thanks for correcting me, Brian. I had assumed that these things were ‘budget’ devices, but it sounds like they are quite hefty, yes? The price tag makes me suspicious! However, Cisco say:

    • 32 Gbps forwarding bandwidth

    • Forwarding rate based on 64-byte packets: 38.7 Mpps (Cisco Catalyst 3560G-48TS and Catalyst 3560G-48PS, and Cisco Catalyst 3560G-24TS and Catalyst 3560G-24PS); 13.1 Mpps (Cisco Catalyst 3560-48TS and Catalyst 3560-48PS); and 6.5 Mpps (Cisco Catalyst 3560-24TS and Catalyst 3560-24PS)

    • 128 MB DRAM

    • 32 MB Flash memory (Cisco Catalyst 3560G-24TS, Catalyst 3560G-24PS, Cisco Catalyst 3560G-48TS, Catalyst 3560G-48PS, Catalyst 3560-24TS, and Catalyst 3560-48TS); and 16-MB Flash memory (Cisco Catalyst 3560-48PS and Catalyst 3560-24PS)

    • Configurable up to 12,000 MAC addresses

    • Configurable up to 11,000 unicast routes

    • Configurable up to 1000 IGMP groups and multicast routes

    • Configurable maximum transmission unit (MTU) of up to 9000 bytes, with a maximum Ethernet frame size of 9018 bytes (Jumbo frames), for bridging on Gigabit Ethernet ports, and up to 1546 bytes for bridging of Multiprotocol Label Switching (MPLS) tagged frames on 10/100 ports

    So, even the basic model can do over 6Mpps- not too shabby! As you say, it’s per-packet for the routing, so there shouldn’t be an enormous hit. I can see the need for these units from Cisco’s standpoint; I’ve just been configuring some chassis-based 3Com units (7000 series) which offer a fairly incredible backplane, advanced routing, every feature under the sun- and at approximately 1/3rd to half the price of the equivalent Cisco unit. I’ll have 2!

    re: non-16 bit nets. You’re right, they can get messy in the wrong hands, and constraining broadcast domains is never a bad idea. I stand corrected on this, and should have suggested a slightly larger mask for our friend’s needs instead of choosing the next biggest ‘private’ network for him.
    As I said, “this is becoming a design issue”!!
    However- I still maintain that our friend needs to look carefully at placement and grouping, and not count overly on switching speed to get him out of it!

    regards

    theterranaut

    BTW: good having you around here!

    theterranaut
    Member
    in reply to: 857/877 IPsec tunnels #285888

    Re: 857/877 IPsec tunnels

    Batch processing. Those were the days! If only they had all gone away…

    theterranaut

    theterranaut
    Member
    in reply to: Vlan Trouble #285887

    Re: Vlan Trouble

    Hi Marc,

    easiest way, in that case, would just be to go for a 16-bit subnet for your whole internal network.
    This would (obviously) involve readdressing. So, you could choose, just for example:

    172.16.0.0/16- that’s a mask of 255.255.0.0, which would give you just shy of 65,000 possible addresses. (Bone up on RFC1918 addresses if you are not sure about this.)

    As for apps timing out- could be your topology, but it’s difficult to say for sure. This is really becoming a design question.

    HTH

    theterranaut

    theterranaut
    Member
    in reply to: extended Ping #285886

    Re: extended Ping

    Hi Boaz,

    from when I use it, I find operation is largely automatic, in that the device prompts you for next steps.

    Why not just write some small keypress macros that you can fire at the console when you’re in it? Would be very easy.

    regards

    theterranaut

    theterranaut
    Member
    in reply to: Vlan Trouble #285885

    Re: Vlan Trouble

    Hi Marc,
    without a detailed look at your topology- yes, it probably will break things!

    I’d create another, separate VLAN on your core switch (VTP Master) and have this as your ‘new’ VLAN. You’ve just got to choose another set of private addresses.
    Best not to muck about with the current arrangement until the full ramifications are known (if it ain’t broke…), and this way, you get to do testing beforehand. Always a bonus.

    Bear in mind that dividing up your network into a ‘separate VLAN per identity’ topology might not be the most efficient way to do things. These switches will have to ROUTE every packet that originates on a server but is destined for a workstation instead of SWITCHING them. So, have a think about placement before you rush in. File servers, for example, might take an adverse hit on performance.

    If you do it, you’ll also have to set up DHCP forwarding- which I *think* 3560s can do, but will check.

    regards

    theterranaut

    theterranaut
    Member
    in reply to: PIX506e : #285884

    Re: PIX506e :

    You and me both, Andy, you and me both…:(

    theterranaut

    theterranaut
    Member
    in reply to: 857/877 IPsec tunnels #285883

    Re: 857/877 IPsec tunnels

    Hi Dave,

    do you mean that the tunnel(s) are only going to be in operation for a brief point during the day?

    regards

    TT

    theterranaut
    Member
    in reply to: Pix—> Isa Server ——-> Exchange 2003 #285882

    Re: Pix—> Isa Server ——-> Exchange 2003

    Hi again,

    yes, I like it, it seems pretty stable, easy to configure, seems to be rated by at least some 3rd party security labs, and is finally available in ‘hardware’ models.

    regards

    theterranaut

    theterranaut
    Member
    in reply to: Pix—> Isa Server ——-> Exchange 2003 #285881

    Re: Pix—> Isa Server ——-> Exchange 2003

    Hello Ferandres, happy holidays to you as well.

    In theory, as you have the PIX working, all you should need to get working now is ISA. As you’ve already indicated, this will be ISA in “2-leg” mode- a NIC for each network. Obviously, ISA’s ‘outside’ net will be the same as the ‘inside’ for your PIX, and ISA’s ‘inside’ will be your internal LAN. This will mean reconfiguring your PIX back similarly to the way you had it initially- and that there really are 3 networks involved in this:

    -your ‘outside’ PUBLIC IP addresses (on the PIX’s outside)
    -your ‘middle’ network (private addresses, on the inside of the PIX AND outside of ISA)
    -your ‘inside’ LAN (private addresses, on the inside of ISA)

    The tricky parts to remember will be:

    -whatever IP address you use on the ‘middle’ for the PIX’s ‘static’ statement for SMTP in will be used by ISA to forward SMTP in to the ‘inside’
    -whatever you use to allow Internet access from the Inside to Outside will have to go through the ‘middle’

    I would strip back ISA, rerun the setup wizards, and choose this scenario. Then, create rules to forward traffic from the ‘middle’ SMTP address to the ‘inside’ IP address, while allowing ‘inside’ access to Internet (if desired).

    Easiest way to accomplish all of this is to break it into 2 halves. Get the PIX working first with ‘outside’ and ‘middle’ networks, and use telnets on appropriate ports to test. Then, get ISA up, configured, and do similar testing.

    (BTW: don’t know if anyone uses this, but Netcat is a really powerful tool for testing. For example, you could set up most of the above in a lab, no mail server needed on the inside: then run Netcat on a PC on the inside, ‘listening’ on tcp 25. Then, from a machine on the ‘outside’, telnet to the appropriate IP on 25. If you get a response, your firewall is forwarding in on 25. More info here: http://m.nu/program/util/netcat/netcat.html)

    regards

    theterranaut

    Incidentally, and please do not take this in any pejorative way to yourself- but your IT Director should really consider some proper penetration testing after this is installed. You are clearly new to the PIX, and are obviously a capable person, learning fast as you go along. But these devices protect your network from intrusion, and if there is sufficient reason for installing 2 firewalls then there is sufficient reason for making sure they are installed correctly. Advice from strangers on forums cannot be taken as gospel, and will not keep you in a job when it’s proven that an incorrect firewall install caused the network to get cracked.
    (I don’t mean to slander IT Directors with my next comment- some of my best friends are IT Directors!- but I see this happen all too often; realising that the shiny new box they’ve bought may actually need some expensive expertise to install, they shrug, hand it off to the most capable member of their team, who’s always a ‘can-doer’ who will shift heaven and earth to get it working. But what if…?)

    So: keep yourself on the right side here, and make it clear that you are no PIX pro, you are learning on the job, and that you take no responsibility for the configuration until it’s been signed off by someone else.
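The Netcat-listener test in the post above can be scripted so it is repeatable and so it separates "no connection at all" from "connected, but whatever answered is not speaking SMTP". This is an added example, not code from the original post: start_banner_listener stands in for `nc -l -p 25` on the inside host (it binds an ephemeral localhost port so it runs anywhere; on the lab box you would bind port 25), probe_smtp is the telnet-from-outside step, and interpret turns the result into the conclusion you would draw about the firewall's forwarding. Host, port and banner text are assumptions.

```python
import socket
import threading


def start_banner_listener(host="127.0.0.1", port=0, banner=b"220 lab-listener ESMTP ready\r\n"):
    """Stand-in for the mail server, like 'nc -l -p 25': accept one connection,
    send an SMTP-style greeting, answer QUIT, close. port=0 picks a free port.
    Returns (thread, bound_port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    bound_port = srv.getsockname()[1]

    def serve_one():
        conn, _peer = srv.accept()
        with conn:
            conn.settimeout(5)
            conn.sendall(banner)
            try:
                if conn.recv(256).upper().startswith(b"QUIT"):
                    conn.sendall(b"221 2.0.0 Service closing transmission channel\r\n")
            except (socket.timeout, OSError):
                pass
        srv.close()

    thread = threading.Thread(target=serve_one, daemon=True)
    thread.start()
    return thread, bound_port


def probe_smtp(host, port, timeout=5.0):
    """The 'telnet to port 25 from outside' test, done programmatically.
    Returns the first line the far end sends, or None if the connection was
    refused, timed out, or closed without a greeting."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            buf = b""
            while b"\n" not in buf and len(buf) < 4096:
                chunk = s.recv(512)
                if not chunk:
                    return None          # closed before any greeting
                buf += chunk
            try:
                s.sendall(b"QUIT\r\n")   # be polite to a real MTA
            except OSError:
                pass
            return buf.split(b"\n", 1)[0].rstrip(b"\r").decode("ascii", "replace")
    except (OSError, socket.timeout):
        return None


def interpret(banner):
    """What the probe result says about the firewall and the listener."""
    if banner is None:
        return "no greeting: port not forwarded, filtered, or nothing listening inside"
    if banner.startswith("220"):
        return "forwarded: an SMTP-speaking listener answered"
    return "forwarded, but the listener is not speaking SMTP: " + banner


def free_tcp_port(host="127.0.0.1"):
    """A port nothing is listening on, for the negative case."""
    with socket.socket() as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Lab run against the stand-in listener. For the real test, run the
    # listener on the inside host and probe the PIX's outside address on 25
    # from a machine on the internet side.
    thread, port = start_banner_listener()
    print(interpret(probe_smtp("127.0.0.1", port)))
    thread.join(5)
```

A "no greeting" result with the listener confirmed up on the inside means the static/access-list pair on the PIX (or the ISA publishing rule) is not doing its job; a greeting that is not "220 ..." means something other than your mail server is answering on that address, which is worth knowing before you point MX at it.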

    theterranaut
    Member
    in reply to: Vlan Trouble #285880

    Re: Vlan Trouble

    Indeed. From Cisco.com:

    “The Cisco Catalyst 3560 is available with either the standard multilayer software image (SMI) or the enhanced multilayer software image (EMI). The SMI feature set includes advanced QoS, rate-limiting, ACLs, and basic routing functionality. The EMI provides a richer set of enterprise-class features, including advanced hardware-based IP unicast and IP Multicast routing as well as policy-based routing (PBR).”

    regards

    theterranaut

    theterranaut
    Member
    in reply to: Pix—> Isa Server ——-> Exchange 2003 #285879

    Re: Pix—> Isa Server ——-> Exchange 2003

    I see.

    So- ISA is not involved in this network at this point? You’ve removed it?
    (Sorry, but if you have, it’s not clear from your posts.)

    If it is out, unless there’s a compelling reason for leaving it in, I wouldn’t bother putting it back. Is there some reason why you want 2 firewalls?

    regards

    theterranaut

    theterranaut
    Member
    in reply to: Pix—> Isa Server ——-> Exchange 2003 #285878

    Re: Pix—> Isa Server ——-> Exchange 2003

    Right. In that case, your internal network setup looks good, and there’s some external factor that’s the problem. The first thing I would check is:
    -What’s the MX for your mail server?

    (Do you know how to check this?)

    regards

    theterranaut

    theterranaut
    Member
    in reply to: Pix—> Isa Server ——-> Exchange 2003 #285877

    Re: Pix—> Isa Server ——-> Exchange 2003

    Here’s some stuff to check:

    -the earlier telnet test? What was the IP you telnetted to? Was it 192.168.1.2? Or something else?
    Can you confirm this please?

    -Can you telnet from the ‘outside world’ on port 25?

    regards

    theterranaut

    theterranaut
    Member
    in reply to: How to make a backup to a Cisco Router #285876

    Re: How to make a backup to a Cisco Router

    All DD’s work, can’t take any credit, but thanks anyway-

    regards

    TT

    theterranaut
    Member
    in reply to: snmp arp table #285875

    Re: snmp arp table

    Hello Huseyin, how are things?

    Haven’t a clue, pal, but here’s what my friend Google says:

    http://lists.sans.org/pipermail/unisog/2004-January/022697.html

    This bit of info needs snmpwalk: http://www.mkssoftware.com/docs/man1/snmpwalk.1.asp

    regards

    theterranaut
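Following up the snmpwalk pointer: the ARP cache on a router is exposed as ipNetToMediaPhysAddress (OID 1.3.6.1.2.1.4.22.1.2, from the standard IP-MIB), indexed by ifIndex and IP address, so a walk of that subtree is the whole table. This is an added example, not from the post: the parser below reads snmpwalk output in either numeric or MIB-name form and either MAC rendering net-snmp produces, normalises the MACs, and lists IPs that share one MAC, which is normal for a NAT box or a router's secondary address and worth a look otherwise (proxy ARP, or someone answering for addresses that are not theirs). The sample output is constructed; a real walk such as `snmpwalk -v2c -c <community> <router> 1.3.6.1.2.1.4.22.1.2` adds one line per cache entry.

```python
import re
from collections import defaultdict

# ipNetToMediaPhysAddress (IP-MIB), indexed by ifIndex.ipAddress.
_ARP_OID = "1.3.6.1.2.1.4.22.1.2"
_LINE = re.compile(
    r"^(?:IP-MIB::ipNetToMediaPhysAddress|\.?" + re.escape(_ARP_OID) + r")"
    r"\.(?P<ifindex>\d+)\.(?P<ip>\d+\.\d+\.\d+\.\d+)\s*=\s*"
    r"(?P<type>Hex-STRING|STRING):\s*(?P<val>.*?)\s*$")

# Constructed sample of snmpwalk output (assumption: net-snmp style), mixing
# numeric (-On) and MIB-name lines and both ways a MAC gets rendered.
SAMPLE_WALK = """\
.1.3.6.1.2.1.4.22.1.2.2.10.0.0.1 = Hex-STRING: 00 1C 73 AB CD 01
.1.3.6.1.2.1.4.22.1.2.2.10.0.0.25 = Hex-STRING: 00 50 56 9A 12 34
IP-MIB::ipNetToMediaPhysAddress.3.192.168.1.7 = STRING: 0:c:29:5e:7f:10
IP-MIB::ipNetToMediaPhysAddress.3.192.168.1.200 = STRING: 0:c:29:5e:7f:10
IP-MIB::ipNetToMediaPhysAddress.3.192.168.1.254 = Hex-STRING: 00 1C 73 AB CD 02
IP-MIB::ipNetToMediaType.3.192.168.1.254 = INTEGER: dynamic(3)
"""


def normalise_mac(value):
    """'00 1C 73 AB CD 01' or '0:c:29:5e:7f:10' -> '00:1c:73:ab:cd:01'."""
    parts = re.split(r"[\s:]+", value.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{1,2}", p) for p in parts):
        raise ValueError("not a MAC address: %r" % value)
    return ":".join(p.lower().zfill(2) for p in parts)


def parse_arp_walk(text):
    """[(ifindex, ip, mac)] from snmpwalk output; unrelated lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            entries.append((int(m["ifindex"]), m["ip"], normalise_mac(m["val"])))
    return entries


def shared_macs(entries):
    """MAC -> list of IPs for every MAC that answers for more than one IP."""
    by_mac = defaultdict(list)
    for _ifindex, ip, mac in entries:
        by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    table = parse_arp_walk(SAMPLE_WALK)
    for ifindex, ip, mac in table:
        print(f"if{ifindex}  {ip:<16} {mac}")
    print("shared:", shared_macs(table))
```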

    theterranaut
    Member
    in reply to: Pix—> Isa Server ——-> Exchange 2003 #285874

    Re: Pix—> Isa Server ——-> Exchange 2003

    I see.

    OK:

    The IP address you used when you tried the telnet test I asked you to do earlier? That one is what I’m calling “YOUR MAIL ADDRESS”
    Your external IP address is the outside IP of your PIX.

    So:

    -If you used IP address 172.16.32.20 on the telnet test
    -And your external IP address is 200.200.200.1

    Your command is:

    -static (inside,outside) tcp 200.200.200.1 25 172.16.32.20 25 netmask 255.255.255.255 0 0

    You see, you are (I think; you haven’t confirmed yet) doing ‘double NAT’. Both your PIX and ISA are NATing. Which is wasteful and unnecessary, but will work. The PIX is (from the perspective of the internet) the first NATing device, ISA is the second.

    regards

    TT

    BTW- how are you conducting this test?

    theterranaut
    Member
    in reply to: Pix—> Isa Server ——-> Exchange 2003 #285873

    Re: Pix—> Isa Server ——-> Exchange 2003

    Good stuff. Now, what address did you use to telnet to? This is the address that needs to be added into the ‘static’ statement. Lets call this ‘your mail address’ for now.

    Try this:

    -static (inside,outside) tcp (your external IP address) 25 (your mail address) 25 netmask 255.255.255.255 0 0

    -no fixup protocol smtp 25

    (This disables the PIX interfering with SMTP.)

    Your access lists are:

    access-list ac_out permit tcp any interface outside eq smtp
    access-list ac_out permit tcp any host 200.XXX.XXX.XX3 eq smtp

    These should be okay.

    regards

    theterranaut

    I ask again- is this a ‘production’ device?

    theterranaut
    Member
    in reply to: Pix—> Isa Server ——-> Exchange 2003 #285872

    Re: Pix—> Isa Server ——-> Exchange 2003

    OK. First thing: is this ISA doing NAT? If not, why do you need it at all?

    Secondly: if you connect a machine addressed with a 172.x address from your range, can you telnet to the Exchange box on port 25?

    ie:

    -set machine up on 172.16.32.5
    -can you telnet on port 25 to the address that ISA is ‘presenting’ the Exchange server on?

    regards

    Thirdly: I have to ask- is this a business-critical installation, or just something you are trying out in a lab?

    theterranaut

    theterranaut
    Member
    in reply to: Pix—> Isa Server ——-> Exchange 2003 #285871

    Re: Pix—> Isa Server ——-> Exchange 2003

    Hi Ferandres,

    firstly, have a read here at one of my earlier posts: http://forums.petri.com/showthread.php?t=11619

    I think all that you are lacking is the correct ‘static’ and ‘access-list’ needed for translating your external mail address into your internal mail address.

    Incidentally, what is ISA doing in all of this? Is it natting? Is this configured correctly?
    What does your 192.x address lead to?

    You said:

    PIX
    OUTSIDE: 200.XXX.XXX.XX3
    INSIDE: 172.16.32.1

    ISA
    NIC1: 172.16.32.2
    NIC2:192.168.1.2

    EXCHANGE:
    NIC1:172.16.32.5

    So, this means Exchange is on the same subnet as the PIX’s inside subnet. I can’t see how ISA would firewall in this scenario. Is it being used for some sort of front end solution for Exchange?

    regards

    theterranaut

    theterranaut
    Member
    in reply to: How to make a backup to a Cisco Router #285870

    Re: How to make a backup to a Cisco Router

    Hello Billy,

    (David, if you dont mind I’ll help on this one.)

    Billy, there are 2 main types of files from a router that you may want to back up.

    The first of these is the configuration: the details you supply to get the router to do what you want.

    The second of these is the operating system file: the IOS.

    You said:


    Running the command “copy running-config tftp” she created a file with no extension and Type: File, 3KB

    but when running

    “copy flash:c3725-ik9o3s-mz.122.14.T1.bin” she created a c3725-ik9o3s-mz.122.14.T1.bin file, Type: Bin, 17,852Kb

    Do these 2 files contain the same information? One is big and the other is very small



    The first file you backed up was the config file. It is, as you say, very small. Just rename the file, add a ‘.txt’ extension, and it should be readable.

    The second file you backed up was the IOS. It’s much bigger.

    FWIW- IOS is stored in ‘flash’ memory, config is stored in NVRAM (usually!)

    You also said:



    Note: I read other method using a terminal emulation program to backup a configuration using a command terminal length 0 / Transfer > Capture Text / Start ……….

    This method created a text file that I call config.txt of 3Kb

    Now I have a lot of backup files but I do not know if all are the same, and if not, which one to use to restore my router configuration



    That’s another way to back up your config. It works- but in practice, you are far better off with David’s method. The main reason for this is: any ‘secret’ passwords, keys, etc. survive tftp transfer in a readable form (mostly: this, I gather, is changing!), so tftp is the way to go: but also keep a separate file with your secret stuff (enable passwords, any crypto info, etc.) elsewhere.

    BTW- if you go back and read David’s article, you’ll see he covers all of this, and describes exactly what is being backed up.

    regards

    theterranaut
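The point about secrets surviving a TFTP backup in readable form deserves a check you can run on the file before it goes into the backup store. The Python below is an added example (not David's or the poster's): decode_type7 reverses IOS type 7 strings, which `service password-encryption` produces and which are obfuscation rather than encryption, so anyone who obtains the backup has the password; find_secrets walks a saved config and lists every credential in it, plaintext or reversible; redact produces the copy you keep with the routine backups, with the credential tokens removed so they can be held separately, which is what the post advises. The sample config is constructed, and the type 5 value in it is a placeholder string, not a real hash.

```python
import re

# The fixed key IOS uses for "service password-encryption" (type 7). It is
# obfuscation, not encryption: whoever holds the config can reverse it.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

_TYPE7 = re.compile(r"\b(?:password|secret|key|key-string|community)\s+7\s+([0-9A-Fa-f]+)\b")
_TYPE5 = re.compile(r"\bsecret\s+5\s+(\S+)")
_SNMP = re.compile(r"^\s*snmp-server\s+community\s+(\S+)")
_ISAKMP = re.compile(r"^\s*crypto\s+isakmp\s+key\s+(?:(\d)\s+)?(\S+)\s+address\b")
_PLAIN_PW = re.compile(r"\bpassword\s+(?:0\s+)?(\S+)\s*$")

# Constructed sample config; the type 5 value is a placeholder, not a real hash.
SAMPLE_CONFIG = """\
!
version 12.2
service password-encryption
hostname lab-rtr
!
enable secret 5 $1$abcd$PLACEHOLDERNOTAREALHASH
enable password 7 0822455D0A16
!
username admin password 7 104D000A0618
username backup password 0 Summer2012
!
snmp-server community public RO
snmp-server community s3cr3tRW RW
!
crypto isakmp key MyPreSharedKey address 203.0.113.5
!
line vty 0 4
 password 7 0822455D0A16
 login
!
"""


def decode_type7(value):
    """Reverse a type 7 string, e.g. '0822455D0A16' -> 'cisco'."""
    if (len(value) < 4 or len(value) % 2 or not value[:2].isdigit()
            or not re.fullmatch(r"[0-9A-Fa-f]+", value[2:])):
        raise ValueError("not a type 7 string: %r" % value)
    seed = int(value[:2])  # first two chars: starting offset into the key
    out = bytearray()
    for n, i in enumerate(range(2, len(value), 2)):
        out.append(int(value[i:i + 2], 16) ^ _TYPE7_KEY[(seed + n) % len(_TYPE7_KEY)])
    return out.decode("ascii", "replace")


def find_secrets(config_text):
    """Every credential in a saved config: (line_no, kind, raw_token, recovered)."""
    findings = []
    for n, line in enumerate(config_text.splitlines(), 1):
        if m := _TYPE7.search(line):
            findings.append((n, "type7-reversible", m.group(1), decode_type7(m.group(1))))
        elif m := _TYPE5.search(line):
            findings.append((n, "type5-md5-hash", m.group(1), m.group(1)))
        elif m := _SNMP.search(line):
            findings.append((n, "snmp-community-plaintext", m.group(1), m.group(1)))
        elif m := _ISAKMP.search(line):
            kind = "isakmp-psk-encrypted" if m.group(1) == "6" else "isakmp-psk-plaintext"
            findings.append((n, kind, m.group(2), m.group(2)))
        elif m := _PLAIN_PW.search(line):
            findings.append((n, "password-plaintext", m.group(1), m.group(1)))
    return findings


def redact(config_text):
    """The copy to keep with routine backups: every credential token replaced."""
    lines = config_text.splitlines()
    for n, _kind, raw, _recovered in find_secrets(config_text):
        lines[n - 1] = lines[n - 1].replace(raw, "<REMOVED>", 1)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for line_no, kind, raw, recovered in find_secrets(SAMPLE_CONFIG):
        print(f"line {line_no:>3}  {kind:<26} {recovered}")
```

Type 5 (MD5 crypt) entries are reported but not reversed; they are still crackable offline, so they belong in the separate secrets file too. Run find_secrets over the TFTP copy, keep its output with the crypto material, and store the redact output with the rest of the backups.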

    theterranaut
    Member
    in reply to: PIX506e : #285869

    Re: PIX506e :

    Hello Andy,

    David’s already helping you on this one, but if no-one minds I’ll butt in :o

    (BTW- here’s a link to a post I made recently that may clarify the PIX and how it thinks of the world- http://forums.petri.com/showthread.php?t=11619

    So: here’s your config. I’ve deleted the ‘unnecessary’ parts from this.


    ip address outside 217.46.nnn.nnn 255.255.255.248
    ip address inside 192.168.71.226 255.255.255.0

    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) 217.46.nnn.nnn 192.168.71.221 netmask 255.255.255.255 0 0

    route outside 0.0.0.0 0.0.0.0 217.46.nnn.nnn 1



    As said (by David also!) the PIX by default wants to allow all traffic from its ‘more trusted’ interfaces to its ‘less trusted’ interfaces. A simple example of this is your ‘inside’ network- your local LAN- and the ‘outside’ network- the internet. By default- if the right initial rules are in place- the PIX will allow every host hanging off your LAN unrestricted internet access, because (as said) this meets the criteria of traffic flowing from ‘more trusted’ to ‘less trusted’. Cleverly, to prevent unwanted traffic coming in, it tracks what went out, makes an entry in a table, and, when the traffic returns, allows it back in.

    In your current config, all devices on your LAN are allowed out. To tie this up, you can do the following (btw- there’s more than one way to do this- I’m showing you a very basic way). I’ve put the line which needs amending in bold, and I’ve assumed that the PC you want to have unrestricted access has IP address 192.168.71.10.


    ip address outside 217.46.nnn.nnn 255.255.255.248
    ip address inside 192.168.71.226 255.255.255.0

    global (outside) 1 interface
    nat (inside) 1 192.168.71.10 255.255.255.255 0 0
    static (inside,outside) 217.46.nnn.nnn 192.168.71.221 netmask 255.255.255.255 0 0

    route outside 0.0.0.0 0.0.0.0 217.46.nnn.nnn 1



    See what we did there? The original line read:
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0

    Which means:

    ‘nat traffic originating on the inside, using pool 1 (your global statement) according to traffic which can be described as 0.0.0.0 0.0.0.0’

    This particular 0.0.0.0 0.0.0.0 is shorthand for EVERYTHING, which is why all your inside hosts can currently get internet access.

    The changed line reads:
    nat (inside) 1 192.168.71.10 255.255.255.255 0 0

    ‘nat traffic originating on the inside, using pool 1 (your global statement) according to traffic which corresponds to 192.168.71.10 255.255.255.255 ‘

    Try this and see how you get on.

    regards

    theterranaut
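To make the two halves of the PIX 6.x advice in this thread concrete (the `static` plus `access-list` pair for forwarding port 25 in, from the earlier Pix/ISA/Exchange replies, and the `nat` plus `global` pair for letting hosts out, explained just above), here is an added example in Python, not the poster's code: it parses a small constructed config and answers the two questions you ask of a PIX. Which outside address does an inside host leave as, if it can leave at all? And where does an unsolicited inbound connection to a global address land, and does the ACL bound to the outside interface permit it? 198.51.100.0/29 is RFC 5737 documentation space standing in for the masked public addresses, and the inside addresses follow the post. Source-address matching in the ACL is not modelled (the entries use `any`), overlapping nat statements are taken in config order, and `nat 0 access-list` is skipped; those are simplifications.

```python
import ipaddress

PORT_NAMES = {"smtp": 25, "www": 80, "https": 443, "ftp": 21, "ssh": 22, "domain": 53, "pop3": 110}

# Constructed PIX 6.x config in the shape of the posts: one host allowed out via
# PAT on the outside interface, a one-to-one static, a port static for SMTP,
# and the ACL applied inbound on the outside interface.
SAMPLE_CONFIG = """\
ip address outside 198.51.100.10 255.255.255.248
ip address inside 192.168.71.226 255.255.255.0
global (outside) 1 interface
nat (inside) 1 192.168.71.10 255.255.255.255 0 0
static (inside,outside) 198.51.100.11 192.168.71.221 netmask 255.255.255.255 0 0
static (inside,outside) tcp 198.51.100.12 25 192.168.71.5 25 netmask 255.255.255.255 0 0
access-list ac_out permit tcp any host 198.51.100.12 eq smtp
access-list ac_out permit tcp any host 198.51.100.11 eq www
access-group ac_out in interface outside
"""


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _addr_spec(tok, i):
    """Consume one ACL address spec: any | host A | interface NAME | A MASK."""
    if tok[i] == "any":
        return ("any", None), i + 1
    if tok[i] in ("host", "interface"):
        return (tok[i], tok[i + 1]), i + 2
    return ("net", ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False)), i + 2


def parse_pix(text):
    cfg = {"if_ip": {}, "globals": {}, "nats": [], "statics": [], "acls": {}, "groups": {}}
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[:2] == ["ip", "address"]:                        # ip address NAME A MASK
            cfg["if_ip"][tok[2]] = tok[3]
        elif tok[0] == "global":                                # global (IF) POOL interface|A
            cfg["globals"][int(tok[2])] = (tok[1].strip("()"), tok[3])
        elif tok[0] == "nat" and tok[3] != "access-list":       # nat (IF) POOL A MASK ...
            net = ipaddress.ip_network(f"{tok[3]}/{tok[4]}", strict=False)
            cfg["nats"].append((tok[1].strip("()"), int(tok[2]), net))
        elif tok[0] == "static":
            if tok[2] in ("tcp", "udp"):                        # static (in,out) PROTO GIP GPORT LIP LPORT
                cfg["statics"].append({"proto": tok[2], "gip": tok[3], "gport": _port(tok[4]),
                                       "lip": tok[5], "lport": _port(tok[6])})
            else:                                               # static (in,out) GIP LIP
                cfg["statics"].append({"proto": None, "gip": tok[2], "gport": None,
                                       "lip": tok[3], "lport": None})
        elif tok[0] == "access-list" and tok[2] == "permit":
            src, i = _addr_spec(tok, 4)
            dst, i = _addr_spec(tok, i)
            port = _port(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
            cfg["acls"].setdefault(tok[1], []).append({"proto": tok[3], "src": src, "dst": dst, "port": port})
        elif tok[0] == "access-group":                          # access-group NAME in interface IF
            cfg["groups"][tok[4]] = tok[1]
    return cfg


def _matches(spec, cfg, ip):
    kind, val = spec
    if kind == "any":
        return True
    if kind == "host":
        return val == ip
    if kind == "interface":
        return cfg["if_ip"].get(val) == ip
    return ipaddress.ip_address(ip) in val


def outbound_translation(cfg, inside_ip):
    """What an inside host becomes when it opens a connection outwards. A
    one-to-one static wins; else the first nat statement covering the host
    selects the global pool; no match means the PIX will not pass it."""
    ip = ipaddress.ip_address(inside_ip)
    for s in cfg["statics"]:
        if s["proto"] is None and s["lip"] == inside_ip:
            return ("static", s["gip"])
    for iface, pool, net in cfg["nats"]:
        if iface == "inside" and ip in net:
            if pool == 0:
                return ("identity", inside_ip)          # nat 0: no translation
            g_iface, g_addr = cfg["globals"][pool]
            return ("pool", cfg["if_ip"][g_iface] if g_addr == "interface" else g_addr)
    return None


def inbound_target(cfg, global_ip, proto, port):
    """Where an unsolicited connection from outside to global_ip:port lands and
    whether the ACL bound to 'outside' permits it. Both are needed."""
    target = None
    for s in cfg["statics"]:
        if s["gip"] != global_ip:
            continue
        if s["proto"] is None:
            target = (s["lip"], port)
            break
        if s["proto"] == proto and s["gport"] == port:
            target = (s["lip"], s["lport"])
            break
    if target is None:
        return None                                     # nothing to translate to
    acl = cfg["acls"].get(cfg["groups"].get("outside"), [])
    permitted = any(e["proto"] in (proto, "ip") and _matches(e["dst"], cfg, global_ip)
                    and e["port"] in (None, port) for e in acl)
    return {"local_ip": target[0], "local_port": target[1], "permitted": permitted}
```

With the original `nat (inside) 1 0.0.0.0 0.0.0.0` line, outbound_translation answers ("pool", outside address) for every inside host; with the post's `192.168.71.10 255.255.255.255` line it answers None for everything except that PC, which is exactly the change described above. On the inbound side the example shows why both statements are needed: 198.51.100.11 has a static, but with no ACL entry for port 25 the SMTP connection is translated and then dropped.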

    theterranaut
    Member
    in reply to: How to get ADSL dsl thru Cisco 2501 serial ports. #285868

    Re: How to get ADSL dsl thru Cisco 2501 serial ports.

    No problem, good that you got there in the end!

    regards

    theterranaut

    theterranaut
    Member
    in reply to: How to get ADSL dsl thru Cisco 2501 serial ports. #285867

    Re: How to get ADSL dsl thru Cisco 2501 serial ports.

    Thanks.

    I may be misunderstanding your post, but do you mean that all is working now?

    regards

    theterranaut

    theterranaut
    Member
    in reply to: CISCO PIX515 and email (exchange) forwarding #285866

    Re: CISCO PIX515 and email (exchange) forwarding

    chief007;49182 wrote:
    Hurrah! Success!

    The only thing is that

    access-list smtp_in permit tcp any interface outside eq 25 didn’t work so I used

    access-list smtp_in permit tcp any host d.e.f.122 eq 25 instead

    And now I’m getting external mail and the internet is still up!

    Many Thanks!

    Oops! Typo’d that one, Chief. Sorry about that. Still, you triumphed over my inability to cut and paste correctly!

    Note that the last section- forwarding port 25 in- can be replicated for any port/internal IP address. So you could run an internal web server, for example, or similar. Doing this and running your internal-to-internet traffic is using Policy NAT and PAT (port address translation) which, in theory, means you’ve circa 60,000 possible connections you can play with. In practice it’s far less, but you should still be okay as long as you don’t have several hundred internal users.

    all the best,

    theterranaut
