思科PIX 501设置与迈克菲

我在这方面摆脱了我的束缚,但如果有人可以花时间来帮助我,我将不胜感激。 我们更新了我们的McAfee SaaS保护,并且正在尝试在我们的cisco pix 501中设置他们所需的IP地址,以便服务器可以通过smtp端口上的防火墙将电子邮件发送到我们的服务器。 我一整天都在忙,似乎无法得到正确的configuration。 我现在认为我有在pix不需要在那里的条目。 现在他们正在击中迈克菲的服务器,但没有到达我们的。 我想我的问题如下:

1.)我如何删除不需要的条目并input正确的条目?

2.)我如何获得图像以允许通过一串IP地址。 我需要在208.65.144.0-208.65.151.255和208.81.64.0-208.81.71.255

3.)我如何testing它,以确保它的工作?

我不介意读这些东西,如果有人能指点我一些相当容易理解的阅读材料。 以下是我们的pix框中的信息。

PIX Version 6.3(5) interface ethernet0 auto interface ethernet1 100full nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password <removed> encrypted passwd <removed> encrypted hostname PIXDaniels domain-name danielsconstructioninc.com fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol pptp 1723 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 no fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 names name 10.0.0.7 Exchange name 10.0.0.8 Web1 access-list 101 permit icmp any any access-list 101 permit tcp any host 24.xxx.xxx.xx eq pptp access-list 101 permit tcp any host 24.xxx.xxx.xx eq www access-list 101 permit tcp 64.18.0.0 255.255.240.0 host 24.xxx.xxx.xx eq smtp access-list 101 permit tcp any host 24.xxx.xxx.xx eq https access-list 102 permit ip 10.0.0.0 255.255.0.0 10.1.0.0 255.255.0.0 access-list nonat permit ip 10.0.0.0 255.255.0.0 10.1.0.0 255.255.0.0 access-list nonat permit ip 10.0.0.0 255.255.0.0 10.3.0.0 255.255.0.0 access-list nonat permit ip 10.0.0.0 255.255.0.0 10.2.0.0 255.255.0.0 access-list nonat permit ip 10.0.0.0 255.255.0.0 10.4.0.0 255.255.0.0 access-list nonat permit ip 10.0.0.0 255.255.0.0 10.5.0.0 255.255.0.0 access-list nonat permit ip 10.0.0.0 255.255.0.0 10.6.0.0 255.255.0.0 access-list 103 permit ip 10.0.0.0 255.255.0.0 10.3.0.0 255.255.0.0 access-list 104 permit ip 10.0.0.0 255.255.0.0 10.2.0.0 255.255.0.0 access-list 105 permit ip 10.0.0.0 255.255.0.0 10.4.0.0 255.255.0.0 access-list 106 permit ip 10.0.0.0 255.255.0.0 10.5.0.0 255.255.0.0 access-list 107 permit ip 10.0.0.0 255.255.0.0 10.6.0.0 255.255.0.0 access-list acl_out permit tcp host 209.165.201.1 eq smtp any access-list acl_out permit tcp host 208.65.144.0 eq smtp any access-list acl_out permit tcp host 208.81.64.0 eq smtp any pager lines 24 mtu outside 1500 mtu inside 1500 ip address outside 24.xxx.xxx.xx 255.255.255.252 ip address inside 10.0.0.2 255.255.0.0 ip audit info action alarm ip audit attack action alarm pdm location 10.0.0.0 255.0.0.0 inside pdm logging informational 100 pdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 0 access-list nonat nat (inside) 1 0.0.0.0 0.0.0.0 0 0 static (inside,outside) tcp interface pptp Exchange pptp netmask 255.255.255.255 0 0 static (inside,outside) tcp interface smtp Exchange smtp netmask 255.255.255.255 0 0 static (inside,outside) tcp interface www Web1 www netmask 255.255.255.255 0 0 static (inside,outside) tcp interface https Exchange https netmask 255.255.255.2 55 0 0 static (inside,outside) 209.165.201.1 192.168.42.1 netmask 255.255.255.255 0 0 static (inside,outside) 208.65.144.0 24.xxx.xxx.xx netmask 255.255.255.255 0 0 access-group acl_out in interface outside route outside 0.0.0.0 0.0.0.0 24.xxx.xxx.xx 1 timeout xlate 0:05:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout sip-disconnect 0:02:00 sip-invite 0:03:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server TACACS+ max-failed-attempts 3 aaa-server TACACS+ deadtime 10 aaa-server RADIUS protocol radius aaa-server RADIUS max-failed-attempts 3 aaa-server RADIUS deadtime 10 aaa-server LOCAL protocol local http server enable http 10.0.0.0 255.0.0.0 inside no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable sysopt connection permit-ipsec crypto ipsec transform-set candle esp-des esp-md5-hmac crypto map transam 1 ipsec-isakmp crypto map transam 1 match address 102 crypto map transam 1 set peer 24.xxx.xxx.xxx crypto map transam 1 set transform-set candle crypto map transam 2 ipsec-isakmp crypto map transam 2 match address 103 crypto map transam 2 set peer 24.xxx.xxx.xxx crypto map transam 2 set transform-set candle crypto map transam 3 ipsec-isakmp crypto map transam 3 match address 104 crypto map transam 3 set peer 209.180.70.70 crypto map transam 3 set transform-set candle crypto map transam 4 ipsec-isakmp crypto map transam 4 match address 105 crypto map transam 4 set peer 24xxx.x.xxx crypto map transam 4 set transform-set candle crypto map transam 5 ipsec-isakmp crypto map transam 5 match address 106 crypto map transam 5 set peer 63.230.147.133 crypto map transam 5 set transform-set candle crypto map transam 6 ipsec-isakmp crypto map transam 6 match address 107 crypto map transam 6 set peer 24.xxx.xx.xxx crypto map transam 6 set transform-set candle crypto map transam interface outside isakmp enable outside isakmp key ******** address 209.180.70.70 netmask 255.255.255.255 isakmp key ******** address 24.xxx.xxx.xxx netmask 255.255.255.255 isakmp key ******** address 24.xxx.xx.xxx netmask 255.255.255.255 isakmp key ******** address 24.xxx.x.xxx netmask 255.255.255.255 isakmp key ******** address 24.xxx.xxx.xxx netmask 255.255.255.255 isakmp key ******** address 63.230.147.133 netmask 255.255.255.255 isakmp identity address isakmp nat-traversal 10 isakmp policy 1 authentication pre-share isakmp policy 1 encryption des isakmp policy 1 hash md5 isakmp policy 1 group 2 isakmp policy 1 lifetime 86400 telnet 208.65.144.0 255.255.255.255 outside telnet 208.81.64.0 255.255.255.255 outside telnet 10.0.0.0 255.0.0.0 inside telnet 208.65.144.0 255.255.255.255 inside telnet 208.81.64.0 255.255.255.255 inside telnet timeout 60 ssh 0.0.0.0 0.0.0.0 outside ssh timeout 60 management-access inside console timeout 0 dhcpd address 10.0.102.100-10.0.102.200 inside dhcpd dns 22.xxx.x.xx 24.xxx.xx.xx dhcpd lease 3600 dhcpd ping_timeout 750 dhcpd auto_config outside terminal width 80 Cryptochecksum:d391c84f416a746cf0e31df16ab7050e : end 

工作日志如下。 任何想法可能发生在VPN和我们的OMA?


 PIX Version 6.3(5) interface ethernet0 auto interface ethernet1 100full nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password encrypted passwd encrypted hostname PIXDaniels domain-name danielsconstructioninc.com fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol pptp 1723 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 names name 10.0.0.7 Exchange name 10.0.0.8 Web1 access-list 101 permit icmp any any access-list 101 permit tcp any host 24.xxx.xxx.xx eq pptp access-list 101 permit tcp any host 24.xxx.xxx.xxx eq www access-list 101 permit tcp 64.18.0.0 255.255.240.0 host 24.xxx.xxx.xx eq smtp access-list 101 permit tcp any host 24.xxx.xxx.xx eq https access-list 102 permit ip 10.0.0.0 255.255.0.0 10.1.0.0 255.255.0.0 access-list nonat permit ip 10.0.0.0 255.255.0.0 10.1.0.0 255.255.0.0 access-list nonat permit ip 10.0.0.0 255.255.0.0 10.3.0.0 255.255.0.0 access-list nonat permit ip 10.0.0.0 255.255.0.0 10.2.0.0 255.255.0.0 access-list nonat permit ip 10.0.0.0 255.255.0.0 10.4.0.0 255.255.0.0 access-list nonat permit ip 10.0.0.0 255.255.0.0 10.5.0.0 255.255.0.0 access-list nonat permit ip 10.0.0.0 255.255.0.0 10.6.0.0 255.255.0.0 access-list 103 permit ip 10.0.0.0 255.255.0.0 10.3.0.0 255.255.0.0 access-list 104 permit ip 10.0.0.0 255.255.0.0 10.2.0.0 255.255.0.0 access-list 105 permit ip 10.0.0.0 255.255.0.0 10.4.0.0 255.255.0.0 access-list 106 permit ip 10.0.0.0 255.255.0.0 10.5.0.0 255.255.0.0 access-list 107 permit ip 10.0.0.0 255.255.0.0 10.6.0.0 255.255.0.0 access-list acl_out permit tcp 208.65.144.0 255.255.255.0 any eq smtp log access-list acl_out permit tcp 208.81.64.0 255.255.255.0 any eq smtp log access-list acl_out deny ip any any log pager lines 24 mtu outside 1500 mtu inside 1500 ip address outside 24.x.xx.xx 255.255.255.252 ip address inside 10.0.0.2 255.255.0.0 ip audit info action alarm ip audit attack action alarm pdm location 10.0.0.0 255.0.0.0 inside pdm logging informational 100 pdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 0 access-list nonat nat (inside) 1 0.0.0.0 0.0.0.0 0 0 static (inside,outside) tcp interface pptp Exchange pptp netmask 255.255.255.255 0 0 static (inside,outside) tcp interface smtp Exchange smtp netmask 255.255.255.255 0 0 static (inside,outside) tcp interface www Web1 www netmask 255.255.255.255 0 0 static (inside,outside) tcp interface https Exchange https netmask 255.255.255.2 55 0 0 access-group acl_out in interface outside route outside 0.0.0.0 0.0.0.0 24.xxx.xxx.xx x timeout xlate 0:05:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout sip-disconnect 0:02:00 sip-invite 0:03:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server TACACS+ max-failed-attempts 3 aaa-server TACACS+ deadtime 10 aaa-server RADIUS protocol radius aaa-server RADIUS max-failed-attempts 3 aaa-server RADIUS deadtime 10 aaa-server LOCAL protocol local http server enable http 10.0.0.0 255.0.0.0 inside no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable sysopt connection permit-ipsec crypto ipsec transform-set candle esp-des esp-md5-hmac crypto map transam 1 ipsec-isakmp crypto map transam 1 match address 102 crypto map transam 1 set peer 24.111.168.154 crypto map transam 1 set transform-set candle crypto map transam 2 ipsec-isakmp crypto map transam 2 match address 103 crypto map transam 2 set peer 24.111.172.114 crypto map transam 2 set transform-set candle crypto map transam 3 ipsec-isakmp crypto map transam 3 match address 104 crypto map transam 3 set peer 209.180.70.70 crypto map transam 3 set transform-set candle crypto map transam 4 ipsec-isakmp crypto map transam 4 match address 105 crypto map transam 4 set peer 24.111.4.142 crypto map transam 4 set transform-set candle crypto map transam 5 ipsec-isakmp crypto map transam 5 match address 106 crypto map transam 5 set peer 63.230.147.133 crypto map transam 5 set transform-set candle crypto map transam 6 ipsec-isakmp crypto map transam 6 match address 107 crypto map transam 6 set peer 24.111.26.150 crypto map transam 6 set transform-set candle crypto map transam interface outside isakmp enable outside isakmp key ******** address 209.180.70.70 netmask 255.255.255.255 isakmp key ******** address 24.xxx.xxx.xxx netmask 255.255.255.255 isakmp key ******** address 24.xxx.xxx.xxx netmask 255.255.255.255 isakmp key ******** address 24.xxx.x.xxx netmask 255.255.255.255 isakmp key ******** address 24.xxx.xxx.xxx netmask 255.255.255.255 isakmp key ******** address 63.230.147.133 netmask 255.255.255.255 isakmp identity address isakmp nat-traversal 10 isakmp policy 1 authentication pre-share isakmp policy 1 encryption des isakmp policy 1 hash md5 isakmp policy 1 group 2 isakmp policy 1 lifetime 86400 telnet 10.0.0.0 255.0.0.0 inside telnet timeout 60 ssh 10.0.0.0 255.0.0.0 inside ssh timeout 60 management-access inside console timeout 0 dhcpd address 10.0.102.100-10.0.102.200 inside dhcpd dns 22.xxx.x.xx 24.xxx.x.xx dhcpd lease 3600 dhcpd ping_timeout 750 dhcpd auto_config outside terminal width 80 Cryptochecksum:d391c84f416a746cf0e31df16ab7050e : end 

谢谢你的时间。

关于我的情况的信息:

我们的兼职IT人员感动,无法像我们所需要的那样服务于我们。 然后,我们停止收到电子邮件做我们的续约与迈克菲lapsing和他们停止通过他们的服务器的电子邮件stream。 我们重新思考,可以解决问题。 然后我们发现他们停止使用potsini来提供服务,并开始使用自己的服务器来过滤他们的邮件。 所以,现在我们是一个IT人,我试图让我们的基本需求得到填补,直到我们find合适的人。 所以我不得不重新configuration我们的pix框来接受你帮助我做的新的服务器地址。 虽然我搞的pix框我的手机相当接收电子邮件和我们的手动vpn退出工作。 我的手机是一个Droid 2全球性尝试连接到交换服务器使用主动同步与SSL。 起初,我们遇到了一个问题,但是我们做了以下工作:使用SSL证书安全OWA,并将端口443上的stream量指向OWA网站,并保持所有其他networkingstream量为80.我们仍然有一些问题所以IT人跟着这个链接,最后得到我的droid电子邮件工作。

就我所知,我们的设置如下:

我们有一个networking服务器和交换服务器在我们的办公室后面一个cisco pix 501.我们有(3)卫星办公室有VPN隧道build立到我们的交换服务器,所以他们总是连接到networking。 现在我的手机不能连接到服务器来接收电子邮件,我不能手动VPN到我们的办公室networking,但隧道工作。 当我们切换新的mcafee服务器地址时,手机上的手动vpn和电子邮件似乎停止工作。

看起来你只需要对你的acl_out ACL进行一些修改:

 access-list acl_out permit tcp host 209.165.201.1 eq smtp any 

那可能是旧的,对吧? 这些将是增加的:

 access-list acl_out permit tcp host 208.65.144.0 eq smtp any access-list acl_out permit tcp host 208.81.64.0 eq smtp any 

更改这些以允许您提到的完整范围:

 access-list acl_out permit tcp 208.65.144.0 255.255.255.0 any eq smtp access-list acl_out permit tcp 208.81.64.0 255.255.255.0 any eq smtp 

快速浏览一下,这东西似乎无关紧要:

 static (inside,outside) 209.165.201.1 192.168.42.1 netmask 255.255.255.255 0 0 static (inside,outside) 208.65.144.0 24.xxx.xxx.xx netmask 255.255.255.255 0 0 telnet 208.65.144.0 255.255.255.255 outside telnet 208.81.64.0 255.255.255.255 outside telnet 208.65.144.0 255.255.255.255 inside telnet 208.81.64.0 255.255.255.255 inside 

这可能不是很好:

 ssh 0.0.0.0 0.0.0.0 outside 

可能应该更改为符合您的telnet规则的pipe理策略:

 ssh 10.0.0.0 255.0.0.0 inside