思科 邮件服务器 配置,PIX/ASA 7.x和以后：在外部网络的邮件(SMTP)服务器访问配置示例...

简介

此示例配置展示如何设置Cisco PIX防火墙，来访问位于外部网络的邮件服务器。

请参阅 PIX/ASA 7.x 及更高版本：在网络内部配置示例的邮件服务器访问为了设置访问的PIX/ASA安全工具对在网络内部查找的mail/SMTP服务器。

与邮件服务器访问的参考的PIX/ASA 7.x在DMZ网络配置示例为了设置访问的PIX/ASA安全工具对在DMZ网络查找的mail/SMTP服务器。

请参阅 ASA 8.3及以上版本：在外部网络配置示例的邮件(SMTP)服务器访问关于在Cisco可适应安全工具(ASA)的相同配置的更多信息有版本8.3和以上的。

本文档没有任何特定的要求。

使用的组件

本文档中的信息基于以下软件和硬件版本：

PIX 防火墙 535

PIX 防火墙软件 7.1(1) 版

Cisco 2500 Routers

本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始(默认)配置。如果您使用的是真实网络，请确保您已经了解所有命令的潜在影响。

有关文档规则的详细信息，请参阅 Cisco 技术提示规则。

相关产品

此配置也可用于运行版本 7.x 及更高版本的自适应安全设备 (ASA)。

配置

本部分提供有关如何配置本文档所述功能的信息。

注意：请使用Cisco CLI分析器得到关于用于此部分的命令的更多信息。

网络图

本文档使用以下网络设置：

配置

本文档使用以下配置：

PIX防火墙

PIX Version 7.1(1)

!

hostname pixfirewall

enable password 8Ry2YjIyt7RRXU24 encrypted

names

!

interface Ethernet0

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet1

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet2

shutdown

no nameif

no security-level

no ip address

!

!--- Define the IP address for the inside interface.

interface Ethernet3

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.252

!

!--- Define the IP address for the outside interface.

interface Ethernet4

nameif outside

security-level 0

ip address 209.64.3.1 255.255.255.252

!

interface Ethernet5

shutdown

no nameif

no security-level

no ip address

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

pager lines 24

mtu inside 1500

mtu outside 1500

no failover

no asdm history enable

arp timeout 14400

!--- This command defines the global for the Network Address Translation !--- (NAT) statement. In this case, the two commands state that any traffic !--- from the 192.168.2.x network that passes from the inside interface (Ethernet0) !--- to the outside interface (Ethernet 1) translates into an address !--- in the range of 209.64.3.129 through 209.64.3.253 and contains a subnet !--- mask of 255.255.255.128.

global (outside) 1 209.64.3.129-209.64.3.253 netmask 255.255.255.128

!--- This command reserves the last available address (209.64.3.254) for !--- for Port Address Translation (PAT). In the previous statement, !--- each address inside that requests a connection uses one !--- of the addresses specified. If all of these addresses are in use, !--- this statement provides a failsafe to allow additional inside stations !--- to establish connections.

global (outside) 1 209.64.3.254

!--- This command indicates that all addresses in the 192.168.2.x range !--- that pass from the inside (Ethernet0) to a corresponding global !--- designation are done with NAT. !--- As outbound traffic is permitted by default on the PIX, no !--- static commands are needed.

nat (inside) 1 192.168.2.0 255.255.255.0

!--- Creates a static route for the 192.168.2.x network with 192.168.1.2. !--- The PIX forwards packets with these addresses to the router !--- at 192.168.1.2.

route inside 192.168.2.0 255.255.255.0 192.168.1.2 1

!--- Sets the default route for the PIX Firewall at 209.64.3.2.

route outside 0.0.0.0 0.0.0.0 209.64.3.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

!

class-map inspection_default

match default-inspection-traffic

!

!

!--- SMTP/ESMTP is inspected since "inspect esmtp" is included in the map.

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

Cryptochecksum:8a63de5ae2643c541a397c2de7901041

: end

路由器 A

Current configuration:

!

version 12.0

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname 2522-R4

!

enable secret 5 $1$N0F3$XE2aJhJlCbLWYloDwNvcV.

!

ip subnet-zero

!

!

!

!

!

interface Ethernet0

!--- Assigns an IP address to the inside Ethernet interface.

ip address 192.168.2.1 255.255.255.0

no ip directed-broadcast

!

interface Ethernet1

!--- Assigns an IP address to the PIX-facing interface.

ip address 192.168.1.2 255.255.255.252

no ip directed-broadcast

!

interface Serial0

no ip address

no ip directed-broadcast

shutdown

!

interface Serial1

no ip address

no ip directed-broadcast

shutdown

!

ip classless

!--- This route instructs the inside router to forward all !--- non-local packets to the PIX.

ip route 0.0.0.0 0.0.0.0 192.168.1.1

!

!

line con 0

transport input none

line aux 0

autoselect during-login

line vty 0 4

exec-timeout 5 0

password ww

login

!

end

路由器 B

Current configuration:

!

version 12.0

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname 2522-R4

!

enable secret 5 $1$N0F3$XE2aJhJlCbLWYloDwNvcV.

!

ip subnet-zero

!

!

!

!

interface Ethernet0

!--- Assigns an IP address to the PIX-facing Ethernet interface.

ip address 209.64.3.2 255.255.255.252

no ip directed-broadcast

!

interface Ethernet1

!--- Assigns an IP address to the server-facing Ethernet interface.

ip address 209.64.3.5 255.255.255.252

no ip directed-broadcast

!

interface Serial0

!--- Assigns an IP address to the Internet-facing interface.

ip address 209.64.3.9 255.255.255.252

no ip directed-broadcast

no ip mroute-cache

!

interface Serial1

no ip address

no ip directed-broadcast

!

ip classless

!--- All non-local packets are to be sent out serial 0. In this case, !--- the IP address on the other end of the serial interface is not known, !--- or you can specify it here.

ip route 0.0.0.0 0.0.0.0 serial 0

!

!--- This statement is required to direct traffic destined to the !--- 209.64.3.128 network (the PIX global pool) to the PIX to be translated !--- back to the inside addresses.

ip route 209.64.3.128 255.255.255.128 209.64.3.1

!

!

line con 0

transport input none

line aux 0

autoselect during-login

line vty 0 4

exec-timeout 5 0

password ww

login

!

end

ESMTP TLS 配置

注意：如果对电子邮件通信使用传输层安全 (TLS) 加密，则 PIX 中的 ESMTP 检查功能(默认情况下启用)将丢弃数据包。要允许在启用了 TLS 功能的情况下使用电子邮件，请禁用 ESMTP 检查功能，如此输出所示。

pix(config)#policy-map global_policy

pix(config-pmap)#class inspection_default

pix(config-pmap-c)#no inspect esmtp

pix(config-pmap-c)#exit

pix(config-pmap)#exit

当前没有可用于此配置的验证过程。

确定Cisco CLI分析程序支持显示命令。请使用CLI分析器查看show命令输出分析。

注意：使用 debug 命令之前，请参阅有关 Debug 命令的重要信息。

logging console debugging 命令将邮件导向到 PIX 控制台。如果与邮件服务器的连接有问题，请检查控制台调试消息，查找发送站和接收站的 IP 地址以便确定问题所在。

相关信息