Hi,
I have an Exchange 2003 front-end server sitting behind a PIX running 6.3(4).
I have a static from the front end 10.3.1.3 to an outside address.
With this config, I cannot send out emails from Exchange, though I can receive. (I added DNS to the list to see if it was an issue.) I can nslookup from the front-end server fine.
static (inside,outside) 63.110.65.246 10.3.1.135 netmask 255.255.255.255 0 0
access-list acl_out line 2 permit tcp any host 63.110.65.135 eq smtp (hitcnt=8681)
access-list acl_out line 3 permit tcp any host 63.110.65.135 eq )
access-list acl_out line 4 permit tcp any host 63.110.65.135 eq domain (hitcnt=0)
access-list acl_out line 5 permit udp any host 63.110.65.135 eq domain (hitcnt=0)
access-list acl_out line 6 permit tcp any host 63.110.65.245 eq domain (hitcnt=0)
access-list acl_out line 7 permit udp any host 63.110.65.245 eq domain (hitcnt=14921)
access-group acl_out in interface outside
It works if I add a permit ip any any on the access-list on the inside interface (which I obviously don't want to do). I tried adding smtp, which it looks like something is using (not sure if it's the Exchange server).
access-list acl_outbound line 1 permit tcp any any eq ftp (hitcnt=215)
access-list acl_outbound line 2 permit tcp any any eq ftp-data (hitcnt=0)
access-list acl_outbound line 3 permit tcp any any eq domain (hitcnt=4)
access-list acl_outbound line 4 permit udp any any eq domain (hitcnt=40043)
access-list acl_outbound line 5 permit tcp any any eq
access-list acl_outbound line 6 permit tcp any any eq https (hitcnt=3046)
access-list acl_outbound line 7 permit tcp host 10.3.1.178 any (hitcnt=23)
access-list acl_outbound line 8 permit tcp host 10.3.1.7 any (hitcnt=0)
access-list acl_outbound line 9 permit tcp host 10.3.1.121 any (hitcnt=0)
access-list acl_outbound line 10 permit tcp host 10.3.1.179 any (hitcnt=0)
access-list acl_outbound line 11 permit icmp host 10.3.1.178 any (hitcnt=0)
access-list acl_outbound line 12 permit icmp host 10.3.1.121 any (hitcnt=0)
access-list acl_outbound line 13 permit icmp host 10.3.1.48 any (hitcnt=1)
access-list acl_outbound line 14 permit ip 10.5.0.0 255.255.0.0 10.5.0.0 255.255.0.0 (hitcnt=0)
access-list acl_outbound line 15 permit ip 10.3.0.0 255.255.0.0 10.5.0.0 255.255.0.0 (hitcnt=0)
access-list acl_outbound line 16 permit ip 10.2.0.0 255.255.0.0 10.5.0.0 255.255.0.0 (hitcnt=0)
access-list acl_outbound line 17 permit ip 10.4.0.0 255.255.0.0 10.5.0.0 255.255.0.0 (hitcnt=0)
access-list acl_outbound line 18 permit tcp any any eq smtp (hitcnt=21923)
access-list acl_outbound line 19 permit ip any any (hitcnt=7423)
Question is, why won't mail go out based on the outside interface access-list? Thanks.
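To illustrate why the ACL bound to the inside interface, not the one on the outside interface, decides whether the Exchange host can open an outbound SMTP connection, here is an added first-match evaluator (not code from the post) that applies PIX access-list semantics (first matching entry wins, implicit deny at the end, real netmasks rather than wildcards) to entries constructed from the post's acl_outbound output. The MX address used as the destination is a documentation-range placeholder, and the excerpt deliberately omits the post's line 18 so the effect of adding it can be seen.

```python
import ipaddress

# Named ports as the PIX prints them in "show access-list" output.
PORTS = {"ftp-data": 20, "ftp": 21, "smtp": 25, "domain": 53, "https": 443}

def _addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D NETMASK' (PIX uses netmasks, not wildcards)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2

def parse_ace(line):
    """Parse 'access-list NAME line N permit|deny PROTO SRC DST [eq PORT] (hitcnt=...)'."""
    tokens = line.split("(")[0].split()          # drop the hitcnt suffix
    src, i = _addr(tokens, 6)
    dst, i = _addr(tokens, i)
    dport = None
    if i < len(tokens) and tokens[i] == "eq":
        if i + 1 >= len(tokens):
            raise ValueError(f"truncated ACE, no port after 'eq': {line!r}")
        dport = PORTS.get(tokens[i + 1]) or int(tokens[i + 1])
    return {"name": tokens[1], "line": int(tokens[3]), "action": tokens[4],
            "proto": tokens[5], "src": src, "dst": dst, "dport": dport}

def first_match(acl, proto, src, dst, dport=None):
    """PIX semantics: the first matching ACE wins; None means the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace
    return None

# Constructed excerpt of the post's inside-interface ACL (acl_outbound), without its SMTP line.
INSIDE_ACL = [parse_ace(l) for l in """
access-list acl_outbound line 3 permit tcp any any eq domain (hitcnt=4)
access-list acl_outbound line 4 permit udp any any eq domain (hitcnt=40043)
access-list acl_outbound line 7 permit tcp host 10.3.1.178 any (hitcnt=23)
access-list acl_outbound line 14 permit ip 10.5.0.0 255.255.0.0 10.5.0.0 255.255.0.0 (hitcnt=0)
""".strip().splitlines()]
SMTP_LINE = parse_ace("access-list acl_outbound line 18 permit tcp any any eq smtp (hitcnt=21923)")

def outbound_smtp_line(acl, src_host, mx="198.51.100.25"):
    """Line number of the permit ACE that lets src_host open TCP/25 outbound, or None (denied)."""
    ace = first_match(acl, "tcp", src_host, mx, 25)
    return ace["line"] if ace and ace["action"] == "permit" else None
```

Running `outbound_smtp_line(INSIDE_ACL, "10.3.1.135")` returns None (implicit deny), while `outbound_smtp_line(INSIDE_ACL + [SMTP_LINE], "10.3.1.135")` returns 18; the outside ACL is never consulted for a connection initiated from the inside.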