
Exchange 2003 front end server can't send email.


gmontano (IS-IT--Management), Aug 7, 2001
Hi,

I have an Exchange 2003 front end server sitting behind a PIX running 6.3(4).

I have a static from the front end 10.3.1.3 to an outside address.

With this config, I cannot send out emails from Exchange, though I can receive. (I added DNS to the list to see if it was an issue.) I can nslookup from the front end server fine.



static (inside,outside) 63.110.65.246 10.3.1.135 netmask 255.255.255.255 0 0

access-list acl_out line 2 permit tcp any host 63.110.65.135 eq smtp (hitcnt=8681)
access-list acl_out line 3 permit tcp any host 63.110.65.135 eq )
access-list acl_out line 4 permit tcp any host 63.110.65.135 eq domain (hitcnt=0)
access-list acl_out line 5 permit udp any host 63.110.65.135 eq domain (hitcnt=0)
access-list acl_out line 6 permit tcp any host 63.110.65.245 eq domain (hitcnt=0)
access-list acl_out line 7 permit udp any host 63.110.65.245 eq domain (hitcnt=14921)

access-group acl_out in interface outside

It works if I add a permit ip any any on the access-list on the inside interface (which I obviously don't want to do). I tried adding smtp (which it looks like something is using; not sure if it's the Exchange server).

access-list acl_outbound line 1 permit tcp any any eq ftp (hitcnt=215)
access-list acl_outbound line 2 permit tcp any any eq ftp-data (hitcnt=0)
access-list acl_outbound line 3 permit tcp any any eq domain (hitcnt=4)
access-list acl_outbound line 4 permit udp any any eq domain (hitcnt=40043)
access-list acl_outbound line 5 permit tcp any any eq
access-list acl_outbound line 6 permit tcp any any eq https (hitcnt=3046)
access-list acl_outbound line 7 permit tcp host 10.3.1.178 any (hitcnt=23)
access-list acl_outbound line 8 permit tcp host 10.3.1.7 any (hitcnt=0)
access-list acl_outbound line 9 permit tcp host 10.3.1.121 any (hitcnt=0)
access-list acl_outbound line 10 permit tcp host 10.3.1.179 any (hitcnt=0)
access-list acl_outbound line 11 permit icmp host 10.3.1.178 any (hitcnt=0)
access-list acl_outbound line 12 permit icmp host 10.3.1.121 any (hitcnt=0)
access-list acl_outbound line 13 permit icmp host 10.3.1.48 any (hitcnt=1)
access-list acl_outbound line 14 permit ip 10.5.0.0 255.255.0.0 10.5.0.0 255.255.0.0 (hitcnt=0)
access-list acl_outbound line 15 permit ip 10.3.0.0 255.255.0.0 10.5.0.0 255.255.0.0 (hitcnt=0)
access-list acl_outbound line 16 permit ip 10.2.0.0 255.255.0.0 10.5.0.0 255.255.0.0 (hitcnt=0)
access-list acl_outbound line 17 permit ip 10.4.0.0 255.255.0.0 10.5.0.0 255.255.0.0 (hitcnt=0)
access-list acl_outbound line 18 permit tcp any any eq smtp (hitcnt=21923)
access-list acl_outbound line 19 permit ip any any (hitcnt=7423)


Question is, why won't mail go out based on the outside interface access-list? Thanks.
 
I am assuming your config has a line like this....

access-group acl_outbound in interface inside

In this circumstance the access list "acl_outbound" is filtering traffic going from the "inside" interface to another interface on the PIX (probably "outside"). Your "acl_out" applies to traffic coming into your "outside" interface and moving to a higher level interface (probably "inside").

Your exchange server should only need SMTP or TCP port 25 to send emails in your "acl_outbound" access-list. It might also need DNS or UDP port 53.
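The point made above is that the PIX applies each access-list only in the direction its access-group binds it, evaluates entries top-down, and stops at the first match (with an implicit deny at the end). The following added example (not from the thread or from Cisco) is a small Python parser for the `show access-list` entry format quoted in this thread plus a first-match evaluator. It compares the catch-all entries the poster ended up with against a constructed, host-scoped replacement in which only the front end (assumed here to be 10.3.1.135, the inside address in the static) may open SMTP and DNS outbound and every other inside host is explicitly denied direct SMTP. The destination addresses are constructed documentation-range values.

```python
import ipaddress

# Port keywords as PIX prints them in "show access-list" output (subset).
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "smtp": 25, "domain": 53, "www": 80, "https": 443}


def _parse_addr(tokens, i):
    """Parse one PIX address spec at tokens[i]: 'any', 'host A.B.C.D' or 'NET MASK'.
    Returns (ip_network, index of the next unread token)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX 6.x writes a dotted subnet mask rather than a prefix length
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Parse 'access-list NAME [line N] permit|deny PROTO SRC DST [eq PORT] ...'.
    Anything after the optional 'eq PORT' (a 'log' keyword, '(hitcnt=...)') is ignored."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list entry: {line!r}")
    name, i = t[1], 2
    if t[i] == "line":          # "show access-list" numbers the entries
        i += 2
    action, proto, i = t[i], t[i + 1], i + 2
    src, i = _parse_addr(t, i)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        dport = int(p) if p.isdigit() else PORT_NAMES[p]   # KeyError on an unknown keyword
    return {"acl": name, "action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def parse_acl(text):
    return [parse_ace(l) for l in text.splitlines() if l.strip()]


def first_match(acl, proto, src_ip, dst_ip, dport):
    """PIX evaluates an access-list top-down and stops at the first matching entry;
    a packet that matches nothing hits the implicit deny at the end.
    Returns (1-based entry number or None, 'permit' | 'deny')."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, ace in enumerate(acl, start=1):
        if ace["proto"] not in ("ip", proto):
            continue
        if src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return n, ace["action"]
    return None, "deny"


FRONT_END = "10.3.1.135"   # assumed: the inside address from the thread's static

# The last two entries of the thread's acl_outbound, catch-all included.
AS_POSTED = parse_acl("""
access-list acl_outbound line 18 permit tcp any any eq smtp (hitcnt=21923)
access-list acl_outbound line 19 permit ip any any (hitcnt=7423)
""")

# Constructed least-privilege replacement: only the front end may open SMTP and DNS
# outbound; every other inside host is denied direct SMTP (and logged), so a compromised
# workstation cannot relay mail straight to the Internet. Other traffic still needs its
# own explicit entries, as the implicit deny at the end shows.
TIGHTENED = parse_acl("""
access-list acl_outbound permit tcp host 10.3.1.135 any eq smtp
access-list acl_outbound permit udp host 10.3.1.135 any eq domain
access-list acl_outbound permit tcp host 10.3.1.135 any eq domain
access-list acl_outbound deny tcp any any eq smtp log
access-list acl_outbound permit tcp any any eq https
""")

if __name__ == "__main__":
    flows = [("tcp", FRONT_END, "198.51.100.25", 25), ("udp", FRONT_END, "198.51.100.53", 53),
             ("tcp", "10.3.1.50", "198.51.100.25", 25), ("tcp", "10.3.1.50", "198.51.100.1", 80)]
    for name, acl in (("as posted", AS_POSTED), ("tightened", TIGHTENED)):
        for proto, s, d, p in flows:
            print(f"{name:10} {proto} {s} -> {d}:{p}: {first_match(acl, proto, s, d, p)}")
```

Run it and compare the two lists: under the posted entries every inside host reaches port 25 (entry 1) and anything else falls into `permit ip any any`; under the tightened list the front end's SMTP and DNS hit entries 1 and 2, a workstation's SMTP attempt stops at the deny, and an unlisted port falls through to the implicit deny.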
 
Thanks. I got that. I gave SMTP and DNS to the Exchange. Emails just sit in the Exchange queues unless I give the inside interface the permit any any.

Doesn't make sense.

The static works as I can receive emails, just can't send.
 
Are you having an exchange server in front of your PIX that sends these emails?
 
Exchange server is behind the pix, doing static from outside to inside interface.
 
Where are your front end and back end Exchange servers in relation to the PIX, though?
 
They are both behind the PIX on the inside interface. MS recommended not putting it in the DMZ due to opening ports for Active Directory etc.
 
Then you should be good... Try running "logging trap debugging" on your PIX and set up a syslog server to see what ports your server is trying to use.
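Once syslog is flowing, the useful messages are the access-group denies: each one names the source host, protocol and destination port that was dropped, which is exactly the list of permits still missing. The following added example (not from the thread or from Cisco) parses a constructed sample of PIX 6.3 syslog, in the `%PIX-4-106023` deny format as the editor understands it, summarises the denied flows per inside host and renders them as host-scoped access-list entries for review. The timestamps, addresses and the front end address 10.3.1.135 are assumed sample values.

```python
import re
from collections import Counter

# Constructed sample of what a syslog server would collect from a PIX 6.3 after
# "logging trap debugging". Message 106023 is emitted when an access-group denies a
# packet; the 302013 line is unrelated traffic that the parser should skip.
SAMPLE_SYSLOG = """\
Aug 07 2001 10:15:01: %PIX-4-106023: Deny tcp src inside:10.3.1.135/3042 dst outside:198.51.100.25/25 by access-group "acl_outbound"
Aug 07 2001 10:15:03: %PIX-4-106023: Deny tcp src inside:10.3.1.135/3043 dst outside:198.51.100.25/25 by access-group "acl_outbound"
Aug 07 2001 10:15:04: %PIX-4-106023: Deny udp src inside:10.3.1.135/1029 dst outside:198.51.100.53/53 by access-group "acl_outbound"
Aug 07 2001 10:15:09: %PIX-6-302013: Built outbound TCP connection 41 for outside:198.51.100.1/443 (198.51.100.1/443) to inside:10.3.1.178/2201 (63.110.65.246/2201)
Aug 07 2001 10:15:10: %PIX-4-106023: Deny tcp src outside:203.0.113.9/4411 dst inside:63.110.65.135/135 by access-group "acl_out"
"""

# Assumed 106023 layout: "Deny PROTO src IF:IP/PORT dst IF:IP/PORT by access-group "NAME"".
DENY_RE = re.compile(
    r"%PIX-4-106023: Deny (?P<proto>\w+) "
    r"src (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+) "
    r'by access-group "?(?P<acl>[^"\s]+)"?'
)


def denied_flows(syslog_text, acl=None):
    """Count denied flows as (src_ip, proto, dst_port); optionally only for one access-group."""
    counts = Counter()
    for line in syslog_text.splitlines():
        m = DENY_RE.search(line)
        if m is None or (acl is not None and m["acl"] != acl):
            continue
        counts[(m["sip"], m["proto"], int(m["dport"]))] += 1
    return counts


def missing_permits(syslog_text, acl, host):
    """The (proto, dst_port) pairs one inside host keeps being denied on by the given
    access-group: the candidate permits to add, each scoped to that host only."""
    pairs = {(proto, port) for (sip, proto, port) in denied_flows(syslog_text, acl) if sip == host}
    return sorted(pairs)


def suggested_aces(syslog_text, acl, host):
    """Render the missing permits as host-scoped PIX access-list entries for an admin to review;
    the port keyword map is a small subset of what PIX accepts."""
    names = {25: "smtp", 53: "domain", 443: "https"}
    return [f"access-list {acl} permit {proto} host {host} any eq {names.get(port, port)}"
            for proto, port in missing_permits(syslog_text, acl, host)]


if __name__ == "__main__":
    for flow, n in sorted(denied_flows(SAMPLE_SYSLOG).items()):
        print(f"denied {n}x: {flow}")
    for ace in suggested_aces(SAMPLE_SYSLOG, "acl_outbound", "10.3.1.135"):
        print(ace)
```

The suggested entries are deliberately scoped to the one host seen in the logs rather than `any`, so that the fix for the front end does not reopen outbound SMTP for the rest of the inside network; a deny from `acl_out` (inbound direction) is reported separately and should not be turned into an outbound permit.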
 