HELP - Routing smtp mail through PIX 515E 1

[CertifiedNut]

Hi All,
I have a real problem. In reconfiguring our network we have lost SMTP mail through our PIX. The mail server sends out mail ok through the proxy sweeper and out of the Pix, but incoming mail seems to be lost and does not appear to be getting through the pix the the rpoxy sweeper on the way back. Any one got any ideas what I have missed this time??? As always I have included a copy of the config from the PIX.

PIX Version 6.3(1)

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto shutdown

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz_int security50

enable password xxxxxxxxxxxxxx encrypted

passwd xxxxxxxxxxxxxxxxxx encrypted

hostname XXXXXXXXX

domain-name XXXXXXXX

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

object-group service group1 udp

port-object range 27950 27965

object-group service HTTPPorts tcp

port-object range

http://www www

port-object eq www

port-object eq https

port-object range 8080 8080

port-object range 81 81

access-list outside_access_in permit tcp interface outside eq smtp interface outside eq smtp

access-list outside_access_in deny icmp any any

access-list outside_access_in deny tcp any any

access-list inside_access_in permit tcp host 10.0.10.242 eq smtp any

access-list inside_access_in deny tcp any any eq domain

access-list inside_access_in permit tcp any any eq ftp

access-list inside_access_in deny tcp any any object-group HTTPPorts

access-list inside_access_in deny tcp any any eq ftp-data

access-list inside_access_in deny tcp any any eq irc

access-list inside_access_in permit tcp any any eq ldaps

access-list inside_access_in permit tcp any any eq ldap

access-list inside_access_in permit udp any any eq domain

access-list inside_access_in deny icmp any any

pager lines 24

logging on

logging timestamp

logging buffered alerts

logging trap alerts

mtu outside 1500

mtu inside 1500

mtu dmz_int 1500

ip address outside 86.54.xxx.xxx 255.255.255.xxx

ip address inside 10.0.10.252 255.255.255.0

no ip address dmz_int

ip audit info action alarm

ip audit attack action alarm

no pdm history enable

arp timeout 14400

global (outside) 10 interface

nat (inside) 10 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp interface smtp 10.0.10.242 smtp netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 10.0.10.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet 10.0.10.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxx

: end

 

[Supergrrover]

What exactly did you change?

Something that pops out immediately

access-list outside_access_in permit tcp interface outside eq smtp interface outside eq smtp

should be
access-list outside_access_in permit tcp any interface outside eq smtp


Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[CertifiedNut]

Hi Brent,

Thanks for your reply and sorry if the post looked vague. I did a rebuild over the weekend and this is the new config that I have loaded currently that has your kind addition, however, it still doesn't work.

The reference to the IP address AA.AA.AA.AA is the default gateway of my ISP and the BB.BB.BB.BB is the ip address of the PIX outside i/f. What I'm trying to acheive is to route SMTP traffic from the ISP who are delivering it targeted at our PIX outside IP (i/f) to our Mail sweeping appliance inside the network which in turns delivers it to our Exchange. The PIX needs to just forward all SMTP traffic to the appliance and in turn forward all SMTP traffic from the appliance to the ISP and on to the net.

your further help is much appreciated.

Rick

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz_int security50
enable password ????????????? encrypted
passwd ??????????????? encrypted
hostname MobilityPix
domain-name Mobility.co.uk
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
object-group service group1 udp
port-object range 27950 27965
object-group service HTTPPorts tcp
port-object range

http://www www

port-object eq www
port-object eq https
port-object range 8080 8080
port-object range 81 81
access-list inside_access_in permit tcp host 10.0.10.242 eq smtp any
access-list inside_access_in permit tcp host 10.0.10.11 any object-group HTTPPor
ts
access-list inside_access_in permit udp any any eq domain
access-list inside_access_in deny icmp any any
access-list smtp permit tcp any interface outside eq smtp
pager lines 24
logging on
logging timestamp
logging buffered alerts
logging trap alerts
mtu outside 1500
mtu inside 1500
mtu dmz_int 1500
ip address outside BB.BB.BB.BB 255.255.255.240
ip address inside 10.0.10.252 255.255.255.0
no ip address dmz_int
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (outside,inside) tcp 10.0.10.242 smtp AA.AA.AA.AA smtp netmask 255.255.255.255 0 0
static (inside,outside) AA.AA.AA.AA 10.0.10.242 netmask 255.255.255.255 0 0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 195.224.108.253 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.0.10.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxxx
: end
MobilityPix(config)#

 

[Supergrrover]

Ahhhh, Exchange uses ESMTP. The inspect SMTP rejects some of the extended commands. There are also some problems with your statics and you will need to add that ACL.

do these to your posted config

no fixup protocol smtp 25
no static (outside,inside) tcp 10.0.10.242 smtp AA.AA.AA.AA smtp netmask 255.255.255.255 0 0
no static (inside,outside) AA.AA.AA.AA 10.0.10.242 netmask 255.255.255.255 0 0
static (inside,outside) tcp BB.BB.BB.BB smtp 10.0.10.242 smtp netmask 255.255.255.255 0 0
access-list outside_access_in permit tcp any host BB.BB.BB.BB eq smtp
access-group outside_access_in in interface outside


Now save the config and clear the xlates.



Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[CertifiedNut]

Thanks for your reply. I have removed and added the lines you recommended, but still can't get mail through. i have posted the the latest config below. Can you see anything i have missed.

It all looks to be there, but for some reason it just doesn't work.

Thanks for your help

Rick

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz_int security50
enable password XXXXXXXXXXXXXXXt encrypted
passwd XXXXXXXXXXXXXXXX encrypted
hostname MobilityPix
domain-name Motability.co.uk
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
object-group service group1 udp
port-object range 27950 27965
object-group service HTTPPorts tcp
port-object range

http://www www

port-object eq www
port-object eq https
port-object range 8080 8080
port-object range 81 81
access-list inside_access_in permit tcp host 10.0.10.242 eq smtp any
access-list inside_access_in permit tcp host 10.0.10.11 any object-group HTTPPorts
access-list inside_access_in permit udp any any eq domain
access-list inside_access_in deny icmp any any
access-list smtp permit tcp any interface outside eq smtp
access-list outside_access_in permit tcp any host 86.54.76.254 eq smtp
pager lines 24
logging on
logging timestamp
logging buffered alerts
logging trap alerts
mtu outside 1500
mtu inside 1500
mtu dmz_int 1500
ip address outside BB.BB.BB.BB 255.255.255.240
ip address inside 10.0.10.252 255.255.255.0
no ip address dmz_int
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp BB.BB.BB.BB smtp 10.0.10.242 smtp netmask 255.255.2
55.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.0.10.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:fb58ae462cd5ad4ac80479b5d5fa5db2

 

[Supergrrover]

The config looks good. (I am assuming that you have masked the real IP with BB.BB.BB.BB.)

What is " rpoxy sweeper" from the first post and where is it?
Is there a reason you are restricting outbound access? Some of these might be blocking as well. Try taking that inside outbound ACL off and see if that works as well.




Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[CertifiedNut]

Thanks for all your help. The config you suggested did work, but a typo in the config of another device (a router acting as default gateway) was sending the return packets to another gateway (a remote office) .

Many thanks for your help as the original config obviously wouldn't have worked even without the default gateway typo error.

Regards

Rick

 

[Supergrrover]

No Problem. Glad it works.



Brent
Systems Engineer / Consultant
CCNP, CCSP