No inbound email to PIX515..please help!

[grinchstyle]

We currently have an exchange server sitting behind out PIX 515E and we are unable to receive email. Looking at the logs it says the following:

Outbound email works just fine.

TCP request discarded from xx.x.x.91/60772 to outside:x5.xx2.xx.xx6/25

Any help on this would be appreciated.. here is our running config. Thanks!

asdm image flash:/asdm521.bin
no asdm history enable
: Saved
:
PIX Version 7.2(1)
!
hostname hello_pix
domain-name here.net
asdm image flash:/asdm521.bin
no asdm history enable
: Saved
:
PIX Version 7.2(1)
!
hostname no_pix
domain-name here.net
names
!
interface Ethernet0
nameif outside
security-level 0
ip address xx.xx2.x4.xx6 255.255.255.240
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
nameif dmz
security-level 50
ip address 192.168.2.3 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name comsourceinc.net
access-list outside_access_in extended permit tcp any host xx.xx2.x4.xx7 eq www
access-list outside_access_in extended permit tcp any host xx.xx2.x4.xx6 eq smtp
access-list inside_nat0_outbound extended permit ip any 192.168.4.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.224
access-list outside_cryptomap extended permit ip any 192.168.4.0 255.255.255.224
access-list outside_cryptomap_1 extended permit ip any 192.168.4.0 255.255.255.224
access-list vpn1_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.224
access-list outside_cryptomap_2 extended permit ip any 192.168.4.0 255.255.255.224
access-list dmz_cryptomap extended permit ip any 192.168.4.0 255.255.255.224
access-list dmz1_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list dmz_cryptomap_1 extended permit ip any 192.168.4.0 255.255.255.224
pager lines 24
logging enable
logging list Tesst level debugging
logging list email level debugging
logging list email message 609001-609002
logging list ok message 609001-609002
logging list server message 710005
logging monitor debugging
logging trap errors
logging asdm server
logging mail debugging
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool vpn_pool 192.168.4.2-192.168.4.20
icmp permit any inside
asdm image flash:/asdm521.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 200 interface
global (outside) 300 xx.xx2.x4.xx0 netmask 255.0.0.0
global (dmz) 200 10.15.22.1-10.15.22.50 netmask 255.0.0.0
global (dmz) 300 10.12.17.11-10.12.17.51 netmask 255.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 300 192.168.1.0 255.255.255.0
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 200 192.168.2.0 255.255.255.0
static (dmz,outside) xx.xx2.x4.xx8 192.168.2.10 netmask 255.255.255.255
static (inside,outside) xx.x2.x4.xx5 192.168.1.2 netmask 255.255.255.255
static (dmz,outside) xx.xx2.x4.xx7 192.168.2.4 netmask 255.255.255.255 dns
static (inside,outside) xx.xx2.x4.xx6 192.168.1.11 netmask 255.255.255.255 dns
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x5.xx2.74.xx5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no eou allow clientless
group-policy vpn1 internal
group-policy vpn1 attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn1_splitTunnelAcl
group-policy dmz1 internal
group-policy dmz1 attributes
wins-server value 192.168.1.x1
dns-server value 192.168.1.x1
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value dmz1_splitTunnelAcl
default-domain value nowhere.local

privilege 15


class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect esmtp test
description basic
parameters
no mask-banner
match MIME filename length gt 255
log
match sender-address length gt 320
log
match cmd RCPT count gt 100
log
match body line length gt 998
log
match cmd line length gt 512
log
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect esmtp test
!
service-policy global_policy global
tftp-server inside 192.168.1.2 file
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command vpn-sessiondb
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command uauth
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command vpn-sessiondb
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
Cryptochecksum:327e72e87d94dd39f8d63adc4142c504
: end

!
interface Ethernet0
nameif outside
security-level 0
ip address xx.xx2.x4.xx6 255.255.255.240
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
nameif dmz
security-level 50
ip address 192.168.2.3 255.255.255.0
!

dns server-group DefaultDNS
domain-name xxx.net
access-list outside_access_in extended permit tcp any host xx.2xx.x4.xx7 eq www
access-list outside_access_in extended permit tcp any host xx.xx.xx.xx6 eq smtp
access-list inside_nat0_outbound extended permit ip any 192.168.4.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.224
access-list outside_cryptomap extended permit ip any 192.168.4.0 255.255.255.224
access-list outside_cryptomap_1 extended permit ip any 192.168.4.0 255.255.255.224
access-list vpn1_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.224
access-list outside_cryptomap_2 extended permit ip any 192.168.4.0 255.255.255.224
access-list dmz_cryptomap extended permit ip any 192.168.4.0 255.255.255.224
access-list dmz1_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list dmz_cryptomap_1 extended permit ip any 192.168.4.0 255.255.255.224
pager lines 24
logging enable
logging list Tesst level debugging
logging list email level debugging
logging list email message 609001-609002
logging list ok message 609001-609002
logging list server message 710005
logging monitor debugging
logging trap errors
logging asdm server
logging mail debugging
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool vpn_pool 192.168.4.2-192.168.4.20
icmp permit any inside
asdm image flash:/asdm521.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 200 interface
global (outside) 300 xx.xx2.xx.xx0 netmask 255.0.0.0
global (dmz) 200 10.15.22.1-10.15.22.50 netmask 255.0.0.0
global (dmz) 300 10.12.17.11-10.12.17.51 netmask 255.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 300 192.168.1.0 255.255.255.0
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 200 192.168.2.0 255.255.255.0
static (dmz,outside) xx.xx2.xx.xx8 192.168.2.10 netmask 255.255.255.255
static (inside,outside) xx.xx.x4.xx5 192.168.1.2 netmask 255.255.255.255
static (dmz,outside) xx.xx2.x4.xx7 192.168.2.4 netmask 255.255.255.255 dns
static (inside,outside) xx.xx2.x4.xx6 192.168.1.1x netmask 255.255.255.255 dns
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xx.2xx.xx.x5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no eou allow clientless
group-policy vpn1 internal
group-policy vpn1 attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn1_splitTunnelAcl
group-policy dmz1 internal
group-policy dmz1 attributes
wins-server value 192.168.1.x1
dns-server value 192.168.1.x1
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value dmz1_splitTunnelAcl
default-domain value xxxxx.local

policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect esmtp test
!
service-policy global_policy global
tftp-server inside 192.168.1.2 file
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command vpn-sessiondb
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command uauth
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command vpn-sessiondb
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
Cryptochecksum:327e72e87d94dd39f8d63adc4142c504
: end

 

[Supergrrover]

Your ACL is
access-list outside_access_in extended permit tcp any host xx.xx2.x4.xx7 eq www
access-list outside_access_in extended permit tcp any host xx.xx2.x4.xx6 eq smtp
but your static only doesn't match
static (dmz,outside) xx.xx2.x4.xx7 192.168.2.4 netmask 255.255.255.255 dns
Add
static (dmz,outside) tcp xx.xx2.x4.xx7 smtp 192.168.2.4 smtp netmask 255.255.255.255



Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[grinchstyle]

Thanks..I made the changes you suggested and emails are still bouncing back to the senders:

Is there a reason why the PIX would discard smtp ip packets even though the ACL specifies that it should allow them for than interface/ip?

 

[Supergrrover]

Sorry typo, your SMTP server is .xx6 not .xx7
Should be
static (dmz,outside) tcp xx.xx2.x4.xx6 smtp 192.168.2.4 smtp netmask 255.255.255.255

Also, make sure your DNS MX record reflects your external IP for the SMTP server.


Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[grinchstyle]

Thanks for all the help Superrgrover.. I forgot to mention that the Exchange server isn't sitting in the DMZ but rather, on the inside network.

I have been able to temporarily resolve my incoming mail issues by changing the public IP address on "outside" interface on the pix from xx6 to xx9. However, I still have a static NAT on the Exchange server to xx6 (as reflected by MX records). emails work fine now. It seemed as though the PIX was dropping the smtp packets because it thought the mail was destined for the security appliance (PIX515E) itself? They had the same public ip's "outside" interface and mail server (NAT-->192.168.xx.11).

Any thoughts on how I can use the same public ip for the outisde interface as well as the mail server without dropped mail?