Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Odd problem after 7.2.(1) Upgrade

Status
Not open for further replies.

aisdale

Technical User
Aug 7, 2006
19
ZA
I upgraded a PIX 515e from 6.3(4) to 7.2(1) and since the upgrade there has been an issue with mail being delivered to a mail server on the inside of the PIX. The MX record is sitting at the ISP where there is a spam/virus filter then mail is pushed through to the mail server.

Usually there is no backlog of mail at all, maybe 10 11 mails max but now there has been over 500+ emails sitting at the ISP and they are coming through but at SUCH a slow rate. At first I was convinced that it had nothing to do with the upgrade and must be something at the ISP, the line or the mailserver but I had all of that checked and all I could point at was the upgrade - I downgraded back to the old code and the problem disappeared?

There is a router on the outside of the pix that connects to the ISP - I thought maybe it could be a duplex mismatch but I checked that.What's also weird is that its ONLY incomming mail, outgoing is 100% and so is browsing.

Here is the config, If anyone see's anything dumb i'm missing please let me know.

PIX Version 7.2(1)
!
hostname pixfirewall
domain-name xxx.co.za
enable password cRmNj1zd2MjSgoLZ encrypted
names
name 10.1.3.6 AS400_1
name 10.1.1.6 MAIL_SERVER
name 10.5.0.0 RAS_NET
name 196.35.xx.xx ISMailFW1
name 196.35.xx.xx ISMailFW2
name 10.1.3.10 JDE
dns-guard
!
interface Ethernet0
nameif outside
security-level 0
ip address 10.5.1.2 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.1.1.240 255.255.255.0
!
interface Ethernet2
shutdown
nameif dmz
security-level 40
no ip address
!
passwd cRmNj1zd2MjSgoLZ encrypted
boot system flash:/pix721.bin
ftp mode passive
clock timezone SAST 2
dns server-group DefaultDNS
domain-name xxx.co.za
access-list All_Access extended permit ip any any
access-list authentication extended permit ip host 10.1.1.211 10.1.3.0 255.255.255.0
access-list authorization extended permit ip host 10.1.1.211 10.1.3.0 255.255.255.0
access-list outside_authentication_TACACS+ extended deny ip host 10.5.1.3 any
access-list outside_authentication_TACACS+ extended deny ip host 10.5.1.254 any
access-list outside_authentication_TACACS+ extended permit ip 10.5.1.0 255.255.255.0 any
access-list outside_authorization_TACACS+ extended deny ip host 10.5.1.3 any
access-list outside_authorization_TACACS+ extended deny ip host 10.5.1.254 any
access-list outside_authorization_TACACS+ extended permit ip 10.5.1.0 255.255.255.0 any
access-list outside_cryptomap_20 extended permit ip 10.0.0.0 255.0.0.0 10.50.0.0 255.255.255.0
access-list 108 extended permit ip 10.1.3.0 255.255.255.0 10.5.2.0 255.255.255.0
access-list 108 extended permit ip 10.0.0.0 255.0.0.0 10.5.2.0 255.255.255.0
access-list 108 extended permit ip 10.0.0.0 255.0.0.0 10.51.0.0 255.255.255.0
access-list 108 extended permit ip 10.0.0.0 255.0.0.0 10.50.0.0 255.255.255.0
access-list 108 extended permit ip 10.0.0.0 255.0.0.0 10.5.1.0 255.255.255.0
access-list xxxx-vpn_splitTunnelAcl extended permit ip 10.0.0.0 255.0.0.0 any
access-list inside_acl extended permit tcp 10.5.1.0 255.255.255.0 host 10.1.3.100 eq telnet
access-list inside_acl extended permit tcp 10.5.1.0 255.255.255.0 host 10.1.3.100 eq www
access-list inside_acl extended permit tcp any host 10.5.1.3 eq telnet
access-list inside_acl extended permit tcp any host 10.5.1.1 eq telnet
access-list inside_acl extended permit ip any 10.51.0.0 255.255.255.0
access-list inside_acl extended permit ip any 10.50.0.0 255.255.255.0
access-list inside_acl extended permit ip any 10.0.0.0 255.0.0.0
access-list inside_acl extended deny ip host 10.2.1.6 any
access-list inside_acl extended deny ip host 10.3.1.6 any
access-list inside_acl extended permit tcp any any eq nntp
access-list inside_acl extended permit tcp any any eq www
access-list inside_acl extended permit tcp any any eq https
access-list inside_acl extended permit tcp any any eq ftp
access-list inside_acl extended permit tcp any any eq ftp-data
access-list inside_acl extended permit tcp any any eq 1863
access-list inside_acl extended permit tcp any any eq 8000
access-list inside_acl extended permit tcp any any eq 8080
access-list inside_acl extended permit tcp any any eq 8081
access-list inside_acl extended permit tcp host MAIL_SERVER any eq smtp
access-list inside_acl extended permit tcp host MAIL_SERVER any eq domain
access-list inside_acl extended permit udp host MAIL_SERVER any eq domain
access-list inside_acl extended permit tcp any any eq 524
access-list inside_acl extended permit udp host MAIL_SERVER host 168.xx.x.2 eq domain
access-list inside_acl extended permit udp host MAIL_SERVER host 196.xx.xx.x eq domain
access-list inside_acl extended permit tcp any any eq 8300
access-list inside_acl extended permit tcp host 10.1.1.212 any eq pop3
access-list inside_acl extended permit tcp host 10.1.1.213 any eq pop3
access-list inside_acl extended permit tcp host 10.1.1.214 any eq pop3
access-list inside_acl extended permit tcp host 10.1.1.212 any eq smtp
access-list inside_acl extended permit tcp host 10.1.1.213 any eq smtp
access-list inside_acl extended permit tcp host 10.1.1.214 any eq smtp
access-list inside_acl extended permit tcp any any eq 19001
access-list inside_acl extended permit udp host 10.1.255.10 host 10.5.1.3 eq snmp
access-list inside_acl extended permit ip host 10.1.1.217 any
access-list inside_acl extended permit tcp any any eq 8800
access-list inside_acl extended permit tcp any any eq 8801
access-list inside_acl extended permit tcp any any eq 8802
access-list inside_acl extended permit tcp any any eq 8803
access-list inside_acl extended permit tcp any any eq 8804
access-list inside_acl extended permit tcp any any eq 8805
access-list inside_acl extended permit tcp any any eq 8806
access-list inside_acl extended deny ip host 10.3.1.8 any
access-list outside_acl extended permit icmp 10.5.1.0 255.255.255.0 host 10.1.3.100
access-list outside_acl extended permit ip 10.51.0.0 255.255.255.0 any
access-list outside_acl extended permit ip 10.50.0.0 255.255.255.0 any
access-list outside_acl extended permit udp host 10.5.1.3 host 10.1.255.10 eq 2058
access-list outside_acl extended permit udp host 10.5.1.3 host 10.1.255.10 eq snmp
access-list outside_acl extended permit udp host 10.5.1.3 host 10.1.255.10 eq snmptrap
access-list outside_acl extended permit tcp host ISMailFW1 host MAIL_SERVER eq smtp
access-list outside_acl extended permit tcp host ISMailFW2 host MAIL_SERVER eq smtp
access-list outside_acl extended permit tcp host 10.5.1.254 host MAIL_SERVER eq 7205
access-list outside_acl extended permit tcp 10.5.1.0 255.255.255.0 host 10.1.3.100 eq www
access-list outside_acl extended permit tcp 10.5.1.0 255.255.255.0 host 10.1.3.100 eq https
access-list outside_acl extended permit tcp 10.5.1.0 255.255.255.0 host 10.1.3.100 eq telnet
access-list outside_acl extended permit tcp 10.5.1.0 255.255.255.0 host 10.1.3.17 eq www
access-list outside_acl extended permit tcp 10.5.1.0 255.255.255.0 host 10.1.3.11 eq www
access-list outside_acl extended permit tcp 10.5.1.0 255.255.255.0 host 10.1.3.51 eq www
access-list outside_acl extended permit tcp 10.5.1.0 255.255.255.0 host 10.1.3.52 eq www
access-list outside_acl extended permit tcp 10.5.1.0 255.255.255.0 host 10.1.3.53 eq www
access-list outside_cryptomap_dyn_20 extended permit ip any 10.51.0.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip any 10.5.2.0 255.255.255.0
access-list JDE extended permit ip any host JDE
access-list JDE extended permit ip any host 10.1.3.100
access-list JDE extended deny ip any any
pager lines 35
logging enable
logging monitor debugging
logging buffered debugging
logging history warnings
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool vpnclientpool 10.5.2.1-10.5.2.255
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface dmz
icmp permit 10.5.1.0 255.255.255.0 outside
icmp permit any inside
icmp permit any dmz
asdm history enable
arp timeout 14400
nat-control
nat (inside) 0 access-list 108
nat (inside) 0 0.0.0.0 0.0.0.0
nat (dmz) 0 0.0.0.0 0.0.0.0
static (inside,outside) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
static (inside,outside) 10.1.3.9 10.1.3.9 netmask 255.255.255.255
static (inside,outside) MAIL_SERVER MAIL_SERVER netmask 255.255.255.255
static (inside,outside) 10.1.1.11 10.1.1.11 netmask 255.255.255.255
static (inside,outside) 10.1.255.10 10.1.255.10 netmask 255.255.255.255
static (inside,outside) 10.1.3.100 10.1.3.13 netmask 255.255.255.255
access-group outside_acl in interface outside
access-group inside_acl in interface inside
route outside 0.0.0.0 0.0.0.0 10.5.1.3 1
route inside 10.1.0.0 255.255.0.0 10.1.1.1 1
route inside 10.1.255.10 255.255.255.255 10.1.1.1 1
route inside 10.2.0.0 255.255.0.0 10.1.1.1 1
route inside 10.3.0.0 255.255.0.0 10.1.1.1 1
route inside 10.10.0.0 255.255.0.0 10.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 1:00:00 absolute uauth 0:30:00 inactivity
aaa-server TACACS+ protocol tacacs+
max-failed-attempts 4
aaa-server TACACS+ host 10.1.3.13
timeout 5
key abcde
aaa-server RADIUS protocol radius
aaa-server AuthInbound protocol radius
aaa-server AuthInbound host 10.1.3.13
timeout 5
key abcde
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
client-firewall none
client-access-rule none
group-policy xxxxx-vpn internal
group-policy xxxxx-vpn attributes
dns-server value 10.1.1.6
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value xxxx-vpn_splitTunnelAcl
default-domain value xxxx.co.za
split-dns value xxxx.co.za
aaa authentication match outside_authentication_TACACS+ outside TACACS+
aaa authorization match outside_authorization_TACACS+ outside TACACS+
http server enable
http 10.1.1.211 255.255.255.255 inside
http 10.1.3.13 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
virtual telnet 10.1.3.100
sysopt connection tcpmss 1300
auth-prompt prompt xxxx NETWORK ACCESS
auth-prompt accept Network Access Granted
auth-prompt reject Network Access Denied
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer xxx.xx.x.x.xx
crypto map outside_map 20 set transform-set ESP-DES-MD5 ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption des
hash md5
group 2
lifetime 86000
crypto isakmp policy 65535
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 60
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
isakmp ikev1-user-authentication none
tunnel-group xx.xxx.xxx.x type ipsec-l2l
tunnel-group xx.xxx.xxx.x ipsec-attributes
pre-shared-key *
tunnel-group xxxxx-vpn type ipsec-ra
tunnel-group xxxxx-vpn general-attributes
address-pool vpnclientpool
authentication-server-group (outside) TACACS+
default-group-policy xxxx-vpn
tunnel-group xxxx-vpn ipsec-attributes
pre-shared-key *
tunnel-group 0.0.0.0 type ipsec-l2l
telnet 10.1.3.0 255.255.255.0 inside
telnet 10.1.1.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 60
ssh timeout 5
ssh version 1
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:59e78481e07dd9b9da204dc7239beb2d
: end


 
Does your email server have a long EHLO or HELO message? I think the changes to the ESMTP inspection restricts that to a certain length.
 
Thanks guys, taking out inspect esmtp sorted it out.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top