Pix 501 can't receive inbound email

Status
Not open for further replies.

bgl3775 (IS-IT--Management), Dec 18, 2001
Rookie trying to install a 501 on Small Business Server 4.5 with Exchange 5.5. Able to send external emails but can't receive inbound emails. Any help is greatly appreciated. Thanks in advance.

BGL
 
Please post your PIX configuration. Are you using public or private IPs? If private/public, have you opened SMTP port 25 to the email server?
 
As stated by the previous poster, in your PIX config you must allow inbound connections for SMTP (port 25) and forward them to an internal host.

Post a sample of your config (it doesn't have to be exact, as you should not post your passwords, etc.) and change your IP addresses if desired, but leave all the commands so we can see how you are set up.
 
This is the config...

Building configuration...
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100


fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list smtp permit tcp any host 66.40.203.54 eq smtp
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 66.40.203.54 255.255.255.240
ip address inside 172.38.16.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.10.10.1 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 66.40.203.54 10.10.10.1 netmask 255.255.255.255 0 0
access-group smtp in interface outside
route outside 0.0.0.0 0.0.0.0 66.40.203.66 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 172.38.16.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
dhcpd address inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80

: end
[OK]


 
Do you have a static IP assigned to your Exchange server? Your PIX does DHCP, but Exchange needs a static IP. You are out of the range of private IPs on your inside. This will cause problems. Here is the range:

10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

Unless you typed it wrong, you are in 172.38.16.X.
Ponder that change, for starters.

Usually the inside address (E1) of a PIX is on an internal network (10.X.X.X in your case). Are you routing through any other pieces of equipment behind the PIX? The internal interface acts as a gateway for your machines. Here are sample (not complete) commands for an inside IP with a 16-bit net mask. Do you really need a 24 bit subnet mask?

ip address inside 10.10.20.1 255.255.0.0

nat (inside) 1 10.10.0.0 255.255.0.0 0 0

dhcpd address 10.10.10.5-10.10.10.100 inside

DHCP depends on your scheme. If you're not routing that 172 IP, then change it to an internal address. Allow for X many servers to have static IPs outside the DHCP address range (10.10.10.1-10.10.10.4 or whatever) to avoid confusion.

This will work with your static exchange mapping but you need to make sure the net masks match up.

I'm not 100% sure how DHCP works on a 501 since it's not recommended on others. But I believe you need to be on the same IP scheme unless otherwise routed. SAVE your configuration externally before you make any changes. I'm not an expert; someone correct me if I'm wrong.

-Jason
 
You'll probably find the problem lies with the SMTP fixup. This will allow only SMTP commands; if the machines try to pass ESMTP commands, the PIX will block them. You can try to telnet from outside your firewall on port 25 & check the response. If you're unsure about this, check the following link:


You can do the above & then try to disable the SMTP fixup with:

no fixup protocol smtp 25

& try again; the telnet exercise using port 25 will now perhaps work.

This is assuming also that all NAT issues as per above have been resolved.

Mike
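Mike's "telnet to port 25 and check the response" test, written out as a small probe. This is an added example, not code from the thread or from Cisco: it connects, reads the banner, sends EHLO and reports whether ESMTP was accepted. It also contains a constructed local stub mail server so the probe can be exercised offline; the stub's imitation of the fixup (banner replaced with asterisks, anything outside the basic command set answered with a 500) is an assumption made for the demo, and the host names used are placeholders.

```python
import socket
import threading

# Commands the PIX SMTP fixup (Mailguard) lets through; EHLO is not among them,
# so an ESMTP peer gets an error back instead of an extension list.
MAILGUARD_COMMANDS = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}


def read_reply(reader):
    """Read one SMTP reply, including multi-line '250-' continuations.

    Returns (numeric_code, [reply lines without CRLF]).
    """
    lines = []
    while True:
        line = reader.readline()
        if not line:
            raise ConnectionError("peer closed the connection mid-reply")
        line = line.rstrip("\r\n")
        lines.append(line)
        # "250-" continues the reply; "250 " (or a bare code) ends it.
        if len(line) < 4 or line[3] != "-":
            break
    return int(lines[0][:3]), lines


def classify(banner, ehlo_code, ehlo_lines):
    """Turn the banner and the EHLO reply into a verdict about the path to port 25."""
    banner_text = banner[4:].replace(" ", "")
    # A banner that is nothing but asterisks is the fixup's rewrite, not the server's.
    banner_masked = bool(banner_text) and set(banner_text) <= {"*"}
    ehlo_accepted = ehlo_code == 250
    return {
        "banner": banner,
        "banner_masked": banner_masked,
        "ehlo_accepted": ehlo_accepted,
        "extensions": [l[4:] for l in ehlo_lines[1:]] if ehlo_accepted else [],
        # EHLO refused with 5xx: either the fixup or a plain RFC 821 server.
        "fixup_suspected": banner_masked or (not ehlo_accepted and 500 <= ehlo_code < 600),
    }


def probe_smtp(host, port=25, timeout=5.0, helo_name="probe.example"):
    """Connect to host:port, read the banner, send EHLO, quit, and classify the result."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("r", encoding="ascii", errors="replace")
        _, banner_lines = read_reply(reader)
        sock.sendall(f"EHLO {helo_name}\r\n".encode("ascii"))
        ehlo_code, ehlo_lines = read_reply(reader)
        sock.sendall(b"QUIT\r\n")
        try:
            read_reply(reader)
        except (ConnectionError, ValueError, OSError):
            pass  # some servers drop the connection without a 221
    return classify(banner_lines[0], ehlo_code, ehlo_lines)


def start_stub_smtp(banner, ehlo_reply, allowed=None):
    """Constructed stand-in for a mail server (or the fixup in front of it).

    Listens on 127.0.0.1 on an ephemeral port, serves one connection, and
    returns the port. With `allowed` set, any other verb is answered with 500,
    which is how the fixup is simulated here.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            reader = conn.makefile("r", encoding="ascii", errors="replace")
            conn.sendall((banner + "\r\n").encode("ascii"))
            for line in reader:
                verb = line.split()[0].upper() if line.split() else ""
                if allowed is not None and verb not in allowed:
                    conn.sendall(b"500 Syntax error, command unrecognized\r\n")
                elif verb == "EHLO":
                    conn.sendall(ehlo_reply.encode("ascii"))
                elif verb == "QUIT":
                    conn.sendall(b"221 bye\r\n")
                    break
                else:
                    conn.sendall(b"250 OK\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Same exchange twice: straight to a simulated ESMTP server, then through
    # the simulated fixup (masked banner, EHLO rejected).
    direct = start_stub_smtp("220 mail.example ESMTP ready",
                             "250-mail.example\r\n250-SIZE 10240000\r\n250 8BITMIME\r\n")
    print(probe_smtp("127.0.0.1", direct))
    guarded = start_stub_smtp("220 ************************", "", allowed=MAILGUARD_COMMANDS)
    print(probe_smtp("127.0.0.1", guarded))
```

Against a real server, call `probe_smtp("<your public mail address>")` from a host outside the firewall; a masked banner or a 5xx to EHLO while the same probe from the inside shows a normal ESMTP greeting points at the fixup rather than the server.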
 
Looking at these three lines, it looks like you have an IP address problem.

ip address outside 66.40.203.54 255.255.255.240
access-list smtp permit tcp any host 66.40.203.54 eq smtp
static (inside,outside) 66.40.203.54 10.10.10.1 netmask 255.255.255.255 0 0

From the outside IP address line, it appears you have the 66.40.203.48 to 66.40.203.64 IP addresses inclusive.

However, you've tried to set the static IP address of your mail server to the same IP address as your pix outside interface. You CAN do this, but to do so, IIRC, you are supposed to use the word interface like this:

static (inside, outside) tcp interface smtp 10.10.10.1 smtp


What I'd recommend (unless you have IP address problems) is changing it like this:

ip address outside 66.40.203.54 255.255.255.240
access-list smtp permit tcp any host 66.40.203.55 eq smtp
static (inside,outside) 66.40.203.55 10.10.10.1 netmask 255.255.255.255 0 0
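Jason's point about the inside address falling outside the RFC 1918 ranges (and the static's inside host not matching the inside subnet), and the last reply's point about the static reusing the outside interface address, can both be checked mechanically. The following script is an added example, not code from the thread or from Cisco: it parses the relevant lines of a PIX 6.x configuration (the config posted above is embedded as sample input) and reports those conditions plus whether the `access-list` host is actually covered by a `static`. The finding codes, the parsing of the two `static` forms seen in the thread, and the replacement inside address used in the usage note are this script's own assumptions.

```python
import ipaddress
import re

# RFC 1918 private ranges, as quoted in the thread.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The relevant lines of the configuration posted above, used as sample input.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol smtp 25
access-list smtp permit tcp any host 66.40.203.54 eq smtp
ip address outside 66.40.203.54 255.255.255.240
ip address inside 172.38.16.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 66.40.203.54 10.10.10.1 netmask 255.255.255.255 0 0
access-group smtp in interface outside
"""

STATIC_RE = re.compile(r"^static\s+\((\w+),\s*(\w+)\)\s+(.+)$")
ACL_HOST_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+(tcp|udp)\s+\S+\s+host\s+(\S+)\s+eq\s+(\S+)")


def parse_pix(text):
    """Pull the address, static, access-list and fixup lines out of a PIX 6.x config."""
    cfg = {"ip": {}, "statics": [], "acl_hosts": [], "fixups": set()}
    for raw in text.splitlines():
        line = raw.strip()
        parts = line.split()
        if len(parts) >= 5 and parts[:2] == ["ip", "address"]:
            # ip address <ifname> <addr> <mask>; ipaddress accepts a dotted mask.
            cfg["ip"][parts[2]] = ipaddress.ip_interface(f"{parts[3]}/{parts[4]}")
        elif line.startswith("static"):
            m = STATIC_RE.match(line)
            if not m:
                continue
            high, low, rest = m.groups()
            tok = rest.split()
            if tok[0] in ("tcp", "udp"):
                # static (in,out) tcp <global|interface> <gport> <local> <lport>
                entry = {"global": tok[1], "local": tok[3], "port": tok[2]}
            else:
                # static (in,out) <global> <local> [netmask <mask>] ...
                entry = {"global": tok[0], "local": tok[1], "port": None}
            entry.update(high=high, low=low)
            cfg["statics"].append(entry)
        elif line.startswith("access-list"):
            m = ACL_HOST_RE.match(line)
            if m:
                name, proto, host, port = m.groups()
                cfg["acl_hosts"].append({"name": name, "proto": proto, "host": host, "port": port})
        elif line.startswith("fixup protocol") and len(parts) >= 3:
            cfg["fixups"].add(parts[2])
        elif line.startswith("no fixup protocol") and len(parts) >= 4:
            cfg["fixups"].discard(parts[3])
    return cfg


def lint(cfg):
    """Return (code, message) findings for the conditions discussed in the thread."""
    findings = []
    inside = cfg["ip"].get("inside")
    outside = cfg["ip"].get("outside")
    if inside is not None and not any(inside.ip in net for net in RFC1918):
        findings.append(("INSIDE_NOT_RFC1918",
                         f"inside address {inside.ip} is not in an RFC 1918 private range"))
    static_globals = set()
    for st in cfg["statics"]:
        if st["global"] == "interface":
            g = outside.ip if outside is not None else None
        else:
            g = ipaddress.ip_address(st["global"])
            if outside is not None and g == outside.ip:
                findings.append(("STATIC_USES_OUTSIDE_IP",
                                 f"static maps {g}, the outside interface address, without the 'interface' keyword"))
        if g is not None:
            static_globals.add(g)
        local = ipaddress.ip_address(st["local"])
        if inside is not None and local not in inside.network:
            findings.append(("STATIC_LOCAL_OFF_SUBNET",
                             f"static inside host {local} is not in the inside subnet {inside.network}"))
    for acl in cfg["acl_hosts"]:
        if ipaddress.ip_address(acl["host"]) not in static_globals:
            findings.append(("ACL_HOST_NO_STATIC",
                             f"access-list {acl['name']} permits to {acl['host']} but no static maps that address"))
    if "smtp" in cfg["fixups"]:
        findings.append(("SMTP_FIXUP_ENABLED",
                         "fixup protocol smtp 25 is on: only the basic SMTP command set is passed, ESMTP peers may be refused"))
    return findings


if __name__ == "__main__":
    for code, msg in lint(parse_pix(SAMPLE_CONFIG)):
        print(f"{code}: {msg}")
```

Applying the last reply's suggestion (move the static and the access-list host to 66.40.203.55) clears `STATIC_USES_OUTSIDE_IP`; renumbering the inside interface into the 10.10.10.0/24 the mail server lives in clears Jason's two findings; `SMTP_FIXUP_ENABLED` stays until the fixup is removed, which is Mike's separate point.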
 