
PIX 515 - SMTP not working

Status
Not open for further replies.

garveyp

MIS
Apr 11, 2004
2
CA
Hey all,

I'm having a very big problem with configuring a Cisco PIX firewall for a client of mine. I had an RH Linux firewall built for them for the past 4 years or so, and everything was working fine this whole time. They have a private LAN (192.168.x.y/24), some public IPs, and the Linux firewall was forwarding all Internet mail to a Groupwise server on the private network (essentially port forwarding). This worked perfectly for over 4 years.
After a hard disk failure, and a few headaches, they decided to change products and upgrade to a Cisco PIX.

Here is an edited version (for security purposes) of the config file:
blah# sh run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 10baset
interface ethernet1 100basetx
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 1IHxZPn4AHSkwDiH encrypted
passwd UGnHowesXI2i3HW6 encrypted
hostname something
domain-name blah.com
clock summer-time MST recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list test permit ip any any
access-list acl_inside deny icmp any any echo
access-list acl_inside deny icmp any any echo-reply
access-list test1 permit tcp any any
pager lines 24
logging monitor debugging
mtu outside 1500
mtu inside 1500
ip address outside x.y.z.190 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 x.y.z.189
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.y.z.162 192.168.1.2 netmask 255.255.255.255 0 0
static (inside,outside) x.y.z.171 192.168.4.3 netmask 255.255.255.255 0 0
static (inside,outside) x.y.z.172 192.168.4.2 netmask 255.255.255.255 0 0
static (inside,outside) x.y.z.173 192.168.4.6 netmask 255.255.255.255 0 0
static (inside,outside) x.y.z.168 192.168.1.99 netmask 255.255.255.255 0 0
static (inside,outside) x.y.z.174 192.168.1.21 netmask 255.255.255.255 0 0
static (inside,outside) x.y.z.178 192.168.1.24 netmask 255.255.255.255 0 0
static (inside,outside) x.y.z.180 192.168.1.13 netmask 255.255.255.255 0 0
static (inside,outside) x.y.z.181 192.168.1.14 netmask 255.255.255.255 0 0
static (inside,outside) x.y.z.183 192.168.4.201 netmask 255.255.255.255 0 0
static (inside,outside) x.y.z.65 192.168.1.6 netmask 255.255.255.255 0 0
static (inside,outside) x.y.z.165 192.168.4.5 netmask 255.255.255.255 0 0
static (inside,outside) x.y.z.182 192.168.1.11 netmask 255.255.255.255 0 0
access-group test in interface outside
access-group test in interface inside
route outside 0.0.0.0 0.0.0.0 x.y.z.161 1
route inside 192.168.4.0 255.255.255.0 192.168.1.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public

Everything works great except for SMTP. When I try to test it with "telnet <mail_server> 25", sometimes it doesn't connect at all or it takes minutes before it connects.
Has anyone run into a similar scenario? When I put an OpenBSD firewall in the PIX's place, everything works beautifully. So I know it's a configuration issue on the PIX with SMTP.
Any help at this point would be great.

Thanks in advance,
Alhagie.
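An added example, not part of the original post and not a Cisco tool, that separates the two delays the poster's telnet test lumps together: the TCP connect itself versus the wait for the server's 220 banner. A slow or failed connect points at the firewall, NAT or routing path; an instant connect followed by a long banner wait points at the mail server itself (a reverse-DNS lookup on the client address that times out before the greeting is sent is the classic cause, which bears on the DNS question raised later in the thread). The script probes any host and port; the local fake server, its delay and the "slow" threshold are assumptions added so that it runs offline.

```python
"""Separate TCP-connect time from SMTP-banner time when testing a mail server.

Added example, not from the thread. probe_smtp() measures how long the TCP
handshake takes and, separately, how long the server then takes to send its
220 greeting. classify() turns that into a hint about where to look.
"""
import socket
import threading
import time


def probe_smtp(host, port, connect_timeout=10.0, banner_timeout=60.0):
    """Return connect_s, banner_s, banner text and any error for host:port."""
    result = {"connect_s": None, "banner_s": None, "banner": None, "error": None}
    t0 = time.monotonic()
    try:
        sock = socket.create_connection((host, port), timeout=connect_timeout)
    except OSError as exc:
        result["error"] = f"connect: {exc}"     # no TCP session at all
        return result
    result["connect_s"] = time.monotonic() - t0
    try:
        sock.settimeout(banner_timeout)
        t1 = time.monotonic()
        data = b""
        while not data.endswith(b"\r\n"):      # read one full greeting line
            chunk = sock.recv(512)
            if not chunk:
                break
            data += chunk
        result["banner_s"] = time.monotonic() - t1
        result["banner"] = data.decode("ascii", "replace").strip() or None
        sock.sendall(b"QUIT\r\n")              # be polite to the real server
    except OSError as exc:
        result["error"] = f"banner: {exc}"
    finally:
        sock.close()
    return result


def classify(result, slow=5.0):
    """Map a probe result to the layer most likely responsible for the delay."""
    if result["connect_s"] is None:
        return "no-tcp-connect: look at the firewall/NAT/routing path first"
    if result["banner"] is None:
        return "tcp-ok-no-banner: server accepted the session but never greeted"
    if result["banner_s"] > slow:
        return "tcp-ok-banner-slow: server-side delay (e.g. reverse DNS) likely"
    return "ok"


# --- constructed local stand-in for a mail server, so the demo runs offline ---
def start_fake_smtp(banner_delay):
    """Listen on 127.0.0.1, wait banner_delay seconds, then greet. Returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            time.sleep(banner_delay)           # simulates a server-side stall
            conn.sendall(b"220 fake.example ESMTP (constructed test server)\r\n")
            try:
                conn.recv(64)                  # absorb the client's QUIT
            except OSError:
                pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def free_port():
    """Return a port nothing is listening on (used to show a refused connect)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    for delay in (0.0, 2.0):
        r = probe_smtp("127.0.0.1", start_fake_smtp(delay))
        print(f"delay={delay}: connect {r['connect_s']:.3f}s, "
              f"banner {r['banner_s']:.3f}s -> {classify(r, slow=1.0)}")
    print(classify(probe_smtp("127.0.0.1", free_port(), connect_timeout=2)))
```

Point it at the real server's public address from outside once the local demo behaves. Note that with SMTP fixup (Mailguard) enabled on a PIX 6.x, the banner text after the 220 code is replaced with asterisks, so compare the timings rather than the banner text.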
 
Noticed you have "no fixup protocol smtp 25". Have you tried with SMTP fixup enabled? Also, have you checked your log files; they might reveal some details.

skeletor1
 
Which static mapping is your mailserver?

CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
 
access-list test permit ip any any
access-group test in interface outside
access-group test in interface inside

You might as well remove the PIX since it is permitting EVERYTHING...
What is your mail server? Is it Exchange? What is the private IP address on this server? All you need is a static translation and an access list permitting SMTP traffic, i.e.:

static (inside, outside) <mail-server-public-ip> <mail-server-private-ip> netmask 255.255.255.255
access-list test permit tcp any host <mail-server-public-ip> eq 25


By any chance are you using port redirection (i.e. using the PIX's outside IP address for the mail server static translation)?
 
Yeah, I was opening everything to rule out the access list being in the way. That's why the access list name is "test".

And no, I am not using port redirection.

Could DNS have anything to do with it too?
 
static (inside,outside) x.y.z.162 192.168.1.2 netmask 255.255.255.255 0 0
static (inside,outside) x.y.z.171 192.168.4.3 netmask 255.255.255.255

ip address inside 192.168.1.1 255.255.255.0

Why do you have different internal IP series in your statics?

What internal IP does your mailserver have?
 
These are the lines we are running for our mail server. We have the PIX 515 running version 6.0, where x.y.z.67 is the outside IP of the email server.

PIX Version 6.0(1)

fixup protocol smtp 25
static (inside,outside) x.y.z.67 192.168.168.250 netmask 255.255.255.255 0 0
access-list 101 permit tcp any host x.y.z.67 eq smtp
access-list 101 permit tcp any host x.y.z.67 eq pop3

Not sure if this will help or not.

 
static (inside,outside) x.y.z.67 192.168.168.250 netmask 255.255.255.255 0 0

That means your mail server is on subnet 192.168.168.X, and according to your configuration you don't have a static route for this subnet:

route inside 192.168.4.0 255.255.255.0 192.168.1.3 1


Add the corresponding static route:

route inside 192.168.168.0 255.255.255.0 <next-hop>
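Putting together what sschlicher's static-plus-access-list snippet and the routing remark above each check by hand, here is an added example (not from the thread, not a Cisco tool) that reads a PIX 6.x-style running config and reports, for one inside mail-server address, whether a static publishes it, whether the access list bound inbound on outside actually reaches TCP/25 on that public address (flagging a "permit ip any any" as wide open), whether the inside address is reachable through the inside interface's own subnet or a "route inside", and whether SMTP fixup is on. The sample config is constructed in the shape of the thread's, with documentation addresses (203.0.113.0/24) in place of x.y.z; the parser handles only the command forms that appear in this thread.

```python
"""Audit a PIX 6.x config for the pieces a published mail server needs.

Added example, not from the thread. For one inside mail-server address it
checks the three things the replies ask about: the static translation, an
access list applied inbound on 'outside' that reaches TCP/25 on the public
address, and a route (or directly connected inside subnet) back to the
inside address. It also reports whether SMTP fixup is enabled.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the thread's config; 203.0.113.0/24 is
# documentation address space standing in for the poster's x.y.z addresses.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
no fixup protocol smtp 25
access-list test permit ip any any
access-list acl_out permit tcp any host 203.0.113.67 eq smtp
access-list acl_out deny icmp any any echo
ip address outside 203.0.113.190 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
static (inside,outside) 203.0.113.67 192.168.168.250 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.162 192.168.1.2 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route inside 192.168.4.0 255.255.255.0 192.168.1.3 1
"""

PORT_NAMES = {"smtp": 25, "pop3": 110, "www": 80, "https": 443}
STATIC_RE = re.compile(r"^static \((\w+),\s*(\w+)\)\s+(\S+)\s+(\S+)")


@dataclass
class PixConfig:
    statics: dict = field(default_factory=dict)   # inside addr -> public addr
    acls: dict = field(default_factory=dict)      # name -> [(action, proto, src, dst, dport)]
    groups: dict = field(default_factory=dict)    # interface -> inbound ACL name
    if_addrs: dict = field(default_factory=dict)  # interface -> IPv4Interface
    routes: list = field(default_factory=list)    # [(interface, IPv4Network)]
    smtp_fixup: bool = True                       # PIX default: fixup smtp 25 on


def _addr_spec(t, i):
    """Consume 'any' | 'host A' | 'A M' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def _port_spec(t, i):
    """Consume an optional 'eq <port>' at t[i]; return (port or None, next index)."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i


def parse_pix(text):
    """Parse the subset of PIX 6.x commands this audit needs."""
    cfg = PixConfig()
    for line in text.splitlines():
        t = line.split()
        m = STATIC_RE.match(line)
        if m and m.group(1) == "inside" and m.group(2) == "outside":
            cfg.statics[ipaddress.ip_address(m.group(4))] = ipaddress.ip_address(m.group(3))
        elif t[:1] == ["access-list"]:
            name, action, proto = t[1], t[2], t[3]
            src, i = _addr_spec(t, 4)
            _, i = _port_spec(t, i)                 # source port, unused here
            dst, i = _addr_spec(t, i)
            dport, _ = _port_spec(t, i)
            cfg.acls.setdefault(name, []).append((action, proto, src, dst, dport))
        elif t[:1] == ["access-group"] and t[2] == "in":
            cfg.groups[t[4]] = t[1]
        elif t[:2] == ["ip", "address"]:
            cfg.if_addrs[t[2]] = ipaddress.ip_interface(f"{t[3]}/{t[4]}")
        elif t[:1] == ["route"]:
            cfg.routes.append((t[1], ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)))
        elif t[:3] == ["fixup", "protocol", "smtp"]:
            cfg.smtp_fixup = True
        elif t[:4] == ["no", "fixup", "protocol", "smtp"]:
            cfg.smtp_fixup = False
    return cfg


def audit_mail_server(text, inside_ip):
    """Return findings for the mail server whose inside address is inside_ip."""
    cfg = parse_pix(text)
    inside = ipaddress.ip_address(inside_ip)
    report = {"public_ip": None, "acl_permits_smtp": False, "acl_wide_open": False,
              "inside_reachable": False, "smtp_fixup": cfg.smtp_fixup}
    public = cfg.statics.get(inside)
    if public is None:
        return report                              # not published at all
    report["public_ip"] = str(public)
    for action, proto, src, dst, dport in cfg.acls.get(cfg.groups.get("outside"), []):
        if action != "permit" or public not in dst:
            continue
        if proto == "ip" and src.prefixlen == 0 and dst.prefixlen == 0:
            report["acl_wide_open"] = True         # 'permit ip any any'
        if proto in ("ip", "tcp") and dport in (None, 25):
            report["acl_permits_smtp"] = True
    inside_if = cfg.if_addrs.get("inside")
    if inside_if is not None and inside in inside_if.network:
        report["inside_reachable"] = True          # directly connected subnet
    for iface, net in cfg.routes:
        if iface == "inside" and inside in net:
            report["inside_reachable"] = True      # covered by a 'route inside'
    return report


if __name__ == "__main__":
    for host in ("192.168.168.250", "192.168.1.2"):
        print(host, audit_mail_server(SAMPLE_CONFIG, host))
```

Feed it the real "sh run" output instead of SAMPLE_CONFIG; a server that has a public address but shows inside_reachable False is exactly the missing-route case described above, and acl_wide_open True is the "permitting EVERYTHING" situation flagged earlier in the thread.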
 
Wrong poster themut, sschlicher was giving garveyp a config example. ;-)
 
Oops, didn't notice it was sschlicher who posted the config. Sorry guys...
 