Pix firewall kills outlook 2

[rouse01]

I'd been using a 1720 with port forwarding/Access control lists to move mail on my inhouse email server. My outlook clients were setup to use mail.domain.net for incoming & outgoing mail. This worked fine for my work station and roaming laptop users until the cisco pix firewall was installed.

Now the Outlook clients inside the network won't resolve to the mail.domain.net, but instead need the (class c) ip address entered in the pop3 & smtp fields. The CE told me that the pix won't allow traffic that originates from inside to 'hairpin' back to an inside address.

We aren't a large office, so I can modify the hosts file on the workstations to resolve the dot addr to the domain addr. But this won't work on my laptops, because they'll have to change their hosts or outlook config depending on if they are inside my network or on the road.

Does this sound right?

Thanks - Keith

 

[KiscoKid]

I'm not sure I can fully visalise this but can you confirm where the DNS server is that is resolving your mail domain name, i.e. is it on the inside or outside of the PIX?

 

[UnaBomber]

You cant Redirect traffic down the same interface on a PIX, if this is what you mean.

As KiscoKid is implying this can be fixed with DNS. You need your inside DNS server to resolve for mail.domain.net to the internal IP address of your email server, and the outside DNS server to resolve to the public IP address. If you dont have an internal DNS Server I beleive you can use the Alias command, and low and behold it has been replace by DNS Doctoring:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

Hope that is of some help

UnaBomber
ccnp mcse2k

 

[rouse01]

Thanks both. I do not have an internal dns server, so the alias command worked! I printed off the tech_note, showed it to the engineer and all is good.