POP3 and SMTP

Helfenmir
MIS, Sep 17, 2001
Hi

I have just set up a PIX 515 with a basic config. I can access the Internet through it but cannot receive or send mail on POP3 and SMTP. Have tested the mail and confirmed everything is OK by using other systems.

Can you tell me what commands I need to put in to make it work.

Many Thanks for your help

Helfenmir
 
Is this a mail server on the Internet you are trying to use, or your mail server on the inside of the firewall that people on the Internet cannot use?
 
You need to apply a static nat

static (inside,outside) x.x.x.x(Public IP) x.x.x.x(Private IP) netmask 255.255.255.255 0 0

Then an access-list to allow smtp and pop3

access-list (identifier) permit tcp any host x.x.x.x(Public IP) eq 25
access-list (identifier) permit tcp any host x.x.x.x(Public IP) eq 110

Hope this helps.
 
Hi Baddos and cat6506

Baddos
It is a mail server on the Internet we access to get our POP3 mail and send our SMTP mail.

cat6506

I'll try that shortly.

Thanks to you both hopefully I won't need to trouble you again.

Helfenmir
 
No, that didn't work. Does anyone have any more ideas? I just need to access mail (POP3 and SMTP) from our internal network, through the firewall and out onto the Internet mail server. I have managed to be able to browse the Internet OK.

Many Thanks
Helfenmir
 
HI.

* Post a detailed config as mentioned above.

> Have tested the mail and confirmed everything is OK by using other systems...
What do you mean?
What did you do?
What were the results?

* Try to telnet to port 25 and 110 of the mail server from internal host. What do you get?
How did you try to contact the mail server (Outlook Express?) and what was the exact error?

* Please also describe your DNS configuration.
* Do you access the mail server by DNS name or IP address?

* Use syslog messages at the pix.
Use level 4 to see what is blocked by the pix, or use level 6/7 to see also what is going through.

* Contact the mail server postmaster@xxxx or by phone. Maybe they can also help you out.

Bye
Yizhar Hurwitz
 
Hi Baddos and Yizhar

Here is my config below. I can access the Internet OK but can't get any email in or out of the building through this PIX. This is all we want it for: Internet access, and to access our SMTP server on the Internet and pick up our POP3 mail off the Internet server.

I am extremely dense on the issue of the PIX 515 and it shows miserably.

Any help would be great. I have replaced a few numbers with x's for obvious security reasons.

Many thanks in anticipation of your help
Helfenmir

PIX Version 5.3(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXX encrypted
hostname pix
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
names
pager lines 24
logging on
logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
logging trap notifications
no logging history
logging facility 20
logging host inside 192.168.1.121
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 212.X.X.151 255.255.X.X
ip address inside 192.168.1.3 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 212.X.X.152 netmask 255.255.X.X
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
no sysopt route dnat
isakmp identity hostname
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:671877841f209d7faea9d4959f4c107e

Thanks
 
Are you sure that your mail clients are able to resolve DNS okay for the SMTP and POP3 server? If you haven't set up DNS server IPs on the machines then the clients just won't be able to resolve those server names. Can you telnet to the IP address of the server on ports 25 and 110 from your desktop? If not, what error do you get? If it works then try using the hostname. If that doesn't work then check DNS settings. When that works then your mail clients should also work.

Your problems might not be with the PIX!! Don't rule out the easy stuff.

Chris.
**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
It looks like you don't have any ACLs blocking any outgoing traffic from your "inside" interface. What could be the problem is reverse DNS. Some people have their email servers set up so that they do not allow an SMTP connection if reverse DNS fails.

Make sure that 212.X.X.152 has reverse DNS set up (a PTR DNS record). You might have to have your ISP set this up. You can find out if one is already set up by doing this:

Open a command prompt on a Windows NT/2000/XP or Linux/Unix box and type "nslookup".

Enter "212.X.X.152"

See if it gives you a DNS name back or a non-existent error message.

You could also check to see if there are any filters/ACLs on your Internet router that would filter the outbound traffic.
 
Hi

Thanks for the input. Bear with me while I try and explain the detail.

Firstly, I have a dialup ISDN at the same site which is currently working OK with SMTP and POP3 and Internet. We now have a Satellite router at this site for faster access (broadband), and the PIX, which was not being used before, is to be the firewall for the SAT router. At another site we have a SAT router (identical) with a different manufacturer's firewall and that works OK, so I am confident it is not a filter issue on the SAT router as they are set up the same, except for the IP address.

I ran nslookup albeit from another site (I have not had time to try this through the PIX yet at the site in question) and it returned a DNS name and a DNS address which is one of the same addresses we use when setting up clients to access Internet and email. So I guess that bit is OK.

Further to all this: if I ping smtp.xxxxxxxx from the site that has the SAT router working, I get a resulting IP address returned before I receive a 'request timed out'; this is obviously correct because everything works OK. I get the same result for POP3. However, if I try that at the site where the PIX is I get an 'unknown error'. I just can't get out, or maybe back in, through the PIX for mail. Yet like I say the Internet works fine, but I will need to tighten up on which sites are being blocked etc., but that can wait for another day.

More Info.
There is a common latency problem with SAT routers (ping times can be from 300ms to 1200ms, roughly) but only to the extent that you cannot use VPN, PPTP, on-line gaming, video conferencing etc. etc. But it does not have any implications on mail whatsoever.

Really hope you can help. It's getting frustrating now and my knowledge of firewalls is very limited.

Many Thanks really appreciate your help.
Helfenmir



 
ok... Try this. Hang a computer off the outside network. The same segment that houses the SAT router and the PIX. Try to telnet to your mail server using port 25.

I.e. "telnet mail.someserver.com 25"

You should see a 220 message from the email server. If you do, it's working and the PIX or something on the inside network is causing it. If you get an error then it's not your PIX's fault. :)
 
HI.

Checkout this article and see if it is relevant:
PIX Performance Issues Caused by IDENT Protocol:

Try to access POP3 and SMTP server of a different mail server.
Simply try to telnet to ports 25 and 110 of the mail server, you do not need a valid account for the test.
What do you get?
Try to access the mail server using both DNS name or IP address. What do you get?

> logging trap notifications
For the test, increase this to level 6 (informational).
What syslog messages do you get related to your attempts?

Bye
Yizhar Hurwitz
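The telnet test suggested three times in this thread (connect to ports 25 and 110 from an inside host, expect a "220" greeting from SMTP or "+OK" from POP3, and try both the DNS name and the IP address) can be scripted so that it also says which stage failed. The script below is an added example, not code from the thread or from Cisco; the host names on the command line are placeholders, and the `connect` argument is injectable so the decision logic can be exercised without a network (the default is the real `socket.create_connection`).

```python
import socket
import sys

# Greeting each service sends as soon as the TCP connection is up:
# SMTP replies "220 <host> ...", POP3 replies "+OK ...".
BANNERS = {25: b"220", 110: b"+OK"}


def classify_banner(port, banner):
    """'ok' when the first bytes match the expected greeting for that port."""
    expected = BANNERS.get(port)
    if expected is None:
        return "unknown-port"
    return "ok" if banner.startswith(expected) else "unexpected"


def probe(host, port, timeout=10.0, connect=socket.create_connection):
    """Connect to host:port and report the stage that failed: dns, connect or banner.

    `connect` is injectable (assumption for testability); by default it is
    socket.create_connection((ip, port), timeout).
    """
    result = {"host": host, "port": port, "stage": "dns", "ip": None,
              "banner": b"", "verdict": None}
    try:
        # An IP literal resolves to itself, so one call covers "by name" and "by IP"
        result["ip"] = socket.gethostbyname(host)
    except socket.gaierror as exc:
        # Client-side resolution problem: nothing was even sent through the firewall
        result["verdict"] = "dns-failure: %s" % exc
        return result

    result["stage"] = "connect"
    try:
        sock = connect((result["ip"], port), timeout)
    except (socket.timeout, TimeoutError):
        # No SYN/ACK and no RST: something on the path silently dropped the packets
        result["verdict"] = "connect-timeout"
        return result
    except OSError as exc:
        # RST or ICMP unreachable: we reached a host that refused the connection
        result["verdict"] = "connect-error: %s" % exc
        return result

    result["stage"] = "banner"
    try:
        sock.settimeout(timeout)
        result["banner"] = sock.recv(256)
    except OSError as exc:
        # Connected, but the server (or a proxying device) sent no greeting
        result["verdict"] = "banner-error: %s" % exc
        return result
    finally:
        sock.close()
    result["verdict"] = classify_banner(port, result["banner"])
    return result


if __name__ == "__main__":
    # Usage: python mailprobe.py mail.example.test 198.51.100.25
    for target in sys.argv[1:]:
        for port in sorted(BANNERS):
            r = probe(target, port)
            print("%s:%d stage=%s ip=%s verdict=%s banner=%r"
                  % (target, port, r["stage"], r["ip"], r["verdict"], r["banner"][:40]))
```

Run it once with the server's DNS name and once with its IP address: a `dns-failure` points at the client's resolver settings, a `connect-timeout` means the SYN or the reply was dropped somewhere between the client and the server, and a `connect-error` (reset) means a host was reached that is not listening on that port.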
 
Hi

Have used telnet to access the mail server through the SAT router without the PIX. This was successful. I know this is OK because other users at another site access their mail OK.

Have tried through the PIX with DNS and IP address but with no success. Tried adding all sorts of routes but no success.

How can I set level 6 and where do I look for the log results?

Is there any way I can remove all blocking just to establish it is possible to receive and send email through this PIX 515.

I'll check the URL Yizhar.

Many Thanks for your help both

Helfenmir
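On where to look for the log results: the posted config sends syslog to the host in `logging host inside 192.168.1.121`, but `logging trap notifications` is level 5, so only the level-4 "Deny" messages reach that host; the level-6 "Built"/"Teardown" connection messages Yizhar wants to see appear once the trap level is raised to informational. The filter below is an added example, not from the thread or from Cisco: it picks out syslog lines that touch ports 25 or 110 and reports whether the PIX built, tore down or denied the connection. The sample lines are constructed to follow the PIX 5.x/6.x message shape (`%PIX-<level>-<id>: <text>`, addresses written as `ip/port`), with documentation addresses standing in for the real ones.

```python
import re

MAIL_PORTS = {25: "smtp", 110: "pop3"}
# "%PIX-<level>-<id>: <text>" header; format assumed from PIX 5.x/6.x syslog output
MSG_RE = re.compile(r"%PIX-(\d)-(\d+):\s*(.*)$")
# Ports appear as "addr/port" in connection and deny messages
PORT_RE = re.compile(r"/(\d+)\b")


def parse(line):
    """Return a record for a line involving port 25 or 110, else None."""
    m = MSG_RE.search(line)
    if not m:
        return None
    level, msg_id, text = int(m.group(1)), m.group(2), m.group(3)
    ports = {int(p) for p in PORT_RE.findall(text)}
    services = sorted(MAIL_PORTS[p] for p in ports & set(MAIL_PORTS))
    if not services:
        return None
    if text.startswith("Deny"):
        action = "denied"       # level 4: dropped by an access-list or missing xlate
    elif text.startswith("Built"):
        action = "built"        # level 6: connection slot created, SYN was forwarded
    elif text.startswith("Teardown"):
        action = "teardown"     # level 6: "bytes 0" here means no data ever flowed
    else:
        action = "other"
    return {"level": level, "id": msg_id, "services": services,
            "action": action, "text": text}


def summarize(lines):
    """Count mail-related actions and collect the denied records for review."""
    counts = dict.fromkeys(("denied", "built", "teardown", "other"), 0)
    denied = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        counts[rec["action"]] += 1
        if rec["action"] == "denied":
            denied.append(rec)
    return counts, denied


# Constructed sample lines (not real output); 198.51.100.0/24 and 203.0.113.152
# stand in for the mail server and the PIX global address.
SAMPLE = [
    'Sep 17 2001 10:02:11 pix %PIX-6-302001: Built outbound TCP connection 1041 for faddr 198.51.100.20/80 gaddr 203.0.113.152/1031 laddr 192.168.1.10/1031',
    'Sep 17 2001 10:02:15 pix %PIX-6-302001: Built outbound TCP connection 1042 for faddr 198.51.100.25/25 gaddr 203.0.113.152/1032 laddr 192.168.1.10/1032',
    'Sep 17 2001 10:02:40 pix %PIX-6-302002: Teardown TCP connection 1042 faddr 198.51.100.25/25 gaddr 203.0.113.152/1032 laddr 192.168.1.10/1032 duration 0:00:25 bytes 0 (TCP Reset-O)',
    'Sep 17 2001 10:03:01 pix %PIX-4-106023: Deny tcp src inside:192.168.1.10/1033 dst outside:198.51.100.25/110 by access-group "inside"',
]

if __name__ == "__main__":
    counts, denied = summarize(SAMPLE)
    print(counts)
    for rec in denied:
        print(rec["level"], rec["id"], rec["services"], rec["text"])
```

Feed it the syslog file from 192.168.1.121 instead of `SAMPLE`. If mail attempts show neither a Deny nor a Built line at level 6, the packets are not reaching the PIX at all, which sends the search back to the client or the inside network rather than the firewall rules.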
 
Your NAT statement looks something like this:
[nat (inside) 1 0.0.0.0 0.0.0.0 0 0]
Add:
static (inside,outside) 212.X.X.x 192.168.x.x netmask 255.255.255.255 0 0
Add:
[no fixup protocol smtp 25] to prevent mail looping
Add:
access-list 100 permit tcp any host 212.X.X.x eq pop3
access-list 100 permit tcp any host 212.X.X.x eq smtp
Add:
access-list inside permit tcp host 192.168.x.x any eq pop3
access-list inside permit tcp host 192.168.x.x any eq smtp
Add:
access-group 100 in int outside
access-group inside in int inside
Save:
wr mem

Test config.