Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations gkittelson on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Problem forwarding port 25 to Mail server (through router & pix)

Status
Not open for further replies.
saintpi

saintpi

IS-IT--Management
May 21, 2003
22
NG
I have a Mail Server behind Firewall. With an ipcop firewall connected and port 25 forwarded to the mail server ip, the exchange server works perfectly.
Now I have a combination of Cisco router and PIX. I cannot seem to be able to configure the pix and router to allow smtp traffic to the mail server. HELP!

Internet -->Cisco 3700 --> Pix 515E --> Mail Server

What do I do to get the router and the pix to forward port 25 to the Mail Server.

Thanks
 
Sort by date Sort by votes
Which is doing NAT for the internal networks?

Post a config (scrubbed) of the router and PIX...

Normally, on the router, you need

ip nat inside source static tcp x.x.x.x 25 int (outside interface) 25

and the ASA you would need

access-list OUT-IN permit tcp any host x.x.x.x 25

ip access-group OUT-IN in int out

and static NAT on the ASA

static (outside,inside)x.x.x.x y.y.y.y 255.255.255.255

x.x.x.x=inside IP of mail server, y.y.y.y=outside interface ip address

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
Upvote 0 Downvote
Cisco 3700 config
Current configuration : 1907 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname YYYYYYY
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 $1$DiLY$Uuxv4NeXqKvh5O19S6vAT/
enable password 7 044C19160C70
!
username dminis privilege 15 secret 5 $1$fjp.$skgrQPP9K3IDiSJdIy.Id/
username cmen privilege 15 secret 5 $1$PyF0$TQ7v2iq4a8HOir8hDyMZn1
no aaa new-model
ip subnet-zero
ip cef
!
!
!
no ip domain lookup
ip name-server k.j.16.8
ip name-server k.j.17.8
no ftp-server write-enable
!
!
!
!
interface FastEthernet0/0
description Ethernet Link to IDIRECT 3000 SATELLITE ROUTER
ip address 201.13.12.102 255.255.255.252
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
description Ethernet Link to Outside interface on Firewall Police01
ip address 192.168.8.2 255.255.255.0
ip nat inside
duplex auto
speed auto
!
ip nat translation timeout 600
ip nat pool emore 201.13.12.102 201.13.12.102 prefix-length 27
ip nat inside source list 7 pool emore overload
ip nat inside source static tcp 10.10.11.80 25 201.12.13.102 25 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 201.12.13.101
ip http server
ip http authentication local
ip http max-connections 2
ip http timeout-policy idle 600 life 43200 requests 5
!
access-list 7 permit 192.168.8.0 0.0.0.255
snmp-server community demmy RW
snmp-server enable traps tty
banner motd ^C Unauthorized access is strictly PROHIBITED and shall be exhuastiv
ely PROSECUTED. If you are not authorised to be on KYC network, then you must DISCONNECT IMMEDIATELY ^C
!
line con 0
password 7 06111D314F1F
logging synchronous
login
line aux 0
line vty 0 4
exec-timeout 30 0
password 7 120E17071159
login
line vty 5
exec-timeout 30 0
login
line vty 6 15
login
!
end


PIX 515E config
: Saved
:
PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password pVR.SNSpOqeBwWhV encrypted
passwd kbQTH03mSQ/wd0Ql encrypted
hostname XXXXXXX
domain-name XXXX.com
clock timezone CEST 1
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_user permit tcp 10.10.11.0 255.255.255.0 any eq www
access-list OUT-IN permit tcp any host 10.10.11.80 eq smtp
pager lines 24
logging on
logging timestamp
logging monitor debugging
logging buffered notifications
mtu outside 1500
mtu inside 1500
ip address outside 192.168.8.1 255.255.255.0
ip address inside 10.10.10.250 255.0.0.0
ip audit info action
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm location 10.10.10.11 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 192.168.8.5-192.168.8.250 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.8.251 10.10.10.70 netmask 255.255.255.255 0 0

static (inside,outside) 192.168.8.252 10.10.10.251 netmask 255.255.255.255 0
0
static (inside,outside) 10.10.11.80 201.13.12.102 netmask 255.255.255.255 0 0

access-group OUT-IN in interface outside
conduit permit icmp any any
conduit permit tcp host 192.168.8.251 eq ftp any
conduit permit tcp host 192.168.8.252 eq telnet any
conduit permit icmp host 192.168.8.252 any
route outside 0.0.0.0 0.0.0.0 192.168.8.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.0.0.0 inside
snmp-server host inside 10.10.10.250 trap
no snmp-server location
no snmp-server contact
snmp-server community etsd
snmp-server enable traps
floodguard enable
telnet 10.10.10.11 255.255.255.255 inside
telnet timeout 30
ssh timeout 20
console timeout 0
username kadmin password IpgK5i2cPtDbB3Ej encrypted privilege 15
terminal width 80
Cryptochecksum:3f62d84b32a6e944999ee67c6a71437d
: end
 
Upvote 0 Downvote
Here's how I would clean up the config:
1) Add ip route 10.0.0.0 0.0.0.255 192.168.8.1 into the 3700
2) Add access-list 7 permit 10.0.0.0 0.0.0.255 into the 3700
3) Add static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 into the pix.
4) Remove static (inside,outside) 10.10.11.80 201.13.12.102 netmask 255.255.255.255 0 0 from the pix

double check your mask on your 10 network to make sure that you do in fact want a /8 as opposed to a /24

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Upvote 0 Downvote
On the PIX -
access-list OUT-IN permit tcp any host 10.10.11.80 eq smtp
should be
access-list OUT-IN permit tcp any host 192.168.8.252 eq smtp
and I don't think these are what you want -
conduit permit icmp any any
conduit permit tcp host 192.168.8.251 eq ftp any
conduit permit tcp host 192.168.8.252 eq telnet any
conduit permit icmp host 192.168.8.252 any
static (inside,outside) 10.10.11.80 201.13.12.102 netmask 255.255.255.255 0 0

Conduits and ACLs don't play nice with each other and that static won't work.

Why are you having double NAT? It creates a lot of problems. Have the router route and the pix do the nat and firewall. Just a thought.



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Upvote 0 Downvote
unclerico: ip route 10.0.0.0 0.0.0.255 192.168.8.1 does not work on the router - says inconsistent address and mask.

With the following modified config, I get some improvement. Doing a portqry from the mail server gives a response:-

TCP port 25 (smtp service): FILTERED

The initial result was : NOT LISTENING.

The problem now is to determine what is blocking the smtp service. Is it the router or the pix? How do I solve the problem?
---------------
Cisco 3700 config
Current configuration : 1810 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname YYYYYYY
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 $1$DiLY$Uuxv4NeXqKvh5O19S6vAT/
enable password 7 044C19160C70
!
username dminis privilege 15 secret 5 $1$fjp.$skgrQPP9K3IDiSJdIy.Id/
username cmen privilege 15 secret 5 $1$PyF0$TQ7v2iq4a8HOir8hDyMZn1
no aaa new-model
ip subnet-zero
ip cef
!
!
!
no ip domain lookup
ip name-server k.j.16.8
ip name-server k.j.17.8
no ftp-server write-enable
!
!
!
!
interface FastEthernet0/0
description Ethernet Link to IDIRECT 3000 SATELLITE ROUTER
ip address 201.13.12.102 255.255.255.252
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
description Ethernet Link to Outside interface on Firewall Police01
ip address 192.168.8.2 255.255.255.0
ip nat inside
duplex auto
speed auto
!
ip nat translation timeout 600
ip nat pool emore 201.13.12.102 201.13.12.102 prefix-length 27
ip nat inside source list 7 pool emore overload
ip classless
ip route 0.0.0.0 0.0.0.0 201.13.12.101
ip http server
ip http authentication local
ip http max-connections 2
ip http timeout-policy idle 600 life 43200 requests 5
!
access-list 7 permit 192.168.8.0 0.0.0.255
access-list 101 permit tcp any host 201.13.12.102 eq smtp
snmp-server community demmy RW
snmp-server enable traps tty
banner motd ^C Unauthorized access is strictly PROHIBITED and shall be exhuastiv
ely PROSECUTED. If you are not authorised to be on KYC network, then you must DISCONNECT IMMEDIATELY ^C
!
line con 0
password 7 06111D314F1F
logging synchronous
login
line aux 0
line vty 0 4
exec-timeout 30 0
password 7 120E17071159
login
line vty 5
exec-timeout 30 0
login
line vty 6 15
login
!
end


PIX 515E config
: Saved
:
PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password pVR.SNSpOqeBwWhV encrypted
passwd kbQTH03mSQ/wd0Ql encrypted
hostname XXXXXXX
domain-name XXXX.com
clock timezone CEST 1
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_user permit tcp 10.10.11.0 255.255.255.0 any eq www
access-list out-in permit tcp any host 201.13.12.102 eq smtp
pager lines 24
logging on
logging timestamp
logging monitor debugging
logging buffered notifications
mtu outside 1500
mtu inside 1500
ip address outside 192.168.8.1 255.255.255.0
ip address inside 10.10.10.250 255.0.0.0
ip audit info action
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm location 10.10.10.11 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 192.168.8.5-192.168.8.250 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.8.251 10.10.10.70 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.8.252 10.10.10.251 netmask 255.255.255.255 0
0
static (inside,outside) 201.13.12.102 10.10.11.80 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 192.168.8.251 eq ftp any
conduit permit tcp host 192.168.8.252 eq telnet any
conduit permit icmp host 192.168.8.252 any
route outside 0.0.0.0 0.0.0.0 192.168.8.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.0.0.0 inside
snmp-server host inside 10.10.10.250 trap
no snmp-server location
no snmp-server contact
snmp-server community etsd
snmp-server enable traps
floodguard enable
telnet 10.10.10.11 255.255.255.255 inside
telnet timeout 30
ssh timeout 20
console timeout 0
username kadmin password IpgK5i2cPtDbB3Ej encrypted privilege 15
terminal width 80
Cryptochecksum:3f62d84b32a6e944999ee67c6a71437d
: end
 
Upvote 0 Downvote
This needs to be an address ON the pix
access-list out-in permit tcp any host 201.13.12.102 eq smtp

Then there needs to be a static with
static (inside,outside) [address_on_pix] [internal_server_address] netmask 255.255.255.255

Now just add Burt's lines to the router and you should be up and running.

Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Upvote 0 Downvote
Problem solved. I have successfully configured the router and pix and can now send and receive mails via the exchange server using only the internal IP (1 NIC). I got some more hint from This person had almost the same scenario like me. I’ll still work on getting a DMZ later for better security.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

XLNTech1
  • Locked
  • Question
iptables port forwarding
Replies
0
Views
518
XLNTech1
XLNTech1
Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
670
Sameer258
Sameer258
Sparrow4
  • Locked
  • Question
Configure Avaya IPO R11 / VM Pro + Office365 or Exchange for voicemail to email
Replies
2
Views
585
Johnkite
Johnkite
brownmab53
  • Locked
  • Question
PIX 525 ASA not allowing DHCP addresses to pass through to router
Replies
0
Views
149
brownmab53
brownmab53
ChrisFairley
  • Locked
  • Question
Downloads failing through ASA 5520
Replies
1
Views
138
iggsterman
iggsterman

Part and Inventory Search

Sponsor

Back
Top