Tek-Tips is the largest IT community on the Internet today!

SMTP gremlins with Exchange and PIX OS 6.3


jrcanfer

When testing my config I seem to be having a whole host of SMTP problems.

Looking at the syslog output, I have:

Built outbound TCP connection 921 for outside:195.92.195.160/25 (195.92.195.160/25) to inside:192.0.3.10/45197 (195.92.118.34/45197)

Which is positive, but then I have plenty of errors:

Deny TCP (no connection) from 192.0.3.10/25 to 195.92.193.221/48153 flags SYN ACK on interface inside

Which is a real pain, as it terminates with:

Teardown TCP connection 921 for outside:195.92.195.160/25 to inside:192.0.3.10/45197 duration 0:02:01 bytes 0 SYN Timeout

Any ideas and help would be greatly appreciated, because when I set up a PIX a few years back with a different SMTP mailer, it worked perfectly!

Thanks

James
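What those three syslog lines are saying, as an added example that is not part of the original post: a short Python triage script that pairs Built/Teardown messages by connection ID, flags sessions torn down with "bytes 0" and "SYN Timeout" (the PIX sent the SYN out but never saw the peer's SYN/ACK come back through it), and separately flags "Deny TCP (no connection) ... flags SYN ACK on interface inside", which is an inside host answering a SYN the PIX holds no state for (the SYN reached the host by another path, such as the firewall being replaced, or the PIX's entry had already timed out). The regexes target the PIX 6.x message bodies for 302013/302014/106015; the sample log is constructed from the thread's own lines plus one session that closed normally, for contrast.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the three lines quoted in the thread.
# Connection 921 and the first Deny line are the thread's own; connection 922
# (a session that completed normally) and the repeated Deny are added for contrast.
SAMPLE_LOG = """\
Built outbound TCP connection 921 for outside:195.92.195.160/25 (195.92.195.160/25) to inside:192.0.3.10/45197 (195.92.118.34/45197)
Deny TCP (no connection) from 192.0.3.10/25 to 195.92.193.221/48153 flags SYN ACK on interface inside
Built outbound TCP connection 922 for outside:195.92.195.229/25 (195.92.195.229/25) to inside:192.0.3.10/45201 (195.92.118.34/45201)
Teardown TCP connection 921 for outside:195.92.195.160/25 to inside:192.0.3.10/45197 duration 0:02:01 bytes 0 SYN Timeout
Deny TCP (no connection) from 192.0.3.10/25 to 195.92.193.221/48153 flags SYN ACK on interface inside
Teardown TCP connection 922 for outside:195.92.195.229/25 to inside:192.0.3.10/45201 duration 0:00:04 bytes 1834 TCP FINs
"""

# PIX 6.x message bodies (302013 Built, 302014 Teardown, 106015 Deny (no connection)).
# search() rather than match() so a leading timestamp or %PIX-n-nnnnnn: tag is tolerated.
BUILT = re.compile(
    r"Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) for "
    r"(?P<if1>\w+):(?P<ip1>[\d.]+)/(?P<port1>\d+) \([\d.]+/\d+\) to "
    r"(?P<if2>\w+):(?P<ip2>[\d.]+)/(?P<port2>\d+)"
)
TEARDOWN = re.compile(
    r"Teardown TCP connection (?P<id>\d+) for .* duration (?P<dur>[\d:]+) "
    r"bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$"
)
DENY_NOCONN = re.compile(
    r"Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\w+)"
)


def triage(log_text):
    """Return a list of findings for TCP sessions that never got off the ground."""
    conns = {}                  # conn id -> endpoint details from the Built line
    denies = defaultdict(int)   # (src, sport, dst, dport, flags, iface) -> count
    findings = []

    for line in log_text.splitlines():
        m = BUILT.search(line)
        if m:
            conns[m["id"]] = m.groupdict()
            continue
        m = TEARDOWN.search(line)
        if m:
            c = conns.get(m["id"])
            # bytes 0 + SYN Timeout: our SYN went out, but no SYN/ACK ever came
            # back through the PIX. Either the peer never answered or its reply
            # took a different path.
            if c and m["reason"] == "SYN Timeout" and m["bytes"] == "0":
                remote = (c["ip1"], c["port1"]) if c["if1"] == "outside" else (c["ip2"], c["port2"])
                findings.append({
                    "kind": "handshake_never_completed",
                    "conn": m["id"],
                    "remote": "%s:%s" % remote,
                    "duration": m["dur"],
                })
            continue
        m = DENY_NOCONN.search(line)
        if m:
            key = (m["src"], m["sport"], m["dst"], m["dport"], m["flags"].strip(), m["iface"])
            denies[key] += 1

    for (src, sport, dst, dport, flags, iface), n in denies.items():
        # A SYN/ACK arriving on the inside interface with no connection entry means
        # an inside host is answering a SYN the PIX never recorded: the SYN reached
        # the host by another route (e.g. the firewall being replaced), or the PIX's
        # own entry had already expired.
        if flags == "SYN ACK" and iface == "inside":
            findings.append({
                "kind": "orphan_syn_ack",
                "inside_host": "%s:%s" % (src, sport),
                "peer": "%s:%s" % (dst, dport),
                "count": n,
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

Run against a real `logging trap` feed, the script reports the MTA peers whose handshakes keep timing out; those are the addresses whose return traffic (or whose callback connections, as this thread eventually found) to check against the outside ACL.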

 
Here you go - thanks!

: Saved
: Written by enable_15 at 14:49:47.879 UTC Tue Jul 1 2003
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security10
enable password vHZoU0lOxvL2tfpX encrypted
passwd vHZoU0lOxvL2tfpX encrypted
hostname Firewall
domain-name mydomain.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.0.3.12 PC0005
name 192.0.3.10 Exchangethame
name 192.0.3.7 xyznetdc
name 192.0.2.102 xyznetdc2
name 192.0.5.2 Supportweb
name 192.0.5.3 SQL
access-list inside_access_in permit tcp host Exchangethame any eq smtp
access-list inside_access_in permit tcp host 192.0.3.6 any eq ftp
access-list inside_access_in permit tcp host 192.0.3.6 any eq ftp-data
access-list inside_access_in permit tcp host xyznetdc2 any eq domain
access-list inside_access_in permit tcp host xyznetdc any eq domain
access-list inside_access_in permit tcp host 192.0.3.6 any eq https
access-list inside_access_in permit tcp host 192.0.3.6 any eq pptp
access-list inside_access_in permit tcp host 192.0.3.6 any eq 1701
access-list inside_access_in permit tcp host PC0005 host Supportweb eq 3389
access-list inside_access_in permit tcp host PC0005 host SQL eq 3389
access-list inside_access_in permit icmp any any
access-list inside_access_in permit tcp host Exchangethame any eq domain
access-list inside_access_in permit udp host xyznetdc any eq time
access-list inside_access_in permit tcp host 192.0.3.6 any eq nntp
access-list inside_access_in permit udp host 192.0.3.6 any eq radius
access-list inside_access_in permit udp host 192.0.3.6 any eq radius-acct
access-list inside_access_in permit tcp host 192.0.3.6 any eq www
access-list inside_access_in permit tcp host 192.0.3.6 any eq domain
access-list inside_access_in permit tcp host PC0005 any eq 3389
access-list inside_access_in permit icmp host PC0005 any
access-list inside_access_in permit tcp host PC0005 host Supportweb eq ftp
access-list inside_access_in permit tcp host PC0005 host Supportweb eq ftp-data
access-list inside_access_in permit tcp host PC0005 host SQL eq ftp
access-list inside_access_in permit tcp host PC0005 host SQL eq ftp-data
access-list inside_access_in permit udp host 192.0.3.6 any eq domain
access-list inside_access_in permit tcp host PC0005 any eq ftp
access-list inside_access_in permit tcp host PC0005 any eq ftp-data
access-list outside_access_in permit tcp any host 19x.92.118.34 eq smtp
access-list outside_access_in permit tcp any host 19x.92.118.36 eq pptp
access-list outside_access_in permit tcp any host 19x.92.118.36 eq 1701
access-list outside_access_in permit tcp any host 19x.92.118.54 eq www
access-list outside_access_in permit tcp any host 19x.92.118.54 eq https
access-list outside_access_in permit udp any host 19x.92.118.36 eq radius
access-list outside_access_in permit udp any host 19x.92.118.36 eq radius-acct
access-list outside_access_in permit tcp host 194.152.65.230 host 19x.92.118.34 eq smtp
access-list outside_access_in permit tcp host 195.92.193.160 host 19x.92.118.34 eq smtp
access-list outside_access_in permit tcp host 195.92.193.207 host 19x.92.118.34 eq smtp
access-list outside_access_in permit tcp host 195.92.193.221 host 19x.92.118.34 eq smtp
access-list outside_access_in permit tcp host 195.92.193.222 host 19x.92.118.34 eq smtp
access-list outside_access_in permit tcp host 195.92.193.223 host 19x.92.118.34 eq smtp
access-list outside_access_in permit tcp host 195.92.195.229 host 19x.92.118.34 eq smtp
access-list outside_access_in permit tcp host 195.92.195.230 host 19x.92.118.34 eq smtp
access-list outside_access_in permit tcp host 195.92.195.233 host 19x.92.118.34 eq smtp
access-list outside_access_in permit tcp any host 19x.92.118.54 eq ftp
access-list outside_access_in permit tcp any host 19x.92.118.54 eq ftp-data
access-list outside_access_in permit icmp host 19x.92.118.33 any
access-list DMZ_access_in permit tcp host Supportweb any eq www
access-list DMZ_access_in permit tcp host Supportweb any eq https
access-list DMZ_access_in permit tcp host Supportweb any eq domain
pager lines 24
logging on
logging timestamp
logging trap debugging
logging facility 23
logging host inside 192.0.3.8 format emblem
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 19x.92.118.35 255.255.255.224
ip address inside 192.0.3.5 255.255.255.0
ip address DMZ 192.0.5.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface DMZ
ip audit info action alarm
ip audit attack action alarm
pdm location PC0005 255.255.255.255 inside
pdm location Exchangethame 255.255.255.255 inside
pdm location xyznetdc2 255.255.255.255 inside
pdm location xyznetdc 255.255.255.255 inside
pdm location 192.0.3.8 255.255.255.255 inside
pdm location Supportweb 255.255.255.255 inside
pdm location Supportweb 255.255.255.255 DMZ
pdm location SQL 255.255.255.255 DMZ
pdm location 194.152.65.230 255.255.255.255 outside
pdm location 195.92.193.160 255.255.255.255 outside
pdm location 195.92.193.207 255.255.255.255 outside
pdm location 195.92.193.221 255.255.255.255 outside
pdm location 195.92.193.222 255.255.255.255 outside
pdm location 195.92.193.223 255.255.255.255 outside
pdm location 195.92.195.229 255.255.255.255 outside
pdm location 195.92.195.230 255.255.255.255 outside
pdm location 195.92.195.233 255.255.255.255 outside
pdm location 192.0.3.6 255.255.255.255 inside
pdm location 19x.92.118.33 255.255.255.255 outside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 10 19x.92.118.43-19x.92.118.48 netmask 255.255.255.224
nat (inside) 10 xyznetdc2 255.255.255.255 0 0
nat (inside) 10 xyznetdc 255.255.255.255 0 0
nat (inside) 10 PC0005 255.255.255.255 0 0
static (inside,outside) 19x.92.118.34 Exchangethame netmask 255.255.255.255 0 0
static (inside,outside) 19x.92.118.36 192.0.3.6 netmask 255.255.255.255 0 0
static (DMZ,outside) 19x.92.118.54 Supportweb netmask 255.255.255.255 0 0
static (DMZ,outside) 19x.92.118.55 SQL netmask 255.255.255.255 0 0
static (inside,DMZ) 192.0.5.4 PC0005 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 195.92.118.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http PC0005 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet PC0005 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:80356f184a89bd583af1138bdeb5a532
: end
 
That looks like your connection was shut down after two minutes. This wouldn't normally be a problem. Are you having problems sending email?
 
Yes, it just queues. I'm not convinced that transactions are happening in either direction, as no test mails get through.

Once I revert to the current firewall, the mail flows again.

 
Try this: "no fixup protocol smtp 25". See if the problem goes away.
 
Try this...

no global (outside) 10 19x.92.118.43-19x.92.118.48 netmask 255.255.255.224
global (outside) 1 interface
 
I'm not entirely sure what you're getting at, but I've ditched the global pool (10) and set up static mappings for everything that uses it.

So there are now no Global statements.

However, with or without fixup smtp 25 I'm still getting the same errors.

I've mailed CCO about it and they're scratching their heads about it too!

Thanks

James
 
I think your server might be trying to use the NAT pool and running out of connections. Are there multiple IP addresses bound to your Exchange server?
 
I've killed off the NAT pools completely and just use static mappings now, and the same thing happens.

There's just one IP address on the internal mail server, which is mapped to a public address.

I reckon Exchange is trying to do something odd or waiting for something on another port.
 
Baddas, you should work for Cisco - they suggested more or less the same thing :)

I changed the public IP so I could at least test outbound traffic, and then the syslog started reporting that the ISP's mail servers were sending inbound packets on TCP 113 (ident).

With that enabled, it works fine on the original public IP - odd how it never showed up before, but there you go!

Thanks for all your help!
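The fix James describes, spelled out as an added example (these lines are not from the thread's posted config): the ISP's MTAs open an ident/auth connection (TCP 113) back to the connecting host before they carry on with the SMTP dialogue, and while the PIX silently drops that probe they sit waiting for it to time out. Permitting 113 to the mail server's static lets the probe reach a host that answers for itself; a RST from a Windows box running no ident daemon is enough for the remote MTA to move on. The alternative in PIX 6.3 is `service resetinbound`, which makes the PIX answer denied inbound TCP with a RST instead of a silent drop, so no per-relay ident rule is needed. The two options below are alternatives, not both; the relay addresses are the ones already visible in the thread's ACL and log lines, and `19x.92.118.34` is the Exchange static as the poster wrote it.

```cisco
! Option A: let the ident probe through to the mail server's static, one line
! per ISP relay that is already trusted for SMTP in outside_access_in.
! Appended entries go at the end of the list, which is fine here because the
! list has no explicit deny and is already bound with
!   access-group outside_access_in in interface outside
access-list outside_access_in permit tcp host 195.92.193.221 host 19x.92.118.34 eq ident
access-list outside_access_in permit tcp host 195.92.195.160 host 19x.92.118.34 eq ident
! ...repeat for the remaining 195.92.193.x / 195.92.195.x relays.

! Option B: keep 113 closed but answer denied inbound TCP with a RST rather
! than dropping it silently, so remote MTAs give up on ident immediately.
service resetinbound
```

Option B is global: every denied inbound TCP SYN to any of the PIX's outside addresses gets a RST, so an outside scanner learns which addresses exist instead of seeing silence. Option A is narrower but needs one entry per relay; `show access-list outside_access_in` hit counts will confirm which relays actually probe.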
 
lol... I must have their helpdesk FAQ in my head. :)

-Bad Dos
 