SMTP problems making it to inside network


damaged58

IS-IT--Management
Jan 21, 2002
I have an Exchange server inside my network that I need for other smtp servers to be able to reach. I have given it a static map IP and applied an access-list to allow smtp traffic to it. Problem is the firewall is still blocking the SMTP traffic to this IP. I have also scanned my mail IP with a port scanner and it cannot find port 25 open. Should it be able to find it open?
 
Well, you will definitely need port 25 opened on the server itself. Someone would have had to block it in the first place. Open 25 up on the server.
 
There is an issue with the PIX's MailGuard feature and MS Exchange. What you want to do is make sure that you have port 25 open to the Exchange server, and disable the MailGuard feature by issuing this command:

no fixup protocol smtp 25

This command works on PIX running OS ver. 6.0(1) and 5.3(2) for sure.

See if this helps.

David K., MCSE, CCNA.
webnetwiz@hotmail.com


 
An interesting point, webnetwiz, I am running 25 to an exchange server with mailguard enabled. I have not had any problems. Is this only on specific versions?
 
I've had the same problem receiving mail through the firewall. Solution? Open ports 25 and 135, which is your RPC mapper, and configure the Exchange server registry to use static ports for SMTP sessions; add those ports to your configuration via the "established" command to enable traffic to reach those ports once the connection has been made.
 
Certainly, for a sanity check when testing the firewall, do a no fixup smtp 25.

Then from the outside use a telnet "address" 25

command. You should be able to see the header, something with the version of Exchange on it. If you can get this far you can then make the decision on fixup; the difference can be with SMTP and ESMTP...
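As a scripted version of the telnet test above, here is an added example (not code from this thread or from Cisco) that reads the banner, sends EHLO and classifies what came back: no banner, a banner rewritten to asterisks in transit, EHLO refused, or ESMTP extensions listed. The host names and sample replies are constructed.

```python
import socket

def read_reply(sock_file):
    """Read one SMTP reply; continuation lines use '250-', the last line '250 '."""
    lines = []
    while True:
        raw = sock_file.readline()
        if not raw:
            break
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            break
    return lines

def parse_reply(lines):
    """Return (status code, [text after the code on each line]) or (None, [])."""
    if not lines or len(lines[0]) < 3 or not lines[0][:3].isdigit():
        return None, []
    return int(lines[0][:3]), [l[4:] for l in lines]

def assess(banner_lines, ehlo_lines):
    """Classify what an inbound probe saw, the way the 'telnet address 25' test does."""
    bcode, btext = parse_reply(banner_lines)
    if bcode is None:
        return "no SMTP banner: port 25 is not reaching a mail server"
    banner = " ".join(btext)
    if banner and banner.count("*") > len(banner) // 2:
        return "banner masked with asterisks: a device in the path is rewriting SMTP"
    ecode, etext = parse_reply(ehlo_lines)
    if ecode is None or ecode >= 500:
        return "EHLO refused: ESMTP extensions are blocked on this path"
    exts = sorted({t.split()[0].upper() for t in etext[1:] if t.strip()})
    return "ESMTP ok, extensions: " + ",".join(exts)

def probe(host, port=25, helo_name="probe.example", timeout=10):
    """Live check against your own mail host: banner, EHLO, QUIT; returns assess()'s verdict."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        banner = read_reply(f)
        s.sendall(f"EHLO {helo_name}\r\n".encode())
        ehlo = read_reply(f)
        s.sendall(b"QUIT\r\n")
        return assess(banner, ehlo)

# Constructed sample replies (not captured from any server in the thread).
CLEAN = (["220 mail.example.com Microsoft ESMTP MAIL Service ready"],
         ["250-mail.example.com Hello [203.0.113.5]", "250-SIZE 10485760",
          "250-8BITMIME", "250 HELP"])
MASKED = (["220 ********************************"], ["500 Command unrecognized"])
```

Run probe() against your own published MX address from outside the firewall; the sample pairs show the verdicts assess() gives for a clean path and for a rewritten one.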
 
Use the no fixup protocol smtp 25 command.
The reason being, Exchange uses ESMTP and requires extra commands that the fixup protocol will block.
Well documented.
 
Can someone post the configuration file to get traffic in and out to the Exchange server on the inside?

I have tried the no fixup but my mail still does not flow back in. Mail does however travel out.


Thanks for the help.
 
Glad to see that I am not the only one who cannot get inbound mail to an Exchange server.

I have tried the no fixup protocol smtp 25, and still cannot receive mail inbound.

My mail server's IP address is 192.168.1.150.
I am using PAT on the outside interface 213.121.173.2
ISP Router address is 213.121.173.1

Here is my PIX config (PIX Version 6.1(1)):


no fixup protocol smtp 25

access-list acl1 permit icmp any any echo-reply
access-list acl1 permit icmp any any time-exceeded
access-list acl1 permit icmp any any unreachable
access-list acl1 permit tcp any host 213.121.173.2 eq smtp


ip address outside 213.121.173.2 255.255.255.248
ip address inside 192.168.1.199 255.255.255.0


global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl1 in interface outside

route outside 0.0.0.0 0.0.0.0 213.121.173.1 1


Any help would be greatly appreciated.

Ian Hunter

 

I am using a static nat here based on the MX record, have mailguard enabled, and am getting mail in and out.

This may be your issue. Have you done a static NAT to your mail server? That may be why mail is not returning to your server. You only need to allow port 25 in from the outside to this host only.
 
Do you have this in your config?

static (inside,outside) 213.121.173.2 192.168.1.150 netmask 255.255.255.255 0 0
 
I agree with the above two comments!

Ian, what you have is an access-list allowing mail to your PIX firewall and not your mail server! I very much doubt that your PIX is listening for connections on port 25!!

Presuming that you have an MX entry in your DNS record for your domain, what is it?

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
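The point made in the last three replies (the ACL permits tcp/25 to the outside interface address, but nothing translates that address to the inside host) can be checked mechanically. Here is an added example, not code from the thread or from Cisco, that pulls the relevant statements out of a PIX 6.x config and reports whether inbound tcp/25 has both a permit and a static; the two sample configs are constructed from what Ian posted, and the regexes assume the PIX 6.x statement forms shown in this thread.

```python
import re

# Statements in a PIX 6.x config that decide whether inbound tcp/25 reaches an inside host.
OUTSIDE = re.compile(r"^ip address outside (\S+)")
ACL = re.compile(r"^access-list (\S+) permit tcp (?:any|host \S+|\S+ \S+) host (\S+) eq (?:smtp|25)$")
GROUP = re.compile(r"^access-group (\S+) in interface outside$")
STATIC_PORT = re.compile(r"^static \(inside,outside\) tcp (\S+) (?:smtp|25) (\S+) (?:smtp|25)")
STATIC_ALL = re.compile(r"^static \(inside,outside\) (\S+) (\S+) netmask")
FIXUP = re.compile(r"^(no )?fixup protocol smtp 25$")

def check_inbound_smtp(config):
    """Return a list of findings about the inbound SMTP path in a PIX config."""
    outside_ip, fixup_on = None, True      # MailGuard (fixup smtp) is on by default
    acl_dests, applied, statics = [], set(), {}
    for raw in config.splitlines():
        line = raw.strip()
        m = OUTSIDE.match(line)
        if m:
            outside_ip = m.group(1)
        m = ACL.match(line)
        if m:
            acl_dests.append((m.group(1), m.group(2)))
        m = GROUP.match(line)
        if m:
            applied.add(m.group(1))
        m = STATIC_PORT.match(line) or STATIC_ALL.match(line)
        if m:
            statics[m.group(1)] = m.group(2)     # outside address -> inside host
        m = FIXUP.match(line)
        if m:
            fixup_on = m.group(1) is None
    findings = []
    dests = [d for name, d in acl_dests if name in applied]
    if not dests:
        findings.append("no access-list applied inbound on outside permits tcp/25")
    for d in dests:
        if d in statics:
            findings.append(f"ok: tcp/25 to {d} is permitted and translated to {statics[d]}")
        elif d == outside_ip:
            findings.append(f"{d} is the outside interface (PAT) address with no static: "
                            "the PIX itself is the destination, so inbound tcp/25 is dropped")
        else:
            findings.append(f"no static translates {d} to an inside host")
    if fixup_on:
        findings.append("fixup protocol smtp 25 (MailGuard) is on; Exchange ESMTP commands may be blocked")
    return findings

# Constructed from the two configs Ian posted in this thread (addresses as given there).
BEFORE = """no fixup protocol smtp 25
access-list acl1 permit tcp any host 213.121.173.2 eq smtp
ip address outside 213.121.173.2 255.255.255.248
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl1 in interface outside"""
AFTER = BEFORE + "\nstatic (inside,outside) tcp 213.121.173.2 smtp 192.168.1.150 smtp netmask 255.255.255.255 0 0"
```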
 
Finally got it working.

Here is my config; it might be of some use to others.

Thanks guys.

Ian H

PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name us.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
no names
access-list acl1 permit icmp any any echo-reply
access-list acl1 permit icmp any any time-exceeded
access-list acl1 permit icmp any any unreachable
access-list acl1 permit tcp any host 213.xxx.xxx.242 eq smtp
pager lines 24
logging console debugging
logging host inside 192.168.1.150
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 213.xxx.xxx.242 255.255.255.248
ip address inside 192.168.1.199 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 213.xxx.xxx.242 smtp 192.168.1.150 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 213.xxx.xxx.242 255.255.255.255 0 0
access-group acl1 in interface outside
route outside 0.0.0.0 0.0.0.0 213.xxx.xxx.241 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.199 255.255.255.255 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80