SMTP static routing question

May 11, 2005
I am attempting to set up an smtp server behind the 515e on a dmz. I have the dns records (external) pointing to a public IP address. The MX and A records appear to be correct.

The question is, when I attempt to trace the public IP address, the trace stops at the last hop before the 515e firewall. I have checked with the T1 provider and IPs x.10 thru x.14 are available. x.10 is the firewall outside interface, x.11 is a static mapping to an internal smtp server.

Is there something that I need to insert in order to be able to get to the exchange box? I have the necessary smtp access list point to the x.11 address, established the dmz, created the static mapping and applied it to the outside interface. Am I missing something?????

Thanks in advance for any info available
 
I'd have thought if the hop before the PIX is timing out, that's where you should look. Chances are this device doesn't have a route for your public address range.
 
Yes, it has a static route from the inside smtp nic to the public x.11 ip address.

static (dmz,outside) x.x.x.11 192.168.10.10 netmask 255.255.255.255 0 0
 
That's just a NAT translation you've listed there - not an IP route.

Can you clarify something: when you say you trace to .11 and it times out, is that from the Internet (outside) of the PIX or from inside the network? I'm presuming outside, as that is the side that has knowledge of the public address range.

If it is the outside, then does a ping and traceroute to the PIX's outside address (.10) work? I suspect the routing is not in place on this device and therefore I would expect this to fail also.

 
You're correct. I have been assuming the NAT is equal to the Route, brain cramp....

I have a route that looks like this....

route outside 0.0.0.0 0.0.0.0 x.x.x.9 1

Do I need to create a static from outside x.11 to inside 192.168.10.10?

I can ping the x.10 pix ip address....so it may just be a route issue.....

thanks.....
 
That route you've listed on the PIX is fine assuming that the x.x.x.9 next hop is your router connected to the ISP network.

I think the routes are likely correct on your router as well if you can ping the .10 address of the PIX.

I wonder if you would do 2 things for me:

1. Paste a copy of the PIX config here
2. Try a ping from the PIX to the real address of the SMTP server to see if that works.
 
Yes I can ping the smtp nic address from the 515e

here is the config....

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network SunnysideRemote
network-object 192.191.140.128 255.255.255.192
access-list inside_outbound_nat0_acl permit ip 192.191.140.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.191.140.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.20.128 255.255.255.192
access-list outside_cryptomap_20 permit ip 192.191.140.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list splitunnel permit ip 192.191.140.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.20.128 255.255.255.192
access-list acl-out permit icmp any any
access-list smtp permit tcp any host x.x.x.11 eq smtp
no pager
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside x.x.x.10 255.255.255.248
ip address inside 192.191.140.24 255.255.255.0
ip address dmz 192.168.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool RP001 192.168.20.151-192.168.20.175
pdm location 192.191.140.1 255.255.255.255 inside
pdm location 192.191.140.128 255.255.255.192 outside
pdm location 192.168.20.0 255.255.255.0 outside
pdm location 192.168.1.0 255.255.255.0 outside
pdm location 192.191.140.0 255.255.255.0 inside
pdm location 192.168.20.128 255.255.255.192 outside
pdm location 192.168.10.10 255.255.255.255 dmz
pdm group SunnysideRemote outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.191.140.0 255.255.255.0 0 0
static (dmz,outside) 155.212.78.11 192.168.10.10 netmask 255.255.255.255 0 0
access-group smtp in interface outside
route outside 0.0.0.0 0.0.0.0 155.212.78.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.191.140.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 24.75.246.230
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 24.75.246.230 netmask 255.255.255.255 no-xauth no-config-mode
: end
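The earlier exchange in this thread turned on the difference between a NAT translation and an IP route. The short Python script below is an added example (not code from the thread or from Cisco) that reads the three lines of the posted config that matter for that question, the outside interface address/mask, the static, and the default route, and reports whether the static's global address sits on the outside link, in which case the upstream router resolves it by ARP rather than needing a route, whether the real server is on the interface the static names first, and whether the default next hop is on-link. The public x.x.x.9/.10/.11 addresses are replaced by constructed 192.0.2.0/24 documentation addresses; the PIX answering ARP for a static's global address (proxy ARP) is stated as the behaviour being checked, not something the thread itself says.

```python
"""Added example: sanity-check a PIX 6.x static NAT entry against the
interface addressing and the default route (NAT translation vs. IP route)."""
import ipaddress
import re

# Constructed excerpt modelled on the config posted in this thread; the public
# x.x.x.9/.10/.11 addresses are replaced by 192.0.2.0/24 documentation addresses.
SAMPLE_CONFIG = """
ip address outside 192.0.2.10 255.255.255.248
ip address inside 192.191.140.24 255.255.255.0
ip address dmz 192.168.10.1 255.255.255.0
static (dmz,outside) 192.0.2.11 192.168.10.10 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 192.0.2.9 1
"""


def parse_interfaces(config):
    """Map interface name -> ip_interface from 'ip address <if> <ip> <mask>' lines."""
    ifaces = {}
    for m in re.finditer(r"^ip address (\S+) (\S+) (\S+)\s*$", config, re.M):
        ifaces[m.group(1)] = ipaddress.ip_interface(f"{m.group(2)}/{m.group(3)}")
    return ifaces


def parse_statics(config):
    """Return (local_if, global_if, global_ip, local_ip) for each one-to-one static."""
    pat = r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask 255\.255\.255\.255"
    return [(m.group(1), m.group(2), ipaddress.ip_address(m.group(3)),
             ipaddress.ip_address(m.group(4)))
            for m in re.finditer(pat, config, re.M)]


def parse_default_route(config):
    """Return (interface, next_hop) of the default route, or None if absent."""
    m = re.search(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", config, re.M)
    return (m.group(1), ipaddress.ip_address(m.group(2))) if m else None


def check_statics(config):
    """For each static, report whether the upstream router can reach the global
    address on the shared link (the PIX answers ARP for it) or needs a real route."""
    ifaces = parse_interfaces(config)
    route = parse_default_route(config)
    results = []
    for local_if, global_if, gip, lip in parse_statics(config):
        g_net = ifaces[global_if].network
        l_net = ifaces[local_if].network
        results.append({
            "global": str(gip),
            "local": str(lip),
            # True: the next hop treats the global address as directly connected
            # and ARPs for it; the PIX answers on behalf of the static (proxy ARP).
            "global_on_link": gip in g_net,
            # True: the real server is in the subnet of the interface named first
            # in 'static (local,global)'; False means the direction is wrong.
            "local_on_local_if": lip in l_net,
            # True: the default-route next hop is reachable on the outside link.
            "next_hop_on_link": bool(route and route[0] == global_if and route[1] in g_net),
        })
    return results


def explain(result):
    """Render one check result as the advice a reviewer would give."""
    if not result["local_on_local_if"]:
        return (f"{result['local']} is not on the local interface of the static; "
                f"check the (local,global) direction")
    if result["global_on_link"]:
        return (f"{result['global']} is on the outside subnet: no upstream route is needed, "
                f"the PIX must answer ARP for it, then the inbound ACL decides")
    return (f"{result['global']} is off-link: the upstream router needs a route for it "
            f"via the PIX outside address")


if __name__ == "__main__":
    for r in check_statics(SAMPLE_CONFIG):
        print(explain(r))
```

With the posted addressing the global address .11 and the next hop .9 both fall inside the /29 of the outside interface, so the script reports that no upstream route is required and the remaining question is whether the PIX answers ARP for .11 and what its inbound access list permits.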
 
Not a lot wrong with that config, except I can see why you can't traceroute/ping the server, however, as it's not specifically allowed in the access list called smtp.

Incidentally have you tried 'telnet x.x.x.11 25' from the outside? Do you see an SMTP response? As you have Mailguard enabled on the PIX (that's the fixup protocol smtp statement), only certain SMTP commands are allowed from a connecting mail server.

If you can telnet to the SMTP server on port 25 then your PIX config is fine. However if SMTP still doesn't work from an external mail server, try disabling the fixup, i.e. 'no fixup protocol smtp' and try again from the external mail server.
 
Thanks....

I cannot telnet into 25 on the server. That might be the issue. I'll give it a go and post the results.
 
Still not able to get to the address.

I added this entry to attempt the exposure "?"
access-list smtp permit icmp any any

I removed the fixup for smtp but still same results.

 
Tell you what would be useful: A traceroute from outside to the .10 address which works and another to the .11 which doesn't

I'm still not sure the routing is in place on the router (the PIX is fine in my opinion)
 
The tracert is identical until it gets to the ip address of the T1 appliance prior to my firewall. x.10 goes thru, x.11 does not ???? If you want I'll trace it and post it for you.
 
Z:\>tracert x.x.x.10

Tracing route to host10.x.x.x.conversent.net [x.x.x.10]
over a maximum of 30 hops:

1 24 ms 21 ms 10 ms londonderry-cuda1-68-170-128-1.lndnnh.adelphia.net [68.170.128.1]
2 11 ms 9 ms 7 ms 24.48.246.49
3 18 ms 15 ms 14 ms 24.48.204.205
4 17 ms 16 ms 15 ms unk-426d0e99.adelphiacom.net [66.109.14.153]
5 18 ms 15 ms 17 ms p1-00-00-00.a0.cdp00.adelphiacom.net [66.109.1.46]
6 24 ms 22 ms 22 ms p3-02-00-00.r0.nyc90.adelphiacom.net [66.109.1.21]
7 32 ms 23 ms 23 ms g1-00-00-00.p0.nyc90.adelphiacom.net [66.109.1.14]
8 22 ms 24 ms 24 ms g-x-x-x.a1-6-NWYKNYA1.broadwing.net [198.32.118.30]
9 23 ms 25 ms 24 ms 216.140.10.221
10 26 ms 23 ms 22 ms so7-0-0.a1.nwaknj.broadwing.net [216.140.8.198]
11 22 ms 23 ms 21 ms p2-2.a0.nwaknj.broadwing.net [216.140.8.201]
12 28 ms 25 ms 24 ms 65.89.249.42
13 31 ms 34 ms 32 ms ma1-bb1-as0.conversent.net [209.113.217.229]
14 33 ms 33 ms 34 ms nh1-gw2-atm6-0-10254.conversent.net [209.113.217.166]
15 34 ms 33 ms 34 ms nh1-gw1-gi0-2.conversent.net [209.113.217.50]
16 42 ms 39 ms 38 ms host86.216.41.23.conversent.net [216.41.23.86]
17 40 ms 47 ms 41 ms host10.x.x.x.conversent.net [x.x.x.10]

Trace complete.

Z:\>tracert x.x.x.11

Tracing route to host11.x.x.x.conversent.net [x.x.x.11]
over a maximum of 30 hops:

1 13 ms 18 ms 19 ms londonderry-cuda1-68-170-128-1.lndnnh.adelphia.net [68.170.128.1]
2 41 ms 7 ms 10 ms 24.48.246.49
3 74 ms 15 ms 13 ms 24.48.204.205
4 16 ms 14 ms 12 ms unk-426d0e99.adelphiacom.net [66.109.14.153]
5 15 ms 15 ms 15 ms p1-00-00-00.a0.cdp00.adelphiacom.net [66.109.1.46]
6 25 ms 34 ms 21 ms p3-02-00-00.r0.nyc90.adelphiacom.net [66.109.1.21]
7 124 ms 20 ms 33 ms g1-00-00-00.p0.nyc90.adelphiacom.net [66.109.1.14]
8 24 ms 24 ms 24 ms g-x-x-x.a1-6-NWYKNYA1.broadwing.net [198.32.118.30]
9 25 ms 21 ms 26 ms 216.140.10.221
10 29 ms 23 ms 26 ms so0-1-0.a1.nwaknj.broadwing.net [216.140.10.198]
11 23 ms 23 ms 23 ms p2-2.a0.nwaknj.broadwing.net [216.140.8.201]
12 30 ms 25 ms 25 ms 65.89.249.42
13 33 ms 31 ms 30 ms ma1-bb1-as0.conversent.net [209.113.217.229]
14 31 ms 32 ms 30 ms nh1-gw2-atm6-0-10254.conversent.net [209.113.217.166]
15 32 ms 31 ms 33 ms nh1-gw1-gi0-2.conversent.net [209.113.217.50]
16 41 ms 41 ms 41 ms host86.216.41.23.conversent.net [216.41.23.86]
17 * * * Request timed out.
18 ^C
Z:\>
 
Just got off the phone with conversent and x.10 thru x.14 is being passed thru the router.
 
From the Exchange server can you get outbound access? Is the mail service running? Also, issue a "sh access-list smtp" and see if the hit count is going up. If you see hits on the access list then the pix is seeing the traffic. If not then it's not reaching the pix.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
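Two points made in this thread, that the access list named smtp only permits TCP to port 25 on x.11 so ping and traceroute to that address are dropped, and that "sh access-list smtp" with a rising hit count proves the traffic is reaching the PIX, can both be demonstrated with a small first-match ACL evaluator. The Python below is an added example, not code from the thread or from Cisco: it parses access-list and access-group lines of the form used in the posted config, evaluates sample packets arriving on the outside interface with the implicit deny at the end, and keeps per-entry hit counters in the way show access-list displays them. The port-name table, the constructed packets and the use of the documentation address 192.0.2.11 in place of x.x.x.11 are assumptions of the example.

```python
"""Added example: first-match evaluation of a PIX 6.x inbound access list
with implicit deny and per-entry hit counters."""
import ipaddress

# Subset of the port names accepted after 'eq' (assumption for this example).
PORT_NAMES = {"smtp": 25, "www": 80, "domain": 53, "https": 443}

# Constructed excerpt modelled on the thread's config; x.x.x.11 is replaced by
# the documentation address 192.0.2.11. acl-out exists but is bound to no interface.
SAMPLE_CONFIG = """
access-list acl-out permit icmp any any
access-list smtp permit tcp any host 192.0.2.11 eq smtp
access-group smtp in interface outside
"""


def _parse_addr(tokens):
    """Consume 'any' | 'host A' | 'A MASK' from tokens; return (network, remaining)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


class PixInbound:
    """Evaluate traffic entering an interface against the ACL bound there."""

    def __init__(self, config):
        self.acls = {}    # ACL name -> list of access-control entries
        self.groups = {}  # interface -> ACL name bound with 'access-group ... in'
        for line in config.splitlines():
            t = line.split()
            if len(t) >= 5 and t[0] == "access-list":
                name, action, proto = t[1], t[2], t[3]
                src, rest = _parse_addr(t[4:])
                dst, rest = _parse_addr(rest)
                dport = None
                if len(rest) >= 2 and rest[0] == "eq":
                    dport = PORT_NAMES.get(rest[1]) or int(rest[1])
                self.acls.setdefault(name, []).append({
                    "line": line.strip(), "action": action, "proto": proto,
                    "src": src, "dst": dst, "dport": dport, "hits": 0})
            elif len(t) == 5 and t[0] == "access-group" and t[2] == "in":
                self.groups[t[4]] = t[1]

    def check(self, iface, proto, src, dst, dport=None):
        """True if a packet arriving on iface is permitted; updates hit counters."""
        name = self.groups.get(iface)
        if name is None:
            # No access-group on this interface: traffic toward a higher-security
            # interface is denied by default on PIX 6.x.
            return False
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for ace in self.acls[name]:
            if ace["proto"] not in ("ip", proto):
                continue
            if src_ip not in ace["src"] or dst_ip not in ace["dst"]:
                continue
            if ace["dport"] is not None and ace["dport"] != dport:
                continue
            ace["hits"] += 1  # counted the way 'show access-list' reports hitcnt
            return ace["action"] == "permit"
        return False  # implicit deny at the end of every ACL

    def hit_counts(self, name):
        """Return [(entry_text, hits), ...] for an ACL, like 'show access-list <name>'."""
        return [(ace["line"], ace["hits"]) for ace in self.acls.get(name, [])]


if __name__ == "__main__":
    pix = PixInbound(SAMPLE_CONFIG)
    print("tcp/25  ->", pix.check("outside", "tcp", "198.51.100.7", "192.0.2.11", 25))
    print("icmp    ->", pix.check("outside", "icmp", "198.51.100.7", "192.0.2.11"))
    for text, hits in pix.hit_counts("smtp"):
        print(f"{text} (hitcnt={hits})")
```

Run against the sample, the TCP/25 packet is permitted and the entry's hit count goes up, while ICMP to the same address hits nothing and is dropped by the implicit deny, which is exactly the pattern of a working telnet to port 25 alongside a timed-out traceroute. Appending the line the original poster later added, access-list smtp permit icmp any any, makes the ICMP check pass as well.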
 
I am sure someone advised to add a "no fixup protocol smtp 25" statement to get it to work with Exchange 2003. Unfortunately I cannot really explain why...
HB
 
Having the smtp fixup on doesn't prevent smtp connections to the server. It just stops non-RFC commands. You would still see a connection if you telnet to the server on port 25 which the OP isn't seeing.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
Good morning,

I checked the hit counts for the smtp protocol and I see where the messages as well as the pings are getting to the 515e, but they don't get through.

Suggestions on where to look next???

Thanks in advance.....

Jim
 
So on your access list that allows smtp you are seeing hits against that ACL, yes? Providing that your static statement is correct then I would presume that the problem lies on the mail server. Can the mail server send outbound email?

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
Yes, it is able to send out via the default smtp virtual server. I am still working out the final config of the exchange server. It is beginning to look like an exchange issue. If I understand this, since the hit count on the smtp protocol is incrementing, that the msgs are getting to the PIX, and the problem is on the other side of the appliance.

Why can't I trace to the x.11 ip address? What is preventing me from getting a response?
 