telnet to port 25 - SMTP test

[cfwdude]

I am trying to test a mail server by telneting to it's public IP on port 25.
Here is the hardware scenario:
ISP - Cisco 1721 (config below)
Public outside address, public inside address
My Cisco PIX 501 (config below)
Public outside, Internal address inside, NAT and static route to mail server, conduits permit SMTP

I am able to telnet to the ISP router from outside, but not to the outside of the PIX, and not to the public address of the mail server.
I can ping the ISP router, but not the PIX outside or the mailserver.

Is something in the ISP router blocking this? or is it the PIX??

One command I am unsure of in the ISP route is the
ip route x.x.x.160 255.255.255.248 Null0 254 permanent
this is a little different than I typically use.

thanks

ISP Router Cisco 1721

service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname xxxxxxxxxx
boot-start-marker
boot-end-marker
enable password xxxxxx
no aaa new-model
ip subnet-zero
ip name-server 206.13.28.12
ip name-server 206.13.31.12
ip cef
interface FastEthernet0
description TO LOCAL LAN
ip address x.x.x.161 255.255.255.248 - PUBLIC IP
speed auto
interface Serial0
description xxxxxx
no ip address
encapsulation frame-relay IETF
fair-queue
service-module t1 timeslots 1-24
frame-relay lmi-type ansi
interface Serial0.1 point-to-point
ip address x.x.x.250 255.255.255.252
frame-relay interface-dlci 16
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0.1
ip route x.x.x.160 255.255.255.248 Null0 254 permanent
no ip http server
line con 0
password xxxxxxx
login
line aux 0
transport input all
flowcontrol hardware
line vty 0 4
password xxxxxxx
login
no scheduler allocate
end

PIX config

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password nQuw3G9n8kjBJPDf encrypted
passwd nQuw3G9n8kjBJPDf encrypted
hostname SloppySeconds
domain-name xxxxxxxxxxx.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.162 255.255.255.248 - OUTSIDE IP
ip address inside 10.0.0.252 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.163 10.0.1.200 netmask 255.255.255.255 0 0
conduit permit icmp any any echo
conduit permit icmp any any echo-reply
conduit permit tcp host x.x.x.163 eq smtp any
conduit permit tcp host x.x.x.163 eq

http://www any

route outside 0.0.0.0 0.0.0.0 ISP Gateway 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 0.0.0.0 0.0.0.0 outside
telnet 10.0.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:7a815da4f8144863e7182f99bc6e2aab
: end
[OK]

 

[CiscoFreakazoid]

Hi cfwdude,

Blame the PIX (it's allways the PIX ;-) )

I prefer to use ACL's in stead of conduits. It makes things a lot more transparent I think. You can attach the "access-group in" command to an interface for example:

access-group 101 in interface outside
access-list 101 permit icmp any host x.x.x.x echo

In that way only entering traffic is processed and passing traffic will not be blocked by the outgoing interfaces.

Maybe the following article will help:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800e9312.shtml

Good luck!!

 

[lgarner]

The Null0 route shouldn't be a problem since it's got a metric of 254, while the connected route has a metric of 0. Try getting rid of it, anyway. I found some references to using this to manipulate route redistribution, but you're not using any dynamic routing protocols, so I can't see a reason for it.

Also, I don't see a "name x.x.x.161 ISP" statement in the Pix, but I think it has to be there or the "route outside 0.0.0.0 0.0.0.0 ISP" won't work (unless "ISP" is just a placeholder for the IP address in this posting).

Otherwise, as long as your mail server has its default route pointing to the Pix, nothing jumps out at me. Can your mail server access the Internet (web, smtp, etc) as a client?

Lee.

 

[cfwdude]

CiscoFrEaK,
i added the Access list and removed the conduit statements.

access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit tcp host 206.13.51.163 eq smtp any
access-list 101 permit tcp host 206.13.51.163 eq

http://www any

access-group 101 in interface outside

still no change, get response after trying to telnet from ISP router:
% Connection timed out; remote host not responding



lgarner,
The ISP was jsut edited to get my public ip's off this posting. I use the real ip's in the config.
the mail server has the PIX as it's default gateway. Web access good. I have tried telneting to port 25 on the exchagne server form an internal ip and all is good there.

 

[lgarner]

OK, like CiscoFrEak, I recommend switching to access lists since conduits are being deprecated (and I know ACL's better). You have the addresses backwards, though. ACL's are opposite of conduits:

access-list permit/deny proto src port dest port ...

So, what you want is:
access-list 101 permit tcp any host 206.13.51.163 eq smtp
access-list 101 permit tcp any host 206.13.51.163 eq www

That should work. Also, remember that there is an implicit "deny ip any any" at the end of every access-list. So, if you use an ACL you need to be sure that everything is explicitly allowed, or end your list with "permit ip any any" (but explicit allowances is better).

Again, that should work...

 

[cfwdude]

Thanks for the correction lgarner.

Made the changes, still can't get to the public ip of the mail server.

I am able to ping outside interface of ISP router, and outside interface of PIX, but cannot ping outside ip of mail server, or telnet to port 25.

I am using a very similar config on a Cisco PIX 515, with the conduit statements, not access-lists, and everything works on it. I am beginning to wonder if it is a limitation of the PIX 501?

 

[lgarner]

It looks like it should work. As far as I know, FOS is FOS, regardless of the hardware platform. A 501 should work the same as a 535, except for licensing and capacity.

You could try "debug packet outside proto tcp dport 25" and variations of it to see if anything is hitting the Pix.

 

[ChrisAC]

Check in the logs of the pix to make sure that the traffic is not being blocked and that there is a translation.

Also, make sure that the mail server has one default route out via the pix.

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************