
translation isn't working for mail server

Status
Not open for further replies.

panini

MIS
Jun 1, 2001
136
GB
I've got a 515R firewall which is allowing access out no problem for users on the internal LAN, but when I try to direct mail and web flow through it to our mail server, the translation just doesn't seem to work - I've followed pretty closely - my config (IPs changed) is below:

Any help really appreciated - I need to go to bed!

: Saved
: Written by enable_15 at 14:07:59.632 UTC Sat Jul 6 2002
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 2Av431E9tdni5Rtb encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix
domain-name abc.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol sqlnet 1521
no fixup protocol h323 ras 1718-1719
no fixup protocol h323 h225 1720
fixup protocol domain 53
no names
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host 213.24.142.2 eq smtp
access-list 100 permit tcp any host 213.24.142.2 eq www
access-list 100 permit tcp any host 213.24.142.2 eq https
pager lines 24
logging on
logging timestamp
access-group 100 in interface outside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 213.24.142.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:51214826cacf7d96032ae5a941da095f
 
Hi.

You didn't post the whole relevant config with statements like "static", "global" and "ip".

What about the perimeter router - is it doing any NAT or filtering?
Are the addresses you're using routed to your pix by the ISP?
Is there any conflict between pix interface, global statements and static?
What syslog messages do you get if any?
Have you updated DNS?

Bye
Yizhar Hurwitz
 

Hi Yizhar - I was hoping you'd answer!

Sorry about the config - not sure what happened there - it's below. The perimeter router isn't NATing or filtering. I've not updated DNS yet - I want to get the HTTP traffic flowing, then I'll point the DNS from another domain at the server to see if mail's flowing. Not sure where to check syslog messages, and I didn't think there was a conflict - but then it's not working.

: Written by enable_15 at 14:07:59.632 UTC Sat Jul 6 2002
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 2Av431E9tdni5Rtb encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix
domain-name abc.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol sqlnet 1521
no fixup protocol h323 ras 1718-1719
no fixup protocol h323 h225 1720
fixup protocol domain 53
no names
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host 213.24.142.2 eq smtp
access-list 100 permit tcp any host 213.24.142.2 eq www
access-list 100 permit tcp any host 213.24.142.2 eq https
pager lines 24
logging on
logging timestamp
logging monitor debugging
logging buffered debugging
logging facility 23
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 213.24.142.6 255.255.255.248
ip address inside 192.168.141.5 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 213.24.142.2 192.168.141.2 netmask 255.255.255.255 0 0
access-group 100 in interface outside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 213.24.142.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:51214826cacf7d96032ae5a941da095f
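Yizhar's questions above (conflict between the PIX interface address, the global statement and the static; whether the public address is routed to the PIX) can be checked mechanically against a posted config. The following is an added example written for this thread, not anything from the original posts or from Cisco: a small checker for PIX 6.x `ip address`, `static`, `access-list`, `access-group` and `conduit` lines, run over a constructed excerpt of the config above (same addresses as posted).

```python
import ipaddress

# Constructed excerpt of the PIX 6.2 config posted in this thread (NAT/ACL lines only,
# addresses as the poster gave them). Sample input for the checker, not the full post.
POSTED_CONFIG = """\
access-list 100 permit tcp any host 213.24.142.2 eq smtp
access-list 100 permit tcp any host 213.24.142.2 eq www
ip address outside 213.24.142.6 255.255.255.248
ip address inside 192.168.141.5 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 213.24.142.2 192.168.141.2 netmask 255.255.255.255 0 0
access-group 100 in interface outside
conduit permit icmp any any
"""


def audit_pix(config):
    """Return a list of 'CODE: detail' findings about static/interface/ACL consistency."""
    ifaces, statics, acl_hosts, findings = {}, {}, set(), []
    has_access_group = has_conduit = False
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:2] == ["ip", "address"] and len(t) >= 5:
            ifaces[t[2]] = ipaddress.ip_interface(f"{t[3]}/{t[4]}")   # name -> addr/mask
        elif t[0] == "static" and len(t) >= 4:
            in_if, out_if = t[1].strip("()").split(",")
            statics[t[2]] = (t[3], in_if, out_if)   # global addr -> (real addr, ifaces)
        elif t[0] == "access-list" and "host" in t:
            acl_hosts.add(t[t.index("host") + 1])   # destination hosts the ACL permits
        elif t[0] == "access-group":
            has_access_group = True
        elif t[0] == "conduit":
            has_conduit = True
    for glob, (real, in_if, out_if) in statics.items():
        g, r = ipaddress.ip_address(glob), ipaddress.ip_address(real)
        if out_if in ifaces and g == ifaces[out_if].ip:
            findings.append(f"CONFLICT: static {glob} is the {out_if} interface address")
        elif out_if in ifaces and g not in ifaces[out_if].network:
            findings.append(f"ROUTING: {glob} is outside the {out_if} subnet; ISP must route it to the PIX")
        if in_if in ifaces and r not in ifaces[in_if].network:
            findings.append(f"ROUTING: real host {real} is not on the {in_if} subnet; check inside routes")
    for host in sorted(acl_hosts - set(statics)):
        findings.append(f"NO_XLATE: access-list permits to {host} but no static translates it")
    if has_conduit and has_access_group:
        findings.append("MIXED: conduit and access-group both present; keep one policy model")
    return findings


if __name__ == "__main__":
    for finding in audit_pix(POSTED_CONFIG):
        print(finding)
```

On the posted config the only finding is the mixed conduit/access-group policy; the static, ACL and interface addressing are consistent, which matches Yizhar's reading that the PIX side looks fine.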
 
Hi.

The pix configuration seems fine to me for allowing inbound traffic.
Check for routing and DNS problems on the outside.

Try to access the server from the router if you can by using telnet to port 25 or 80 (for port 80, simply try to connect and hit Enter twice).
From the router command line type:
telnet 213.24.142.2 25

Also check for arp problems at the router and try to reboot it or clear arp table.

Bye

Yizhar Hurwitz
 
If you recently changed your static configuration do a show xlate to see if any traffic is coming in to the server. Also do a clear xlate to allow the router to rebuild the NAT/PAT tables.
 

OK, this is really starting to do my head in - I've built an IPCop firewall as a temporary measure and told it to port forward port 80 and port 25 to the internal mail servers ip and it's still not working - the ipcop firewall is saying that inbound connections (from a browser on a machine on an external network) are coming in on port 1501, then 1502, 1503, etc.... rather than port 80.

I've also tried a different switch on the internal LAN in case it was something internal.....

Another company is currently providing the connection and web and SMTP traffic is working fine (they're closing down, hence the new ISP); OWA is working fine on the internal LAN.
I've checked with the new ISP and they're not doing anything unusual, it's just a straight through connection, no filtering, rebooted router, etc


Please help!!!! Am I going mad? - I've got other boxes through other firewalls forwarding these ports fine...

Many thanks for any advice...
 
The conduit statement is messing up your config. Remove the "conduit permit icmp any any" line, add "no fixup protocol smtp 25" to prevent looping. Reboot.
Also, shouldn't you assign a spare live IP address for global translation?? Unless you're using PAT, I would think "global (outside) 1 interface" wouldn't work for ya.
Once you have that taken care of, start thinking of an outbound access-list; it's quite essential nowadays. Hope it helps.
 
Panini,
Did you try and reboot the external router like Yizhar suggested? I've seen the problem you describe a few times, and that is the fix.
-gbiello
 
I don't know if this will help, as I've only started playing with a cisco pix 515 firewall last month.

I have a mailserver behind the firewall, and I have to explicitly grant SMTP access out from the mailserver before I can send and receive external mail. (And I thought outbound traffic is granted by default.)

You might need to grant domain protocol as well (to allow dns lookup). If you do, you'll need 2 entries, one for tcp another for udp.

 
Right you guys, I have to post this in case anyone else finds this and makes the same mistake - despite how embarrassing it is -

The config is right - but I had it set up within an existing infrastructure and hence the mail server HAD ANOTHER DEFAULT GATEWAY.

What an idiot.

The mail server needs to know where it's replying to, so in this case the default gateway needs to be the PIX.

Thanks for all of your help.
