Configuring Cisco PIX 506e firewall for mail problem

Unanswered Question
Mar 5th, 2007

Hi

I am Hemant. We have a PIX 506e firewall, a D-Link ADSL DSL-502T and my IBM xSeries 236 server.

I have a fixed static live IP, 59.181.103.220, which I got from my ISP (MTNL), and the same IP is given in the FQDN at http://www.net4india.com (the company from which we have registered our domain name and taken space).

My problem is that I am not able to send mail through my mail server (loyalindia.co.in), but I am receiving mails from any server.

My network design is as follows:

ADSL (WAN) 59.181.103.220, ADSL (LAN) 59.181.103.221. PIX 506e (out) 59.181.103.222, PIX 506e (in) 192.168.1.1. My domain mail server loyalindia.co.in (Exchange server) IP 192.168.1.2.

I have tried with (ADSL) NATting and without NATting, but the problem is the same.

If I remove the PIX 506e and connect the server directly to the ADSL, I am able to receive and send mails properly.

Anybody who can support me?

ROBERTO TACCON Mon, 03/05/2007 - 05:14

Have you verified the fixup smtp?

If you use Exchange with the ESMTP protocol, disable the fixup with no fixup smtp.

HTH

Roberto

hemanttandel Wed, 03/07/2007 - 20:59

Hi Roberto

I have given the command "no fixup protocol smtp" but it did not solve my problem.

Is there any other command for the PIX which I can try? Is my network design OK, or should it be changed?

Design is as:

adsl (wan) 59.181.103.220,

adsl (lan)59.181.103.221,

cisco pix 506e (wan) 59.181.103.222,

cisco pix 506e (lan) 192.168.1.1,

Domain controller (loyalindia.co.in) mail server (Exchange 2003) IP is 192.168.1.2

Is this network design OK, or do I have to make some changes?

Please let me know. Waiting for the reply.

Bye

suschoud Thu, 03/08/2007 - 07:21

Hi Hemant,

You need the following on the PIX:

static (inside,outside) tcp interface 25 192.168.1.2 25 netmask 255.255.255.255

access-list out_in permit tcp any interface outside eq 25

access-group out_in in interface outside

What is this doing?

Opening port 25 on the PIX's outside interface.

The MX record of this mail server should point to the outside interface of the firewall.

Hope this takes care of your issue.

Regards,

Sushil.

hemanttandel Sat, 03/10/2007 - 04:58

No, it did not solve my problem.

Should I change the MX record FQDN IP (59.181.103.220), which is registered with the DNS?

My static live IP is 59.x.x.220.

My network design is as follows:

adsl (wan) 59.x.103.220,

adsl (lan)59.x.103.221,

cisco pix 506e (wan) 59.x.103.222,

cisco pix 506e (lan) 192.168.1.1,

Domain controller (loyalindia.co.in) mail server (Exchange 2003) IP is 192.168.1.2

My config:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
passwd xxx
hostname loyal
domain-name loyalfire.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 59.x.103.221 adsl
name 192.168.1.2 mail
access-list smtp_in permit tcp any interface outside eq smtp
access-list smtp_in permit tcp any host 59.181.103.222 eq smtp
access-list out_in permit tcp any interface outside eq smtp
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 59.x.x.222 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location mail 255.255.255.255 inside
pdm location adsl 255.255.255.255 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp mail smtp netmask 255.255.255.255 0 0
access-group out_in in interface outside
route outside 0.0.0.0 0.0.0.0 adsl 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http mail 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:xxxx
: end

You will get the idea.

Bye
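The three commands in Sushil's reply (a static translation, an access-list entry, and an access-group that binds the list to the outside interface) only work as a chain; a config can contain all three and still miss the binding. The following is an added example, not part of the thread, that parses the SMTP-relevant lines of the config Hemant posted and reports what a reviewer checks by hand: which inside host port 25 is translated to, whether the applied access-list permits it, which access-lists are defined but never applied (smtp_in above), and the snmp-server community public line. The sample config is copied from the post; the PORT_NAMES table and the parse rules cover only the command forms that appear there and are assumptions about PIX 6.x syntax, not a full parser.

```python
import copy

# Constructed sample: the SMTP-relevant lines of the PIX 6.3(5) config posted above.
SAMPLE_CONFIG = """
names
name 59.x.103.221 adsl
name 192.168.1.2 mail
access-list smtp_in permit tcp any interface outside eq smtp
access-list smtp_in permit tcp any host 59.181.103.222 eq smtp
access-list out_in permit tcp any interface outside eq smtp
ip address outside 59.x.x.222 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp mail smtp netmask 255.255.255.255 0 0
access-group out_in in interface outside
no fixup protocol smtp 25
snmp-server community public
"""

# PIX accepts service names in place of port numbers; only the ones needed here (assumption).
PORT_NAMES = {"smtp": 25, "www": 80, "domain": 53}


def port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def take_addr(tokens, i):
    """Consume one PIX address spec at tokens[i]: 'any', 'host X', 'interface X' or 'A M'."""
    if tokens[i] == "any":
        return ("any", None), i + 1
    if tokens[i] in ("host", "interface"):
        return (tokens[i], tokens[i + 1]), i + 2
    return ("net", tokens[i] + " " + tokens[i + 1]), i + 2


def parse_pix(text):
    cfg = {"names": {}, "ifaces": {}, "acls": {}, "statics": [], "applied": {}, "notes": []}
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "name" and len(t) == 3:                      # name <ip> <alias>
            cfg["names"][t[2]] = t[1]
        elif t[:2] == ["ip", "address"]:                        # ip address <ifc> <ip> <mask>
            cfg["ifaces"][t[2]] = t[3]
        elif t[0] == "access-list" and t[2] in ("permit", "deny"):
            src, i = take_addr(t, 4)
            dst, i = take_addr(t, i)
            dport = port(t[i + 1]) if i + 1 < len(t) and t[i] == "eq" else None
            cfg["acls"].setdefault(t[1], []).append(
                {"action": t[2], "proto": t[3], "src": src, "dst": dst, "dport": dport})
        elif t[0] == "static" and t[2] in ("tcp", "udp"):
            # static (real_ifc,mapped_ifc) proto mapped_ip|interface mapped_port real_ip real_port ...
            real_ifc, mapped_ifc = t[1].strip("()").split(",")
            cfg["statics"].append({"proto": t[2], "mapped_ifc": mapped_ifc, "mapped": t[3],
                                   "mapped_port": port(t[4]), "real_ip": t[5],
                                   "real_port": port(t[6])})
        elif t[0] == "access-group":                            # access-group <acl> in interface <ifc>
            cfg["applied"][t[4]] = t[1]
        elif raw.strip().startswith("no fixup protocol smtp"):
            cfg["notes"].append("smtp fixup disabled: ESMTP passes through unmodified")
        elif t[:2] == ["snmp-server", "community"] and t[2] == "public":
            cfg["notes"].append("snmp-server community 'public': default read community is set")
    return cfg


def check_port_forward(cfg, ifc, proto, dport):
    """Does traffic to interface <ifc>, <proto>/<dport>, reach an inside host and is it permitted?"""
    out = {"target": None, "permitted": False, "unapplied_acls": [], "notes": list(cfg["notes"])}
    ifc_ip = cfg["ifaces"].get(ifc)
    for s in cfg["statics"]:
        if (s["proto"] == proto and s["mapped_ifc"] == ifc and s["mapped_port"] == dport
                and s["mapped"] in ("interface", ifc_ip)):
            real = cfg["names"].get(s["real_ip"], s["real_ip"])   # resolve 'name' aliases
            out["target"] = f"{real}:{s['real_port']}"
    # Only the list bound with access-group on this interface is evaluated by the PIX.
    for e in cfg["acls"].get(cfg["applied"].get(ifc), []):
        if (e["action"] == "permit" and e["proto"] in (proto, "ip")
                and e["dport"] in (dport, None)
                and e["dst"] in (("any", None), ("interface", ifc), ("host", ifc_ip))):
            out["permitted"] = True
            break
    out["unapplied_acls"] = sorted(a for a in cfg["acls"] if a not in cfg["applied"].values())
    return out


if __name__ == "__main__":
    result = check_port_forward(parse_pix(SAMPLE_CONFIG), "outside", "tcp", 25)
    for k, v in result.items():
        print(f"{k}: {v}")
```

Run against the posted config the chain is complete (target 192.168.1.2:25, permitted), smtp_in is reported as defined but never applied, and the SNMP community note is raised; inbound SMTP was never the problem, which is consistent with Hemant receiving mail.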

ROBERTO TACCON Sat, 03/10/2007 - 05:45

Hi,

The conf. is OK.

The SMTP server is 59.181.103.222 (the outside interface of the PIX!).

P.S.: Insert also the following conf. on the PIX:

logging on

logging timestamp

logging monitor warnings

logging buffered warnings

logging trap warnings

no logging console

Regards.

vitripat Sat, 03/10/2007 - 08:40

Hemant,

I checked the DNS databases and found this:

- loyalindia.co.in is your domain; the MX record for it is mail.loyalindia.co.in, which points to 59.181.103.220.

Your current configuration on the PIX binds the mail server to use 59.181.103.222 (PIX WAN interface IP) to send outbound mails and receive mails. That is fine. The reason your outbound mails might be failing is a reverse-DNS lookup. When the destination mail server does a reverse lookup for mail.loyalindia.co.in, it sees 59.181.103.220; however, it is receiving the mails from 59.181.103.222, so it rejects the mail with a reverse-lookup failure error.

Here is what you need to do:

- Have the MX record IP changed to 59.181.103.222.

This should solve your issues for outbound mails. Hope that helps.

Regards,

Vibhor.
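What a receiving MTA actually tests is the connecting address: it looks up the PTR for that IP and checks that the PTR name resolves back to the same IP (forward-confirmed reverse DNS). With the PIX configured as above, outbound mail leaves from the outside interface address, so that is the address which needs a PTR, and a PTR is set by whoever owns the address block (the ISP), not at the registrar where the MX lives. The following added example, not part of the thread, models that check with the MX and A records Vibhor reports embedded as constructed data; the PTR records are an assumption, since the thread never shows them. It then shows the record changes under which 59.181.103.222 would pass.

```python
import copy
import ipaddress

# Constructed DNS snapshot. MX and A values are those reported in the thread;
# the PTR entry is ASSUMED for illustration (the thread does not show any PTR data).
ZONE = {
    "MX": {"loyalindia.co.in": ["mail.loyalindia.co.in"]},
    "A": {"mail.loyalindia.co.in": ["59.181.103.220"]},
    "PTR": {"220.103.181.59.in-addr.arpa": ["mail.loyalindia.co.in"]},  # assumed
}


def reverse_name(ip):
    """The in-addr.arpa name a receiver queries for a connecting IPv4 address."""
    return ipaddress.ip_address(ip).reverse_pointer


def outbound_mail_check(domain, source_ip, zone=ZONE):
    """Emulate what a receiving MTA sees when <domain> connects from <source_ip>."""
    mx_hosts = zone["MX"].get(domain, [])
    mx_ips = {ip for h in mx_hosts for ip in zone["A"].get(h, [])}
    ptr_names = zone["PTR"].get(reverse_name(source_ip), [])
    # Forward-confirmed reverse DNS: some PTR name must resolve back to the connecting IP.
    fcrdns_ok = any(source_ip in zone["A"].get(n, []) for n in ptr_names)
    problems = []
    if not ptr_names:
        problems.append(f"no PTR record for {source_ip}")
    elif not fcrdns_ok:
        problems.append(f"PTR name(s) {ptr_names} do not resolve back to {source_ip}")
    if source_ip not in mx_ips:
        problems.append(f"{source_ip} is not an MX address for {domain} ({sorted(mx_ips)})")
    return {
        "source_ip": source_ip,
        "mx_hosts": mx_hosts,
        "source_is_mx": source_ip in mx_ips,
        "ptr_names": ptr_names,
        "fcrdns_ok": fcrdns_ok,
        "problems": problems,
    }


def with_records(zone, host, ip):
    """Return a copy of <zone> in which <host> has A -> <ip> and <ip> has PTR -> <host>
    (i.e. both the registrar-side and the ISP-side change)."""
    z = copy.deepcopy(zone)
    z["A"].setdefault(host, [])
    if ip not in z["A"][host]:
        z["A"][host].append(ip)
    z["PTR"].setdefault(reverse_name(ip), [])
    if host not in z["PTR"][reverse_name(ip)]:
        z["PTR"][reverse_name(ip)].append(host)
    return z


if __name__ == "__main__":
    for ip in ("59.181.103.220", "59.181.103.222"):
        r = outbound_mail_check("loyalindia.co.in", ip)
        print(ip, "fcrdns_ok=%s" % r["fcrdns_ok"], r["problems"])
    fixed = with_records(ZONE, "mail.loyalindia.co.in", "59.181.103.222")
    print("after fix:", outbound_mail_check("loyalindia.co.in", "59.181.103.222", fixed)["problems"])
```

The point the model makes: changing the MX host's A record alone (a registrar change) leaves the PTR side untouched, and a source address with no PTR still fails the check; the two record changes have different owners and both are needed for the outside-interface address.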

hemanttandel Mon, 03/12/2007 - 06:11

But this IP, 59.181.103.222, is not a live IP.

Will it work? Or do I have to purchase a new static IP?

I had also changed my network design with a (purchased) new static IP, 59.181.111.159, which was not live, and it also did not solve my problem. It was not sending and receiving mails.

My design was as follows:

MX record IP (FQDN) 59.181.111.159

adsl (wan) 59.181.103.220

adsl (lan) 59.181.111.158

pix 506e (out) 59.181.111.159

pix 506e (in) 192.168.1.1

domain mail server (exchange) ip 192.168.1.2

So what should I do? Please let me know. Waiting for the reply.

Bye.
