Configuring Cisco PIX 506E firewall for mail problem

Unanswered Question
Mar 5th, 2007


I am Hemant. We have a PIX 506E firewall, a D-Link ADSL DSL-502T and an IBM xSeries 236 server.

I have a fixed static live IP which I got from the ISP (MTNL), and the same IP is given in the FQDN at (a company from which we have registered our domain name and taken space).

My problem is that I am not able to send mail through my mail server (I am receiving mails from any server).

My network design is as follows:

ADSL (WAN), ADSL (LAN), PIX 506E (out), PIX 506E (in), my domain mail server (Exchange server) IP

I have tried with (ADSL) NATting and without NATting, but the problem is the same.

If I remove the PIX 506E and connect the server directly to the ADSL, I am able to receive and send mails properly.

Anybody who can support me?

ROBERTO TACCON Mon, 03/05/2007 - 05:14

Have you verified the fixup smtp?

If you use Exchange with the ESMTP protocol, disable the fixup with no fixup smtp.



hemanttandel Wed, 03/07/2007 - 20:59

Hi Roberto

I have given the command "no fixup protocol smtp" but it did not solve my problem.

Any other command for the PIX which I can try? Is my network design OK, or should it be changed?

Design is as:

ADSL (WAN),

ADSL (LAN),

Cisco PIX 506E (WAN),

Cisco PIX 506E (LAN),

Domain controller (mail server (Exchange 2003) IP is

Is this network design OK, or do I have to make some changes?

Please let me know. Waiting for the reply.


suschoud Thu, 03/08/2007 - 07:21

Hi Hemant,

You need the following on the PIX:

static (inside,outside) tcp interface 25 25 netmask
access-list out_in permit tcp any interface outside eq 25
access-group out_in in interface outside

What is this doing? It opens port 25 on the PIX's outside interface.

The MX record of this mail server should point to the outside interface of the firewall.

Hope this takes care of your issue.



hemanttandel Sat, 03/10/2007 - 04:58

No, it did not solve my problem.

Should I change the MX record / FQDN IP ( which is registered with the DNS?

My static live IP is 59.x.x.220

My network design is as follows:

ADSL (WAN) 59.x.103.220,

ADSL (LAN) 59.x.103.221,

Cisco PIX 506E (WAN) 59.x.103.222,

Cisco PIX 506E (LAN),

Domain controller (mail server (Exchange 2003) IP is

My config:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
passwd xxx
hostname loyal
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
name 59.x.103.221 adsl
name mail
access-list smtp_in permit tcp any interface outside eq smtp
access-list smtp_in permit tcp any host eq smtp
access-list out_in permit tcp any interface outside eq smtp
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 59.x.x.222
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm location mail inside
pdm location adsl outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0 0
static (inside,outside) tcp interface smtp mail smtp netmask 0 0
access-group out_in in interface outside
route outside adsl 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http mail inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
: end

You will get the idea.


ROBERTO TACCON Sat, 03/10/2007 - 05:45


The conf. is OK.

The SMTP server is the (the outside interface of the PIX!).

P.S.: also insert the following conf. on the PIX:

logging on
logging timestamp
logging monitor warnings
logging buffered warnings
logging trap warnings
no logging console


vitripat Sat, 03/10/2007 - 08:40


I checked the DNS databases and found this:

- is your domain, the MX record for it is which points to

Your current configuration on the PIX binds the mail server to use (PIX WAN interface IP) to send outbound mails and receive mails. That is fine. The reason your outbound mails might be failing is the reverse-DNS lookup. When the destination mail server does a reverse lookup for , it sees ; however, it is receiving the mails from , so it rejects the mail with a reverse-lookup failure error.

Here is what you need to do:

- Have the MX record IP changed to

This should solve your issues for outbound mails. Hope that helps.
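The two replies above make one chain of reasoning: the `global (outside) 1 interface` / `nat (inside) 1 0 0` pair PATs every inside host, the Exchange box included, to the PIX outside address, the port-redirect `static` only steers inbound port 25 back to it, and a receiving MTA that checks reverse DNS then sees mail arriving from an address that the domain's MX/A records do not name. The following Python is an added example and not code from the thread or from Cisco; it models that translation decision and the receiving side's reverse-DNS test on constructed data. Everything specific in it is assumed: the 203.0.113.0/24 documentation range stands in for the poster's 59.x.103.0/24 (.220 ADSL WAN, .222 PIX outside, .223 a hypothetical spare public address), 192.168.1.10 is the inside mail host, example.com / mail.example.com are placeholder names, the PTR records are whatever the ISP would have to publish, and `outbound_source_ip` and `check_sender` are the example's own helpers.

```python
"""Added example (not from the thread): model why outbound mail from the
Exchange host behind the PIX fails a strict receiver while inbound works.
All addresses, names and DNS records below are constructed."""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed PIX 6.3-style fragment mirroring the NAT/static lines posted above.
PIX_CONFIG = """
ip address outside 203.0.113.222 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
name 192.168.1.10 mail
global (outside) 1 interface
nat (inside) 1 0 0
static (inside,outside) tcp interface smtp mail smtp netmask 255.255.255.255 0 0
access-list out_in permit tcp any interface outside eq smtp
access-group out_in in interface outside
"""

# Constructed DNS state "before": FQDN registered to the ADSL WAN address,
# no PTR at all for the PIX outside address.
DNS_BEFORE = {
    "MX": {"example.com": "mail.example.com"},
    "A": {"mail.example.com": ["203.0.113.220"]},
    "PTR": {"203.0.113.220": "mail.example.com"},
}
# Constructed DNS state "after": A record moved to the PIX outside interface;
# assumption: the ISP publishes a matching PTR for it.
DNS_AFTER = {
    "MX": {"example.com": "mail.example.com"},
    "A": {"mail.example.com": ["203.0.113.222"]},
    "PTR": {"203.0.113.222": "mail.example.com"},
}


def _names(config: str) -> Dict[str, str]:
    """'name <ip> <alias>' lines, alias -> ip."""
    return {m.group(2): m.group(1)
            for m in re.finditer(r"^name\s+(\S+)\s+(\S+)", config, re.M)}


def outbound_source_ip(config: str, inside_host: str) -> Optional[str]:
    """Public source address an inside host gets for a NEW OUTBOUND connection,
    under the PIX 6.x rules modelled here: a one-to-one static for the host
    wins; otherwise the dynamic nat/global pair applies (PAT to the outside
    interface when the global is 'interface'). A tcp/udp port-redirect static
    only matters for inbound traffic and is skipped. nat 0 / policy NAT are
    not modelled."""
    names = _names(config)
    host = names.get(inside_host, inside_host)
    host_addr = ipaddress.ip_address(host)
    m = re.search(r"^ip address outside\s+(\S+)", config, re.M)
    outside_ip = m.group(1) if m else None

    for m in re.finditer(r"^static \(inside,outside\)\s+(\S+)\s+(\S+)", config, re.M):
        glob, local = m.group(1), m.group(2)
        if glob in ("tcp", "udp"):
            continue                      # port redirect: inbound only
        if names.get(local, local) == host:
            return outside_ip if glob == "interface" else glob

    pools = {m.group(1): m.group(2) for m in
             re.finditer(r"^global \(outside\)\s+(\d+)\s+(\S+)", config, re.M)}
    for m in re.finditer(r"^nat \(inside\)\s+(\d+)\s+(\S+)\s+(\S+)", config, re.M):
        nat_id, net, mask = m.groups()
        if nat_id == "0":
            continue                      # identity/policy NAT not modelled
        if net == "0":                    # 'nat (inside) 1 0 0' = every inside host
            net, mask = "0.0.0.0", "0.0.0.0"
        if host_addr in ipaddress.ip_network(f"{net}/{mask}", strict=False) and nat_id in pools:
            pool = pools[nat_id]
            return outside_ip if pool == "interface" else pool.split("-")[0]
    return None


def check_sender(domain: str, source_ip: str, dns: Dict[str, dict]) -> List[str]:
    """What a strict receiving MTA sees. Empty list = sender passes. Checks:
    (1) a PTR exists for the connecting IP, (2) forward-confirmed rDNS: the
    PTR name resolves back to that IP, (3) the mismatch the reply above
    describes: the domain's MX host does not resolve to the connecting IP."""
    problems = []
    ptr_name = dns["PTR"].get(source_ip)
    if ptr_name is None:
        problems.append(f"no PTR record for {source_ip}")
    elif source_ip not in dns["A"].get(ptr_name, []):
        problems.append(f"PTR {source_ip} -> {ptr_name} does not resolve back to {source_ip}")
    mx_host = dns["MX"].get(domain)
    if mx_host is None:
        problems.append(f"no MX record for {domain}")
    elif source_ip not in dns["A"].get(mx_host, []):
        problems.append(f"MX host {mx_host} -> {dns['A'].get(mx_host)}, but mail arrives from {source_ip}")
    return problems


if __name__ == "__main__":
    src = outbound_source_ip(PIX_CONFIG, "mail")
    print("outbound source address for 'mail':", src)
    for label, dns in (("before", DNS_BEFORE), ("after", DNS_AFTER)):
        print(label, check_sender("example.com", src, dns) or "OK")
```

Running it shows the mail host leaving as 203.0.113.222 and failing both the PTR and the MX-mismatch checks against the "before" records, then passing once the A record (and, by assumption, the PTR) name the PIX outside address; sending directly from 203.0.113.220 passes the "before" records, which is the "works without the PIX" observation. Appending a one-to-one static such as `static (inside,outside) 203.0.113.223 mail netmask 255.255.255.255 0 0` (hypothetical spare address) makes the helper report .223 instead, the other way to give the server a fixed, separately reverse-mapped address.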



hemanttandel Mon, 03/12/2007 - 06:11

But this IP is not a live IP.

Will it work? Or do I have to purchase a new static IP?

I had also changed my network design with a (purchased) new static IP which was not live, and that also did not solve my problem. It was not sending or receiving mails.

My design was as follows:

MX record IP (FQDN)

ADSL (WAN)

ADSL (LAN)

PIX 506E (out)

PIX 506E (in)

domain mail server (Exchange) IP

So what should I do? Please let me know. Waiting for the reply.


