not able to send/receive email through PIX

Answered Question
Mar 7th, 2007

Hi, I am very new to configuring PIX firewalls, so forgive me if it is a silly mistake. I think I've misconfigured my ACL, because I have already turned off Mailguard (no fixup smtp) and I am still not able to send/receive any email from my internal Exchange server (10.35.104.106), but I have access to the internet.

Here's my config:

Thanks

Alex



vitripat Wed, 03/07/2007 - 08:15

Please enter the following commands:


no access-list outside_in permit tcp any host 194.74.152.164 eq smtp
no access-list outside_in permit tcp any host 194.74.152.164 eq www
no access-list outside_in permit tcp any host 194.74.152.164 eq domain

access-list outside_in permit tcp any interface outside eq www
access-list outside_in permit tcp any interface outside eq domain

clear xlate local 10.35.104.106


Let me know if this helps.


Regards,

Vibhor.

handley88 Wed, 03/07/2007 - 08:56
Hi, I've changed my ACLs so they read like this, and now I have received one of the emails I sent from my Gmail account:


access-list outside_in permit tcp any interface outside eq smtp
access-list outside_in permit tcp any interface outside eq www
access-list outside_in permit tcp any interface outside eq domain
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any unreachable
access-list outside_in permit icmp any any time-exceeded


Thanks

Alex


vitripat Wed, 03/07/2007 - 09:16

Great .. so things seem to be working now?

handley88 Wed, 03/07/2007 - 09:22

Sorry, my post was not very clear: I can now receive emails but not send.


Alex

vitripat Wed, 03/07/2007 - 09:31

Ohh .. that's not good. I've gone through the configuration and it's not supposed to block any outbound connections. Please make sure that your mail server is configured correctly.


Also, you can try changing the maximum DNS length allowed:


no fixup protocol dns maximum-length 512
fixup protocol dns maximum-length 1024
clear xlate


Can you try collecting syslogs at the time you are trying to send outbound mails?


Regards,

Vibhor

handley88 Thu, 03/08/2007 - 02:55

Hi, I tried changing the max length on fixup dns with no luck. I've set up syslog and am getting lots of UDP packets blocked from the server.

I've attached the latest sho run and the output from the syslog server during the time the emails were sent. I checked the Exchange server and messages are waiting to be sent, and as soon as I remove the PIX the emails are sent.


Thanks

Alex



Correct Answer
vitripat Fri, 03/09/2007 - 12:53

Hi ..


Went through the logs and config and noticed a strange thing. Check the following syslog message:


%PIX-7-710005: UDP request discarded from 10.35.104.106/28536 to inside:10.35.104.100/domain


10.35.104.106 is trying to send domain traffic to 10.35.104.100. Now, if I've checked your config correctly, 10.35.104.100 is the IP address of the inside interface of the PIX .. right? Is the mail server set to contact the PIX's inside interface IP for DNS resolution? If so, please have it point to a legitimate DNS server, because the PIX cannot do name resolution. Please reset the mail server to use a DNS server like 4.2.2.2 and then check if mails flow out.



Regards,

Vibhor.
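As an added illustration (not part of the thread, and not Cisco's code), a small Python script that scans PIX syslog output for exactly the symptom Vibhor spotted: %PIX-7-710005 discards where an inside host sends DNS requests to the firewall's own inside address. The sample log lines are constructed; the first copies the message quoted in the thread, the others are made up so the filter has something to ignore.

```python
import re
from collections import Counter

# Constructed sample syslog, modelled on the thread's messages (not the real
# attachment). Lines 1-2 copy the quoted 710005 discard (second with a new
# source port); lines 3-4 are made up so the filter has noise to skip.
SAMPLE_SYSLOG = """\
%PIX-7-710005: UDP request discarded from 10.35.104.106/28536 to inside:10.35.104.100/domain
%PIX-7-710005: UDP request discarded from 10.35.104.106/28537 to inside:10.35.104.100/domain
%PIX-7-710005: UDP request discarded from 10.35.104.50/1027 to inside:10.35.104.100/ntp
%PIX-6-302015: Built outbound UDP connection 7 for outside:4.2.2.2/53 (4.2.2.2/53) to inside:10.35.104.50/1028 (194.74.152.164/1028)
"""

# 710005 means the PIX dropped a request addressed to one of its own interfaces.
DISCARD_RE = re.compile(
    r"%PIX-\d-710005: (?P<proto>UDP|TCP) request discarded from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<ifc>\w+):(?P<dst>[\d.]+)/(?P<dport>\w+)"
)


def parse_discards(syslog_text):
    """Return one dict per 710005 message; every other message is skipped."""
    events = []
    for line in syslog_text.splitlines():
        m = DISCARD_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def dns_to_firewall(syslog_text, inside_ip):
    """Map each inside host that sent DNS to the firewall's own inside address
    to its discard count. Such a host has the PIX configured as its resolver,
    which the PIX cannot serve, so name lookups (and outbound mail) stall."""
    counts = Counter()
    for ev in parse_discards(syslog_text):
        if ev["ifc"] == "inside" and ev["dst"] == inside_ip and ev["dport"] in ("domain", "53"):
            counts[ev["src"]] += 1
    return dict(counts)


if __name__ == "__main__":
    # 10.35.104.100 is the PIX inside interface address from the thread.
    for host, n in dns_to_firewall(SAMPLE_SYSLOG, "10.35.104.100").items():
        print(f"{host}: {n} DNS request(s) sent to the firewall; point its resolver at a real DNS server")
```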

handley88 Wed, 03/14/2007 - 02:03

Hi,

I wiped the config on both the mail server and the PIX and then reconfigured them both, and now mail is flowing in and out.

Thanks for all your help

Alex

