Using ASDM, I have created an access rule for a pix 525 that allows as follows:
Source IP address: internal IP of inside server, e.g. 192.168.1.10
Destination IP address: external IP of an external mail server. I have tried several and it doesn't work for any - for instance, one example is the MX for Gmail, gmail-smtp-in.l.google.com which resolves to 220.127.116.11
Source port: any
Destination port: smtp
This is what happens:
Before the policy is added, attempting to telnet to the mail server IP on port 25 times out, as you might expect.
When the policy is added, the outbound connection starts, because when testing from the inside server I get this:
However nothing else happens, no ehlo commands can be entered or anything like that. Eventually the external mail server just sends back a 421 SMTP timeout error.
It is not a problem with the destination server because they work from anywhere else - I have tried several 3rd party external servers as examples, such as Gmail. Connecting to the Gmail server works fine from elsewhere:
$ t 18.104.22.168 25
Connected to 22.214.171.124.
Escape character is '^]'.
220 mx.google.com ESMTP c24si20282948ika.4
250-mx.google.com at your service, [126.96.36.199]
221 2.0.0 mx.google.com closing connection c24si20282948ika.4
Connection closed by foreign host.
When I test the access rule with a packet trace it all passes - but strangely, the server never gets to communicate any further than the initial 220.
Has anyone else experienced this with a pix access rule to an external mail server?
you probably want to get the smtp application inspection (formerly called fixup) out of your way, since it is rather conservative in what kind of conversation it allows.
Try "no fixup smtp" for versions < 7.0.
In later versions you might be happy with ESMTP instead of SMTP inspection.
It can be changed in ASDM under "Configuration > Security Policy > Service Policy Rules".
Edit the inspection_default class and go to the "Rule Actions > Protocol Inspection" Tab.
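As an added illustration of the reply above (this is not part of the original answer), the CLI equivalent of what that ASDM dialog edits on PIX/ASA 7.x, plus the pre-7.0 fixup form. It assumes the default names ASDM creates (policy-map global_policy, class inspection_default); if the box was built by hand, confirm the names with show running-config policy-map first.

```cisco
! 1. Look at what the global policy currently inspects, and whether the
!    ESMTP inspection engine is dropping or resetting anything.
show running-config policy-map
show service-policy inspect esmtp

! 2. PIX 7.x / ASA: make sure the mail inspection in the default class is
!    ESMTP, not the older, stricter SMTP one.
!    (Names below are the ASDM defaults; adjust if yours differ.)
policy-map global_policy
 class inspection_default
  no inspect smtp
  inspect esmtp

! 3. If the conversation still stalls after the 220 banner, take mail
!    inspection out of the class entirely and re-test; this is the 7.x
!    counterpart of disabling the PIX 6.x fixup.
policy-map global_policy
 class inspection_default
  no inspect esmtp

! 4. PIX 6.x (software before 7.0): the fixup form.
no fixup protocol smtp 25
```

After each change, re-run the telnet from the inside server to the mail server on port 25 and check that EHLO now gets a 250 response rather than silence; the counters in show service-policy inspect esmtp tell you whether the inspection engine was the one interfering before you removed it.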