Problem with emails through PIX

Unanswered Question
May 5th, 2009

I have a Linksys router and replaced with a pix unit. Since I replaced it I have some problem with emails through outlook. We use Mdaemon for emails and it is configured on the server 10.1.1.10. Here is what I observed with emails and the problem is

10.1.1.10 - Mdaemon software is installed on this mail server

11.12.13.14 is pointed to mail.testclient.com

Can see incoming/outgoing emails on mdaemon server in user queues

Webmail works internally http://10.1.1.10:3000 and externally http://11.12.13.14:3000 and emails are successful

Webmail externally http://mail.testclient.com:3000 - accessible

Problem

Outlook internally when configured to mail.testclient.com - mails don't work. When configured to 10.1.1.10, mails work.

Outlook externally when configured to mail.testclient.com or 11.12.13.14 - mails don't work.

So for some reason I cannot access mail.testclient.com internally. Telnet to mail.testclient.com on port 25 and 110 are unsuccessful. However telnet to mail.testclient.com and 11.12.13.14 on port 25 and 110 are successful.

I ran some debugs and the output as below. 10.1.1.80 is one of the systems on the network

debug packet outside src 11.12.13.14 dst 10.1.1.10 proto tcp both

debug packet inside src 10.1.1.80 dst 11.12.13.14 proto tcp both

-- IP --

10.1.1.80 ==> 11.12.13.14

ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x30

id = 0xb8bd flags = 0x40 frag off=0x0

ttl = 0x80 proto=0x6 chksum = 0x1d16

-- TCP --

source port = 0xe95 dest port = 0x19syn

seq = 0x5709743a

ack = 0x0

hlen = 0x7 window = 0x7fff

checksum = 0x43a urg = 0x0

tcp options:

0x2 0x4 0x5 0xb4 0x1 0x1 0x4

0x2

--------- END OF PACKET ---------

I ran packet capture but nothing captured

capture TEST access-list tac

access-list tac extended permit ip any host 10.1.1.10

access-list tac extended permit ip host 10.1.1.10 any

access-list tac extended permit ip any host 10.1.1.80

access-list tac extended permit ip host 10.1.1.80 any

But I can see the translation happening in xlate.

PAT Global 74.94.207.69(25) Local 10.1.1.10(25)

Can someone please suggest on this?

Thanks

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 2.7 (3 ratings)
Loading.
r.sneekes Wed, 05/06/2009 - 05:49

so mail.testclient.com is pointing to 11.12.13.14 which is the external (nat) adres on the Pix firewall.

Assume when u say internal u mean behind the inside of the pix firewall the problem is inside users can't connect to the 11.12.13.14. thats the ip they are connecting to, when connecting to http://mail.testclient.com.

Since this is an (nat) ip adres on the outside interface on the pix its only accessible then the trafic is coming from the outside.

A solution is to use an diffrent URL for internal users and point that to the internal adres.

What kind of nat configuration are u using?

Btw i don't follow u here?

So for some reason I cannot access mail.testclient.com internally. Telnet to mail.testclient.com on port 25 and 110 are unsuccessful. However telnet to mail.testclient.com and 11.12.13.14 on port 25 and 110 are successful.

Do u mean its not working internaly but it is when ur connecting from the outside?

nigelb Wed, 05/06/2009 - 06:13

I'd agree that 11.12.13.14 is only accessible from outside - you'd have to configure outlook to use internal IP or use internal dns when in the office.

Try disabling fixup for port25 for the second issue?

sarat1317 Wed, 05/06/2009 - 08:34

I did no fixup protocol smtp 25 and see no changes. I will check the other link that you mentioned

sarat1317 Wed, 05/06/2009 - 06:59

Appreciate your response on this.

Since this is an (nat) ip adres on the outside interface on the pix its only accessible then the trafic is coming from the outside.

>> I thought the same while accessing http://mail.testclient.com or 11.12.13.14 from inside. However I am in other client environment unrelated to this and I can telnet to mail.client2.com on port 25 internally and client1 is unable to access the same.

So for some reason I cannot access mail.testclient.com internally. Telnet to mail.testclient.com on port 25 and 110 are unsuccessful. However telnet to mail.testclient.com and 11.12.13.14 on port 25 and 110 are successful.

Do u mean its not working internaly but it is when ur connecting from the outside?

>> Yes when I telnet from outside it is working.

Coming to the actual problem, I would not worry about webmail access. I am only worried about accessing outlook. I should have exactly asked what I need. What I am trying to accomplish is users should not change SMTP settings on the outlook whether inside the office or from outside.

SMTP was always configured to mail.testclient.com on the outlook and users were able to send and receive emails on outlook without any issues whethere inside or outside the office with Linksys unit.

Now this is not working with PIX. When the users change to 10.1.1.10 outlook works from inside however this setting will not work from outside as it is internal IP address.

I hope I am clear now

Thank you

sarat1317 Wed, 05/06/2009 - 10:07

Hello Nigel

This document makes sense to me. I totally forgot about same-security permit intra-interface command. But I cannot add that in this 6.3(5) version. So from the document I understand that I need to add the below statements

(this is the original one in the link, just FYR) static (inside,outside) 172.20.1.10 192.168.100.10 netmask 255.255.255.255 dns

This is the one I need to add

static (inside,outside) 11.12.13.14 10.1.1.10 netmask 255.255.255.255 dns

But I already have these commands in place. Do you think I will have any problems with adding the above statement for my internet connectivity or any other traffic as my pix outside interface ip is also 11.12.13.14? Please confirm this.

access-list outside_in remark Permit access from outside to inside networks

access-list outside_in permit tcp any host 11.12.13.14 eq 3389

access-list outside_in permit tcp any host 11.12.13.14 eq www

access-list outside_in permit tcp any host 11.12.13.14 eq pop3

access-list outside_in permit tcp any host 11.12.13.14 eq 21

access-list outside_in permit tcp any host 11.12.13.14 eq smtp

access-list outside_in permit tcp any host 11.12.13.14 eq 3000

access-list outside_in permit udp any host 11.12.13.14 eq 3000

access-list outside_in permit tcp any host 11.12.13.14 eq 4444

access-list outside_in permit udp any host 11.12.13.14 eq 4444

access-list outside_in permit tcp any host 11.12.13.14 eq 1000

access-list outside_in permit udp any host 11.12.13.14 eq 1000

access-list outside_in permit tcp any host 11.12.13.14 eq domain

access-list outside_in permit udp any host 11.12.13.14 eq domain

ip address outside 11.12.13.14 255.255.255.252

ip address inside 10.1.1.20 255.255.255.0

global (outside) 1 interface

nat (inside) 0 access-list inside_nonat_outbound

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 11.12.13.15

static (inside,outside) tcp 11.12.13.14 3389 10.1.1.14 3389 netmask 255.255.255.255 0 0

static (inside,outside) tcp 11.12.13.14 21 10.1.1.14 21 netmask 255.255.255.255 0 0

static (inside,outside) tcp 11.12.13.14 www 10.1.1.10 www netmask 255.255.255.255 0 0

static (inside,outside) tcp 11.12.13.14 pop3 10.1.1.10 pop3 netmask 255.255.255.255 0 0

static (inside,outside) tcp 11.12.13.14 smtp 10.1.1.10 smtp netmask 255.255.255.255 0 0

static (inside,outside) tcp 11.12.13.14 3000 10.1.1.10 3000 netmask 255.255.255.255 0 0

static (inside,outside) udp 11.12.13.14 3000 10.1.1.10 3000 netmask 255.255.255.255 0 0

static (inside,outside) tcp 11.12.13.14 1000 10.1.1.10 1000 netmask 255.255.255.255 0 0

static (inside,outside) udp 11.12.13.14 1000 10.1.1.10 1000 netmask 255.255.255.255 0 0

static (inside,outside) tcp 11.12.13.14 4444 10.1.1.10 4444 netmask 255.255.255.255 0 0

static (inside,outside) udp 11.12.13.14 4444 10.1.1.10 4444 netmask 255.255.255.255 0 0

static (inside,outside) tcp 11.12.13.14 domain 10.1.1.10 domain netmask 255.255.255.255 0 0

static (inside,outside) udp 11.12.13.14 domain 10.1.1.10 domain netmask 255.255.255.255 0 0

access-group outside_in in interface outside

Thanks for your time

sarat1317 Wed, 05/06/2009 - 12:22

I added the below command.

static (inside,outside) 11.12.13.14 10.1.1.10 netmask 255.255.255.255 dns

As soon as I added this my internet went down. I should have cleared the xlate and tested the internet again. But I just deleted the command. Internet came up and to my surprise "emails started working" I can now telnet to remote.testclient.com on port 25 internally which I was not able to do so previously.

I see in xlate

Global 11.12.13.14 Local 10.1.1.10

I am still wondering how this worked after the command is deleted. I want to reboot the pix and see if this still works.

Any thoughts?

static (inside,outside) 11.12.13.14 10.1.1.10 netmask 255.255.255.255 dns

sarat1317 Wed, 05/06/2009 - 15:04

No luck with this. I rebooted the pix unit and email failed. I added this command again and internet failed. Hoever I can access internet from the server.

I think when I added the below, I think I am doing static nat between 10.1.1.10 and 11.12.13.14 and thats the reason other things stop.

static (inside,outside) 11.12.13.14 10.1.1.10 netmask 255.255.255.255 dns

Any other advise on this much appreciated.

Thanks

r.sneekes Thu, 05/07/2009 - 06:10

U can't use your outside ip address configured on the interface for static translation. That setup is not possible, that the reason ur internet failed when u put on the static.

====

Now this is not working with PIX. When the users change to 10.1.1.10 outlook works from inside however this setting will not work from outside as it is internal IP address.

I hope I am clear now

Thank you

=====

>> yes i understand the problem. The url will be resolved to the outside adres.

When an user connects from the local network.He wil connect to 11.12.13.14 with port 25,110, this can't work.

The packet will arive at the inside interface of the pix.The pix wil drop this ip packet since it's addresed to its outside interface.

This is also why dns doctoring won't work. The traffic need to go thru the pix for that to work.

A possible workaround is an split dns solution. When u have 2 dns servers.

- 1 internal server which is used by the internal clients en points to the inside adres.

- 1 outside server which points to the external ip adres.

The problem is u need to maintain 2 dns servers. And things can become complicated in the future.

Things would be diffrent when the mailserver was on an seperate interface of the pix. For example an DMZ.

Then u could nat from outside to dmz and from inside to dmz. and then use the same ip adres. U still would need a free public ip addres for that.

sarat1317 Thu, 05/07/2009 - 07:45

Roy

Thanks for your input.

A possible workaround is an split dns solution. When u have 2 dns servers.

- 1 internal server which is used by the internal clients en points to the inside adres.

- 1 outside server which points to the external ip adres.

The problem is u need to maintain 2 dns servers. And things can become complicated in the future.

Can you please explain this in detail? The server is setup with static DNS ip pointed to itself 10.1.1.10 and the forwarders are configured to public IP.

So how can I configure split dns servers?

On the other hand, I have been thinking about providing Cisco VPN client for outlook users. So their smtp will be still configured to 10.1.1.10 and from outside if they connect to VPN client they will be on the internal network and should be able to access emails right?

And next solution would be an ASA unit instead of PIX which support same-security inter interface command?

Thanks

sarat1317 Fri, 05/08/2009 - 08:53

This problem is resolved now. The solution is to add a DNS entry for mail.testclient.com internally to point to 10.1.1.10 and can receive the emails. I can also telnet to mail.testclient.com on port 25 from inside the network.

Thanks for all your help

Actions

This Discussion