Problem forwarding port 25 to Mail server (through router & pix)

Unanswered Question
Sep 8th, 2009

I have a mail server behind a firewall. With an IPCop firewall connected and port 25 forwarded to the mail server IP, the Exchange server works perfectly.

Now I have a combination of a Cisco router and a PIX. I cannot seem to configure the PIX and the router to allow SMTP traffic to the mail server. HELP!

Internet -->Cisco 3700 --> Pix 515E --> Mail Server

What do I do to get the router and the PIX to forward port 25 to the mail server?

Detail - http://pivweb.net/fun/Network.jpg

Thanks

Collin Clark Tue, 09/08/2009 - 10:46

Check the ACL on your PIX that is applied to the outside interface.

access-list OUT-IN permit tcp any host 10.10.11.80 eq smtp

It should be:

access-list OUT-IN permit tcp any host 201.13.12.102 eq smtp

You need to set the destination IP to the IPs located on the outside interface, not the private IPs.

Hope that helps.

prince.ibe Tue, 09/08/2009 - 11:53

Thanks. I have modified my config on both the router and the PIX, and I see some improvement. I did a portqry on the mail server and I no longer get the NOT LISTENING message. I now get:

TCP port 25 (smtp service): FILTERED.

I even turned fixup off for SMTP (port 25). I still can't get through. What else should I do?

Collin Clark Tue, 09/08/2009 - 11:55

Where are you seeing the message "TCP port 25 (smtp service): FILTERED"? The port scanner? What does the log on the PIX say?

prince.ibe Tue, 09/08/2009 - 12:16

The message is the response to my portqry on the mail server:

portqry -n mail.gymnconference.org -e 25

The log does not show anything on port 25 or to the mail server.

XXXXXX# sh log
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Standby logging: disabled
Console logging: disabled
Monitor logging: level debugging, 0 messages logged
Buffer logging: level notifications, 1326593 messages logged
Trap logging: disabled
History logging: disabled
Device ID: disabled
401004: Shunned packet: 100.100.101.98 ==> 109.9.248.67 on interface inside

Collin Clark Tue, 09/08/2009 - 12:18

Please change your buffer logging to debug:

logging buffer debug

Then try portqry again and post the log results.

prince.ibe Tue, 09/08/2009 - 12:37

I just copied some of the log (100.100.101.80 is the mail server):

401004: Shunned packet: 100.100.101.98 ==> 59.47.169.9 on interface inside
710005: UDP request discarded from 100.100.101.80/137 to inside:100.255.255.255/netbios-ns
302014: Teardown TCP connection 1820309 for outside:217.14.83.102/25 to inside:100.100.101.80/1216 duration 0:02:01 bytes 0 SYN Timeout
connection 1820358 for outside:67.195.168.31/25 (67.195.168.31/25) to inside:100.100.101.80/1407 (192.168.8.253/1407)

Collin Clark Tue, 09/08/2009 - 12:41

Message 302014 shows that a connection is being built, so that's good. It does show 0 bytes, though. Everything is working on the mail server, right? Can you telnet to port 25 from the local LAN?

prince.ibe Tue, 09/08/2009 - 12:45

telnet 100.100.101.80 25 gives:

220 mail.gymconference.org Microsoft ESMTP MAIL Service, Version: 6.0.3790.0 ready at Tue, 8 Sep 2009 21:44:03 +0100
helo
250 mail.gymconference.org Hello [100.100.100.11]
ehlo
250-mail.gymconference.org Hello [100.100.100.11]
250-TURN
250-SIZE
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-X-LINK2STATE
250-XEXCH50
250 OK
quit
221 2.0.0 mail.gymconference.org Service closing transmission channel

Collin Clark Tue, 09/08/2009 - 12:52

Your mail server goes out through this PIX to get to the outside, correct? Typically, when you see a connection with 0 bytes, the mail server can't respond. It's usually a service that has stopped, asymmetric routing, etc.

prince.ibe Tue, 09/08/2009 - 13:10

So what do I do to solve the problem? I have even turned off fixup for SMTP.

Collin Clark Tue, 09/08/2009 - 13:15

You can enable packet capture on the PIX and make sure the packets come back. Do you have other routes out?

prince.ibe Tue, 09/08/2009 - 13:22

Nope. The route is just through the Cisco 3700 router out. I need to be sure which device is blocking/dropping the traffic. How can I test if port 25 is allowed on the router?

Collin Clark Tue, 09/08/2009 - 13:24

Create an ACL that logs SMTP:

access-list 101 permit tcp any any eq 25 log
access-list 101 permit ip any any

Then apply it to your interfaces. Make sure your logging is set appropriately too. Once you test with your port scanner, you should see hit counts on the ACL and a message in the log.

prince.ibe Tue, 09/08/2009 - 13:48

From the hit counts, there does not seem to be any SMTP activity at all.

access-list out-in line 1 permit tcp any host 217.14.83.102 eq smtp (hitcnt=0)

access-list 101; 2 elements
access-list 101 line 1 permit tcp any any eq smtp log 6 interval 300 (hitcnt=0)
access-list 101 line 2 permit ip any any (hitcnt=14)

prince.ibe Wed, 09/09/2009 - 04:10

I did some tweaking on the config and used nmap to test the ports. The result now shows that port 25 is open, but I still get FILTERED from portqry on the mail server.

Result of nmap on the PIX interface:

PORT     STATE  SERVICE     VERSION
23/tcp   open   telnet      Cisco telnetd (IOS 6.X)
25/tcp   open   tcpwrapped
80/tcp   open   tcpwrapped
81/tcp   open   tcpwrapped
110/tcp  open   tcpwrapped

Result of nmap on the router interface:

PORT     STATE  SERVICE     VERSION
23/tcp   open   telnet      Cisco IOS telnetd
25/tcp   open   tcpwrapped
80/tcp   open   http        Cisco IOS administrative httpd
81/tcp   open   tcpwrapped
110/tcp  open   tcpwrapped

Command used: nmap -sT -sV -p 1-120 -v -PN x.x.x.x

------------------

What does tcpwrapped mean?
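The thread above hinges on three observations that look similar but are not: portqry's FILTERED (the SYN got no answer at all), the PIX 302014 teardown with "bytes 0 SYN Timeout" (the SYN was forwarded but no SYN/ACK came back from the server), and nmap's "tcpwrapped" (the three-way handshake completed, but the peer closed the connection without sending a single byte, which is how a TCP-wrapper-protected daemon treats a host it rejects, hence the name). The probe below is an added example written for this page; it is not code from any of the posters and not a Cisco or Microsoft tool. It is a plain-socket check that keeps those outcomes apart and, for an SMTP port, also reports whether a 220 greeting actually arrived. The sample servers, the example hostname in the banner, and the timeouts are constructed for the offline demo; only host, port and timeout are the caller's.

```python
import socket
import threading
from typing import Dict, Optional, Tuple

# State names are chosen to line up with what portqry and nmap print:
#   filtered    no SYN/ACK and no RST before the timeout       (portqry "FILTERED")
#   closed      the peer answered the SYN with a RST            (portqry "NOT LISTENING")
#   tcpwrapped  handshake completed, peer closed with no data   (nmap "tcpwrapped")
#   silent      handshake completed, no banner before the timeout
#   listening   a 220 SMTP greeting arrived                     (portqry "LISTENING")
#   unexpected  handshake completed, data arrived but it is not an SMTP greeting


def probe_smtp(host: str, port: int = 25, timeout: float = 5.0) -> Tuple[str, Optional[str]]:
    """Connect to host:port, wait for the SMTP greeting, and classify the outcome.

    Returns (state, first_line); first_line is None unless the server sent something.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "filtered", None          # SYN went unanswered
    except ConnectionRefusedError:
        return "closed", None            # RST came back: host reachable, nothing bound
    except socket.gaierror:
        raise                            # name resolution failure is not a firewall symptom
    except OSError:
        return "filtered", None          # e.g. ICMP unreachable from a filtering device
    with sock:
        sock.settimeout(timeout)
        try:
            data = sock.recv(512)
        except socket.timeout:
            return "silent", None
        except ConnectionResetError:
            return "tcpwrapped", None
    if not data:
        return "tcpwrapped", None        # FIN without a single byte: nmap's "tcpwrapped"
    first_line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
    if first_line.startswith("220"):
        return "listening", first_line
    return "unexpected", first_line


def start_sample_server(behaviour: str) -> int:
    """Start a one-shot listener on 127.0.0.1 that mimics one of the outcomes above.

    Constructed for the offline demo; the OS picks the port.
      "banner": send a greeting, then close
      "drop":   accept and close immediately without sending anything
      "hang":   accept and stay silent until the client gives up
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            if behaviour == "banner":
                conn.sendall(b"220 mail.example.test Sample ESMTP ready\r\n")
            elif behaviour == "hang":
                try:
                    conn.recv(1)         # returns once the client closes
                except OSError:
                    pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_port() -> int:
    """Pick a port nothing listens on, to provoke a RST (the "closed" case)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo(timeout: float = 1.0) -> Dict[str, Tuple[str, Optional[str]]]:
    """Run the probe against each sample server and against an unused port."""
    results = {}
    for behaviour in ("banner", "drop", "hang"):
        results[behaviour] = probe_smtp("127.0.0.1", start_sample_server(behaviour), timeout)
    results["closed"] = probe_smtp("127.0.0.1", unused_port(), timeout)
    return results


if __name__ == "__main__":
    for case, (state, line) in demo().items():
        print(f"{case:8s} -> {state:11s} {line or ''}")
```

Used against a real host, probe_smtp(host) run from the inside LAN and again from outside the PIX separates the cases the thread was guessing at: "listening" inside but "filtered" outside means the SYN never reaches the server or its SYN/ACK never returns, which is what the 302014 "bytes 0 SYN Timeout" entries also say; "tcpwrapped" means some device completed the handshake but the SMTP service behind it never spoke; "closed" means the packet reached a host that has nothing bound on that port, so the NAT is pointing at the wrong address.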
