PIX 6.3, ACL, SMTP 25 issue

scott.bridges
Level 1

Attached is my PIX running-config with 6.3

It's a simple, straightforward Small Business Server setup. RDP, HTTPS and HTTP are all working, but SMTP (25) is not. I'm trying to verify that it is not a problem with the firewall.

I do

capture test interface inside

Initiate some SMTP traffic via telnet (or even Postini)

sh capture test | grep .25

Nothing.

I also try "telnet 99.99.99.99 25" and it times out.

Can't I enable telnetting through the PIX for basic troubleshooting?

Does anyone see anything in the config that could be preventing SMTP traffic from reaching 192.168.2.5?

Thanks for any help

1 Accepted Solution

Accepted Solutions

Nagaraja Thanthry
Cisco Employee

Hello,

Your configuration looks good. Most likely, your ISP is blocking SMTP traffic. Please contact your ISP and make sure that they unblock that port.

Regards,

NT


5 Replies


Gah,

I think you're right. I just added in port 26 to the ACL and was able to see packets going through just fine (show access-list incoming).

Anyone know anything about OptOnline.net blocking 25?

I doubt they have people up this late

Jennifer Halim
Cisco Employee

You won't be able to telnet on port 25 from your internal network towards the server's public IP address. The test needs to be done from outside, with a packet capture performed on the outside interface.

Is inbound or outbound mail not working?

For outbound, you can test by telnetting on port 25 to Postini, and in your inside capture you should see the traffic. If you don't see that in the capture, it means the traffic is not even coming into the PIX firewall.

For inbound, you can test by telnetting on port 25 to your mail server's public IP address (in your case: 99.99.99.99), and in your outside interface capture you should see the traffic. If you don't see the traffic in the capture, again it means the traffic is not even coming into the PIX firewall.

In both scenarios, you should be looking elsewhere (the path between the actual mail server and the PIX, or outside towards the PIX) if you can't see the traffic coming towards the PIX firewall.

Incoming mail is the issue.

99.99.99.99 is the client server's public IP address. They use Postini mail filtering. We are unable to add that public IP address to Postini; it is unable to connect (it uses port 25).

I'm currently remoting into the server from home, so all my telnet tests are from the outside.

Right now I have this:

access-list incoming permit tcp any host 99.99.99.99 eq 25
access-list incoming permit tcp any host 99.99.99.99 eq 26

When I "telnet 99.99.99.99 25" and "telnet 99.99.99.99 26" from home, then I do "show access-list" I get:

access-list incoming line 6 permit tcp any host 99.99.99.99 eq smtp (hitcnt=0)
access-list incoming line 7 permit tcp any host 99.99.99.99 eq 26 (hitcnt=4)

This tells me that the packets aren't even getting to the PIX. So the ISP must be blocking it.

Is that a valid assumption?
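An added example (not code from the thread or from Cisco) that automates the comparison made by hand above: it parses the hitcnt fields from PIX "show access-list" output captured before and after a connect test from outside, and reports whether the target port's traffic is reaching the firewall at all. Hit counters are cumulative, so a before/after delta is used rather than the raw value; the sample output lines are constructed to mirror the ones quoted in this thread.

```python
import re

# Constructed "show access-list" snapshots: one taken before the outside
# telnet tests to ports 25 and 26, one taken afterwards.
SAMPLE_BEFORE = """\
access-list incoming line 6 permit tcp any host 99.99.99.99 eq smtp (hitcnt=0)
access-list incoming line 7 permit tcp any host 99.99.99.99 eq 26 (hitcnt=0)
"""
SAMPLE_AFTER = """\
access-list incoming line 6 permit tcp any host 99.99.99.99 eq smtp (hitcnt=0)
access-list incoming line 7 permit tcp any host 99.99.99.99 eq 26 (hitcnt=4)
"""

# One access-control entry per line; PIX prints well-known ports by name.
ACE_RE = re.compile(
    r"access-list (?P<acl>\S+) line (?P<line>\d+) (?P<action>permit|deny) "
    r"(?P<proto>\S+) (?P<src>.+?) host (?P<dst>\S+) eq (?P<port>\S+) "
    r"\(hitcnt=(?P<hits>\d+)\)"
)
PORT_NAMES = {"smtp": 25, "www": 80, "https": 443}


def parse_hitcounts(text):
    """Return {(dst_host, dst_port): hitcnt} for every parsable ACE line."""
    counts = {}
    for raw in text.splitlines():
        m = ACE_RE.search(raw)
        if not m:
            continue
        port = m.group("port")
        port = int(port) if port.isdigit() else PORT_NAMES.get(port)
        if port is None:  # unknown service name, skip rather than guess
            continue
        counts[(m.group("dst"), port)] = int(m.group("hits"))
    return counts


def diagnose(before, after, host, target_port, control_port):
    """Compare hit deltas on the target port and a control port.

    Both entries are in the same inbound ACL for the same host, so a
    connection from outside that reaches the PIX increments one of them.
    Hits on the control port with none on the target port point to the
    target port being dropped upstream of the firewall (e.g. by the ISP).
    """
    def delta(port):
        return after.get((host, port), 0) - before.get((host, port), 0)
    target, control = delta(target_port), delta(control_port)
    if target > 0:
        return "reaching-firewall"
    if control > 0:
        return "filtered-upstream"
    return "inconclusive"  # neither port got hits: retest or check the path
```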

Absolutely correct assumption.
