08-22-2010 08:45 PM - edited 03-11-2019 11:29 AM
Attached is my PIX running-config with 6.3
It's a simple, straightforward Small Business Server setup. RDP, HTTPS, and HTTP are all working, but SMTP (25) is not. I'm trying to verify that it is not a problem with the firewall.
I do
capture test interface inside
Initiate some SMTP traffic via telnet (or even Postini)
sh capture test | grep .25
Nothing.
I also try and "telnet 99.99.99.99 25" and it times out.
Can't I enable telnetting through the PIX for basic troubleshooting?
Does anyone see anything in the config that could be preventing SMTP traffic to reach 192.168.2.5?
Thanks for any help
08-22-2010 09:02 PM
Hello,
Your configuration looks good. Most likely, your ISP is blocking SMTP
traffic. Please contact your ISP and make sure that they unblock that port.
Regards,
NT
08-22-2010 09:27 PM
Gah,
I think you're right. I just added in port 26 to the ACL and was able to see packets going through just fine (show access-list incoming).
Anyone know anything about OptOnline.net blocking 25?
I doubt they have people up this late.
08-22-2010 09:45 PM
You won't be able to telnet on port 25 from your internal network towards the server's public IP address. The test needs to be done from outside, with a packet capture on the outside interface.
Is inbound or outbound mail not working?
For outbound, you can test by telnetting on port 25 to Postini, and on your inside capture you should see the traffic. If you don't see that in the capture, that means the traffic is not even coming into the PIX firewall.
For inbound, you can test by telnetting on port 25 to your mail server's public IP address (in your case: 99.99.99.99), and on your outside interface capture you should see the traffic. If you don't see the traffic in the capture, again that means the traffic is not even coming into the PIX firewall.
In both scenarios, you should be looking elsewhere (the path between the actual mail server and the PIX, or outside towards the PIX) if you can't see the traffic coming towards the PIX firewall.
08-22-2010 09:59 PM
Incoming mail is the issue.
99.99.99.99 is the client server public IP address. They use Postini mail filtering. We are unable to add that public IP address to Postini; unable to connect (uses port 25).
I'm currently remoting into the server from home, so all my telnet tests are from the outside.
Right now I have this:
access-list incoming permit tcp any host 99.99.99.99 eq 25
access-list incoming permit tcp any host 99.99.99.99 eq 26
When I "telnet 99.99.99.99 25" and "telnet 99.99.99.99 26" from home, then I do "show access-list" I get:
access-list incoming line 6 permit tcp any host 99.99.99.99 eq smtp (hitcnt=0)
access-list incoming line 7 permit tcp any host 99.99.99.99 eq 26 (hitcnt=4)
This tells me that the packets aren't even getting to the PIX. So the ISP must be blocking it.
Is that a valid assumption?
08-22-2010 11:46 PM
Absolutely correct assumption.
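The hit-count comparison used in this thread, written out as an added example that is not part of any poster's reply: it parses two `show access-list` snapshots taken before and after an outside test and lists the permit entries that never matched a packet. The function names and the BEFORE snapshot are assumptions made for the example; the AFTER snapshot is the output quoted above.

```python
import re

# One ACE from PIX "show access-list", in the format quoted in the thread.
ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+line\s+(?P<line>\d+)\s+"
    r"(?P<rule>(?:permit|deny)\s.+?)\s+\(hitcnt=(?P<hits>\d+)\)\s*$"
)

# BEFORE is constructed for this example (counters at zero before the test).
BEFORE = """\
access-list incoming line 6 permit tcp any host 99.99.99.99 eq smtp (hitcnt=0)
access-list incoming line 7 permit tcp any host 99.99.99.99 eq 26 (hitcnt=0)
"""
# AFTER is the output quoted in the thread after telnet tests to ports 25 and 26.
AFTER = """\
access-list incoming line 6 permit tcp any host 99.99.99.99 eq smtp (hitcnt=0)
access-list incoming line 7 permit tcp any host 99.99.99.99 eq 26 (hitcnt=4)
"""

def parse_hitcounts(show_output):
    """Return {(acl, line, rule): hitcnt}; lines that are not ACEs are skipped."""
    counts = {}
    for raw in show_output.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            counts[(m["acl"], int(m["line"]), m["rule"])] = int(m["hits"])
    return counts

def hit_deltas(before, after):
    """Hit-count increase per ACE between the two snapshots."""
    b, a = parse_hitcounts(before), parse_hitcounts(after)
    return {key: a[key] - b.get(key, 0) for key in a}

def silent_permits(before, after):
    """Permit ACEs whose counter did not move during the test window."""
    return sorted(
        (acl, line, rule)
        for (acl, line, rule), delta in hit_deltas(before, after).items()
        if rule.startswith("permit") and delta == 0
    )

if __name__ == "__main__":
    for acl, line, rule in silent_permits(BEFORE, AFTER):
        print(f"no hits during test: access-list {acl} line {line} {rule}")
```

A zero delta only means something when a control entry, such as the port 26 rule here, did count hits from the same outside source during the same test.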