Cisco PIX 501 portforward 25 - not working

Answered Question
Oct 10th, 2010

Hi all!


Please see this running config:


pixfirewall# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_access_in permit ip any any
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit tcp any any eq www
access-list outside_access_in permit tcp any any eq 3389
access-list outside_access_in permit tcp any any eq ftp
access-list outside_access_in permit tcp any any eq imap4
access-list outside_access_in permit tcp any any eq 54321
access-list outside_access_in permit tcp any any eq smtp
access-list outside_access_in deny ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 172.16.0.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm location 172.16.0.0 255.255.255.0 inside
pdm location 172.16.0.2 255.255.255.255 inside
pdm location 172.16.0.13 255.255.255.255 inside
pdm location 95.154.22.139 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 95.154.22.139 www 172.16.0.2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 95.154.22.139 3389 172.16.0.2 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 95.154.22.139 ftp 172.16.0.2 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 95.154.22.139 imap4 172.16.0.2 imap4 netmask 255.255.255.255 0 0
static (inside,outside) tcp 95.154.22.139 54321 172.16.0.13 54321 netmask 255.255.255.255 0 0
static (inside,outside) tcp 95.154.22.139 55555 172.16.0.2 55555 netmask 255.255.255.255 0 0
static (inside,outside) tcp 95.154.22.139 smtp 172.16.0.2 smtp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 172.16.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 172.16.0.10-172.16.0.40 inside
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:cbb655acc6e0376dd5d5c2ca3405428c
: end


As you can see, I've done some port forwarding/port translation and made some access lists that should match those forwardings. Pretty simple..


All the port forwarding I've made is working; I've tested it from an external host - EXCEPT for port 25, aka SMTP - it does NOT work and I can't understand why.


I've tried telnetting to my mail server on port 25 on my LAN, on the server's local IP address, and here I get an answer as I should. But if I take an external host and telnet on port 25 to my external IP, I do not get an answer.


I can't understand why, since the port forwarding for port 25 is made the same way as I did for port 80 - and port 80 is working :/


Is there some special setting for port 25 for this PIX 501?


Any suggestions will be appreciated!


Regards, Steffen
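A small config audit that cross-checks the `static` port translations against the `outside_access_in` permits, and returns the inside address a test from the LAN has to target (the point the accepted answer makes: from inside, test the real server, not the translated outside address). This is an added example, not code from the thread or from Cisco; the config excerpt is copied from the question, the service-name table is an assumption covering only the names used there, and the regexes assume PIX 6.3 single-host `static ... tcp` syntax. Run over the question's config it also reports the 55555 static that has no matching permit line.

```python
import re

# Constructed excerpt: the static and access-list lines copied from the
# running config quoted in the question (PIX 6.3 syntax).
PIX_CONFIG = """
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit tcp any any eq www
access-list outside_access_in permit tcp any any eq 3389
access-list outside_access_in permit tcp any any eq ftp
access-list outside_access_in permit tcp any any eq imap4
access-list outside_access_in permit tcp any any eq 54321
access-list outside_access_in permit tcp any any eq smtp
access-list outside_access_in deny ip any any
static (inside,outside) tcp 95.154.22.139 www 172.16.0.2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 95.154.22.139 3389 172.16.0.2 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 95.154.22.139 ftp 172.16.0.2 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 95.154.22.139 imap4 172.16.0.2 imap4 netmask 255.255.255.255 0 0
static (inside,outside) tcp 95.154.22.139 54321 172.16.0.13 54321 netmask 255.255.255.255 0 0
static (inside,outside) tcp 95.154.22.139 55555 172.16.0.2 55555 netmask 255.255.255.255 0 0
static (inside,outside) tcp 95.154.22.139 smtp 172.16.0.2 smtp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
"""

# Assumed: PIX resolves these service names to port numbers; only the
# names that appear in the excerpt above are covered.
PORT_NAMES = {"www": 80, "http": 80, "ftp": 21, "smtp": 25, "imap4": 143,
              "telnet": 23, "ssh": 22, "https": 443}

def port_number(token: str) -> int:
    """Accept either a numeric port or a PIX service name."""
    return int(token) if token.isdigit() else PORT_NAMES[token]

STATIC_RE = re.compile(
    r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
ACL_RE = re.compile(
    r"^access-list (\S+) permit (tcp|udp) (\S+) (\S+) eq (\S+)$")

def parse_statics(config: str) -> dict:
    """Return {(proto, global_ip, global_port): (local_ip, local_port)}."""
    statics = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            _, _, proto, gip, gport, lip, lport = m.groups()
            statics[(proto, gip, port_number(gport))] = (lip, port_number(lport))
    return statics

def parse_permits(config: str, acl_name: str) -> set:
    """Return the set of (proto, port) the named ACL permits from any source."""
    permits = set()
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == acl_name:
            permits.add((m.group(2), port_number(m.group(5))))
    return permits

def audit(config: str, acl_name: str = "outside_access_in") -> dict:
    """Cross-check: every translation should have a permit and vice versa."""
    statics = parse_statics(config)
    permits = parse_permits(config, acl_name)
    forwarded = {(proto, port) for (proto, _ip, port) in statics}
    return {
        "static_without_permit": sorted(forwarded - permits),
        "permit_without_static": sorted(permits - forwarded),
    }

def inside_target(config: str, proto: str, global_ip: str, global_port: int) -> tuple:
    """Address an inside host must test against: the real server behind the
    static, not the translated outside address (as the accepted answer says)."""
    return parse_statics(config)[(proto, global_ip, global_port)]

if __name__ == "__main__":
    print(audit(PIX_CONFIG))
    print(inside_target(PIX_CONFIG, "tcp", "95.154.22.139", 25))
```

The audit deliberately ignores `deny` lines and non-`eq` entries; for a production review you would also want the interface the `access-group` binds to and any `nat 0`/`alias` statements, neither of which this config uses.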

Jitendriya Athavale Sun, 10/10/2010 - 06:15
User Badges: Cisco Employee

You seem to have other port forwarding to the same host, and that seems to be working fine if I understand you correctly.


Let's try the following:


1. static (inside,outside) 95.154.22.139 172.16.0.2 netmask 255.255.255.255


Please try this; this will basically translate everything on 0.2 to 22.139. I know this might not be what you want, I just want you to try this.


2. To look into the issue without changing any NAT rules:


Let's check the NAT translation:


show xlate | in 172.16.0.2


Let's apply captures on both inside and outside:


access-list capout permit tcp any host 95.154.22.139 eq smtp

access-list capout permit tcp host 95.154.22.139 eq 25 any


access-list capin permit tcp any host 172.16.0.2 eq smtp

access-list capin permit tcp host 172.16.0.2 eq smtp any


capture capo interface outside access-list capout

capture capi interface inside access-list capin


After this, initiate traffic to port 25, e.g. with telnet, then:


show capture capo

show capture capi


See if you see packets going to the inside, and whether they are coming back.

Steffen Frederiksen Sun, 10/10/2010 - 10:06

Hi, and thank you for your reply!


The funny thing is that even though the telnet on port 25 is not working from an external host to my external IP, the mail server is receiving mails. I didn't think that the mail server would receive mails if I could not telnet to it on port 25 from the internet, but it does...


So it's getting more and more strange; I can still telnet to my mail server on port 25 on the local IP from a PC on my LAN 172.16.0.0/16..


I was using CentOS and iptables as router/firewall before I got this PIX, and with that setup I was able to telnet to my mail server on port 25 from the WAN..


So everything is actually working, the mail server is receiving mails; I just find it strange that I cannot telnet to the server on port 25 anymore..


Regards, Steffen

Namit Agarwal Sun, 10/10/2010 - 13:21
User Badges: Cisco Employee

Hi Steffen,


Please try the command "fixup protocol smtp 25" in the config mode.


Thanks,


Namit

Kureli Sankar Sun, 10/10/2010 - 18:40
User Badges: Cisco Employee

Hello Steffen,

I just tried and it appears to be working just fine and receiving e-mails.


rtp-8712:~$telnet 95.154.22.139 25
Trying 95.154.22.139...
Connected to 95.154.22.139.
Escape character is '^]'.
220 mail.jack68.dk Kerio Connect 7.1.0 ESMTP ready


I am not sure which client you are trying from. You may want to check that client.


-KS

Steffen Frederiksen Sun, 10/10/2010 - 23:31

Hmm. I've tried from my home on my laptop, and from my work on another PC. I've tried telnetting through PuTTY and through "Windows Telnet" in cmd.exe, and I still get no answer.


How did you manage to get an answer from the SMTP server?

Correct Answer
Kureli Sankar Mon, 10/11/2010 - 07:13
User Badges: Cisco Employee

When you are on the inside you need to "telnet x.x.x.x 25" where x.x.x.x is the inside IP address of the SMTP server and not the translated address.


I am sure if you telnet from your home laptop it will work.


There is no problem with your smtp server it is just working fine.


-KS
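The check KS ran above (connect to port 25 and wait for the `220` greeting) as a reusable probe that also tells "no answer" cases apart: a connection refused means the packet reached a host with nothing listening, while a timeout means something silently dropped it (an ACL deny, a missing static, or testing the translated address from the wrong side, as in this thread). This is an added example, not code from the thread; it assumes a local stand-in mail server started in a thread with a constructed banner so that it runs offline, and the `probe_smtp()` function is the part you would point at a real external address from an outside host.

```python
import socket
import threading

def _banner_server(banner: bytes, ready: threading.Event, result: dict) -> None:
    """Stand-in for the mail server: accept one connection, send a banner, exit."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))          # ephemeral port, reported via result
    srv.listen(1)
    result["port"] = srv.getsockname()[1]
    ready.set()
    conn, _ = srv.accept()
    conn.sendall(banner)
    conn.close()
    srv.close()

def probe_smtp(host: str, port: int = 25, timeout: float = 5.0) -> dict:
    """Connect and wait for the SMTP greeting. States:
    'banner'    - got a 220 line (path and translation are fine)
    'refused'   - RST came back: reachable host, nothing listening there
    'timeout'   - nothing came back: silent drop somewhere on the path
    'error'     - other socket error (no route, name failure, ...)"""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = s.recv(512)
    except ConnectionRefusedError:
        return {"state": "refused", "banner": ""}
    except (socket.timeout, TimeoutError):
        return {"state": "timeout", "banner": ""}
    except OSError as exc:
        return {"state": "error", "banner": str(exc)}
    text = data.decode("ascii", "replace").strip()
    state = "banner" if text.startswith("220") else "unexpected"
    return {"state": state, "banner": text}

def demo() -> dict:
    """Probe the local stand-in server (constructed banner, not a real host)."""
    ready, result = threading.Event(), {}
    t = threading.Thread(target=_banner_server,
                         args=(b"220 mail.example.test ESMTP ready\r\n", ready, result),
                         daemon=True)
    t.start()
    ready.wait(5)
    return probe_smtp("127.0.0.1", result["port"], timeout=5)

def demo_refused() -> dict:
    """Probe a local port that nothing listens on to show the 'refused' state."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return probe_smtp("127.0.0.1", port, timeout=2)

if __name__ == "__main__":
    print(demo())
    print(demo_refused())
```

Usage from an external host would be `probe_smtp("95.154.22.139")`; a `timeout` result there is the symptom worth chasing with the `show xlate` and capture commands suggested earlier in the thread, whereas `refused` points at the server or the static's inside address.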
