Cisco Support Community

New Member

PIX 6.3, ACL, SMTP 25 issue

Attached is my PIX running-config with 6.3

It's a simple, straightforward Small Business Server setup.  RDP, HTTPS, and HTTP are all working, but SMTP (25) is not.  I'm trying to verify that it is not a problem with the firewall.

I do

capture test interface inside

Initiate some SMTP traffic via telnet (or even Postini)

sh capture test | grep .25

Nothing.

I also try and "telnet 99.99.99.99 25" and it times out.

Can't I enable telnetting through the PIX for basic troubleshooting?

Does anyone see anything in the config that could be preventing SMTP traffic to reach 192.168.2.5?

Thanks for any help

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: PIX 6.3, ACL, SMTP 25 issue

Hello,

Your configuration looks good. Most likely, your ISP is blocking SMTP

traffic. Please contact your ISP and make sure that they unblock that port.

Regards,

NT

5 REPLIES
New Member

Re: PIX 6.3, ACL, SMTP 25 issue

Gah,


I think you're right.  I just added in port 26 to the ACL and was able to see packets going through just fine (show access-list incoming).

Anyone know anything about OptOnline.net blocking 25?

I doubt they have people up this late

Cisco Employee

Re: PIX 6.3, ACL, SMTP 25 issue

You won't be able to telnet on port 25 from your internal network towards the server's public IP address. The test needs to be done from outside, with a packet capture on the outside interface.

Is inbound or outbound mail not working?

For outbound, you can test by telnetting on port 25 to Postini, and on your inside capture you should see the traffic. If you don't see it in the capture, that means the traffic is not even coming into the PIX firewall.

For inbound, you can test by telnetting on port 25 to your mail server's public IP address (in your case: 99.99.99.99), and on your outside interface capture you should see the traffic. If you don't see the traffic in the capture, again that means the traffic is not even coming into the PIX firewall.

In both scenarios, if you can't see the traffic coming towards the PIX firewall, you should be looking elsewhere (the path between the actual mail server and the PIX, or from the outside towards the PIX).

New Member

Re: PIX 6.3, ACL, SMTP 25 issue

Incoming mail is the issue.

99.99.99.99 is the client server's public IP address.  They use Postini mail filtering.  We are unable to add that public IP address to Postini; it is unable to connect (uses port 25).

I'm currently remoting into the server from home, so all my telnet tests are from the outside.

Right now I have this:

access-list incoming permit tcp any host 99.99.99.99 eq 25

access-list incoming permit tcp any host 99.99.99.99 eq 26

When I "telnet 99.99.99.99 25" and "telnet 99.99.99.99 26" from home, then I do "show access-list" I get:

access-list incoming line 6 permit tcp any host 99.99.99.99 eq smtp (hitcnt=0)

access-list incoming line 7 permit tcp any host 99.99.99.99 eq 26 (hitcnt=4)

This tells me that the packets aren't even getting to the PIX.  So the ISP must be blocking it.

Is that a valid assumption?

Cisco Employee

Re: PIX 6.3, ACL, SMTP 25 issue

Absolutely correct assumption.
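The method worked out in the last three posts (probe the public address from outside, read the hit counts on the ACL permit lines, and decide whether the drop is upstream of the PIX or behind it) as an added Python example; it is not code from the thread or from Cisco. It parses the poster's two "show access-list" lines, classifies an outside TCP probe by whether a SYN-ACK, a RST or nothing comes back, and then combines the two the way the thread did: port 26 reaching the PIX while the port 25 permit line stays at hitcnt=0 means the SYN for 25 never arrived at the firewall. The PIX-side capture the Cisco employee asks for is the poster's own "capture test interface inside" with the interface changed to outside. The port-name table beyond "smtp", the probe timeout, and the assumed telnet outcomes (25 hangs, 26 reaches the host) are my assumptions, not facts from the page; the loopback self-test only exercises the open/refused classification.

```python
import errno
import re
import socket

# Ports from the thread: 25 is the port under test, 26 is the control port the
# poster added to the same ACL to prove that packets from outside do reach the PIX.
SMTP_PORT = 25
CONTROL_PORT = 26

# PIX 6.3 prints well-known ports by name in "show access-list"; map the ones
# needed here (only "smtp" appears on this page, the rest are assumptions).
PORT_NAMES = {"smtp": 25, "www": 80, "https": 443, "ssh": 22, "telnet": 23}

# Matches one permit-tcp line of "show access-list" output as shown in the thread.
HITCNT_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) permit tcp .*?"
    r"host (?P<dst>\S+) eq (?P<port>\S+) \(hitcnt=(?P<hits>\d+)\)$"
)

# Copied from the poster's "show access-list" output in the thread.
SAMPLE_SHOW_ACCESS_LIST = """\
access-list incoming line 6 permit tcp any host 99.99.99.99 eq smtp (hitcnt=0)
access-list incoming line 7 permit tcp any host 99.99.99.99 eq 26 (hitcnt=4)
"""


def parse_hitcnts(show_output):
    """Return {destination_port: hitcnt} for every permit-tcp line parsed."""
    hits = {}
    for raw in show_output.splitlines():
        m = HITCNT_RE.match(raw.strip())
        if not m:
            continue
        port = m.group("port")
        port = int(port) if port.isdigit() else PORT_NAMES.get(port)
        if port is not None:
            hits[port] = int(m.group("hits"))
    return hits


def probe_tcp(host, port, timeout=3.0):
    """Attempt one TCP handshake from here and classify what came back.

    'open'        SYN-ACK received: the path and a listener both exist
    'refused'     RST received: the host (or a rejecting firewall) is reachable
    'timeout'     nothing within `timeout`: silently dropped somewhere on the path
    'unreachable' local routing / ICMP unreachable error
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except socket.timeout:
            return "timeout"
        except ConnectionRefusedError:
            return "refused"
        except OSError as exc:
            if exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
                return "unreachable"
            return "error"


def diagnose(outcomes, hitcnts, port=SMTP_PORT, control=CONTROL_PORT):
    """Combine outside probe results with the PIX ACL hit counts.

    Same reasoning as the thread: the control port proves the outside path to
    the PIX works; a zero hitcnt on the permit line for the test port means its
    SYN never arrived at the PIX, so the block sits upstream (the ISP).
    """
    test, ctrl = outcomes.get(port), outcomes.get(control)
    hits, ctrl_hits = hitcnts.get(port, 0), hitcnts.get(control, 0)
    if test == "open":
        return "port %d reachable from outside: firewall and ISP pass it" % port
    if ctrl not in ("open", "refused") or ctrl_hits == 0:
        return ("control port %d did not reach the PIX either: fix the outside "
                "path before blaming port %d" % (control, port))
    if test == "refused":
        return ("port %d was reset by the host: the PIX passed it, nothing is "
                "listening on the server" % port)
    if hits == 0:
        return ("port %d never hit the ACL while port %d did: filtered upstream "
                "of the PIX (ISP)" % (port, control))
    return ("port %d hit the ACL but got no answer: the drop is behind the PIX "
            "(static/NAT or the server itself)" % port)


def local_self_test():
    """Probe a listening and then a closed loopback port; returns (open, refused)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        lport = listener.getsockname()[1]
        while_open = probe_tcp("127.0.0.1", lport, timeout=2.0)
    after_close = probe_tcp("127.0.0.1", lport, timeout=2.0)
    return while_open, after_close


if __name__ == "__main__":
    hitcnts = parse_hitcnts(SAMPLE_SHOW_ACCESS_LIST)
    # Assumed probe results for the thread's case: telnet to 25 hung, 26 reached the host.
    print(diagnose({SMTP_PORT: "timeout", CONTROL_PORT: "refused"}, hitcnts))
    print(local_self_test())
```

Run it from a host outside the PIX, as the Cisco employee insists, against the real public address with the real ports; the hit counts come from "show access-list" taken right after the probes, and "clear access-list counters" beforehand avoids counting stale hits. A timeout on the test port with a zero hitcnt, next to a control port that both reached the host and incremented its own line, is exactly the evidence the poster used to stop looking at the firewall.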
