I have two PIX 515s running in failover mode that were just upgraded to ver 8.03 from v 7.11.
Ever since the upgrade on Friday the PIX will work fine for about 10-15 hours. Then all of a sudden no one on my network can send mail? I have confirmed that when this happens my mail server (sitting on the outside of my network - so mail passes outbound on the PIX before getting to the mail server) does not see the attempt to send the email as it is not getting past the PIX.
The only thing that seems to get it going is a reset of the FWs.
My understanding of this is: if your mail servers are running ESMTP, then the inspect can be considered important by removing the ability for some of the extra commands to be blocked by the firewall.
You could actually leave the inspection on but apply this via a policy map and not inspect esmtp for mail servers known to have problems sending to you.
You indicated your mail server is on the outside network, so if it receives mail from the internet and then delivers it to an inside mail host you could disable inspection. If you have mail coming from the internet inside (not strictly via that server) then look to apply a policy map inspecting traffic according to the addresses you wish to inspect.
My mail server is on the outside but it is also used only for sending mail. That is also the only issue that I have, sending mail. Receiving is fine. Then I take the inspect esmtp off and it all works.
The strange thing is, if the inspect ESMTP is on, everything works fine for 10 hours or so, then clients call in complaining sending mail stopped working????
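
The selective inspection suggested in the reply above, sketched as an added PIX/ASA 8.x configuration example that is not part of the original thread. The address 192.0.2.25 is a placeholder for the outside mail server and the ACL and class-map names are made up for illustration; `global_policy` and `inspection_default` are the default names on these devices.

```text
! ACL used only for traffic classification, not for filtering.
! "deny" means "do not hand this traffic to the ESMTP inspection engine".
! 192.0.2.25 = placeholder address for the outside mail server.
access-list ESMTP-INSPECT extended deny tcp any host 192.0.2.25 eq smtp
access-list ESMTP-INSPECT extended permit tcp any any eq smtp

! Class that matches all SMTP except sessions to the exempted server.
class-map ESMTP-INSPECT-CLASS
 match access-list ESMTP-INSPECT

policy-map global_policy
 ! Stop inspecting every SMTP session through the default class...
 class inspection_default
  no inspect esmtp
 ! ...and re-enable inspection only for the traffic the ACL permits.
 class ESMTP-INSPECT-CLASS
  inspect esmtp

! Check which class is handling SMTP and whether its counters move.
show service-policy inspect esmtp
```

Every other SMTP flow through the firewall stays under ESMTP inspection; only sessions to the listed server bypass it.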