I am trying to configure a Cisco router, a pix and a switch for a charity. I have a Win2k3 server running ISA2000 and a web and mail server behind a Cisco router, firewall and switch. The problem is sending email from remote locations.
The cabling is a bit confusing, but I will try to explain it and include a sketch.
The charity just switched from DSL to dual T-1 for voice and data behind this new Cisco equipment. The first T-1 line comes in and splits or separates into two patch cables.
The first patch cord on this first T-1 goes to a Netvanta 3200 (CSU/DSU and router???)
From the Netvanta a cable runs to a Pix 501 firewall
From the Pix, a cable runs to a Catalyst ST 3560G switch
From the switch a patch cord runs to each user's Cisco IP phone
From the phone a cable runs to the user's PC
The second cable from this split or separation goes to a Cisco 2800 series router
A second T-1 line comes in and goes directly to the router
There are two Cisco servers for the phones also plugged into the switch
I got the ISA box and IIS and Exchange to work by plugging ISA into the Pix firewall and my Exchange/IIS box into the switch. Outlook and Entourage work on client machines at the site.
I have read that Cisco Pix firewalls don't pass POP3/SMTP traffic under some circumstances; could this be my problem? Can I set up an ACL entry to allow outside users to reach the Exchange box? This ISA/IIS/Exchange combination worked perfectly with the DSL connection and users could send and receive when off site. Can anyone give me some guidance on what to do to allow users to send and receive email when not at the charity?
Attaching a sketch didn't work, so here's a link to a sketch of the cabling layout: http://www.thenetpros.net/images/cablingDiagram.gif
The diagram also shows how my DSL was cabled on the right side of the drawing. Again, thanks for any help.
You haven't mentioned anything about the IP address details involved in this setup.
When you say that the users are not able to access the mail from outside, do you mean accessibility through the internet?
If so, do you have a proper public IP address NATed to your internal servers, and proper rules configured in the firewall to allow incoming POP3/SMTP requests to your internal servers?
Have you tested whether the POP3/SMTP ports to the NATed public address are responding from the internet?
Thank you for your reply. Yes, users cannot send mail using Outlook Express or Entourage when not at the charity (i.e. when they are at home, they cannot send). I set up Outlook Web Access (OWA) and users can send if they use OWA, which runs on port 80.
The internal (LAN) addresses are all in the 192.168.1.??? range with a default C mask. I think NATing is set up correctly, at least in part, as their public web site works and mail to and from the Exchange server from or to outside parties works. That is my question: what rules do I need on the Pix, or the router, to allow POP3 and SMTP for users when they are not at the charity? The public IP address is: 126.96.36.199 and the Internet domain name is mendpoverty.org. And, yes, there are proper A, MX and pointer records for the domain. DNS is handled by the dual T-1 provider.
If I telnet from my office which is 30 miles from the charity, to 188.8.131.52 25, I get 200 and 220 back. If I telnet to port 110, I get an OK and a ready.
My Win 2K3 Exchange server was able to process mail from users not at the charity before switching to the T-1 lines.
Thanks again for your help; is that the issue, do I need to add rules to the Pix to allow POP3 and SMTP when users are at home? The charity is in a managed environment for their phones and I have no access to the router connecting to the T-1 connection, so I had the provider open the router and send all ports through to the Pix, which I can modify.
I removed the DSL part of the picture to improve clarity and labeled the server and workstation placement, hopefully this will make the picture easier to understand.
Further notes on IP address scheme of the charity:
The ISA box is multihomed with the WAN NIC having an address of 192.168.3.1 and a gateway of 192.168.3.1 which is the LAN address of the Cisco firewall. The ISA box's second NIC is at 192.168.1.2 and goes to the switch to communicate with all of the workstations
The Webmail server's address is 192.168.1.3 and it goes into the switch. Webmail server hosts the Exchange server and IIS. Let me know if any additional details would help.
If the POP3 and SMTP ports to your mail server are responding fine from the internet, then there is no issue with the firewall and routing.
Additionally, you have also mentioned that other mail servers are able to relay mail properly to your mail domain.
This clearly indicates that there are no issues with firewall configuration.
It must be an application layer issue. Not sure. We would have to do some debugs to understand what is happening.
Hope the mail client configurations are fine.
When the clients try to connect to the mail server from the internet, do they receive any error message in their client? Can you check that? Probably those messages will give us some clues to debug further.
Thank you for your help. Yes, mail flows to and from the Exchange Server 2003 box fine. The problem is when domain users try to send email through the mail server from home. The error message received is:
The message could not be sent because one of the recipients was rejected by the server. The rejected e-mail address was 'email@example.com'. Subject 'can i send from mend', Account: 'mend---brad', Server: '184.108.40.206', Protocol: SMTP, Server Response: '550 5.7.1 Unable to relay for firstname.lastname@example.org', Port: 25, Secure(SSL): No, Server Error: 550, Error Number: 0x800CCC79
Which looks like an Exchange Server error, but I was able to send from home before I switched over to the T-1 connections through the Cisco firewall and router. That is why I thought it was the hardware (firewall) that is blocking the mail.
Do you think the problem is with my Exchange 2003 server? As I said, it allowed outside users to send mail prior to switching to the new connection and new Cisco router/firewall configuration. Thanks for your help, I will check my Exchange settings.
This clearly indicates an application layer issue.
Check this link, which discusses the settings that you need to check in the Outlook client.
If this is not helping, then have a look at this link.
Similar errors are discussed on the Microsoft site.
If the firewall is causing this issue, the only reason might be SMTP inspection.
If this is the case, then you can disable the SMTP inspection and check whether things are working normally.
Do let us know the results.
To disable the SMTP inspection in the firewall, follow these steps.
no inspect esmtp
I will try the no inspect esmtp first, and if unsuccessful, I will try setting up a new virtual server in Exchange 2k3 requiring TLS encryption to send and see if that gets around the problem. I need to do this for my Exchange server anyway. I will post here after I try these. Thanks for the help.
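The 550 5.7.1 "Unable to relay" reply quoted above is the Exchange server refusing to relay for a client that has not authenticated, and the SMTP inspection discussed afterwards can hide ESMTP extensions such as AUTH and STARTTLS from the client. The following script, added here as an example and not part of the thread, checks both from the outside: it connects without credentials, records which extensions the EHLO reply advertises, and confirms that an unauthenticated RCPT TO for an outside recipient is refused rather than accepted (an accepted relay would mean the server is an open relay). The hostnames and addresses are placeholders.

```python
"""Check an SMTP server's advertised ESMTP extensions and relay behaviour.

Added example (not from the original thread). Hostnames and addresses
are placeholders; run it against your own mail server from outside the LAN.
"""
import smtplib


def parse_ehlo(ehlo_msg):
    """Return the extension keywords (AUTH, STARTTLS, SIZE, ...) from an
    EHLO reply body as returned by smtplib.SMTP.ehlo()."""
    lines = ehlo_msg.decode("ascii", "replace").splitlines()
    # The first line is the server's greeting name; the rest are extensions.
    return {line.split()[0].upper() for line in lines[1:] if line.strip()}


def classify_rcpt(code, msg):
    """Map a RCPT TO reply to 'accepted', 'relay-denied' or 'other-error'.
    A 550 5.7.1 for an outside recipient is the expected answer from a
    correctly configured server when the client has not authenticated."""
    text = msg.decode("ascii", "replace").lower()
    if 200 <= code < 300:
        return "accepted"
    if code == 550 and ("5.7.1" in text or "relay" in text):
        return "relay-denied"
    return "other-error"


def probe_relay(host, port=25, sender="probe@example.net",
                rcpt="someone@example.org", timeout=10):
    """Connect unauthenticated and report extensions and relay behaviour.
    relay == 'accepted' means the server relays for anyone (open relay);
    missing AUTH/STARTTLS suggests extensions are stripped in transit."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, msg = smtp.ehlo()
        exts = parse_ehlo(msg) if code == 250 else set()
        code, msg = smtp.mail(sender)
        if code != 250:
            relay = "mail-from-rejected"
        else:
            code, msg = smtp.rcpt(rcpt)
            relay = classify_rcpt(code, msg)
        smtp.rset()  # abandon the transaction; nothing is ever sent
    return {"extensions": exts, "auth": "AUTH" in exts,
            "starttls": "STARTTLS" in exts, "relay": relay}


if __name__ == "__main__":
    print(probe_relay("mail.example.org"))  # placeholder host
```

If the EHLO reply lists AUTH and STARTTLS from outside the firewall and the relay result is "relay-denied", the server is behaving correctly and the remaining fix is on the client (authenticated submission), not on the Pix.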