02-05-2003 07:23 AM - edited 03-09-2019 01:58 AM
I'm having an issue with recieving mail through my pix. The mail server sends out fine. And I can also surf the web. Here is my config:
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list permit_in permit tcp any host <public Ip translated to the mail server> eq smtp
pager lines 24
logging on
logging buffered critical
logging trap debugging
logging host inside 192.168.0.254
interface ethernet0 auto
interface ethernet1 auto shutdown
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside <public ip> <mask>
ip address inside 192.168.0.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 <3rd available public address the first 2 are used for the point to point connection between the pix and perimeter router>-<public>
global (outside) 1 <next available public address>
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) <saved public address for static connections> <mail server> netmask 255.255.255.255 0 0
access-group permit_in in interface outside
route outside 0.0.0.0 0.0.0.0 <2621 router> 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
this is a pretty simple configuration so what am I missing?
BUT... There is one thing that I notice when I reload the router. I receive this message:
Warning: start and end addresses are on different subnets
Global <public address> will be Port Address Translated. Maybe this is my problem.
I have my PIX connected to my 2621 (point to point connection) using a public address for the PIX outside and a public address for the router connected to the pix. My ISP has assigned me a block of 32 addresses. I have excluded the first and last addresses (network and broadcast) in my list of useable addresses. I am using a subnet mask of 255.255.255.252 for the point to point connections. There is no mask specified in the global statement (above).
Should I change my addressing around on the point to point connection. I thought this was o.k. because I am getting web trafic back to my internal network. Hope this isn't to confusing.
Thanks in advance
02-05-2003 07:37 AM
It may be the subnet mask. The 255.255.255.252 puts your static mapping in a differenet network. You should try using the default subnet mask for you IP range given to you from your ISP and see if it acts differently. I would enter a clear xlate after you make the subnet change to clear any connections.
02-05-2003 09:59 AM
Well I changed the point to point IP's subnet mask to 255.255.255.224 and I'm still net getting any email in... Hmm... there is something small I'm missing.
I have the static command setup. I also have an ACL allowing traffic destined for that smtp address:
static (inside,outside)
access-list permit_in permit tcp any host
access-group permit_in in interface outside
Anyone think of anything? I am getting able to surf the net so I know packets are being routed back properly. The mail server is able to send internal email but Not Receive Email????.
Thanks again.
02-05-2003 10:33 AM
When you do a show xlate, do you see the static mapping? Also, if you have access to a computer outside of your firewall or a dialup account, you can try telneting to port 25 on the external Address that is mapped to the email server. You can start a debug before you telnet and see what the packets actually do as the pass through the PIX.
02-05-2003 12:21 PM
It could be your internal MX record pointer and not the PIX
02-05-2003 12:41 PM
Translation table shows the correct static mapping to the internal mail server.
Access to telnet into the mail server is denied by default on the PIX. My outside acl only specifies incoming traffic on port 25 not 23.
MX record pointer isn't the problem because mail comes in fine when I use my 2621 and CBAC. My DNS is hosted by the ISP.
Thanks
02-05-2003 12:57 PM
You do not need port 23 to telnet to port 25, since you are specifiying what port to connect to. Telnet uses port 23 when a port is not specified. The PIX does prevent a telnet connection to port 25, but it will usually connect with a header the is garbage if the connection goes through. I have tested SMTP this way in the past. The Header Usually looks something like the following.
220**********************************************220*******************************
02-05-2003 01:18 PM
I can't get access to my mail server that way. hmm. I used to be able to once upon a time. Anyway, mail still comes and goes.
I tried to connect like this telnet mail.myserver.com 25 220******************220**************
and couldnt connect...
02-05-2003 01:24 PM
The email server can send mail okay? Can it access everything else through the firewall, internet, etc? Also, has your Internet Router been rebooted at all during this process? I run into problems when adding IP Address mapping on a PIX, and for some reason some Routers would not accept traffice going to the staticly mapped IP on the PIX until it was rebooted. I know this is a stretch, but it is really weird that you can send mail and not receive. If you can reboot the router, you may try rebooting the PIX at the same time to clear anything in either of their caches.
02-05-2003 01:38 PM
Well thats one thing I haven't done yet.. I will reboot both of them.
As for the previous post. I will remove the fixup protocol smtp 25 and see if that does the trick...
Thanks again for everyones help... I will let you guys know what I find tomorrow.
02-05-2003 01:50 PM
Just remember if the no fixup command works, you really need to do some research because when you turn it off your system is vulnerable to potential risks.
02-05-2003 01:25 PM
I am not a mail guy at all, however, I remember running into some troubles like this before with email support people. Just as a quick test, turn off fixup for smtp. (no fixup protocol smtp 25) I remember when we initially did this it fixed some mail issue, and then the email support person went back and did some research. If this potentially fixes it, it has to do with the fixup smtp flags that the pix lets through.
Just a suggestion....I have NO idea if this will help, but worth a shot.
02-05-2003 01:29 PM
This reminds me of another point. PIX's only support stmp, not esmtp. If the smtp server is setup to only except esmtp communication, the PIX cannot handle it.
02-08-2003 11:38 PM
The problem is fixed. My ISP has assigned my company a block of 32 public addresses. The ip address used for the MX record was the broadcast address. Because the PIX requires a subnet mask it had a conflict with incoming email.
The problem never showed before because because NAT was being done by the router using static commands. (no subnet mask required)....
Thanks for everyones help... email me if you have further questions.
PS... What is recommended for Url Filtering for internal users.. Websense or Sentian or something better........
02-27-2003 06:41 AM
Hi
Try with Websense .. It's well fit in PIX environment. .. Also both cisco and websense provide good documentation for implement & configuration.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: