Email traffic not coming in from outside?

adisegna
Level 1

I'm having an issue with receiving mail through my pix. The mail server sends out fine. And I can also surf the web. Here is my config:

fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list permit_in permit tcp any host <public Ip translated to the mail server> eq smtp
pager lines 24
logging on
logging buffered critical
logging trap debugging
logging host inside 192.168.0.254
interface ethernet0 auto
interface ethernet1 auto shutdown
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside <public ip> <mask>
ip address inside 192.168.0.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 <3rd available public address the first 2 are used for the point to point connection between the pix and perimeter router>-<public>
global (outside) 1 <next available public address>
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) <saved public address for static connections> <mail server> netmask 255.255.255.255 0 0
access-group permit_in in interface outside
route outside 0.0.0.0 0.0.0.0 <2621 router> 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat

this is a pretty simple configuration so what am I missing?

BUT... There is one thing that I notice when I reload the router. I receive this message:

Warning: start and end addresses are on different subnets

Global <public address> will be Port Address Translated. Maybe this is my problem.

I have my PIX connected to my 2621 (point to point connection) using a public address for the PIX outside and a public address for the router connected to the pix. My ISP has assigned me a block of 32 addresses. I have excluded the first and last addresses (network and broadcast) in my list of usable addresses. I am using a subnet mask of 255.255.255.252 for the point to point connections. There is no mask specified in the global statement (above).

Should I change my addressing around on the point to point connection? I thought this was o.k. because I am getting web traffic back to my internal network. Hope this isn't too confusing.

Thanks in advance

14 Replies

wolfrikk
Level 3

It may be the subnet mask. The 255.255.255.252 puts your static mapping in a different network. You should try using the default subnet mask for your IP range given to you from your ISP and see if it acts differently. I would enter a clear xlate after you make the subnet change to clear any connections.

Well I changed the point to point IP's subnet mask to 255.255.255.224 and I'm still not getting any email in... Hmm... there is something small I'm missing.

I have the static command setup. I also have an ACL allowing traffic destined for that smtp address:

static (inside,outside) netmask 255.255.255.255 0 0

access-list permit_in permit tcp any host eq smtp

access-group permit_in in interface outside

Anyone think of anything? I am able to surf the net so I know packets are being routed back properly. The mail server is able to send internal email but not receive email????

Thanks again.

When you do a show xlate, do you see the static mapping? Also, if you have access to a computer outside of your firewall or a dialup account, you can try telnetting to port 25 on the external address that is mapped to the email server. You can start a debug before you telnet and see what the packets actually do as they pass through the PIX.

It could be your internal MX record pointer and not the PIX

Translation table shows the correct static mapping to the internal mail server.

Access to telnet into the mail server is denied by default on the PIX. My outside acl only specifies incoming traffic on port 25 not 23.

MX record pointer isn't the problem because mail comes in fine when I use my 2621 and CBAC. My DNS is hosted by the ISP.

Thanks

You do not need port 23 to telnet to port 25, since you are specifying what port to connect to. Telnet uses port 23 when a port is not specified. The PIX does prevent a telnet connection to port 25, but it will usually connect with a header that is garbage if the connection goes through. I have tested SMTP this way in the past. The header usually looks something like the following.

220**********************************************220*******************************

I can't get access to my mail server that way. hmm. I used to be able to once upon a time. Anyway, mail still comes and goes.

I tried to connect like this telnet mail.myserver.com 25 220******************220**************

and couldn't connect...

The email server can send mail okay? Can it access everything else through the firewall, internet, etc? Also, has your Internet router been rebooted at all during this process? I run into problems when adding IP address mapping on a PIX, and for some reason some routers would not accept traffic going to the statically mapped IP on the PIX until it was rebooted. I know this is a stretch, but it is really weird that you can send mail and not receive. If you can reboot the router, you may try rebooting the PIX at the same time to clear anything in either of their caches.

Well that's one thing I haven't done yet.. I will reboot both of them.

As for the previous post. I will remove the fixup protocol smtp 25 and see if that does the trick...

Thanks again for everyone's help... I will let you guys know what I find tomorrow.

Just remember if the no fixup command works, you really need to do some research because when you turn it off your system is vulnerable to potential risks.

I am not a mail guy at all, however, I remember running into some troubles like this before with email support people. Just as a quick test, turn off fixup for smtp. (no fixup protocol smtp 25) I remember when we initially did this it fixed some mail issue, and then the email support person went back and did some research. If this potentially fixes it, it has to do with the fixup smtp flags that the pix lets through.

Just a suggestion....I have NO idea if this will help, but worth a shot.

This reminds me of another point. PIXs only support smtp, not esmtp. If the smtp server is set up to only accept esmtp communication, the PIX cannot handle it.

The problem is fixed. My ISP has assigned my company a block of 32 public addresses. The ip address used for the MX record was the broadcast address. Because the PIX requires a subnet mask it had a conflict with incoming email.

The problem never showed before because NAT was being done by the router using static commands. (no subnet mask required)....

Thanks for everyone's help... email me if you have further questions.

PS... What is recommended for Url Filtering for internal users.. Websense or Sentian or something better........
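The root cause above was an MX address that landed on the broadcast address of the ISP's /27 block, plus a global pool whose start and end fell in different subnets under the /30 link mask. The following is an added example (not from this thread or from Cisco) that checks candidate static/global addresses against such a block; all addresses are constructed documentation-range values, not the poster's real ones.

```python
"""Sanity-check PIX static/global addresses against the ISP block (added example)."""
import ipaddress

# Constructed sample values: a 32-address block (/27) and the /30 link
# between the perimeter router and the PIX outside interface.
ISP_BLOCK = ipaddress.ip_network("203.0.113.0/27")
P2P_LINK = ipaddress.ip_network("203.0.113.0/30")


def check_host_address(addr, block=ISP_BLOCK, link=P2P_LINK):
    """Return the problems with using `addr` as a static NAT / MX address.

    An empty list means the address is a usable host address in the block
    that is not already consumed by the point-to-point link.
    """
    ip = ipaddress.ip_address(addr)
    problems = []
    if ip not in block:
        return ["outside ISP block"]
    if ip == block.network_address:
        problems.append("network address")
    if ip == block.broadcast_address:
        problems.append("broadcast address")   # the thread's actual bug
    if ip in link:
        problems.append("used by point-to-point link")
    return problems


def check_global_pool(start, end, mask):
    """Mirror the PIX warning: the pool start and end must share one subnet
    under the mask the PIX applies (here the outside interface mask)."""
    first = ipaddress.ip_interface(f"{start}/{mask}").network
    last = ipaddress.ip_interface(f"{end}/{mask}").network
    return first == last


def usable_static_addresses(block=ISP_BLOCK, link=P2P_LINK):
    """List every address in the block that could hold a static mapping."""
    return [str(ip) for ip in block.hosts() if ip not in link]


if __name__ == "__main__":
    for candidate in ("203.0.113.31", "203.0.113.1", "203.0.113.10"):
        print(candidate, check_host_address(candidate) or "ok")
    print("pool ok with /30 mask:", check_global_pool("203.0.113.4", "203.0.113.30", "255.255.255.252"))
    print("pool ok with /27 mask:", check_global_pool("203.0.113.4", "203.0.113.30", "255.255.255.224"))
```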

Hi

Try with Websense .. It fits well in a PIX environment. .. Also both Cisco and Websense provide good documentation for implementation & configuration.
