Cisco Support Community
New Member

NEWBIE - same server all services responding except SMTP

Hi there,

We just have a PIX 515-E and a 1721 router in the office. As I'm new to the CLI, the PIX, and the 1721 router, I can't figure out why SMTP on our Domino server is not responding from outside, while port 1352 and HTTP on the same server work well. I recall that the last thing we did was run the Security Audit from the SDM of the 1721, and the engineer made some changes over telnet; a few days later, SMTP stopped responding. So I think the problem lies in the 1721.

Can you PLEASE PLEASE check the running configs of our PIX 515-E and 1721 router?

For 1721:

! Last configuration change at 04:16:19 UTC Sat Jan 3 2004
! NVRAM config last updated at 04:16:20 UTC Sat Jan 3 2004
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname eemct01
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret xxx.
!
username archie privilege 15 password xxxxxxxxxxxx
ip subnet-zero
no ip source-route
!
!
ip tcp synwait-time 10
no ip domain lookup
ip domain name elwatt.com
ip name-server 212.72.1.186
ip name-server 212.72.23.4
!
no ip bootp server
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh rsa keypair-name sshkeys
no ftp-server write-enable
!
!
!
!
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
 description $FW_INSIDE$
 ip address x.x.x.89 255.255.255.248
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 speed auto
 no cdp enable
!
interface Serial0
 description $FW_OUTSIDE$
 ip address x.x.x.x 255.255.255.252
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect DEFAULT100 out
 ip route-cache flow
 no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 212.72.26.177
ip http server
ip http access-class 10
ip http authentication local
ip http secure-server
!
!
logging trap debugging
logging 212.72.26.89
access-list 10 permit x.x.x.88 0.0.0.7
access-list 10 deny any
access-list 100 remark VTY Access-class list
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip x.x.x.88 0.0.0.7 any
access-list 100 deny ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip x.x.x.176 0.0.0.3 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip x.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 deny ip x.x.x.88 0.0.0.7 any
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 deny ip any any log
no cdp run
!
banner login ^C***Authorised access only***
This system is the property of Electrowatt Engineering.
Disconnect IMMEDIATELY as you are not an authorised user!
^C
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 access-class 100 in
 privilege level 15
 password xxxx
 login local
 transport input telnet ssh
line vty 5 15
 access-class 100 in
 privilege level 15
 password xxxx
 login local
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
end

For 515-E:

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security4
enable password xxxxx
passwd xxxxx
hostname eemct02
domain-name elwatt.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 90.0.0.3 ewemctserver
name 90.0.0.7 archie
name 90.0.0.226 srini
name 90.0.0.44 genny
name 90.0.0.192 dheeraj
name 90.0.0.6 julius
name 90.0.0.229 bruce
name 90.0.0.112 walter
name 90.0.0.111 heidi
name 90.0.0.119 patrick
name 90.0.0.136 russell
object-group network HTTPUsers
  description HTTP Users in the private LAN
  network-object archie 255.255.255.255
  network-object srini 255.255.255.255
  network-object genny 255.255.255.255
  network-object dheeraj 255.255.255.255
  network-object julius 255.255.255.255
  network-object bruce 255.255.255.255
  network-object walter 255.255.255.255
  network-object heidi 255.255.255.255
  network-object patrick 255.255.255.255
  network-object russell 255.255.255.255
access-list acl_out permit tcp any gt 1023 host 212.72.26.90 eq smtp
access-list acl_out permit tcp any gt 1023 host 212.72.26.90 eq lotusnotes
access-list acl_out permit tcp any gt 1023 host 212.72.26.90 eq www
access-list acl_out permit tcp any gt 1023 host 212.72.26.90 eq https
access-list private permit tcp object-group HTTPUsers gt 1023 any eq www
access-list private permit tcp host ewemctserver gt 1023 any eq smtp
access-list private permit tcp object-group HTTPUsers gt 1023 any eq ftp
access-list private permit tcp host ewemctserver gt 1023 any eq pop3
access-list private permit tcp object-group HTTPUsers gt 1023 any eq https
access-list private permit tcp any any eq 1080
access-list private permit tcp 90.0.0.0 255.255.255.0 gt 1023 any eq 8000
access-list private permit tcp any any eq citrix-ica
access-list private permit tcp any any eq domain
access-list private permit udp any any eq domain
access-list private permit tcp host archie any eq telnet
access-list dmz permit tcp any any eq domain
access-list dmz permit udp any any eq domain
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside x.x.x.x 255.255.255.248
ip address inside 90.0.0.2 255.255.255.0
ip address dmz 10.0.0.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface dmz
ip audit info action alarm
ip audit attack action alarm drop
pdm location archie 255.255.255.255 inside
pdm location 90.0.0.13 255.255.255.255 inside
pdm location 10.0.0.2 255.255.255.255 dmz
pdm location ewemctserver 255.255.255.255 inside
pdm location srini 255.255.255.255 inside
pdm location genny 255.255.255.255 inside
pdm location dheeraj 255.255.255.255 inside
pdm location julius 255.255.255.255 inside
pdm location bruce 255.255.255.255 inside
pdm location walter 255.255.255.255 inside
pdm location heidi 255.255.255.255 inside
pdm location patrick 255.255.255.255 inside
pdm location russell 255.255.255.255 inside
pdm group HTTPUsers inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 90.0.0.0 255.255.255.0 0 0
static (dmz,outside) x.x.x.x 10.0.0.2 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group private in interface inside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 212.72.26.89 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http archie 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 90.0.0.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
console timeout 0
username archie password xxxx privilege 15
terminal width 80
Cryptochecksum:xxxxx
: end

3 REPLIES
Gold

Re: NEWBIE - same server all services responding except SMTP

Hi,

Can you post your syslog output from the PIX side, please? Also, can you connect to port 25 on your internal SMTP server from the outside?

For syslog on PIX do following:

logging on

logging buffer debug

sho logging

Let me know the above output.

Regards, Jay.
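The "can you connect to port 25 from the outside" check Jay asks for, written out as a small script. This is an added example, not code from the thread or from Cisco: it opens a TCP connection to the mail port with a timeout, reads the SMTP greeting line, and distinguishes "TCP connect refused or timed out" (nothing reached the service) from "connected but no 220 greeting" (something accepted the connection but the mail service is not talking). The host name, the greeting text and the local stand-in listener are constructed so the script runs offline; for a real check, point it at the public address of the mail server (212.72.26.90 in the posted acl_out entries) from a host that is outside the firewall.

```python
import socket
import threading


def check_smtp(host, port=25, timeout=5.0):
    """Open TCP `port` on `host` and read the SMTP greeting.

    Returns a dict with:
      reachable - True if the TCP connect succeeded
      banner    - first line the server sent (None if nothing arrived in time)
      error     - exception text when the connect itself failed
    A reachable port with no "220" banner usually means a device in the path
    accepted the connection but the mail service behind it is not answering.
    """
    result = {"host": host, "port": port, "reachable": False,
              "banner": None, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["reachable"] = True
            sock.settimeout(timeout)
            try:
                data = sock.recv(512)
                text = data.decode("ascii", errors="replace").strip()
                result["banner"] = text or None
            except socket.timeout:
                result["banner"] = None  # connected, but the server stayed silent
    except OSError as exc:
        result["error"] = str(exc)   # refused, unreachable, or timed out
    return result


def start_fake_smtp_listener(banner=b"220 mail.example.test ESMTP ready\r\n"):
    """Constructed stand-in for a mail server so the check can run offline.

    Listens on 127.0.0.1 on an ephemeral port, sends `banner` to the first
    client, then closes. Returns the port number it is listening on.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_port_number():
    """Pick a loopback TCP port that nothing is listening on (constructed)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Offline demonstration: one reachable port with a greeting, one closed port.
    print(check_smtp("127.0.0.1", start_fake_smtp_listener()))
    print(check_smtp("127.0.0.1", closed_port_number()))
```

Run the same `check_smtp` call against the public address from inside the LAN and from an outside host; if the inside call gets a 220 greeting and the outside call reports an error, the break is somewhere between the router's outside interface and the server, which is the distinction the thread is trying to make.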

New Member

Re: NEWBIE - same server all services responding except SMTP

Thanks for your reply.

To answer your question: no, I can't connect to port 25 on the internal server or the DMZ server from outside. But I can if I connect from our private LAN.

Here's the sh logging result that you requested:

eemct02(config)# logging on
eemct02(config)# logging buffer debug
eemct02(config)# sh logging
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level debugging, 21479 messages logged
Trap logging: disabled
History logging: disabled
Device ID: disabled
0) by access-group "private"
106023: Deny icmp src inside:90.0.0.77 dst outside:90.0.139.218 (type 8, code 0) by access-group "private"
106023: Deny icmp src inside:90.0.0.77 dst outside:90.0.139.219 (type 8, code 0) by access-group "private"
106023: Deny icmp src inside:90.0.0.77 dst outside:90.0.139.220 (type 8, code 0) by access-group "private"
106023: Deny icmp src inside:90.0.0.77 dst outside:90.0.139.221 (type 8, code 0) by access-group "private"
106023: Deny icmp src inside:90.0.0.77 dst outside:90.0.139.222 (type 8, code 0) by access-group "private"
106023: Deny icmp src inside:90.0.0.77 dst outside:90.0.139.223 (type 8, code 0) by access-group "private"
106023: Deny icmp src inside:90.0.0.77 dst outside:90.0.139.224 (type 8, code 0) by access-group "private"
106023: Deny icmp src inside:90.0.0.77 dst outside:90.0.139.225 (type 8, code 0) by access-group "private"
106023: Deny icmp src inside:90.0.0.77 dst outside:90.0.139.226 (type 8, code 0) by access-group "private"
106023: Deny icmp src inside:90.0.0.77 dst outside:90.0.139.227 (type 8, code 0) by access-group "private"
106023: Deny icmp src inside:90.0.0.77 dst outside:90.0.139.228 (type 8, code 0) by access-group "private"
106023: Deny icmp src inside:90.0.0.77 dst outside:90.0.139.229 (type 8, code 0) by access-group "private"
106023: Deny icmp src inside:90.0.0.77 dst outside:90.0.139.230 (type 8, code 0) by access-group "private"
18, code 0) by access-group "private"
1.0.0.77 dst outside:90.0.141.220 (type 8, code 0) by access-group "private"
17 dst outside:90.0.142.3 (type 8, code 0) by access-group "private"
1e 0) by access-group "private"
18, code 0) by access-group "private"
1e:90.0.142.120 (type 8, code 0) by access-group "private"
106023: Deny icmp src inside:90.0.0.77 dst outside:90.0.142.121 (type 8, code 0) by access-group "private"
1.0.0.77 dst outside:90.0.142.160 (type 8, code 0) by access-group "private"
106023: Deny icmp src inside:90.0.0.77 dst outside:90.0.142.161 (type 8, code 0) by access-group "private"
1ccess-group "private"
1 (type 8, code 0) by access-group "private"
1.0.0.77 dst outside:90.0.143.99 (type 8, code 0) by access-group "private"
17 dst outside:90.0.143.136 (type 8, code 0) by access-group "private"
1ype 8, code 0) by access-group "private"
1.0.0.77 dst outside:90.0.143.213 (type 8, code 0) by access-group "private"
1.0.0.77 dst outside:90.0.143.252 (type 8, code 0) by access-group "private"
1 0) by access-group "private"
106023: Deny icmp src inside:90.0.0.77 dst outside:90.0.144.36 (type 8, code 0) by access-group "private"
1up "private"
1(type 8, code 0) by access-group "private"
189 (type 8, code 0) by access-group "private"
1.0.0.77 dst outside:90.0.144.229 (type 8, code 0) by access-group "private"
1.0.145.12 (type 8, code 0) by access-group "private"
18, code 0) by access-group "private"
106023: Deny icmp src inside:90.0.0.77 dst outside:90.0.145.52 (type 8, code 0) by access-group "private"
18, code 0) by access-group "private"
1 8, code 0) by access-group "private"
1.0.0.77 dst outside:90.0.145.208 (type 8, code 0) by access-group "private"
1.0.0.77 dst outside:90.0.145.247 (type 8, code 0) by access-group "private"
1 code 0) by access-group "private"
18, code 0) by access-group "private"
108 (type 8, code 0) by access-group "private"
106023: Deny icmp src inside:90.0.0.77 dst outside:90.0.146.109 (type 8, code 0) by access-group "private"
106023: Deny icmp src inside:90.0.0.77 dst outside:90.0.146.110 (type 8, code 0) by access-group "private"
1.0.0.77 dst outside:90.0.146.149 (type 8, code 0) by access-group "private"
1.0.0.77 dst outside:90.0.146.188 (type 8, code 0) by access-group "private"
106023: Deny icmp src inside:90.0.0.77 dst outside:90.0.146.189 (type 8, code 0) by access-group "private"
1.0.0.77 dst outside:90.0.146.229 (type 8, code 0) by access-group "private"
1.0.147.12 (type 8, code 0) by access-group "private"
106023: Deny icmp src inside:90.0.0.77 dst outside:90.0.147.13 (type 8, code 0) by access-group "private"
18, code 0) by access-group "private"
18, code 0) by access-group "private"

Archie
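The buffer Archie posted holds 21479 messages, and the visible tail is nothing but PIX message 106023 (ACL deny) for ICMP echo from 90.0.0.77 being dropped by the "private" access-group; whether any TCP/25 traffic to the mail server is being denied, and by which access-group, is the question Jay's syslog request is meant to answer. The following parser is an added example, not code from the thread or from Cisco: it recognises the 106023 format for ICMP (type/code suffix), TCP and UDP (address/port suffix), with or without the `%PIX-4-` prefix the buffered output omits, and aggregates the denies by access-group, protocol, destination interface and service. The first two sample lines are copied from the post; the TCP and UDP lines are constructed with documentation addresses to show the other two forms.

```python
import re
from collections import Counter

# PIX message 106023 as it appears in "show logging" on PIX 6.x:
#   106023: Deny icmp src inside:A dst outside:B (type 8, code 0) by access-group "private"
#   %PIX-4-106023: Deny tcp src outside:A/port dst inside:B/25 by access-group "acl_out"
DENY_RE = re.compile(
    r'(?:%PIX-\d-)?106023: Deny (?P<proto>\w+) '
    r'src (?P<src_if>[\w-]+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))? '
    r'dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?'
    r'(?: \(type (?P<itype>\d+), code (?P<icode>\d+)\))? '
    r'by access-group "(?P<acl>[^"]+)"'
)

# Constructed sample: two lines copied from the posted buffer, then TCP/UDP
# lines made up with RFC 5737 documentation addresses, plus one non-matching line.
SAMPLE_LOG = """\
106023: Deny icmp src inside:90.0.0.77 dst outside:90.0.139.218 (type 8, code 0) by access-group "private"
106023: Deny icmp src inside:90.0.0.77 dst outside:90.0.139.219 (type 8, code 0) by access-group "private"
%PIX-4-106023: Deny tcp src outside:198.51.100.7/40211 dst inside:192.0.2.90/25 by access-group "acl_out"
%PIX-4-106023: Deny tcp src outside:198.51.100.7/40212 dst inside:192.0.2.90/25 by access-group "acl_out"
%PIX-4-106023: Deny udp src dmz:10.0.0.2/5000 dst outside:203.0.113.9/161 by access-group "dmz"
Buffer logging: level debugging, 21479 messages logged
"""


def parse_106023(line):
    """Return a dict of the fields of a 106023 deny line, or None if it is not one."""
    m = DENY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "itype", "icode"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def summarize(lines):
    """Count denies by (access-group, protocol, destination interface, service).

    For TCP/UDP the service is the destination port; for ICMP it is the
    message type, so echo requests (type 8) group together.
    """
    counts = Counter()
    for line in lines:
        rec = parse_106023(line)
        if rec is None:
            continue
        if rec["dport"] is not None:
            service = rec["dport"]
        else:
            service = "icmp-type-%d" % rec["itype"]
        counts[(rec["acl"], rec["proto"], rec["dst_if"], service)] += 1
    return counts


def smtp_denies(lines):
    """Pull out just the denies that hit TCP/25, the traffic this thread is about."""
    out = []
    for line in lines:
        rec = parse_106023(line)
        if rec and rec["proto"] == "tcp" and rec["dport"] == 25:
            out.append(rec)
    return out


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for key, n in summarize(lines).most_common():
        print("%5d  acl=%s proto=%s dst_if=%s service=%s" % ((n,) + key))
    for rec in smtp_denies(lines):
        print("SMTP deny: %s:%s -> %s:%s by %s" % (
            rec["src_if"], rec["src"], rec["dst_if"], rec["dst"], rec["acl"]))
```

Fed the real buffer (paste the `show logging` output into a file and read it line by line), an empty result from `smtp_denies` while an outside connection to port 25 still fails means the PIX is not logging a deny for that traffic, which points the search at the router in front of it rather than at the PIX ACLs.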

New Member

Re: NEWBIE - same server all services responding except SMTP

Might be a good idea to hide IPs and passwords next time you post. Sure, you have access-lists on the 1700, but the passwords are easy unencrypted.
