07-26-2006 01:45 AM - edited 02-21-2020 01:04 AM
Hi,
My current setup is like this
Internal -- ISA FW -- PIX515E-R -- ROUTER -- INTERNET. I wrote a static mapping between the internal mail server and a public IP and allowed it through the access-list (only SMTP). Now I am able to send emails and all, but not able to receive emails. Once the PIX forwards email traffic to the ISA server, ISA will publish the traffic to the internal email server. Without the PIX it's working fine, but not when I connected the PIX.
ISA EXT: 10.100.4.1
PIX INT: 10.100.4.1, 4.2, 4.3
INTERNAL: 172.XXX.XXX.XXX
07-27-2006 12:45 AM
See the following URL:
http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K11355672
hopefully that will resolve your problem.
07-28-2006 10:36 PM
Hi,
The information was useful. After "no fixup" I am not able to fix it. Any more suggestions? BTW, I found some traffic in the show conn output stating "xxx.xxx.xxx.xxx:25 yyy.yyy.yyy.yyy 1143 UIOB". Does it mean that the firewall is forwarding the traffic? (yyy.yyy.yyy.yyy is static mapped to the xxx.xxx.xxx.xxx public IP)
Thanks
Shabbir
07-27-2006 01:22 AM
Hi,
I strongly feel that the issue is with your NAT/PAT setup. As far as I understand, you have tried to NAT all your SMTP traffic to a host (via your ISA Server) in 172.16.25.0 255.255.255.0.
Now the PIX is NOT able to make a static translation for this host unless it owns the subnet itself.
You have not mentioned the subnet 172.16.25.0 255.255.255.0 on the PIX, hence it won't be able to make a translation table entry for it.
I would suggest that you change the entry static (inside,outside) xxx.xxx.xxx.xxx 172.16.xxx.xxx netmask 255.255.255.255 0 0 (email) to an IP address which the PIX owns itself, i.e. in 10.100.4.0/24, and it will work.
Of course, prior to that you MUST make sure that for any SMTP connections arriving on the ISA, it is able to relay them to the actual Mail Server.
Hope it will work.
Kindly rate if it helps.
Regards,
Wilson Samuel
07-29-2006 07:23 AM
Hi Wilson,
I totally agree with you. Actually, now I changed the whole setup, removed the ISA and connected directly. So the current setup is Internet router -- Firewall -- internal core switch. As you know, the firewall address (external) is xxx.xxx.xxx.xxx and internally I gave 172.16.xxx.4 (which is again in the same VLAN as the mail server). I gave the static command and allowed it through static. This setup is just to make sure it works. But still I failed to do so. I am able to access the internet (HTTP traffic, no issues), but I can't receive or send mails.
If you have any suggestions, please specify. Is it possible for you to just give me a command list to configure this kind of setup?
07-29-2006 12:51 PM
Hi ... by looking at your config, you have several mistakes ... As I understand, your incoming email should be routed from the ASA to the ISA and then to your internal mail server, correct ..? Then your static needs to point to the external interface of the ISA box ... i.e. let's say that the external interface of the ISA is 10.100.4.5; then your static needs to be
static (inside,outside) 82.205.159.78 10.100.4.5 netmask 255.255.255.255
where 82.205.159.78 is the public address of your mail server.
The access-list applied to the external interface needs to also allow that access. I believe this has already been done by this entry, correct ..?
access-list out-in permit tcp any host 82.205.159.78 eq smtp
By following the above steps ... inbound traffic will flow Internet->ASA->your ISA box .. Now you need to make sure the ISA forwards that traffic to your email server 172.16.x.x.
I don't know how the ISA handles publishing, but you need to make sure that any incoming traffic for port 25 reaching its external interface is forwarded to your internal mail server.
I hope it helps ... please rate it if it does !!!
07-31-2006 01:36 AM
Hi,
I'm taking your config line by line to try to explain what you need to correct.
static (inside,outside) zzz.zzz.zzz.zzz 10.100.4.4 netmask 255.255.255.255 0 0
This statement doesn't serve any purpose, because there is NO outside access-list that permits any traffic to this IP address.
static (inside,outside) xxx.xxx.xxx.xxx 172.16.xxx.xxx netmask 255.255.255.255 0 0 (email)
This statement will NOT work, because at any point of time there is NO WAY the PIX could maintain a PAT/NAT table entry for the IP address 172.16.X.X, as this subnet is NOT mentioned in the PIX.
Now, to make the configuration work, let's assume that your ISA Server's IP address is 10.100.4.5/24 and the Mail Server's IP address is 172.16.X.X/24.
Now you need to change the IP address of the Mail Server from 172.16.X.X to 10.100.4.6/24 (example) and then enter the following statement in the PIX:
static (inside,outside) 82.205.159.78 10.100.4.6 netmask 255.255.255.255
I can vouch that, given the details I have had, it's BOUND to WORK...
All The BEST..
Please Rate if it helps.
Regards,
Wilson Samuel
08-07-2006 07:02 AM
Hello Wilson,
Your message was clear to me. Now I upgraded to version 7.0(1) and connected directly to the 172.16.xxx.xxx network. Internal network --- PIX --- Router --- Internet. Exchange is in the internal network.
ip address xxx.xxx.xxx.xxx 255.255.255.224
ip address 172.16.zzz.2z 255.255.255.248
access-list out-in extended permit tcp any host xxx.xxx.xxx.xxx eq smtp
access-list out-in extended permit tcp any host xxx.xxx.xxx.xxx eq domain
access-list out-in extended permit tcp any host xxx.xxx.xxx.xxx eq pop3
access-list inside extended permit tcp 172.16.zzz.0 255.255.255.0 any
global (outside) 1 interface
nat (inside) 1 172.16.xxx.0 255.255.255.0
nat (inside) 1 172.16.xxx.0 255.255.255.0
static (inside,outside) xxx.xxx.xxx.xxx 172.16.zzz.2z netmask 255.255.255.255
access-group out-in in interface outside
route outside 0.0.0.0 0.0.0.0 yyy.yyy.yyy.yyy 1
route inside 172.16.zzz.0 255.255.255.0 172.16.xxx.2 1
NO esmtp inspection
Do you think I missed anything? Please help.
Regards,
Sha
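As an added example (not code from the thread or from Cisco), a small Python lint over a constructed PIX 7-style config that checks the two conditions raised in this thread: that each static's inside address falls in an inside interface subnet or behind a "route inside", and that an access-list bound to the outside interface permits the static's public address. The interface names, ACL name and all addresses are constructed placeholders.

```python
import ipaddress

# Added example (not from the thread): lint a PIX 7-style config for the two
# inbound-publishing problems raised above. All names and addresses are constructed.
SAMPLE = """
interface Ethernet0
 nameif outside
 ip address 198.51.100.10 255.255.255.224
interface Ethernet1
 nameif inside
 ip address 172.16.20.2 255.255.255.248
access-list out-in extended permit tcp any host 198.51.100.10 eq smtp
access-list out-in extended permit tcp any host 198.51.100.11 eq smtp
static (inside,outside) 198.51.100.10 172.16.20.3 netmask 255.255.255.255
static (inside,outside) 198.51.100.11 172.16.25.5 netmask 255.255.255.255
static (inside,outside) 198.51.100.12 172.16.30.9 netmask 255.255.255.255
access-group out-in in interface outside
route inside 172.16.30.0 255.255.255.0 172.16.20.1 1
"""

def parse(text):
    """Collect interface subnets, statics (global, local), ACL entries, bindings and inside routes."""
    ifaces, statics, acls, bound, routes, name = {}, [], {}, {}, [], None
    for t in map(str.split, text.strip().splitlines()):
        if t[0] == "nameif":
            name = t[1]                       # following 'ip address' belongs to this interface
        elif t[:2] == ["ip", "address"] and name:
            ifaces[name] = ipaddress.ip_interface(f"{t[2]}/{t[3]}").network
        elif t[0] == "static":
            statics.append((t[2], t[3]))      # (global/public, local/inside)
        elif t[0] == "access-list" and "permit" in t:
            acls.setdefault(t[1], []).append(t)
        elif t[0] == "access-group":
            bound[t[-1]] = t[1]               # interface name -> ACL name
        elif t[0] == "route" and t[1] != "outside":
            routes.append(ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False))
    return ifaces, statics, acls, bound, routes

def audit(text):
    """Return one finding per static the firewall cannot actually serve."""
    ifaces, statics, acls, bound, routes = parse(text)
    inside_nets = [n for i, n in ifaces.items() if i != "outside"] + routes
    outside_acl = acls.get(bound.get("outside", ""), [])
    findings = []
    for glob, local in statics:
        if not any(ipaddress.ip_address(local) in n for n in inside_nets):
            findings.append(f"static {glob}->{local}: {local} is in no inside subnet or 'route inside'")
        if not any(glob in e for e in outside_acl):
            findings.append(f"static {glob}->{local}: no outside access-list entry permits {glob}")
    return findings
```

Run `audit(SAMPLE)` to see the two findings: the second static points at a subnet the PIX has no path to, and the third has no permitting entry in the outside access-list.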