
Not receiving emails through PIX

shabiersayed
Level 1

Hi,

My current setup is like this

Internal -- ISA FW -- PIX515E-R -- ROUTER -- INTERNET. I wrote a static mapping between the internal mail server and a public IP and allowed it through an access-list (only SMTP). Now I am able to send emails, but not able to receive emails. Once the PIX forwards email traffic to the ISA server, ISA will publish the traffic to the internal email server. Without the PIX it works fine, but not when I connected the PIX.

ISA EXT: 10.100.4.1

PIX INT: 10.100.4.1, 4.2, 4.3

INTERNAL: 172.XXX.XXX.XXX

7 Replies

8c-stone
Level 1

See the following URL:

http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K11355672

Hopefully that will resolve your problem.

Hi,

The information was useful. After "no fixup" I am still not able to fix it. Any more suggestions? BTW, I found some traffic in the "show conn" output stating "xxx.xxx.xxx.xxx:25 yyy.yyy.yyy.yyy 1143 UIOB". Does it mean that the firewall is forwarding the traffic? (yyy.yyy.yyy.yyy is statically mapped to the xxx.xxx.xxx.xxx public IP.)

Thanks

Shabbir

Wilson Samuel
Level 7

Hi,

I strongly feel that the issue is with your NAT/PAT thing. As far as I understand, you have tried to NAT all your SMTP traffic to a host (via your ISA Server) in 172.16.25.0 255.255.255.0.

Now the PIX is NOT able to make a static translation for this host unless it owns the subnet itself.

You have not mentioned the subnet 172.16.25.0 255.255.255.0 on the PIX, hence it won't be able to make a translation table entry for the same.

I would suggest that you change the entry static (inside,outside) xxx.xxx.xxx.xxx 172.16.xxx.xxx netmask 255.255.255.255 0 0 (email) to an IP address which the PIX owns itself, i.e. 10.100.4.0/24, and it will work.

Of course, prior to that you MUST make sure that any SMTP connections arriving on the ISA can be relayed to the actual Mail Server.

Hope that it will work.

Kindly rate if it helps.

Regards,

Wilson Samuel

Hi Wilson,

I totally agree with you. Actually, I have now changed the whole setup, removed the ISA and connected directly. So the current setup is Internet router -- Firewall -- internal core switch. As you know, the firewall address (external) is xxx.xxx.xxx.xxx and internally I gave it 172.16.xxx.4 (which is again in the same VLAN as the mail server). I gave the static command and allowed it through the static. This setup is just to make sure it works, but still I failed to do so. I am able to access the internet (HTTP traffic, no issues), but I can't receive or send mails.

If you have any suggestions, please specify them. Is it possible for you to just give me a command list to configure this kind of setup?

Fernando_Meza
Level 7

Hi ... by looking at your config, you have several mistakes. As I understand it, your incoming email should be routed from the ASA to the ISA and then to your internal mail server, correct? Then your static needs to point to the external interface of the ISA box, i.e. let's say that the external interface of the ISA is 10.100.4.5, then your static needs to be

static (inside,outside) 82.205.159.78 10.100.4.5 netmask 255.255.255.255

where 82.205.159.78 is the public address of your mail server.

The access-list applied to the external interface needs to also allow that access. I believe this has already been done by this entry, correct?

access-list out-in permit tcp any host 82.205.159.78 eq smtp

By following the above steps, inbound traffic will flow Internet -> ASA -> your ISA box. Now you need to make sure the ISA forwards that traffic to your email server 172.16.x.x.

I don't know how the ISA handles publishing but you need to make sure that any incoming traffic for port 25 reaching its external interface is forwarded to your internal mail server.

I hope it helps ... please rate it if it does!!!

Wilson Samuel
Level 7

Hi,

I'm taking your config line by line to try to explain what you need to correct.

static (inside,outside) zzz.zzz.zzz.zzz 10.100.4.4 netmask 255.255.255.255 0 0

This statement doesn't serve any purpose because there is NO outside access-list that permits any traffic to this IP address.

static (inside,outside) xxx.xxx.xxx.xxx 172.16.xxx.xxx netmask 255.255.255.255 0 0 (email)

This statement will NOT work, because there is NO WAY the PIX could maintain a PAT/NAT table for the IP address 172.16.X.X, as this subnet is NOT mentioned in the PIX.

Now, to make the configuration work, let's assume that your ISA server's IP address is 10.100.4.5/24 and the mail server's IP address is 172.16.X.X/24.

Now you need to change the IP address of the mail server from 172.16.X.X to 10.100.4.6/24 (example) and then enter the following statement in the PIX:

static (inside,outside) 82.205.159.78 10.100.4.6 netmask 255.255.255.255

I can vouch that, given the details I have had, it's BOUND to WORK...

All The BEST..

Please Rate if it helps.

Regards,

Wilson Samuel
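Both Wilson's line-by-line reply and Fernando's reply come down to the same three checks: the real address in the static must lie in a subnet the PIX owns (or reaches through a route on that interface), an access-list entry must permit TCP to the mapped public address on port 25, and that access-list must be bound to the outside interface. The following Python script is an added example and is not code from this thread or from Cisco; it reads PIX 6.x-style lines (`ip address <nameif> <ip> <mask>`, `route`, `static`, `access-list`, `access-group`) and reports which of those checks fail. It assumes the exact `permit <proto> any host <ip> eq <port>` access-list shape used in the thread, the function names `parse_pix`, `pix_owns` and `check_inbound_static` are hypothetical, and the two sample configs (with the public address 82.205.159.78 and inside subnet 10.100.4.0/24 from the thread) are constructed.

```python
"""Consistency check for PIX-style static / access-list / route lines (added example)."""
import ipaddress
import re
from dataclasses import dataclass, field

# Port names accepted after "eq" (a small hypothetical subset of the PIX keywords)
PORT_NAMES = {"smtp": 25, "pop3": 110, "domain": 53, "http": 80, "https": 443}


@dataclass
class PixConfig:
    interfaces: dict = field(default_factory=dict)     # nameif -> IPv4Interface
    routes: list = field(default_factory=list)         # [(nameif, IPv4Network)]
    statics: list = field(default_factory=list)        # [(in_if, out_if, global_ip, local_ip)]
    acls: dict = field(default_factory=dict)           # acl name -> [(proto, dst_ip, port)]
    access_groups: dict = field(default_factory=dict)  # nameif -> acl name


def port_number(token):
    return PORT_NAMES.get(token, int(token) if token.isdigit() else None)


def parse_pix(text):
    """Parse the handful of PIX 6.x line shapes this check needs; unknown lines are ignored."""
    cfg = PixConfig()
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!"):
            continue
        if tok[:2] == ["ip", "address"] and len(tok) >= 5:
            cfg.interfaces[tok[2]] = ipaddress.ip_interface(f"{tok[3]}/{tok[4]}")
        elif tok[0] == "route" and len(tok) >= 5:
            cfg.routes.append((tok[1], ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)))
        elif tok[0] == "static" and len(tok) >= 4:
            m = re.match(r"\((\w+),(\w+)\)", tok[1])
            if m:
                cfg.statics.append((m.group(1), m.group(2),
                                    ipaddress.ip_address(tok[2]), ipaddress.ip_address(tok[3])))
        elif tok[0] == "access-list" and len(tok) >= 3:
            body = tok[2:]
            if body[0] == "extended":           # 7.x keyword, harmless for 6.x lines
                body = body[1:]
            # only the shape used in the thread: permit <proto> any host <ip> eq <port>
            if (len(body) >= 7 and body[0] == "permit" and body[2] == "any"
                    and body[3] == "host" and body[5] == "eq"):
                cfg.acls.setdefault(tok[1], []).append(
                    (body[1], ipaddress.ip_address(body[4]), port_number(body[6])))
        elif tok[0] == "access-group" and len(tok) >= 5 and tok[2:4] == ["in", "interface"]:
            cfg.access_groups[tok[4]] = tok[1]
    return cfg


def pix_owns(cfg, nameif, addr):
    """True if the PIX reaches addr out of interface nameif: directly connected or via a route."""
    iface = cfg.interfaces.get(nameif)
    if iface is not None and addr in iface.network:
        return True
    return any(name == nameif and addr in net for name, net in cfg.routes)


def check_inbound_static(cfg, global_ip, port=25):
    """Return the list of problems for inbound traffic to global_ip:port; empty means OK."""
    global_ip = ipaddress.ip_address(global_ip)
    matches = [s for s in cfg.statics if s[2] == global_ip]
    if not matches:
        return [f"no static translation for {global_ip}"]
    in_if, out_if, _, local_ip = matches[0]
    problems = []
    if not pix_owns(cfg, in_if, local_ip):
        problems.append(f"{local_ip} is in no {in_if} subnet or route, so the PIX cannot build the translation")
    acl_name = cfg.access_groups.get(out_if)
    if acl_name is None:
        problems.append(f"no access-group bound to interface {out_if}")
    elif not any(proto == "tcp" and dst == global_ip and p == port
                 for proto, dst, p in cfg.acls.get(acl_name, [])):
        problems.append(f"access-list {acl_name} has no 'permit tcp any host {global_ip} eq {port}' entry")
    return problems


# Constructed sample in the shape of the original poster's config: the static points at a
# 172.16.25.x host while the PIX only owns 10.100.4.0/24 on the inside and has no route to it.
BROKEN_CFG = """\
ip address outside 82.205.159.66 255.255.255.224
ip address inside 10.100.4.2 255.255.255.0
static (inside,outside) 82.205.159.78 172.16.25.10 netmask 255.255.255.255 0 0
access-list out-in permit tcp any host 82.205.159.78 eq smtp
access-group out-in in interface outside
route outside 0.0.0.0 0.0.0.0 82.205.159.65 1
"""

# Constructed sample of the fix both replies describe: the static now targets the ISA's
# external address on the 10.100.4.0/24 subnet the PIX is connected to.
FIXED_CFG = BROKEN_CFG.replace("172.16.25.10", "10.100.4.5")

if __name__ == "__main__":
    for name, text in (("broken", BROKEN_CFG), ("fixed", FIXED_CFG)):
        print(name, check_inbound_static(parse_pix(text), "82.205.159.78") or ["ok"])
```

The route check is what distinguishes the two approaches in the thread: keeping the mail host on 172.16.25.0/24 is also consistent if a `route inside 172.16.25.0 255.255.255.0 <next-hop>` line exists, whereas moving the target to 10.100.4.x works with no extra route.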

Hello Wilson,

Your message was clear to me. Now I have upgraded to version 7.0(1) and connected directly to the 172.16.xxx.xxx network: Internal network --- PIX --- Router --- Internet. Exchange is in the internal network.

ip address xxx.xxx.xxx.xxx 255.255.255.224
ip address 172.16.zzz.2z 255.255.255.248
access-list out-in extended permit tcp any host xxx.xxx.xxx.xxx eq smtp
access-list out-in extended permit tcp any host xxx.xxx.xxx.xxx eq domain
access-list out-in extended permit tcp any host xxx.xxx.xxx.xxx eq pop3
access-list inside extended permit tcp 172.16.zzz.0 255.255.255.0 any
global (outside) 1 interface
nat (inside) 1 172.16.xxx.0 255.255.255.0
nat (inside) 1 172.16.xxx.0 255.255.255.0
static (inside,outside) xxx.xxx.xxx.xxx 172.16.zzz.2z netmask 255.255.255.255
access-group out-in in interface outside
route outside 0.0.0.0 0.0.0.0 yyy.yyy.yyy.yyy 1
route inside 172.16.zzz.0 255.255.255.0 172.16.xxx.2 1

NO esmtp inspection

Do you think I missed anything? Please help.

Regards,

Sha
