Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Users might experience few discrepancies in Search results. We are working on this on our side. We apologize for the inconvenience it may have caused.
New Member

Pix 501 - Not allowing Outbound mail

We have a MS Small Business Server as a Domain Controller running DNS Active Directory and Exchange and an W2K Server running applications. Both have static ips 192.168.0.3 and 192.168.0.2 respectively. VPN is working fine also!

The PIX is dishing out IP's to the client machines.

We have internet connectivity throughout but cannot seem get any ingoing mail through the PIX. We can see that the PIX is dropping all ingoing mail.

I have attached the firewall configuration in the hope someone may identify some problem with the rules we have set?

Building configuration...

: Saved

:

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxxxx encrypted

passwd xxxxxx encrypted

hostname pixfirewall

domain-name prokinetics.com.au

clock timezone EST 10

clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

name 192.168.0.3 mailgateway

name 192.168.0.2 SERVER

access-list inside_outbound_nat0_acl permit ip any 192.168.0.0 255.255.255.128

access-list outside_access_in permit udp any eq nameserver any

access-list outside_access_in permit tcp any eq pop3 host 150.101.214.18 eq pop3

access-list outside_access_in permit tcp any eq smtp host 150.101.214.18 eq smtp

access-list outside_access_in permit tcp any eq pcanywhere-data host 150.101.214

.18

access-list outside_access_in permit tcp any eq pcanywhere-data host 150.101.214

.18 eq pcanywhere-data

access-list outside_access_in permit udp any eq pcanywhere-status host 150.101.2

14.18 eq pcanywhere-status

access-list outside_access_in permit icmp any any unreachable

access-list outside_access_in permit icmp any any time-exceeded

access-list outside_access_in permit icmp any any echo-reply

access-list inside_access_in permit ip any any

access-list inside_access_in permit udp any any

access-list inside_access_in permit icmp any any

access-list inside_access_in permit tcp any any

pager lines 24

logging on

interface ethernet0 10baset

interface ethernet1 10full

icmp permit any mobile-redirect outside

icmp permit any traceroute inside

mtu outside 1500

mtu inside 1500

ip address outside 150.101.214.18 255.255.255.248

ip address inside 192.168.0.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool VPNClients 192.168.0.50-192.168.0.70

pdm location 192.168.0.0 255.255.255.128 outside

pdm location mailgateway 255.255.255.255 inside

pdm location SERVER 255.255.255.255 inside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp interface smtp mailgateway smtp netmask 255.255.255.

255 0 0

static (inside,outside) tcp interface pop3 mailgateway pop3 netmask 255.255.255.

255 0 0

static (inside,outside) tcp interface pcanywhere-data SERVER pcanywhere-data net

mask 255.255.255.255 0 0

static (inside,outside) udp interface pcanywhere-status SERVER pcanywhere-status

netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 150.101.214.17 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si

p 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 192.168.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-pptp

no sysopt route dnat

telnet timeout 5

ssh timeout 5

vpdn group PPTP-VPDN-GROUP accept dialin pptp

vpdn group PPTP-VPDN-GROUP ppp authentication mschap

vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto

vpdn group PPTP-VPDN-GROUP client configuration address local VPNClients

vpdn group PPTP-VPDN-GROUP client configuration dns mailgateway SERVER

vpdn group PPTP-VPDN-GROUP pptp echo 60

vpdn group PPTP-VPDN-GROUP client authentication local

vpdn username jgroves password *********

vpdn enable outside

dhcpd address 192.168.0.4-192.168.0.35 inside

dhcpd dns mailgateway 192.231.203.3

dhcpd lease 691200

dhcpd ping_timeout 750

dhcpd enable inside

terminal width 80

Cryptochecksum:xxxxxx

: end

Thanks in advance..............

4 REPLIES
Gold

Re: Pix 501 - Not allowing Outbound mail

Hi - Jason,

Try placing this cmd on your pix -

> no fixup protocol smtp 25

Hope this helps - let us know how you get on.

Silver

Re: Pix 501 - Not allowing Outbound mail

I was just able to send the postmaster@prokinetics.com.au a test message by telnet. x.x.x.18 is open for smtp, and his MX records are correct. Was no fixup the fix? I know with E5.5, having it enabled meant repeated reception of the same message from certain smtp servers, but I don't think it ever stopped us from getting any mail

New Member

Re: Pix 501 - Not allowing Outbound mail

I have the old router device installed while I try to fix. I will be trying to fix again tonite. Client needed to operate business today and is heavily dependant on email. Thanks for your help!

Gold

Re: Pix 501 - Not allowing Outbound mail

Hi Jason again -

I hope that 'no fixup worked for port smtp 25' - I thought that if security is a concern for you, you shoud try placing ' icmp deny any outside' in this way any one trying to comprimise your pix then they will be denied i.e. goto http://www.grc.com and try 'shields Up' (which is secure and free) and see if any ports are open for abuse from the outside world. - this is just a thought.

Hope it worked... let us know how you got on...

366
Views
0
Helpful
4
Replies
CreatePlease to create content