
New Member

PIX 515E External SMTP & POP access from DMZ

Hi All,

I need some help to resolve the problem I am facing on the configuration.

Config: PIX515E Ver 6.3(1), with 6 interfaces. The outside interface is connected to the Internet router and assigned a public IP. Internet access is configured for users connected to the inside interface only, using the nat & global commands (Global Outside 1 Interface). I want to enable e-mail (SMTP & POP3) access from a couple of hosts in one of the DMZs.

I configured NAT 1 on the interface & applied an access list. If I permit SMTP & POP only, I am not even getting any hit on the access-list. If I permit IP any from those hosts, I am able to browse the net, e-mail, etc. After that, when I restrict to SMTP & POP only, it works for some time; after a while I can see no hits coming to the access-list.

What could be the cause of such behaviour? Have I missed anything...? I am a bit confused.

Thanks in advance.

Best regards,

Accepted Solutions
Cisco Employee

Re: PIX 515E External SMTP & POP access from DMZ

Make sure you allow DNS from these hosts too (UDP/53), as they'll be doing DNS queries first for the remote host IP address and MX record of the domain before they can make a connection to the relevant external mail host.

If you allow all IP then they'll be able to do the DNS query then make the SMTP/POP connection, and they'll cache those DNS queries for a while, which is why it works for a while after removing the ACL. Once the DNS cache times out in those hosts they have to do another DNS query, which then fails because you haven't allowed it through the ACL.
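To make the mechanism in this answer concrete, here is an added model (example code, not Cisco's or the PIX's own logic) of a DMZ host whose stub resolver caches DNS answers, sitting behind a first-match ACL with an implicit deny. The ACL lines follow PIX 6.x syntax; the `dmz_out` ACL name, the host and resolver addresses, the mail server name and its TTL are all constructed. It reproduces the symptom from the question: with SMTP/POP3 permitted but UDP/53 not, mail works while the cached answer is valid, then the lookup is dropped and no TCP connection is ever attempted, so the access-list shows no further hits.

```python
"""Added example: DNS caching behind a PIX-style ACL that omits UDP/53."""
import re
from dataclasses import dataclass
from typing import Optional

# PIX 6.x port keywords for the services in this thread
PORT_NAMES = {"domain": 53, "smtp": 25, "pop3": 110}

ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>ip|tcp|udp)\s+"
    r"(?:host\s+(?P<src>\S+)|any)\s+any(?:\s+eq\s+(?P<port>\S+))?\s*$"
)

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int

@dataclass
class Rule:
    action: str
    proto: str
    src: str               # "any" or a single host address
    dport: Optional[int]   # None means any destination port
    hits: int = 0          # mirrors the hit counter shown by 'show access-list'

def parse_acl(text: str) -> list:
    """Parse 'access-list NAME permit|deny PROTO host A.B.C.D|any any [eq PORT]' lines."""
    rules = []
    for line in text.strip().splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACL line: {line!r}")
        port = m.group("port")
        dport = None if port is None else PORT_NAMES.get(port, None)
        if port is not None and dport is None:
            dport = int(port)
        rules.append(Rule(m.group("action"), m.group("proto"), m.group("src") or "any", dport))
    return rules

def acl_permits(rules, pkt: Packet) -> bool:
    """First matching entry wins; traffic matching no entry hits the implicit deny."""
    for r in rules:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if r.src != "any" and r.src != pkt.src:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        r.hits += 1
        return r.action == "permit"
    return False

class DmzHost:
    """Mail client in the DMZ with a TTL-bounded resolver cache."""
    def __init__(self, ip: str, resolver_ip: str):
        self.ip, self.resolver_ip = ip, resolver_ip
        self.cache = {}   # name -> (address, expiry time in seconds)

    def resolve(self, name, now, rules, zone):
        cached = self.cache.get(name)
        if cached and cached[1] > now:
            return cached[0]                 # answered locally; nothing crosses the firewall
        if not acl_permits(rules, Packet("udp", self.ip, self.resolver_ip, 53)):
            return None                      # the lookup itself is dropped by the ACL
        address, ttl = zone[name]
        self.cache[name] = (address, now + ttl)
        return address

    def connect(self, name, port, now, rules, zone):
        address = self.resolve(name, now, rules, zone)
        if address is None:
            return "resolve-failed"          # no TCP attempt, so no SMTP/POP3 hit
        return "ok" if acl_permits(rules, Packet("tcp", self.ip, address, port)) else "denied"

ZONE = {"mail.example.net": ("203.0.113.25", 3600)}   # constructed: one record, 1h TTL
HOST, RESOLVER = "10.10.1.5", "198.51.100.53"          # constructed addresses

PERMISSIVE = f"access-list dmz_out permit ip host {HOST} any"
MAIL_ONLY = f"""
access-list dmz_out permit tcp host {HOST} any eq smtp
access-list dmz_out permit tcp host {HOST} any eq pop3
"""
MAIL_AND_DNS = f"""
access-list dmz_out permit udp host {HOST} any eq domain
access-list dmz_out permit tcp host {HOST} any eq smtp
access-list dmz_out permit tcp host {HOST} any eq pop3
"""

def run_scenario(narrow_acl: str):
    """Warm the cache under 'permit ip', tighten the ACL, retry before and after TTL expiry.
    Returns (SMTP result at t=600s, POP3 result at t=4000s, total hits on the narrow ACL)."""
    host = DmzHost(HOST, RESOLVER)
    host.connect("mail.example.net", 25, 0, parse_acl(PERMISSIVE), ZONE)   # caches the answer
    rules = parse_acl(narrow_acl)
    while_cached = host.connect("mail.example.net", 25, 600, rules, ZONE)
    after_expiry = host.connect("mail.example.net", 110, 4000, rules, ZONE)
    return while_cached, after_expiry, sum(r.hits for r in rules)

if __name__ == "__main__":
    print("SMTP/POP3 only:", run_scenario(MAIL_ONLY))      # ('ok', 'resolve-failed', 1)
    print("plus UDP/53:   ", run_scenario(MAIL_AND_DNS))   # ('ok', 'ok', 3)
```

The hit count is the diagnostic worth noting: with the DNS entry missing, the narrow ACL records exactly one hit (the SMTP session made while the answer was still cached) and then goes quiet, which is the "no hit on the access-list" symptom rather than a visible deny against port 25 or 110. Adding the UDP/53 line produces the expected DNS, SMTP and POP3 hits.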

Replies

New Member

Re: PIX 515E External SMTP & POP access from DMZ

Hi,

Thank you for your Input.

I tried telnetting from these hosts to the SMTP port of the server as well, but there again I used the name of the SMTP server. Your input has been really helpful.

Best regards,
