
New Member

PIX DMZ relay smtp server problem

Hi

Have a 515E PIX with an "Internet" IP range for both the outside and DMZ interface.

I'm having a problem when I specify an access list to allow the mail relay to forward mail to the internal mail server.

This is my config

fixup protocol smtp 25
access-list Sydney2match permit ip 192.168.107.0 255.255.255.0 192.168.33.0 255.255.255.0
access-list Sydney2match permit ip 192.168.107.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list Sydney2match permit ip 192.168.184.0 255.255.248.0 192.168.33.0 255.255.255.0
access-list Sydney2match permit ip 192.168.184.0 255.255.248.0 192.168.100.0 255.255.255.0
access-list SMTP permit tcp any host x.y.163.178 eq smtp
access-list NONAT permit ip 192.168.184.0 255.255.248.0 192.168.100.0 255.255.255.0
access-list NONAT permit ip 192.168.184.0 255.255.248.0 192.168.33.0 255.255.255.0
access-list NONAT permit ip 192.168.107.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list NONAT permit ip 192.168.107.0 255.255.255.0 192.168.33.0 255.255.255.0
access-list dmz_outbound_nat0_acl permit ip x.y.163.176 255.255.255.240 any
access-list SMTPINSIDE permit tcp host x.y.163.178 host 192.168.185.50 eq smtp
access-list SMTPINSIDE permit tcp host x.y.163.178 any eq smtp
ip address outside x.y.165.22 255.255.255.248
ip address inside 192.168.185.1 255.255.255.0
ip address dmz x.y.163.177 255.255.255.240
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 192.168.185.0 255.255.255.0 0 0
nat (dmz) 0 access-list dmz_outbound_nat0_acl
static (inside,dmz) 192.168.185.0 192.168.185.0 netmask 255.255.255.0 0 0
access-group SMTP in interface outside
access-group SMTPINSIDE in interface dmz
route outside 0.0.0.0 0.0.0.0 x.y.165.21 1
route inside 192.168.107.0 255.255.255.0 192.168.185.253 1
crypto map SYDIMC 100 match address Sydney2match

PS. If I remove "access-group SMTPINSIDE" I can telnet to the relay server, but not the inside mail server.

Thanks

  • Other Security Subjects
1 REPLY
Cisco Employee

Re: PIX DMZ relay smtp server problem

I'm a little confused as to what you're trying to do here. You mention you can telnet to the relay server, from where? To get to the relay server from the outside you need:

static (dmz,outside) x.y.163.178 x.y.163.178 netmask 255.255.255.255

along with your SMTP access-list. From there, if the DMZ server is supposed to send mail to the inside server, then your SMTPINSIDE and static that you have shown should be enough. What do you get if, from the DMZ server, you type:

> telnet 192.168.185.50 25

If you get connected then the static/ACL is working as it should. If this is an Exchange server you may need to turn off the SMTP fixup with:

> no fixup protocol smtp 25

Other than that, whenever you have connectivity problems, always enable syslogging with:

logging on
logging cons debug

and try a connection; the PIX will then tell you exactly what it's allowing and/or denying.
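To make the reply's test concrete, the following is an added example (not code from the original thread or from Cisco): a small evaluator for the poster's access-list and access-group lines that reports whether a given flow entering an interface would be permitted, using the PIX rules the reply relies on (the ACL bound inbound on the ingress interface is matched first-hit with an implicit deny; with no ACL bound, only higher-to-lower security traffic passes). The interface security levels, the port-name table and the 203.0.113.0/24 stand-in for the poster's redacted x.y.163.0 range are assumptions, not values from the post.

```python
"""Added example, not from the original post: evaluate the poster's PIX ACLs
for a few flows.  Security levels and the 203.0.113.x stand-in addresses are
assumptions; the access-list / access-group lines are the poster's own."""
import ipaddress

# Assumed interface security levels (0 and 100 are the PIX defaults for
# outside/inside; the DMZ level is not shown in the post, 50 is assumed).
SECURITY_LEVEL = {"outside": 0, "dmz": 50, "inside": 100}

# Assumed mapping of the port keywords the PIX accepts after "eq".
PORT_NAMES = {"smtp": 25, "telnet": 23, "www": 80, "https": 443}

# Constructed config: the poster's lines with x.y.163.x replaced by 203.0.113.x.
CONFIG = """
access-list SMTP permit tcp any host 203.0.113.178 eq smtp
access-list SMTPINSIDE permit tcp host 203.0.113.178 host 192.168.185.50 eq smtp
access-list SMTPINSIDE permit tcp host 203.0.113.178 any eq smtp
access-group SMTP in interface outside
access-group SMTPINSIDE in interface dmz
"""


def _parse_addr(tokens):
    """Consume one address spec (any | host A | NET MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # "NET MASK" in dotted form, as on the PIX
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    """Return ({acl_name: [(action, proto, src, dst, port)]}, {interface: acl_name})."""
    acls, bindings = {}, {}
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"]:
            name, action, proto = tok[1], tok[2], tok[3]
            src, rest = _parse_addr(tok[4:])
            dst, rest = _parse_addr(rest)
            port = None
            if rest[:1] == ["eq"]:
                port = PORT_NAMES.get(rest[1]) or int(rest[1])
            acls.setdefault(name, []).append((action, proto, src, dst, port))
        elif tok[:1] == ["access-group"]:
            # access-group NAME in interface IFACE
            bindings[tok[4]] = tok[1]
    return acls, bindings


def check_flow(acls, bindings, ingress, egress, proto, src, dst, dport):
    """Decide a flow entering `ingress` bound for `egress`; return (permitted, why)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    acl_name = bindings.get(ingress)
    if acl_name is None:
        # No ACL on the ingress interface: security levels alone decide.
        if SECURITY_LEVEL[ingress] > SECURITY_LEVEL[egress]:
            return True, "no ACL; higher-to-lower security"
        return False, "no ACL; lower-to-higher security is denied by default"
    for idx, (action, aproto, asrc, adst, aport) in enumerate(acls[acl_name]):
        if aproto not in (proto, "ip"):
            continue
        if src not in asrc or dst not in adst:
            continue
        if aport is not None and aport != dport:
            continue
        return action == "permit", f"{acl_name} line {idx + 1}"
    return False, f"{acl_name} implicit deny"


if __name__ == "__main__":
    acls, bindings = parse_config(CONFIG)
    # The reply's test: from the DMZ relay, "telnet 192.168.185.50 25"
    print(check_flow(acls, bindings, "dmz", "inside", "tcp",
                     "203.0.113.178", "192.168.185.50", 25))
    # The same host on port 23 falls through to the implicit deny
    print(check_flow(acls, bindings, "dmz", "inside", "tcp",
                     "203.0.113.178", "192.168.185.50", 23))
    # With the access-group removed, DMZ-to-inside is denied by security level
    print(check_flow(acls, {}, "dmz", "inside", "tcp",
                     "203.0.113.178", "192.168.185.50", 25))
```

Running it shows why the access-group matters: the SMTP flow to 192.168.185.50 matches the first SMTPINSIDE line, a telnet to the same host hits the implicit deny, and with no ACL bound the lower-security DMZ cannot reach the inside at all, while DMZ-to-outside still passes. It evaluates only the ACL and security-level step; the static translation the reply asks about is a separate check on the real PIX.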

183 Views | 0 Helpful | 1 Replies