Pix Firewall with Proxy Server

lasani
Level 1

I need to allow only one IP address (the one for the proxy server) to browse through the PIX firewall to the Internet.

What will be the commands in the PIX firewall to block the traffic to the Internet from all of the inside network 10.2.1.x but only allow 10.2.1.10 (the proxy server)?

All other computers will use the proxy server address to use the Internet.

Please let me know the correct commands and, secondly, let me know if other computers can browse the Internet if they are using this particular proxy server address?

24 Replies

Just wondering what model of PIX have you got? If you've got a PIX 501, then the issue may be related to the user licence.

Do "sh ver" on the PIX to verify the internal user licence.

Hi again,

I have a PIX 515E in my network and there is no restriction for user licences.

I have opened ports 80 and 443 only for the proxy server and ports 25 and 110 for the whole network.

Sometimes everything works fine, Internet users can browse, emails come and go without any problem. BUT sometimes nothing works, browsing stops, email send/receive also stops. When I do "show xlate" on the PIX it shows no translations.

As soon as I remove the access-list from the interface (no interface-group command), traffic starts flowing, Internet browsing and email traffic becomes normal. And if I re-apply the access-list on the interface on the PIX, it works for some time but stops again until I remove the access-list.

I am really confused by this behavior.

What could be the problem?

Hi again,

I have this configuration on my PIX 515E:

access-list 100 permit tcp any any eq smtp
access-list 100 permit tcp any any eq pop3
access-list 100 permit tcp host 10.2.1.10 any eq www
access-list 100 permit tcp host 10.2.1.10 any eq 8080
access-list 100 permit tcp host 10.2.1.10 any eq https
access-group 100 in interface inside

It is passing web traffic but emails are not going through until I remove the access-group command.

When I remove the access-group command, things work, but if I apply it, sometimes emails don't work, sometimes web traffic doesn't work.

Please check and let me know what could be done.

Try adding: access-list 100 permit ip any any

i.e.

access-list 100 permit tcp any any eq smtp
access-list 100 permit tcp any any eq pop3
access-list 100 permit tcp host 10.2.1.10 any eq www
access-list 100 permit tcp host 10.2.1.10 any eq 8080
access-list 100 permit tcp host 10.2.1.10 any eq https
access-list 100 permit ip any any
access-group 100 in interface inside

Save with: write mem and also issue: clear xlate

Let us know how you get on.

Jay

For outgoing email access, you are permitting SMTP and POP3. How about IMAP? You need to permit this as well if you are using Outlook to retrieve email.

With web traffic, I assume 10.2.1.10 is the proxy since it's the only host permitted to browse the Internet. Maybe try to verify whether the PC is pointing to 10.2.1.10 as its proxy for the Internet.

What is the port number for IMAP to open?

The problem is that sometimes web traffic and email all work fine, sometimes only web traffic works and emails do not work, and sometimes both do not work until I remove the access-group command. And as soon as I remove the access-group command, everything starts to work.

I was thinking maybe the issue is related to the internal user licence, but then I found that the model you've got is a 515E, so it doesn't matter.

Just wondering if the issue is with the Internet link rather than the PIX configuration. To verify, log on to the console when the issue occurs, then ping any Internet IP.

With Outlook (not Express), IMAP needs to be permitted and it's TCP 143.

Dear Jack,

There is nothing wrong with the Internet connection because as soon as I remove the access-list from the interface (no access-group command), Internet browsing and SMTP/POP3 email start working fine.

This shows that there is nothing wrong with the Internet connection.

Secondly, when the Internet and email are not working and I give the "show xlate" command, it doesn't show me any translations.

I really wonder what is going on?

I have auditing enabled on the PIX for the internal and external interfaces; is it something to do with that?

"sh xlate" is blank?! Interesting. Would you please post the config as well as "sh ver"?

I think I have solved the problem :)

I have opened port 53 from my internal DNS server to the forwarder IP address, which is the DNS server of my ISP.

Everything is working fine, no one has complained so far. Let's see until tomorrow.

I hope it will stay smooth.
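The resolution above explains the intermittent symptom: the original access-list permitted only a few TCP services, so the implicit deny at the end of the list dropped the internal DNS server's UDP/53 queries to the ISP forwarder, and browsing and mail failed whenever cached names expired. The following script is an added example (not from the thread or from Cisco) that parses the subset of PIX access-list syntax used in the posts and evaluates sample flows with first-match semantics and the implicit deny, against the original list and against the narrow fix (UDP/53 from the internal DNS server to the forwarder only) rather than a blanket "permit ip any any", which would let every inside host bypass the proxy. The DNS server and forwarder addresses, and the destination addresses in the sample flows, are constructed placeholders; the thread only names the proxy 10.2.1.10.

```python
"""Simulate first-match evaluation of PIX-style access-list entries.

Added example, not from the thread. It parses the subset of PIX ACL syntax
used in the posts (access-list NAME permit|deny PROTO SRC DST [eq PORT])
and evaluates constructed sample flows against the original ACL and the
corrected one, to show why DNS lookups were dropped.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

# Well-known service names PIX accepts in place of port numbers (subset).
PORT_NAMES = {"smtp": 25, "pop3": 110, "www": 80, "https": 443,
              "domain": 53, "imap4": 143}

# Constructed addresses for the example; the thread only names the proxy.
INTERNAL_DNS = "10.2.1.5"       # assumed internal DNS server
ISP_FORWARDER = "203.0.113.53"  # assumed ISP forwarder (documentation range)


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "ip"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]        # None matches any destination port

    def matches(self, f: Flow) -> bool:
        if self.proto != "ip" and self.proto != f.proto:
            return False
        if ip_address(f.src) not in self.src or ip_address(f.dst) not in self.dst:
            return False
        return self.dport is None or self.dport == f.dport


def _parse_addr(tokens: List[str], i: int):
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D M.M.M.M'."""
    t = tokens[i]
    if t == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if t == "host":
        return ip_network(tokens[i + 1] + "/32"), i + 2
    return ip_network(f"{t}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse access-list lines; non-ACL lines (e.g. access-group) are skipped."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue
        action, proto = tok[2], tok[3]
        src, i = _parse_addr(tok, 4)
        dst, i = _parse_addr(tok, i)
        dport = None
        if i < len(tok) and tok[i] == "eq":
            p = tok[i + 1]
            dport = PORT_NAMES[p] if p in PORT_NAMES else int(p)
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def evaluate(acl: List[Ace], f: Flow) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(f):
            return ace.action
    return "deny"


ORIGINAL_ACL = parse_acl("""
access-list 100 permit tcp any any eq smtp
access-list 100 permit tcp any any eq pop3
access-list 100 permit tcp host 10.2.1.10 any eq www
access-list 100 permit tcp host 10.2.1.10 any eq 8080
access-list 100 permit tcp host 10.2.1.10 any eq https
""")

# The narrow fix reached in the thread: internal DNS server to its forwarder only.
FIXED_ACL = ORIGINAL_ACL + parse_acl(
    f"access-list 100 permit udp host {INTERNAL_DNS} host {ISP_FORWARDER} eq domain"
)

# Constructed sample flows (destination addresses are documentation ranges).
SAMPLE_FLOWS = {
    "proxy web": Flow("tcp", "10.2.1.10", "198.51.100.10", 80),
    "workstation web": Flow("tcp", "10.2.1.20", "198.51.100.10", 80),
    "client smtp": Flow("tcp", "10.2.1.20", "198.51.100.25", 25),
    "dns forward": Flow("udp", INTERNAL_DNS, ISP_FORWARDER, 53),
}


def verdicts(acl: List[Ace]) -> Dict[str, str]:
    """Verdict for every sample flow under the given ACL."""
    return {name: evaluate(acl, f) for name, f in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        print(label, verdicts(acl))
```

Under the original list the "dns forward" flow is denied while the proxy's web traffic and client SMTP are permitted, which matches the symptoms in the thread; the fixed list permits the DNS flow while still denying direct web access from a workstation, so the proxy-only policy is preserved.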
