Simple Exchange Server Config

ohnnyj
Level 1

Hello all:

I can't seem to get our Exchange server to play well with our PIX 506E. We can access the internet just fine and send e-mails out but cannot receive them. Is there a walkthrough for having an exchange server internally which needs to be accessed externally?

I altered the following things:

1. added an access list:

access-list acl_out permit tcp any host 10.34.1.1 eq smtp

access-group acl_out in interface outside

2. created a static route:

static (inside,outside) tcp interface smtp 10.34.1.1 smtp netmask 255.255.255.255 0 0

3. change the fixup for smtp:

no fixup protocol smtp 25

Did I do something wrong here? Any help would be appreciated. And I am not very keen with Cisco terminology so please be specific.

Thanks,

John

14 Replies

xbw
Level 1

fixup protocol smtp 25 isn't removed.

The access-list should contain the destination public IP of the PIX ! The rest looks fine.

example:

access-list acl_out permit tcp any interface outside eq smtp

no access-list acl_out permit tcp any host 10.34.1.1 eq smtp

hope that helps

Patrick

Sorry it took so long to get back to you but I haven't had the chance to reconfigure the pix until tonight. From what you are saying is the only thing I need to do is change the 10.34.1.1 address to the public (outside interface) address of the PIX?

Thanks,

John

Well I have been trying any kind of setting I can think of but nothing seems to be working. I have tried using the public ip of the pix, the public ip of the router and changing the settings on the router as well to point to our exchange server. From my point of view I thought that the following would have worked:

1. Change the ip address in acl_out to the public ip of the PIX.

2. Add a pinhole to my router pointing to the ip of the pix for port 25 traffic.

These did not resolve the issue and neither did changing the ip of the pinhole to the 10.34.1.1 address of the exchanger server.

I'm completely lost and would appreciate any further assistance anyone can provide.

And just to give you an idea of what kind of network we have:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094768.shtml

this fits us pretty much exactly and was how I got internet access to work.

Thanks,

John

just wondering if the pix is newly deployed and the email used to work; or this is a completely fresh deployment.

the issue may be related to the mx record for your mail server. to verify, contact your isp or issue "nslookup mail.yourcompany.com" and see whether it retrieves the pix public ip.

from a pc on the internet or outside the pix, issue "telnet 25". further, do "sh access-l" on the pix to verify whether the smtp traffic has ever hit the pix outside interface.

This is not a new deployment. We are switching isps and currently running off a slower dsl line. Thus, I switch between two routers and bring back the old settings on the PIX to make sure everything works if I can not get the new config to function before the next working day.

joe.oranday
Level 1

Do you have a translation of your internal server to a routable external IP address?

The 10.x.x.x network is a private network, so I would start with trying to figure out if outside email is even trying to get to your perimeter router. Did you setup a DNS entry with a mx record?

Can you post a copy of your config? That would help in answering your questions,

Ok, thanks for getting back to me, I have attached the configuration I have for the PIX. If you want me to post it directly I will as well.

And this is how I got it to connect to the Internet:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094768.shtml

as this is basically how our network is setup.

Thanks,

John

the posted config seems very straight forward and i can't see any error.

my previous post:

from a pc on the internet or outside the pix, issue "telnet 25". further, do "sh access-l" on the pix to verify whether the smtp traffic has ever hit the pix outside interface.

just wondering if you had given it a go or not.

Do you think it could be an issue with our router? We were given an ADSL Netopia which allows you to create what they call 'Pinholes' for certain ports. It asks for an internal ip address of the mail server. Should I put the internal 10.34 address here or the public ip of the pix?

I will try your other suggestions as well. What exactly am I looking for in the output?

Thanks,

John

pix public ip should be used on the adsl netopia, since this box has no knowledge about the ip 10.34. 10.34 is secured by pix and only pix knows this subnet.

regarding the output of those show commands, we can at least identify whether the pix has received the smtp traffic or not. assuming the hit count is increasing on the acl, that means either the pix is not forwarding the packet to the server, or the server doesn't respond etc.

Well I made sure to have the pinhole set as the public ip of the pix and still can't get it to work. After running the sh access-l command all I get is:

pixfirewall(config)# show access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)

alert-interval 300

access-list acl_out; 1 elements

access-list acl_out line 1 permit tcp any interface outside eq smtp (hitcnt=0)

John

the "hitcnt" = 0 indicates that the pix has not received any smtp packet.

just wondering if the adsl router has a firewall as well. alternatively, connect your pc to the pix outside interface directly and do "telnet 25" from command prompt. you should get to a blank page or email server something. then do "sh access-l" again on the pix. if there is an increase of the "hitcnt", then definitely the adsl router is blocking the smtp.

I agree the config looks fine. I'm just going to repeat previous posts here.

1. Telnet to the outside interface IP of the PIX to port 25

2. If #1 didn't work, re-check config, specifically the IP address of the exchange server

3. if #1 did work, check the router/firewall which is 'in front' of your PIX

4. if #3 looks fine, check DNS, specifically your MX record. It should, if I understand your network, be the same as your PIX outside interface.
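As an added example (not posted by anyone in this thread), a small Python helper that reads the hitcnt counters out of the "show access-list" output John pasted above and maps the question "did the counter move after a test connection to port 25 from outside?" onto the checklist in this last reply. The sample output is the one quoted in the thread; the decision labels are my own.

```python
import re
from dataclasses import dataclass
from typing import List

# Matches one rule line of PIX 6.x "show access-list" output, e.g.
#   access-list acl_out line 1 permit tcp any interface outside eq smtp (hitcnt=0)
ACL_RULE = re.compile(
    r"^access-list (?P<name>\S+) line (?P<line>\d+) (?P<action>permit|deny) "
    r"(?P<rule>.+?) \(hitcnt=(?P<hits>\d+)\)\s*$"
)

# Output quoted earlier in the thread, embedded here as sample input.
SAMPLE_OUTPUT = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)
alert-interval 300
access-list acl_out; 1 elements
access-list acl_out line 1 permit tcp any interface outside eq smtp (hitcnt=0)
"""

@dataclass
class AclRule:
    name: str
    line: int
    action: str
    rule: str
    hits: int

def parse_show_access_list(output: str) -> List[AclRule]:
    """Extract per-rule hit counters; the summary and alert-interval lines are skipped."""
    rules = []
    for text in output.splitlines():
        m = ACL_RULE.match(text.strip())
        if m:
            rules.append(AclRule(m["name"], int(m["line"]), m["action"], m["rule"], int(m["hits"])))
    return rules

def smtp_hits(rules: List[AclRule]) -> int:
    """Sum the hits on permit rules that end in 'eq smtp' (TCP port 25)."""
    return sum(r.hits for r in rules if r.action == "permit" and r.rule.endswith("eq smtp"))

def next_check(before: str, after: str, banner_seen: bool) -> str:
    """Which side of the PIX to investigate next. 'before' and 'after' are
    show access-list captures taken around a test connection to port 25 from outside."""
    delta = smtp_hits(parse_show_access_list(after)) - smtp_hits(parse_show_access_list(before))
    if delta <= 0:
        return "upstream"     # PIX never saw the SMTP packet: ADSL router pinhole/firewall, then MX record
    if not banner_seen:
        return "translation"  # PIX saw it but nothing answered: check the static and the server's inside IP
    return "dns"              # path through the PIX works; remaining suspect is the MX record
```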