SMTP not going in or coming out

irweazel
Level 1

I have just put the PIX 501 firewall on; this is the first time I have played with one.

I set up PAT for one external address x.x.x.3, where the firewall's external IP is x.x.x.2. This works fine for browsing, downloading, etc. for all internal clients. But I have an Exchange server (5.5), so I want a static route in and out of the firewall for mail and eventually OWA. I can't get the ports open. From the outside I can't ping or telnet (on port 25) to the server, but it does resolve name to address, and from the inside I can't ping anything but can resolve. I have tried a static mapping from the external IP to the Exchange server, but this does not work. I have opened a TAC case, but none of their tips have helped. Mail NDRs come back internally - host unknown - and from the outside I can't make the connection.

Any help would be great

Cheers

Chris

4 Replies

steven.wilson
Level 1

A PIX will not allow anything in unless you specifically allow it to. To get SMTP type traffic in you should apply an access control list to the outside interface that allows SMTP traffic to the specific IP address that the inside exchange server is network address translated to.

access-list outside_access_in permit tcp any interface outside object-group mail

This service group has DNS, SMTP and WWW.

static (inside,outside) tcp interface www dtr-xchnge www netmask 255.255.255.255 0 0

static (inside,outside) tcp interface smtp dtr-xchnge smtp netmask 255.255.255.255 0 0

I was thinking that this should allow the mail to go through, but it doesn't work.

Listed below is a simplified version of how I usually configure a PIX to allow incoming SMTP traffic only and be a VPN server. I hope that this helps.

mgw-pix# wr t
Building configuration...
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password bigsecret
passwd littlesecret
hostname mgw-pix
domain-name steve.co.uk
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name xxx.xxx.xxx.y default-gateway
name 192.168.0.0 inside-network
name 192.168.0.1 mail-server
access-list 100 permit tcp any host xxx.xxx.xxx.z eq smtp
pager lines 24
logging on
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.x 255.255.255.248
ip address inside 192.168.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location mail-server 255.255.255.255 inside
pdm logging debugging 100
pdm history enable
arp timeout 14400
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) xxx.xxx.xxx.z mail-server netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 default-gateway 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http mail-server 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set steve esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set steve
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup pix506 address-pool home
vpngroup pix506 dns-server mail-server
vpngroup pix506 wins-server mail-server
vpngroup pix506 default-domain mgw.co.uk
vpngroup pix506 split-tunnel 110
vpngroup pix506 idle-time 1800
vpngroup pix506 password 1steve2
telnet 172.16.1.21 255.255.255.255 outside
telnet mail-server 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80

Steve
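Steve's config works because the static, the access-list and the access-group that applies it all point at the same global address; the check below, an added example and not Steve's or Cisco's code, parses those PIX 6.x lines and reports which piece is missing or unapplied, and notes when fixup protocol smtp (Mailguard) is on, since Mailguard only passes the basic RFC 821 SMTP commands. It runs on a constructed excerpt in documentation address space rather than the config above, and understands both the plain static and the "tcp interface" port-redirect form from the first reply.

```python
# Constructed PIX 6.x excerpt modelled on the config posted above; addresses are documentation ranges.
SAMPLE_CONFIG = """\
name 192.168.0.1 mail-server
fixup protocol smtp 25
access-list 100 permit tcp any host 203.0.113.10 eq smtp
ip address outside 203.0.113.9 255.255.255.248
static (inside,outside) 203.0.113.10 mail-server netmask 255.255.255.255 0 0
access-group 100 in interface outside
"""

def check_smtp_inbound(config):
    """Return findings on why inbound tcp/25 would not reach the translated mail host."""
    names, statics, acls, applied, outside_ip, findings = {}, [], {}, set(), None, []
    for w in (line.split() for line in config.splitlines()):
        if not w:
            continue
        if w[0] == "name":                                   # name IP ALIAS
            names[w[2]] = w[1]
        elif w[:3] == ["ip", "address", "outside"]:
            outside_ip = w[3]
        elif w[:3] == ["fixup", "protocol", "smtp"]:         # Mailguard inspection is enabled
            findings.append("info: Mailguard (fixup smtp) is on; it only passes the basic RFC 821 commands")
        elif w[:2] == ["static", "(inside,outside)"]:
            if w[2] == "tcp":                                # static (...) tcp GLOBAL GPORT LOCAL LPORT
                statics.append((w[3], w[4]))
            else:                                            # static (...) GLOBAL LOCAL  (all ports)
                statics.append((w[2], "any"))
        elif w[0] == "access-list":
            acls.setdefault(w[1], []).append(w[2:])
        elif w[0] == "access-group" and w[2:] == ["in", "interface", "outside"]:
            applied.add(w[1])
    def resolve(tok):                                        # 'interface' -> outside IP, alias -> IP
        return outside_ip if tok == "interface" else names.get(tok, tok)
    def acl_target(e):                                       # destination of 'permit tcp any host X eq smtp'
        if e[:3] != ["permit", "tcp", "any"] or e[-2:] not in (["eq", "smtp"], ["eq", "25"]):
            return None
        return outside_ip if e[3] == "interface" else resolve(e[4]) if e[3] == "host" else None
    global_ips = {resolve(g) for g, port in statics if port in ("any", "smtp", "25")} - {None}
    if not global_ips:
        findings.append("no static translates an outside address to the mail host for tcp/25")
    for g in global_ips:
        in_applied = any(acl_target(e) == g for a in applied for e in acls.get(a, []))
        in_any = any(acl_target(e) == g for a in acls for e in acls[a])
        if not in_applied:
            findings.append(f"an access-list permits smtp to {g} but no access-group applies it in on outside"
                            if in_any else f"no access-list permits tcp any host {g} eq smtp")
    return findings
```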

Spent a couple of hours on the phone to Cisco. I can receive mail and can send mail to a couple of hosts, but can't figure out why it comes back NDR from most. Thanks for the config.