Cisco Support Community
Community Member

SMTP not going in or coming out

I have just put the PIX 501 firewall on; this is the first time I have played with one.

I set up PAT for one external address x.x.x.3, where the firewall's external IP is x.x.x.2. This works fine for browsing, downloading etc. for all internal clients. But I have an Exchange server (5.5), so I want a static route in and out of the firewall for mail and eventually OWA. I can't get the ports open. From the outside I can't ping or telnet (on port 25) to the server, but it does resolve the name to an address, and from the inside I can't ping anything but can resolve. I have tried a static mapping from the external IP to the Exchange server but this does not work. I have opened a TAC case but none of their tips have helped. Mail NDRs come back internally (host unknown) and from the outside I can't make the connection.

Any help would be great



Community Member

Re: SMTP not going in or coming out

A PIX will not allow anything in unless you specifically allow it. To get SMTP traffic in, you should apply an access control list to the outside interface that allows SMTP traffic to the specific IP address that the inside Exchange server is network address translated to.

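The point made in the reply above is the one most often missed on a PIX 6.x: the outside ACL is matched against the translated (global) address, not the server's inside address, and it does nothing until an access-group binds it to the outside interface. The checker below is an added example, not code from this thread or from Cisco. It parses just the commands involved (name, static, access-list, access-group, object-group service, fixup), follows the first-match semantics of the ACL, and reports whether TCP/25 or TCP/80 to the server's global address is permitted; it also flags whether "fixup protocol smtp 25" (Mailguard) is active, since that changes what an SMTP peer sees. The two configs, the name dtr-xchnge and the addresses 203.0.113.3 and 10.1.1.25 are constructed for the demo.

```python
"""PIX 6.x inbound-service path check (added example, not from the thread).

Parses the commands that publish an inside server through a PIX and reports
whether TCP/<port> to the server's GLOBAL (translated) address is permitted
on the outside interface. dtr-xchnge, 203.0.113.3 and 10.1.1.25 are assumed.
"""

PORTS = {"smtp": 25, "www": 80, "http": 80, "https": 443, "domain": 53}


def port_num(tok):
    return PORTS.get(tok, int(tok) if tok.isdigit() else None)


def read_addr(tokens, i):
    """Consume one address spec (any | host X | interface NAME | NET MASK).
    'interface' is returned literally so it matches a PAT static."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    if tokens[i] == "interface":
        return "interface", i + 2
    return tokens[i], i + 2          # NET MASK: keep the network, drop the mask


def parse_config(text):
    cfg = {"names": {}, "statics": [], "acls": {}, "groups": {},
           "applied": {}, "fixups": set()}
    group = None
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] in ("!", ":"):
            continue
        if t[0] == "name" and len(t) >= 3:              # name IP ALIAS
            cfg["names"][t[2]] = t[1]
        elif t[0] == "fixup":                           # fixup protocol smtp 25 = Mailguard
            cfg["fixups"].add(t[2])
        elif t[0] == "object-group" and t[1] == "service":
            group = cfg["groups"].setdefault(t[2], set())
        elif t[0] == "port-object" and t[1] == "eq" and group is not None:
            group.add(port_num(t[2]))
        elif t[0] == "static" and t[2] in ("tcp", "udp"):   # static (in,out) tcp GLOBAL GPORT LOCAL LPORT
            cfg["statics"].append({"global": t[3], "gport": port_num(t[4]), "local": t[5]})
        elif t[0] == "static":                              # static (in,out) GLOBAL LOCAL
            cfg["statics"].append({"global": t[2], "gport": None, "local": t[3]})
        elif t[0] == "access-list" and t[2] in ("permit", "deny"):
            _, i = read_addr(t, 4)                      # source address, not needed here
            dst, i = read_addr(t, i)
            ports = None                                # None = any destination port
            if i < len(t) and t[i] == "eq":
                ports = {port_num(t[i + 1])}
            elif i < len(t) and t[i] == "object-group":
                ports = t[i + 1]                        # resolved at check time
            cfg["acls"].setdefault(t[1], []).append(
                {"action": t[2], "proto": t[3], "dst": dst, "ports": ports})
        elif t[0] == "access-group":                    # access-group NAME in interface IFACE
            cfg["applied"][t[4]] = t[1]
    return cfg


def inbound_tcp_path(cfg, server, port):
    """Report the static, the outside ACL, and whether it permits TCP/port."""
    def ip(x):
        return cfg["names"].get(x, x)

    out = {"static": None, "acl": cfg["applied"].get("outside"), "permitted": False,
           "mailguard": port == 25 and "smtp" in cfg["fixups"]}
    for s in cfg["statics"]:
        if ip(s["local"]) == ip(server) and s["gport"] in (None, port):
            out["static"] = s
            break
    if out["static"] is None or out["acl"] not in cfg["acls"]:
        return out
    for ace in cfg["acls"][out["acl"]]:
        ports = ace["ports"]
        if isinstance(ports, str):
            ports = cfg["groups"].get(ports, set())
        if (ace["proto"] in ("tcp", "ip")
                and ip(ace["dst"]) in ("any", ip(out["static"]["global"]))
                and (ports is None or port in ports)):
            out["permitted"] = ace["action"] == "permit"   # first matching entry wins
            break
    return out


# Constructed configs. BROKEN names the server's inside address in the ACL,
# which an outside ACL never sees; FIXED matches on the translated address.
BROKEN = """\
name 10.1.1.25 dtr-xchnge
fixup protocol smtp 25
static (inside,outside) 203.0.113.3 dtr-xchnge netmask 255.255.255.255 0 0
access-list outside_access_in permit tcp any host dtr-xchnge eq smtp
access-group outside_access_in in interface outside
"""

FIXED = """\
name 10.1.1.25 dtr-xchnge
fixup protocol smtp 25
object-group service mail tcp
  port-object eq smtp
  port-object eq www
static (inside,outside) tcp interface smtp dtr-xchnge smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www dtr-xchnge www netmask 255.255.255.255 0 0
access-list outside_access_in permit tcp any interface outside object-group mail
access-group outside_access_in in interface outside
"""

if __name__ == "__main__":
    for label, text in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        for port in (25, 80):
            print(label, port, inbound_tcp_path(parse_config(text), "dtr-xchnge", port))
```

Run it against "wr t" output saved to a file, substituting your own server name; a result with a static but permitted False is the case the reply above describes, and a static of None means the translation itself is missing for that port.
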
Community Member

Re: SMTP not going in or coming out

access-list outside_access_in permit tcp any interface outside object-group mail

This service group has DNS, SMTP and WWW.

static (inside,outside) tcp interface www dtr-xchnge www netmask 0 0

static (inside,outside) tcp interface smtp dtr-xchnge smtp netmask 0 0

I was thinking that this should allow the mail to go through, but it doesn't work.

Community Member

Re: SMTP not going in or coming out

Listed below is a simplified version of how I usually configure a PIX to allow incoming SMTP traffic only and be a VPN server. I hope that this helps.

mgw-pix# wr t

Building configuration...

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password bigsecret

passwd littlesecret

hostname mgw-pix


fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000


name default-gateway

name inside-network

name mail-server

access-list 100 permit tcp any host eq smtp

pager lines 24

logging on

interface ethernet0 auto

interface ethernet1 auto

mtu outside 1500

mtu inside 1500

ip address outside

ip address inside

ip audit info action alarm

ip audit attack action alarm

pdm location mail-server inside

pdm logging debugging 100

pdm history enable

arp timeout 14400

nat (inside) 1 0 0

static (inside,outside) mail-server netmask 0 0

access-group 100 in interface outside

route outside default-gateway 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http mail-server inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set steve esp-3des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set steve

crypto map mymap 10 ipsec-isakmp dynamic dynmap

crypto map mymap interface outside

isakmp enable outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup pix506 address-pool home

vpngroup pix506 dns-server mail-server

vpngroup pix506 wins-server mail-server

vpngroup pix506 default-domain

vpngroup pix506 split-tunnel 110

vpngroup pix506 idle-time 1800

vpngroup pix506 password 1steve2

telnet outside

telnet mail-server inside

telnet timeout 5

ssh timeout 5

terminal width 80


Community Member

Re: SMTP not going in or coming out

Spent a couple of hours on the phone to Cisco. I can receive mail and can send mail to a couple of hosts, but can't figure out why it comes back NDR from most. Thanks for the config.

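Once a static and ACL are in place, the useful check is an outside-in SMTP session rather than ping (which the configs in this thread do not permit). The probe below is an added example, not code from this thread or from Cisco. It connects to TCP/25, reads the banner, sends EHLO and classifies what comes back. With "fixup protocol smtp 25" (Mailguard) active, as in the config posted above, the PIX replaces the banner text after "220" with asterisks and answers any command outside HELO, MAIL, RCPT, DATA, RSET, NOOP and QUIT with a 500, so the probe shows both whether the path works at all and whether the firewall is trimming the dialogue to plain SMTP. The exchange logic is separated from the socket so it can be driven from a captured transcript; the two transcripts, probe.example.org and mail.example.net are constructed for the demo.

```python
"""Outside-in SMTP probe (added example, not from the thread).

Reads the banner, sends EHLO and QUIT, and reports whether the banner is
masked and whether ESMTP was accepted. The Mailguard signature assumed here
(asterisked banner, 500 to EHLO) is Cisco's documented PIX 6.x behaviour;
the transcripts and host names are constructed.
"""
import io
import socket


def read_reply(reader):
    """Read one SMTP reply, following 'NNN-' continuation lines.
    reader.readline() must return str lines; returns (code, [lines])."""
    lines = []
    while True:
        line = reader.readline()
        if not line:
            raise ConnectionError("peer closed before a complete reply")
        lines.append(line.rstrip("\r\n"))
        if len(lines[-1]) < 4 or lines[-1][3] != "-":
            break
    return int(lines[0][:3]), lines


def classify(banner, ehlo_code, ehlo_lines):
    """Masked banner plus 500 to EHLO is the Mailguard signature."""
    text = banner[3:].strip()
    return {
        "banner_masked": bool(text) and set(text) <= {"*"},
        "ehlo_code": ehlo_code,
        "esmtp": ehlo_code == 250,
        "extensions": [l[4:] for l in ehlo_lines[1:]] if ehlo_code == 250 else [],
    }


def diagnose(reader, send, helo_name="probe.example.org"):
    """Run banner / EHLO / QUIT over any reader and send callable."""
    _, banner = read_reply(reader)
    send("EHLO %s\r\n" % helo_name)
    code, lines = read_reply(reader)
    send("QUIT\r\n")
    return classify(banner[0], code, lines)


def probe(host, port=25, timeout=10):
    """Live probe; run from OUTSIDE the firewall against the global address."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        reader = s.makefile("r", encoding="ascii", errors="replace", newline="")
        return diagnose(reader, lambda text: s.sendall(text.encode("ascii")))


def diagnose_transcript(transcript):
    """Offline path: feed a server-side transcript through diagnose()."""
    sent = []
    result = diagnose(io.StringIO(transcript, newline=""), sent.append)
    result["sent"] = sent
    return result


# Constructed transcripts of what the server side sends.
MAILGUARD = "220 ****************************\r\n500 command unrecognized\r\n"
ESMTP = ("220 mail.example.net ESMTP ready\r\n"
         "250-mail.example.net\r\n250-SIZE 10240000\r\n250 8BITMIME\r\n")

if __name__ == "__main__":
    print(diagnose_transcript(MAILGUARD))
    print(diagnose_transcript(ESMTP))
```

A probe that times out with a static in place points at the ACL or access-group; a masked banner with a 500 to EHLO means the session reaches Exchange but only the minimal command set gets through, which is worth knowing before chasing delivery problems on the server itself.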