cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
468
Views
0
Helpful
7
Replies

SMTP out with VPN?

dsingleterry
Level 1
Level 1

I Don't exactly understand this, but after recently setting up a PIX 501 and establishing a VPN between two offices, I at the time tested email and only emailed to myself which worked, but was only within the same email pop3 server.

Since that time my users in the remote office have informed me that they are unable to email anyone outside our yearroundpool.com. They receive emails just fine, but cant send.

The message is:

The following recipient(s) could not be reached:

'***@aol.com' on 01/04/2003 11:48 AM

550 5.7.1 <***@aol.com>... Relaying denied. Please check your mail first.

Now the part that confuses me is that I have a permit IP 192.168.51.0 255.255.255.0 any on outbound traffic. That shouldnt be limiting smtp traffic out.

Is the VPN possibly causing the mail to attempt to jump across the VPN to send out and that the issue? If so, is there a way for me to tell the firewall to directly send smtp traffic out to the internet?

Thanks,

Dave

7 Replies 7

travis-dennis_2
Level 7
Level 7

Is this a mesage they recieve in the form of an e-mail from the e-mail server? The first thing that popped to mind was that since they are at a different IP address the e-mail server sees them as an outside entitiy trying to relay out the SMTP in the same manner as a spammer would do. Is this an Exchange box? If so then it can be corrected by allowing certain IP address to relay.

Yes, it is a message they receive from the email server as an undeliverable.

Our email is run outside the company for the time being. It is a pop3 server at mail.yearroundpool.com that I just setup the outlook clients to point to for both pop3 and smtp.

So if the email server sees smtp traffic coming from x.x.71.8 which is the outside interface of that PIX, are you saying it might not think that IP is allowable?

Just for histories sake, I took out a VPN supplied by the ISP (DSL) and the same external IP addresses were used there and I didnt have any issues then, but I also couldnt tell you what sort of rulesets they had on those routers that did the VPN and NAT'ing.

vghosh
Level 1
Level 1

Hi Dave,

From what you describe here is seems that your mail server is on 192.168.51.0 network. Just wanted you to check if you have a "global" statement on your configs using which outbound connection from your network to the INTERNET is made.

If not i suggest you add a global statement with a public IP Addresses using which outbound traffic can flow.

From the NDR which you have mentioned it clearly seems that the PIX Cannot communicate on SMTP outbound to any other mail server on the open internet.

Regards

Vikram

Im sorry, I must not have described it well. The mail server is external. That server is on x.x.6.213. I do not control that server, it is controlled by an ISP as a service we are renting.

The clients from the main office, 192.168.50.0, all connect and send to email fine through the 515e placed in that office.

The clients from the remote office, 192.168.51.0, can connect and pull down email from pop3, but cannot send email via smtp.

The access-lists on both pix's has a permit 192.168.50.0 (or 51.0 respectively) to any.

On the remote site with the 501 I have a global and nat statements as such:

global (outside) 2 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 2 192.168.51.0 255.255.255.0 0 0

If anyone has any more ideas on this, I would greatly appreciate it, I need to get this offices emails going out as soon as possible.

Thanks

I guess u r not able to connect on SMTP after your VPN/Firewall implementation. Can u check a) whether u are able to connect on SMTP to your mail server. I mean can u do a telnet x.x.6.213 25 and see if you can connect.

If u cant i guess the SMTP is going thru the NAT 0 command and hence unable to connect. U would need to check ACL inside_nat0_outbound in that scenario.

yes, i can connect via smtp at that office. Now something that sorta dawns on me here, I only have one DNS server, and its located at my 515e site. The 501 site users that cant send email out are getting their dns over the vpn from the 515e site.

Im gonna try going over to that site and changing the email smtp from the dns name to the actual ip address and see if it makes a difference,

if anyone can think of anything else that would help, I appreciate it.

Dave

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: