I don't exactly understand this, but after recently setting up a PIX 501 and establishing a VPN between two offices, I tested email at the time and only emailed myself, which worked, but that was only within the same email POP3 server.
Since that time my users in the remote office have informed me that they are unable to email anyone outside our yearroundpool.com. They receive emails just fine, but can't send.
The message is:
The following recipient(s) could not be reached:
'***@aol.com' on 01/04/2003 11:48 AM
550 5.7.1 <***@aol.com>... Relaying denied. Please check your mail first.
Now the part that confuses me is that I have a permit IP 192.168.51.0 255.255.255.0 any on outbound traffic. That shouldn't be limiting SMTP traffic out.
Is the VPN possibly causing the mail to attempt to jump across the VPN to send out, and is that the issue? If so, is there a way for me to tell the firewall to directly send SMTP traffic out to the internet?
Is this a message they receive in the form of an e-mail from the e-mail server? The first thing that popped to mind was that since they are at a different IP address, the e-mail server sees them as an outside entity trying to relay out the SMTP in the same manner as a spammer would do. Is this an Exchange box? If so, then it can be corrected by allowing certain IP addresses to relay.
Yes, it is a message they receive from the email server as an undeliverable.
Our email is run outside the company for the time being. It is a POP3 server at mail.yearroundpool.com that I just set up the Outlook clients to point to for both POP3 and SMTP.
So if the email server sees SMTP traffic coming from x.x.71.8, which is the outside interface of that PIX, are you saying it might not think that IP is allowable?
Just for history's sake, I took out a VPN supplied by the ISP (DSL) and the same external IP addresses were used there and I didn't have any issues then, but I also couldn't tell you what sort of rulesets they had on those routers that did the VPN and NAT'ing.
From what you describe here it seems that your mail server is on the 192.168.51.0 network. Just wanted you to check if you have a "global" statement in your configs using which outbound connection from your network to the Internet is made.
If not, I suggest you add a global statement with a public IP address using which outbound traffic can flow.
From the NDR which you have mentioned it clearly seems that the PIX cannot communicate on SMTP outbound to any other mail server on the open internet.
I guess you are not able to connect on SMTP after your VPN/firewall implementation. Can you check a) whether you are able to connect on SMTP to your mail server? I mean, can you do a telnet x.x.6.213 25 and see if you can connect?
If you can't, I guess the SMTP is going through the NAT 0 command and hence unable to connect. You would need to check ACL inside_nat0_outbound in that scenario.
Yes, I can connect via SMTP at that office. Now something that sorta dawns on me here: I only have one DNS server, and it's located at my 515e site. The 501 site users that can't send email out are getting their DNS over the VPN from the 515e site.
I'm gonna try going over to that site and changing the email SMTP from the DNS name to the actual IP address and see if it makes a difference.
If anyone can think of anything else that would help, I appreciate it.
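The relay explanation given earlier in the thread, as an added example that is not part of the original posts: a toy model of a mail server's RCPT TO decision, showing why mail to the local domain is accepted from any source address while mail to an outside domain gets 550 5.7.1. It assumes the server also uses POP-before-SMTP (suggested by "Please check your mail first" but not confirmed in the thread); the class, the 30-minute window, the 250 reply texts and both IP addresses are constructed.

```python
import ipaddress

LOCAL_DOMAINS = {"yearroundpool.com"}   # domain named in the thread
POP_WINDOW = 30 * 60                    # assumed relay window in seconds (constructed)


class RelayPolicy:
    """Toy model of an IP-based relay check with POP-before-SMTP (assumed)."""

    def __init__(self, static_allow=()):
        # Networks the operator has explicitly allowed to relay.
        self.static_allow = [ipaddress.ip_network(n) for n in static_allow]
        self.pop_seen = {}  # source IP -> time of last successful POP3 login

    def pop_login(self, client_ip, now):
        self.pop_seen[ipaddress.ip_address(client_ip)] = now

    def rcpt(self, client_ip, recipient, now):
        """Return the SMTP reply to RCPT TO for this source address."""
        addr = ipaddress.ip_address(client_ip)
        domain = recipient.rsplit("@", 1)[-1].lower()
        if domain in LOCAL_DOMAINS:
            # Delivery to the server's own domain is not relaying.
            return "250 ok (local delivery)"
        if any(addr in net for net in self.static_allow):
            return "250 ok (relay: allowed network)"
        last = self.pop_seen.get(addr)
        if last is not None and 0 <= now - last <= POP_WINDOW:
            return "250 ok (relay: recent POP3 login)"
        return f"550 5.7.1 <{recipient}>... Relaying denied"


def demo():
    # Constructed addresses from documentation ranges; the thread masks the real ones.
    pop_source, smtp_source = "198.51.100.20", "203.0.113.8"
    policy = RelayPolicy()
    policy.pop_login(pop_source, now=0)  # POP3 session seen from one public address
    return [
        policy.rcpt(smtp_source, "user@yearroundpool.com", 60),    # local: accepted
        policy.rcpt(smtp_source, "user@aol.com", 60),              # unknown source: denied
        policy.rcpt(pop_source, "user@aol.com", 60),               # same address as POP3: relayed
        policy.rcpt(pop_source, "user@aol.com", POP_WINDOW + 1),   # window expired: denied
    ]


if __name__ == "__main__":
    for reply in demo():
        print(reply)
```

The server decides on the source address it sees after NAT, so comparing the public address used for POP3 with the one used for SMTP is the first thing to check when only outside recipients are rejected.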