Solved

mail forwarding on a Cisco PIX 501

Posted on 2004-04-06
760 Views
Last Modified: 2013-11-16
Hello

Recently changed our connections to ADSL and have put a PIX 501 on it. I am new to the whole Cisco firewall thing. Most things are fine, we can browse out through it, but I can't seem to get our mail to come in and be forwarded to our Exchange mail server. Any help would be greatly appreciated. Here is my current config:

: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password blahblahblah encrypted
passwd blahblahblah encrypted
hostname GWpix
domain-name GRAINGER
no fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_access_in permit ip 192.196.61.0 255.255.255.0 any
access-list acl_out permit tcp any any eq smtp
pager lines 24
logging on
logging standby
mtu outside 1500
mtu inside 1500
ip address outside 87.125.128.101 255.255.255.255
ip address inside 192.196.61.15 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.196.61.1 255.255.255.255 inside
pdm location 218.189.138.123 255.255.255.255 outside
pdm location 218.189.138.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 218.189.138.123 192.196.61.1 netmask 255.255.255.255 0 0
static (outside,inside) 192.196.61.1 218.189.138.123 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group inside_access_in in interface inside
established tcp 135 0 permitto tcp 1024-65535 permitfrom tcp 0
route outside 0.0.0.0 0.0.0.0 87.125.128.101 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.196.61.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.196.61.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.196.61.16-192.196.61.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:51191145b24125a0a9914ba9f1af06b6
: end
[OK]
Question by:GWbjones

21 Comments

LVL 79

Expert Comment

by:lrmoore
Suggest:
Assuming:
Mail server = 192.196.61.1
Public MX Record points to 218.189.138.123
Your ISP routes this IP (218.189.138.123) through your interface ip
Your PIX Inside IP 192.196.61.15 is the Mail server's default gateway

- remove this line:
>static (outside,inside) 192.196.61.1 218.189.138.123 netmask 255.255.255.255 0 0

pix(config)#no static (outside,inside) 192.196.61.1 218.189.138.123 netmask 255.255.255.255
                 ^^
- remove these two lines. All outbound traffic is permitted without an acl:
access-list inside_access_in permit ip 192.196.61.0 255.255.255.0 any
access-group inside_access_in in interface inside

- change this:
>access-list acl_out permit tcp any any eq smtp
to this:
access-list acl_out permit tcp any host 218.189.138.123 eq smtp


Author Comment

by:GWbjones
I have done those changes and I think I understand them, a little bit anyway. Am I right in thinking those will only really affect mails that are going out? As I still don't seem to be getting any mails coming in.
F.Y.I - if it helps:
On-site Exchange mail Server 192.196.61.1
PIX local IP 192.196.61.15
Outside IP 87.125.128.101 - this is the IP on the internet of the PIX (I have "altered" this for security reasons)
ISP mail server 218.189.138.123 - where the mail is being sent from.
At the current moment the ISP sends the mail from 218.189.138.123 to 87.125.128.101; I then need it to be forwarded to 192.196.61.1.
Thanks so far but any ideas?
LVL 79

Expert Comment

by:lrmoore
>only really effect mails that are going out?
Not at all, only the inbound.

>ISP mail server 218.189.138.123 - where the mail is being sent from.
Big clue!
Now it all makes sense...

Remove all static lines:
no static (inside,outside) 218.189.138.123 192.196.61.1 netmask 255.255.255.255 0 0

Create Port static:
static (inside,outside) tcp interface 25 192.196.61.1 25 netmask 255.255.255.255

Permit inbound SMTP from the ISP's host only and re-apply the acl:

access-list acl_out permit tcp host 218.189.138.123 host 87.125.128.101 eq smtp
access-group acl_out in interface outside


LVL 4

Expert Comment

by:hawgpig
Check to make sure your ISP is pointing your mail to the correct address
you can look this up on www.dnsreport.com
type in your mail server name and see what comes up
Good Luck

Author Comment

by:GWbjones
I am still not getting any joy unfortunately; however, I was looking at the logs and when I think the emails tried to come in there was a Deny entry, but the IP was of the actual ADSL router.
The router's IP is 87.125.128.106 where the PIX is 87.125.128.101. We have 5 static IPs and the ISP are sending mail to 87.125.128.101.
As I think I'm learning as we go, I tried to let that through as well. Here is my current config; if it does look OK, could this be the way the ISP is sending the data?

: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password blahblahblah encrypted
passwd blahblahblah encrypted
hostname GWpix
domain-name GRAINGER
no fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_out permit tcp host 218.189.138.123 host 87.125.128.101 eq smtp
access-list acl_out permit tcp host 87.125.128.106 host 87.125.128.101 eq smtp
pager lines 24
logging on
logging standby
mtu outside 1500
mtu inside 1500
ip address outside 87.125.128.101 255.255.255.248
ip address inside 192.196.61.15 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.196.61.1 255.255.255.255 inside
pdm location 218.189.138.123 255.255.255.255 outside
pdm location 218.189.138.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp 192.196.61.1 smtp netmask 255.255.255.255 0 0
access-group acl_out in interface outside
established tcp 135 0 permitto tcp 1024-65535 permitfrom tcp 0
route outside 0.0.0.0 0.0.0.0 87.125.128.106 1
route outside 218.189.138.123 255.255.255.255 87.125.128.101 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.196.61.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.196.61.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.196.61.16-192.196.61.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:0f988e454a108b92da7607233f1113a6
: end
[OK]

Really appreciate everything so far....
LVL 79

Expert Comment

by:lrmoore
You can see with "show access-list", by looking at the hit counts, which access-list line is getting used.

Can you post the actual log entries with the deny?


LVL 4

Expert Comment

by:hawgpig
Try using this for your access-list

access-list acl_out permit tcp host 218.189.138.123 interface outside eq smtp

instead of this

access-list acl_out permit tcp host 218.189.138.123 host 87.125.128.101 eq smtp

Good Luck
LVL 6

Expert Comment

by:Pascal666
> route outside 218.189.138.123 255.255.255.255 87.125.128.101 1

Remove this line.  You do not want the PIX routing 218.189.138.123 to itself.

-Pascal
Author Comment

by:GWbjones
This is the deny message that comes up in the logs

Deny udp src outside:87.125.128.106/53 dst inside:87.125.128.101/8375 by access-group "acl_out"

I assume this is the mail trying to get in, as it's the only message that seems relevant. At no point do I see the IP from the ISP's mail server!

Sorry for the delay in responding but to make things extra fun BT keep losing the connection!!!
LVL 6

Expert Comment

by:Pascal666
UDP port 53 is DNS.  That message has nothing to do with your e-mail problem.

-Pascal
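Pascal's point, that a deny for udp/53 is a DNS reply and not the mail flow, is easy to check mechanically when the syslog is long. The Python script below is an added example, not code from the thread: it parses PIX 6.3 "Deny ... by access-group" lines into fields, names the service from the destination port (falling back to the source port so that a reply packet is still recognised), and filters down to the entries that could actually concern inbound SMTP. The sample log is constructed; only its first line is the entry quoted above, the other two are made up for contrast.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in the PIX 6.3 "Deny ... by access-group" syslog format.
# Line 1 is the entry quoted in the thread; lines 2 and 3 are made up for contrast.
SAMPLE_LOG = """\
Deny udp src outside:87.125.128.106/53 dst inside:87.125.128.101/8375 by access-group "acl_out"
Deny tcp src outside:218.189.138.123/40213 dst inside:192.196.61.1/25 by access-group "acl_out"
Deny tcp src outside:203.0.113.7/51000 dst inside:192.196.61.1/445 by access-group "acl_out"
"""

DENY_RE = re.compile(
    r'Deny (?P<proto>tcp|udp|icmp) '
    r'src (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)

# Well-known (protocol, port) pairs that matter when triaging a mail problem.
KNOWN_SERVICES = {
    ("udp", 53): "dns",
    ("tcp", 53): "dns",
    ("tcp", 25): "smtp",
    ("tcp", 80): "http",
    ("tcp", 443): "https",
}


@dataclass
class Deny:
    proto: str
    src_if: str
    src_ip: str
    src_port: int
    dst_if: str
    dst_ip: str
    dst_port: int
    acl: str
    service: str      # derived: which service the blocked flow most likely belongs to


def classify_service(proto: str, src_port: int, dst_port: int) -> str:
    """Name the service by destination port first; fall back to the source port so that
    a reply packet (e.g. a DNS answer from udp/53 to a high port) is still recognised."""
    return (KNOWN_SERVICES.get((proto, dst_port))
            or KNOWN_SERVICES.get((proto, src_port))
            or "other")


def parse_deny(line: str) -> Optional[Deny]:
    """Parse one syslog line; return None for lines that are not PIX Deny entries."""
    m = DENY_RE.search(line)
    if not m:
        return None
    sport, dport = int(m["sport"]), int(m["dport"])
    return Deny(m["proto"], m["sif"], m["sip"], sport, m["dif"], m["dip"], dport,
                m["acl"], classify_service(m["proto"], sport, dport))


def parse_denies(log_text: str) -> List[Deny]:
    """All Deny entries in a block of syslog text, in order."""
    return [d for d in (parse_deny(l) for l in log_text.splitlines()) if d is not None]


def smtp_denies(log_text: str) -> List[Deny]:
    """Only the entries that could explain missing inbound mail."""
    return [d for d in parse_denies(log_text) if d.service == "smtp"]


if __name__ == "__main__":
    for d in parse_denies(SAMPLE_LOG):
        print(f"{d.service:5} {d.proto} {d.src_ip}:{d.src_port} -> "
              f"{d.dst_ip}:{d.dst_port} (acl {d.acl})")
    print("SMTP-related denies from:", [d.src_ip for d in smtp_denies(SAMPLE_LOG)])
```

Run against a real export of the PIX syslog, the first line of the thread's log classifies as "dns" and drops out of `smtp_denies()`, which is exactly the point being made: if no entry with port 25 and the ISP's relay address shows up, the mail never reached the outside interface.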
LVL 4

Expert Comment

by:hawgpig
Did you try the access-list I gave you....
Change your access-list to "interface outside" instead of the outside ip address....
This will make the pix use the external address of the pix....no matter what it is....this seems to work better in 6.3 code.

I agree with Pascal.....The deny statement in your syslog has nothing to do with mail....
but it is an interesting message.....

Also if you are not seeing the ip address of your ISP mail server in the syslogs it means that the ISP is not sending you a packet.....OR you are not running in DEBUGGING mode....

I would check with the ISP again....and check www.dnsreport.com to see what is happening on their side....and what your server looks like to the world

Sounds like an ISP issue to me.....

A good way to test this is to telnet to port 25 from an external connection (dial-up or from home, etc) do a
telnet 1.1.1.1 25 (where 1.1.1.1 is the outside address of the pix)
If you get a blank screen that says ESMTP, the pix is passing the traffic....If the pix is not passing or if the routing is wrong you will get a connection timed out...or something to that effect...
Good Luck
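The port-25 probe hawgpig describes, written as a small Python script so the result is explicit rather than eyeballed from a telnet window. This is an added example, not code from the thread: `check_smtp_reachability()` connects to a host and port, reads the greeting, and reports "smtp-banner" (a 220 reply arrived, so the PIX passed the traffic to the mail server), "timeout" (what a missing static/ACL or a broken ISP path looks like) or "refused-or-unreachable". The `start_fake_smtp_banner()` helper is a constructed loopback stand-in for the Exchange server so the script can be exercised offline; the hostnames in the banners are made up.

```python
import socket
import threading


def classify_banner(banner: str) -> str:
    """Classify the first line the remote side sent on port 25.
    220 is the SMTP 'service ready' greeting; Exchange's contains 'ESMTP'."""
    first = banner.split("\r\n")[0].strip() if banner else ""
    if first.startswith("220"):
        return "smtp-banner"
    if first:
        return "unexpected-reply"
    return "no-banner"


def check_smtp_reachability(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect to host:port from wherever this runs, read the greeting, and say what happened.
    Run it from outside the firewall against the PIX outside address to mirror the manual
    telnet test; a timeout is what a missing static/ACL or a broken ISP path looks like."""
    result = {"host": host, "port": port, "connected": False, "banner": "", "verdict": ""}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            result["connected"] = True
            s.settimeout(timeout)
            result["banner"] = s.recv(512).decode("ascii", errors="replace")
            try:
                s.sendall(b"QUIT\r\n")        # close the session cleanly on a real server
            except OSError:
                pass
    except socket.timeout:
        result["verdict"] = "timeout"
        return result
    except OSError as exc:
        result["verdict"] = f"refused-or-unreachable: {exc.__class__.__name__}"
        return result
    result["verdict"] = classify_banner(result["banner"])
    return result


def start_fake_smtp_banner(banner: bytes) -> int:
    """Constructed stand-in for the mail server, for offline runs: listens on a loopback
    port, serves one connection with the given greeting, then closes. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
            try:
                conn.recv(64)                 # wait for QUIT (or for the client to close)
            except OSError:
                pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                     # usage: python check_smtp.py <pix-outside-ip> [port]
        target = sys.argv[1]
        tport = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    else:                                     # no argument: exercise the loopback stand-in
        tport = start_fake_smtp_banner(b"220 gw.example.test ESMTP\r\n")
        target = "127.0.0.1"
    print(check_smtp_reachability(target, tport))
```

The distinction between "timeout" and "refused-or-unreachable" is worth keeping: a refusal means something answered at the address (usually the wrong box, or no listener), while a timeout means packets are being dropped somewhere, which fits both a missing `static`/ACL pair and an ISP that is not delivering to the address at all.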
Author Comment

by:GWbjones
Below is my current config. I have tried adding some access lists which may be wrong, but am I right that

access-list acl_out permit tcp any interface outside eq smtp

means any smtp traffic from the outside will get passed through and that

static (inside,outside) tcp interface smtp 192.196.61.1 smtp netmask 255.255.255.255 0 0

will direct all smtp traffic from the pix to 192.196.61.1 which is the exchange server?

If so, then those 2 lines are all that are actually needed?

The cause of the problem is looking more and more likely to be the ISP. The connection is up and down and currently more down than up, and even when it is up people cannot ping the router. I have even put a PC outside the firewall on its own static IP and that cannot be reached either.

All help is appreciated as ever - thanks

: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password blahblah.blah encrypted
passwd blahblah.blah encrypted
hostname GWpix
domain-name GRAINGER
no fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_out permit tcp host 218.189.138.123 interface outside eq smtp
access-list acl_out permit tcp host 217.206.220.212 interface outside eq smtp
access-list acl_out permit tcp host 87.125.128.106 interface outside eq smtp
access-list acl_out permit tcp any interface outside eq smtp
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside 87.125.128.101 255.255.255.248
ip address inside 192.196.61.15 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.196.61.1 255.255.255.255 inside
pdm location 87.125.128.106 255.255.255.255 outside
pdm location 218.189.138.123 255.255.255.255 outside
pdm location 217.206.220.212 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp 192.196.61.1 smtp netmask 255.255.255.255 0 0
access-group acl_out in interface outside
established tcp 135 0 permitto tcp 1024-65535 permitfrom tcp 0
route outside 0.0.0.0 0.0.0.0 87.125.128.106 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.196.61.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.196.61.16-192.196.61.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:89cc325062855271cde0a1639f9a41e7
: end
[OK]
LVL 79

Expert Comment

by:lrmoore
If you are using PING as testing connectivity, then you need to permit the icmp responses back in through your access-list:

access-list acl_out permit icmp any any echo-reply
access-list acl_out permit icmp any any unreachable
access-list acl_out permit icmp any any ttl-expired

Re-apply the acl to the interface when you make changes to it

access-group acl_out in interface outside

Author Comment

by:GWbjones
I wasn't pinging the PIX, just the ADSL router which should be set up with no NAT. I cannot ping anything on the outside of the firewall.
LVL 79

Expert Comment

by:lrmoore
>I can not ping anything on the outside of the firewall.

Because you have not yet explicitly permitted the icmp replies in your acl.
Author Comment

by:GWbjones
Sorry - I should have explained better - I cannot ping anything on the outside of the firewall FROM the outside of the firewall. I got a third party to try it and they couldn't get a response.

Anyway, the ISP problems are separate. Do the config lines

access-list acl_out permit tcp any interface outside eq smtp

static (inside,outside) tcp interface smtp 192.196.61.1 smtp netmask 255.255.255.255 0 0

mean any smtp traffic will be let through and sent to the 192.196.61.1 exchange server?
LVL 79

Expert Comment

by:lrmoore
Yes, any traffic inbound to port 25 should be allowed in.
Try putting a PC on the outside subnet and try telnet to port 25:
C:\>telnet 218.189.138.123 25

You should get an Exchange message and > prompt
Author Comment

by:GWbjones
Cool and the

static (inside,outside) tcp interface smtp 192.196.61.1 smtp netmask 255.255.255.255 0 0

re-directs it to the exchange server on 192.196.61.1 ?

The link is down atm so I can't try the telnet.
LVL 79

Accepted Solution

by: lrmoore earned 200 total points
Yes, this static entry points all inbound traffic destined for port 25 to the inside host.
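The ACL that the accepted answer pairs with the port static is evaluated first-match, with an implicit deny at the end of every PIX access-list, and the "interface outside" keyword hawgpig suggested resolves to whatever address the outside interface currently holds. As an added example, not code from the thread, the Python model below parses the thread's final `acl_out` lines (plus lrmoore's echo-reply line), evaluates a few constructed packets against them, and keeps per-line hit counters in the spirit of "show access-list". The interface addresses and the ISP relay address are the ones from the thread; the 203.0.113.7 source is a made-up outside host, and the port-name table is only the subset needed here.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# PIX port keywords that appear in the thread's ACLs (a subset of the real table).
PORT_NAMES = {"smtp": 25, "domain": 53, "www": 80, "https": 443, "ftp": 21, "telnet": 23}


@dataclass
class Ace:
    action: str                 # permit | deny
    proto: str                  # ip | tcp | udp | icmp
    src: str                    # "any", "host:<ip>", "net:<cidr>", "interface:<name>"
    dst: str
    dport: Optional[int]        # from "eq <port>", None if absent
    icmp_type: Optional[str]    # e.g. "echo-reply", None if absent
    hits: int = 0               # hit counter, like the one "show access-list" displays


def _parse_addr(tok: List[str], i: int) -> Tuple[str, int]:
    """Parse one address specification starting at tok[i]; return (spec, next index)."""
    t = tok[i]
    if t == "any":
        return "any", i + 1
    if t in ("host", "interface"):
        return f"{t}:{tok[i + 1]}", i + 2
    net = ipaddress.ip_network(f"{t}/{tok[i + 1]}", strict=False)   # address + netmask
    return f"net:{net}", i + 2


def parse_ace(line: str) -> Tuple[str, Ace]:
    """access-list NAME ACTION PROTO SRC DST [eq PORT | ICMP-TYPE] -> (NAME, Ace)."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    name, action, proto = tok[1], tok[2], tok[3]
    src, i = _parse_addr(tok, 4)
    dst, i = _parse_addr(tok, i)
    dport = icmp_type = None
    if i < len(tok):
        if tok[i] == "eq":
            p = tok[i + 1]
            dport = int(p) if p.isdigit() else PORT_NAMES[p]
        elif proto == "icmp":
            icmp_type = tok[i]
    return name, Ace(action, proto, src, dst, dport, icmp_type)


def load_acls(config_text: str) -> Dict[str, List[Ace]]:
    """Collect access-list lines from a config dump, grouped by ACL name, in order."""
    acls: Dict[str, List[Ace]] = {}
    for line in config_text.splitlines():
        if line.startswith("access-list "):
            name, ace = parse_ace(line)
            acls.setdefault(name, []).append(ace)
    return acls


def _addr_match(spec: str, ip: str, iface_ips: Dict[str, str]) -> bool:
    kind, _, val = spec.partition(":")
    if kind == "any":
        return True
    if kind == "host":
        return ip == val
    if kind == "interface":          # "interface outside" resolves to that interface's IP
        return ip == iface_ips[val]
    return ipaddress.ip_address(ip) in ipaddress.ip_network(val)


def evaluate(aces: List[Ace], pkt: dict, iface_ips: Dict[str, str]) -> Tuple[str, Optional[int]]:
    """First-match evaluation; the PIX ends every ACL with an implicit deny (index None)."""
    for idx, a in enumerate(aces):
        if a.proto != "ip" and a.proto != pkt["proto"]:
            continue
        if not _addr_match(a.src, pkt["src"], iface_ips) or not _addr_match(a.dst, pkt["dst"], iface_ips):
            continue
        if a.dport is not None and a.dport != pkt.get("dport"):
            continue
        if a.icmp_type is not None and a.icmp_type != pkt.get("icmp_type"):
            continue
        a.hits += 1
        return a.action, idx
    return "deny", None


# The four acl_out lines from the final config in the thread, plus lrmoore's echo-reply line.
THREAD_ACL = """\
access-list acl_out permit tcp host 218.189.138.123 interface outside eq smtp
access-list acl_out permit tcp host 217.206.220.212 interface outside eq smtp
access-list acl_out permit tcp host 87.125.128.106 interface outside eq smtp
access-list acl_out permit tcp any interface outside eq smtp
access-list acl_out permit icmp any any echo-reply
"""
IFACE_IPS = {"outside": "87.125.128.101", "inside": "192.196.61.15"}


def demo() -> Dict[str, Tuple[str, Optional[int]]]:
    """Evaluate a few constructed packets against acl_out and return the decisions."""
    acl = load_acls(THREAD_ACL)["acl_out"]
    packets = {
        "smtp from ISP relay":  {"proto": "tcp", "src": "218.189.138.123", "dst": "87.125.128.101", "dport": 25},
        "smtp from anyone":     {"proto": "tcp", "src": "203.0.113.7", "dst": "87.125.128.101", "dport": 25},
        "dns reply (log line)": {"proto": "udp", "src": "87.125.128.106", "dst": "87.125.128.101", "dport": 8375},
        "ping reply":           {"proto": "icmp", "src": "87.125.128.106", "dst": "87.125.128.101", "icmp_type": "echo-reply"},
    }
    return {label: evaluate(acl, p, IFACE_IPS) for label, p in packets.items()}


if __name__ == "__main__":
    for label, (action, idx) in demo().items():
        where = "implicit deny" if idx is None else f"line {idx}"
        print(f"{label:22} -> {action} ({where})")
```

Two things the run makes visible: the logged udp/53 packet falls through to the implicit deny, confirming Pascal's reading, and once the `permit tcp any interface outside eq smtp` line is present the three host-specific lines above it only affect which counter increments, since anything they would match is matched by the `any` line as well. Keeping them is harmless but the `any` line is what actually opens port 25 to every sender.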
Author Comment

by:GWbjones
Thanks for everyone's help - although the problem isn't fixed, I think this is because of the ISP.
My question was how to direct mail to the Exchange server and this has been answered.
I am happy and looking forward to the fun tomorrow when the connection is hopefully fixed.
LVL 79

Expert Comment

by:lrmoore
Glad to help, but hawgpig deserves some credit for pointing out the option of using "interface" instead of the IP in the inbound acl..
