Solved

No receiving e-mail from PIX firewall

Posted on 2004-08-16
Last Modified: 2008-01-09
I replaced an ISA server with a PIX 515 firewall. Internet as well as sending e-mail are working fine, but I still cannot receive e-mail. The Exchange server/domain controller has a private IP, 192.168.150.6, located in the internal network. We only use one public IP: X.X.230.130.
Being new to firewall configuration, I am wondering what I am missing....
This is the config. file:

PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Yn8Esq3NcXIHL35v encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname Mypix
domain-name Mydomain.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol http 8080
names
access-list outside_access_in permit tcp any host x.x.230.130 eq smtp
access-list outside_access_in permit icmp any host x.x.230.130
access-list outside_access_in permit icmp any host x.x.230.130 time-exceeded
access-list outside_access_in permit icmp any host x.x.230.130 unreachable
pager lines 24
logging on
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside x.x.230.130 255.255.255.224
ip address inside 192.168.150.4 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp x.x.230.130 smtp 192.168.150.6 smtp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.230.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 60
ssh timeout 5
terminal width 80
Cryptochecksum:77eb367db63b049189216e1d3081e306

Thanks for your help!!!
Question by:ggmisadmin
LVL 7

Expert Comment

by:Robing66066
ID: 11814829
Don't use the same address for your outside address as your email server.  Theoretically it should work, but in practice it really doesn't work very well at all.

Author Comment

by:ggmisadmin
ID: 11815011
The outside address is also the IP that my ISP's DNS resolves for my domain. If I changed that address, how would I receive e-mail from external SMTP?
Thanks for your help.....
LVL 7

Accepted Solution

by:
Robing66066 earned 150 total points
ID: 11815520
It appears as though you only have a mail server on the inside that needs access from the Internet.  If that is the case, you would need to have your ISP assign you an additional address.  Use the additional address for your outside address and keep the old one for your mail server.  (If this can't be done, you will have to get your ISP to change the DNS mx record for your mail server to the new address.)
LVL 79

Expert Comment

by:lrmoore
ID: 11815750
For Exchange, you need to disable fixup:
>fixup protocol smtp 25

change to
no fixup protocol smtp 25
^
LVL 11

Expert Comment

by:PennGwyn
ID: 11816354
lrmoore is correct, but doesn't explain why.

Exchange talks *ESMTP*, not vanilla SMTP.  The PIX fixup only talks SMTP; take out the fixup, and Exchange will be happy.


Author Comment

by:ggmisadmin
ID: 11817240
OK,
First: I will try to change the command "fixup protocol smtp 25" to "NO fixup protocol smtp 25".
Second: According to what Robing66066 suggested, supposing my ISP assigned me an extra public IP, let's say x.x.230.131, in that case I would have to change the line "ip address outside x.x.230.130 255.255.255.224" to "ip address outside x.x.230.131 255.255.255.224" and the rest would stay the same (including the NAT, Global and Static lines). At this point, if someone sends me an e-mail to x.x.230.130 (which is the DNS MX record for my e-mail server), where would it be forwarded to, now that the external interface's IP has been changed to x.x.230.131??
Sorry for my confusion, but a nice explanation would give me a better sleep.....
LVL 2

Assisted Solution

by:AndyJG247
AndyJG247 earned 150 total points
ID: 11819386
You have a 255.255.255.224 mask, so you 'possibly' have 32 addresses already, 30 of which are usable, but that is another point.

If you had an internal server on 192.168.150.6,
an MX record pointing to x.x.230.130 and spare addresses including 230.131 etc., you would use these commands.

ip address outside x.x.230.131 255.255.255.224
route outside 0 0 x.x.230.129 1
static (inside,outside) x.x.230.130 192.168.150.6
access-list inbound permit tcp any host x.x.230.130 eq smtp
access-group inbound in interface outside

Theory being:
-The static is what maps your internal server to the external ip address not your PIX's external ip address.
-Your current static (with the tcp and port 25 bits) is only mapping port 25 from the external address to your internal server.  This means you need to use the nat/global commands to provide internet access for this server.  If you just use the static (in,out) x.x.230.130 192.168.150.6 command you can ditch the nat and global commands as this static will also provide an outbound 'route' for this server.  Of course assuming nothing else needs these nat and globals...
-Your PIX external ip would then not be relevant in regards to the mail coming in as it would all be handled by this static.

Hope that makes sense, apologies if not.

cheers
Andy
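As an added illustration (not written by any of the posters in this thread), the following Python lint checks a PIX 6.x config excerpt for the three points raised above: the SMTP fixup that mangles Exchange's ESMTP, a static that reuses the outside interface's own address, and an inbound access-list actually applied for the static's global IP. Both config excerpts are constructed from the lines quoted in this thread; the netmask on the one-to-one static is an assumption (the PIX default).

```python
def parse_static(line):
    """Parse 'static (inside,outside) [tcp|udp] GLOBAL [GPORT] LOCAL ...' into a dict."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "static":
        return None
    if tok[2] in ("tcp", "udp"):  # port-only static: translates just one port
        return {"proto": tok[2], "global": tok[3], "gport": tok[4], "local": tok[5]}
    return {"proto": None, "global": tok[2], "local": tok[3]}  # one-to-one static

def lint_pix_mail(cfg):
    # Returns a list of findings; an empty list means none of the thread's issues is present.
    lines = [l.strip() for l in cfg.splitlines() if l.strip()]
    findings = []
    # 1. 'fixup protocol smtp' only understands plain SMTP; Exchange speaks ESMTP.
    if "fixup protocol smtp 25" in lines:
        findings.append("smtp fixup enabled: breaks ESMTP (Exchange)")
    outside_ip = next((l.split()[3] for l in lines if l.startswith("ip address outside")), None)
    has_nat = any(l.startswith("nat (inside)") for l in lines)
    # ACL names actually applied inbound on the outside interface.
    applied = {l.split()[1] for l in lines
               if l.startswith("access-group") and l.endswith("in interface outside")}
    for st in filter(None, map(parse_static, lines)):
        # 2. The static's global IP must not be the outside interface's own address.
        if st["global"] == outside_ip:
            findings.append(f"static for {st['local']} uses the outside interface IP {outside_ip}")
        # 3. A port-only static gives the server no outbound translation of its own.
        if st["proto"] and not has_nat:
            findings.append(f"port-only static for {st['local']} but no nat (inside) for outbound")
        # 4. Some ACL applied on the outside must permit SMTP to the static's global IP.
        ok = any(l.split()[1] in applied and f"host {st['global']}" in l and l.endswith("eq smtp")
                 for l in lines if l.startswith("access-list"))
        if not ok:
            findings.append(f"no applied access-list permits smtp to {st['global']}")
    return findings

# Constructed excerpt of the asker's posted config (only the lines the checks look at).
ORIGINAL_CFG = """
fixup protocol smtp 25
access-list outside_access_in permit tcp any host x.x.230.130 eq smtp
ip address outside x.x.230.130 255.255.255.224
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp x.x.230.130 smtp 192.168.150.6 smtp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
"""
# Constructed excerpt of the configuration the thread converges on (netmask assumed).
FIXED_CFG = """
no fixup protocol smtp 25
ip address outside x.x.230.131 255.255.255.224
static (inside,outside) x.x.230.130 192.168.150.6 netmask 255.255.255.255 0 0
access-list inbound permit tcp any host x.x.230.130 eq smtp
access-group inbound in interface outside
"""
```

Running `lint_pix_mail(ORIGINAL_CFG)` reports the fixup and the interface-address collision, while `lint_pix_mail(FIXED_CFG)` returns an empty list.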

Author Comment

by:ggmisadmin
ID: 11824225
Thanks very much for your help, guys....it seems to be fine now. I was able to get an extra IP from my ISP and I reconfigured it the way you suggested. I am able to both send and receive e-mail.
Before I close this question.....do I have to open the www port in order for users to be able to access web e-mail (OWA)??
Thanks again!!

LVL 7

Expert Comment

by:Robing66066
ID: 11824242
Depends.  If you are using SSL security, you'll need to open 443.  Otherwise, 80 will do.
LVL 2

Expert Comment

by:AndyJG247
ID: 11825034
Good Luck

cheers
Andy
