  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1531

No receiving e-mail from PIX firewall

I replaced an ISA server with a PIX 515 firewall. Internet as well as sending e-mail are working fine, but I still cannot receive e-mail. The Exchange server/domain controller has a private IP, 192.168.150.6, located in the internal network. We only use one public IP: X.X.230.130.
Being new on firewall configuration, I am wondering what I am missing....
This is the config. file:

PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Yn8Esq3NcXIHL35v encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname Mypix
domain-name Mydomain.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol http 8080
names
access-list outside_access_in permit tcp any host x.x.230.130 eq smtp
access-list outside_access_in permit icmp any host x.x.230.130
access-list outside_access_in permit icmp any host x.x.230.130 time-exceeded
access-list outside_access_in permit icmp any host x.x.230.130 unreachable
pager lines 24
logging on
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside x.x.230.130 255.255.255.224
ip address inside 192.168.150.4 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp x.x.230.130 smtp 192.168.150.6 smtp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.230.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 60
ssh timeout 5
terminal width 80
Cryptochecksum:77eb367db63b049189216e1d3081e306

Thanks for your help!!!
Asked by: ggmisadmin

2 Solutions
Robing66066Commented:
Don't use the same address for your outside address as your email server.  Theoretically it should work, but in practice it really doesn't work very well at all.
ggmisadminAuthor Commented:
The outside address is also the IP that my ISP's DNS resolves for my domain. If I changed that address, how would I receive e-mail from external SMTP?
Thanks for your help.....
Robing66066Commented:
It appears as though you only have a mail server on the inside that needs access from the Internet.  If that is the case, you would need to have your ISP assign you an additional address.  Use the additional address for your outside address and keep the old one for your mail server.  (If this can't be done, you will have to get your ISP to change the DNS mx record for your mail server to the new address.)
lrmooreCommented:
For Exchange, you need to disable fixup:
>fixup protocol smtp 25

change to
no fixup protocol smtp 25
^
PennGwynCommented:
lrmoore is correct, but doesn't explain why.

Exchange talks *ESMTP*, not vanilla SMTP.  The PIX fixup only talks SMTP; take out the fixup, and Exchange will be happy.

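A way to see from outside what lrmoore and PennGwyn describe, as an added example that is not code from the original thread: the script below opens an SMTP session, reads the greeting, sends EHLO and classifies what answered. It relies on two documented behaviours of the PIX "fixup protocol smtp" inspection (Mailguard): the server banner is masked to asterisks, and any command outside the RFC 821 minimum set (HELO, MAIL, RCPT, DATA, RSET, NOOP, QUIT) is answered with a 500 reply, so a peer's EHLO never gets its extension list. The host names and canned replies are constructed for illustration; the I/O is injected so the same logic runs offline against the constructed transcripts or, via probe_host, against a real listener.

```python
"""Probe an SMTP listener and flag Cisco PIX Mailguard from its behaviour.

Added example for this thread, not code from the original post.  Relies on
two pieces of documented PIX 'fixup protocol smtp' behaviour: the banner is
masked with asterisks, and commands outside the RFC 821 minimum set (EHLO
included) get a 500 reply.  Host names and replies below are constructed.
"""
import re
import socket


def read_reply(readline):
    """Collect one SMTP reply, multi-line or not; return (code, lines)."""
    lines = []
    while True:
        raw = readline()
        if not raw:
            raise ConnectionError("peer closed the connection")
        line = raw.rstrip("\r\n")
        lines.append(line)
        # "250-..." continues the reply; "250 ..." (or a short line) ends it
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), lines


def banner_masked(banner):
    """True when the greeting looks Mailguard-masked: asterisks, no letters."""
    text = banner[4:]
    return "*" in text and not re.search(r"[A-Za-z]", text)


def classify(banner, ehlo_code):
    if banner_masked(banner):
        return "mailguard"       # PIX inspection is rewriting the session
    if ehlo_code == 250:
        return "esmtp"           # EHLO accepted; extensions were listed
    if ehlo_code in (500, 502):
        return "smtp-only"       # the server itself declines EHLO
    return "unknown"


def probe(readline, write, helo_name="probe.example.invalid"):
    """Banner -> EHLO -> QUIT over injected I/O callables."""
    code, lines = read_reply(readline)
    banner = lines[0]
    if code != 220:
        raise RuntimeError("unexpected greeting: " + banner)
    write("EHLO %s\r\n" % helo_name)
    ehlo_code, ehlo_lines = read_reply(readline)
    write("QUIT\r\n")
    extensions = [l[4:] for l in ehlo_lines[1:]] if ehlo_code == 250 else []
    return {"banner": banner, "ehlo_code": ehlo_code,
            "extensions": extensions, "verdict": classify(banner, ehlo_code)}


def probe_host(host, port=25, timeout=10):
    """The same exchange against a real listener (hypothetical host name)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        rfile = s.makefile("r", encoding="ascii", errors="replace", newline="")
        return probe(rfile.readline, lambda d: s.sendall(d.encode("ascii")))


def fake_session(replies):
    """Constructed in-memory peer: serves canned replies in order and records
    what the probe sent.  Returns (readline, write, sent)."""
    it = iter(replies)
    sent = []
    return (lambda: next(it, ""), sent.append, sent)


# Constructed transcripts: Mailguard in the path versus a direct Exchange box
MAILGUARD_REPLIES = ["220 **************0*****2000*\r\n",
                     "500 command unrecognized\r\n", "221 closing\r\n"]
EXCHANGE_REPLIES = ["220 mail.example.invalid ESMTP\r\n",
                    "250-mail.example.invalid\r\n", "250-SIZE 10240000\r\n",
                    "250 8BITMIME\r\n", "221 closing\r\n"]

if __name__ == "__main__":
    for name, replies in (("mailguard", MAILGUARD_REPLIES),
                          ("exchange", EXCHANGE_REPLIES)):
        r, w, sent = fake_session(replies)
        print(name, probe(r, w))
```

Run it against your MX from a host outside the firewall: a "mailguard" verdict with a 500 to EHLO means the fixup is still active on the inbound path; after "no fixup protocol smtp 25" the same probe should return the real Exchange banner and an "esmtp" verdict.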
ggmisadminAuthor Commented:
OK,
First: I will try to change the command "fixup protocol smtp 25" to "NO fixup protocol smtp 25".
Second: According to what Robing66066 suggested, pretending my ISP assigned me an extra public IP, let's say x.x.230.131, in that case I would have to change the line "ip address outside x.x.230.130 255.255.255.224" to "ip address outside x.x.230.131 255.255.255.224" and the rest would stay the same (including the NAT, Global and Static lines). At this point, if someone sends me an e-mail to x.x.230.130 (which is the DNS MX record for my e-mail server), where would it be forwarded to, now that the external interface's IP has been changed to x.x.230.131?
Sorry for my confusion, but a nice explanation would give me better sleep.....
AndyJG247Commented:
You have a 255.255.255.224 mask, so you 'possibly' have 32 addresses already, 30 of which are usable, but that is another point.

If you had an internal server on 192.168.150.6, an MX record pointing to x.x.230.130 and spare addresses including 230.131 etc., you would use these commands.

ip address outside x.x.230.131 255.255.255.224
route outside 0 0 x.x.230.129 1
static (inside,outside) x.x.230.130 192.168.150.6
access-list inbound permit tcp any host x.x.230.130 eq smtp
access-group inbound in interface outside

Theory being:
-The static is what maps your internal server to the external ip address not your PIX's external ip address.
-Your current static (with the tcp and port 25 bits) is only mapping port 25 from the external address to your internal server.  This means you need to use the nat/global commands to provide internet access for this server.  If you just use the static (in,out) x.x.230.130 192.168.150.6 command you can ditch the nat and global commands as this static will also provide an outbound 'route' for this server.  Of course assuming nothing else needs these nat and globals...
-Your PIX external ip would then not be relevant in regards to the mail coming in as it would all be handled by this static.

Hope that makes sense, apologies if not.

cheers
Andy
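The two conditions this thread turns on, a static that reuses the outside interface address and Mailguard sitting in front of an SMTP static, can be checked mechanically before a config goes live. The linter below is an added example, not code from the thread or from Cisco; it parses only the PIX 6.x command forms that appear in the posted config (ip address, fixup, static, access-list) and reports findings as (kind, global address, detail) tuples. The two embedded snippets are constructed: one from the original posted config, the other from AndyJG247's replacement plus the "no fixup protocol smtp 25" change lrmoore recommended.

```python
"""Lint a Cisco PIX 6.x config for the problems raised in this thread.

Added example, not code from the thread.  Understands only: ip address,
fixup/no fixup protocol smtp, static (both the port form and the whole-host
form) and access-list permit lines.  Config snippets are constructed.
"""

SERVICE = {"smtp": 25, "www": 80, "http": 80, "https": 443}


def port_num(tok):
    """Service name or number -> port; None for anything else."""
    return SERVICE.get(tok, int(tok) if tok.isdigit() else None)


def _addr(t, i):
    """Parse an ACL address spec starting at t[i]; return (spec, next index)."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    return t[i] + "/" + t[i + 1], i + 2


def parse(config):
    f = {"if_addr": {}, "statics": [], "acl": [], "smtp_fixup": False}
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:2] == ["ip", "address"] and len(t) >= 4:
            f["if_addr"][t[2]] = t[3]
        elif t[:3] == ["fixup", "protocol", "smtp"]:
            f["smtp_fixup"] = True
        elif t[:4] == ["no", "fixup", "protocol", "smtp"]:
            f["smtp_fixup"] = False
        elif t[0] == "static" and t[2] in ("tcp", "udp"):
            # static (in,out) tcp <global> <gport> <local> <lport> netmask ...
            f["statics"].append({"global": t[3], "port": port_num(t[4]),
                                 "local": t[5]})
        elif t[0] == "static":
            # static (in,out) <global> <local> netmask ...   (all ports)
            f["statics"].append({"global": t[2], "port": None, "local": t[3]})
        elif t[0] == "access-list" and "permit" in t:
            i = t.index("permit") + 1
            proto = t[i]
            _, i = _addr(t, i + 1)          # source spec, not needed here
            dst, i = _addr(t, i)
            port = port_num(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            f["acl"].append({"proto": proto, "dst": dst, "port": port})
    return f


def lint(config):
    """Return a list of (kind, global_ip, detail) findings."""
    f = parse(config)
    outside = f["if_addr"].get("outside")
    tcp_acl = [a for a in f["acl"] if a["proto"] == "tcp"]
    findings = []
    for s in f["statics"]:
        permits = [a for a in tcp_acl if a["dst"] in ("any", s["global"])
                   and (s["port"] is None or a["port"] in (None, s["port"]))]
        if s["global"] == outside:          # the problem in this thread
            findings.append(("static-on-interface", s["global"], s["local"]))
        if not permits:                     # translated but never reachable
            findings.append(("static-without-acl", s["global"], s["local"]))
        if (f["smtp_fixup"] and s["port"] in (None, 25)
                and any(a["port"] in (None, 25) for a in permits)):
            findings.append(("smtp-fixup", s["global"], s["local"]))
    mapped = {s["global"] for s in f["statics"]}
    for a in tcp_acl:                       # permit to an address nothing maps
        if a["dst"] != "any" and "/" not in a["dst"] and a["dst"] not in mapped:
            findings.append(("acl-without-static", a["dst"], a["port"]))
    return findings


# Constructed from the posted config (relevant lines only)
ORIGINAL = """\
fixup protocol smtp 25
access-list outside_access_in permit tcp any host x.x.230.130 eq smtp
access-list outside_access_in permit icmp any host x.x.230.130
ip address outside x.x.230.130 255.255.255.224
ip address inside 192.168.150.4 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp x.x.230.130 smtp 192.168.150.6 smtp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
"""

# Constructed from AndyJG247's replacement plus lrmoore's fixup change
FIXED = """\
no fixup protocol smtp 25
ip address outside x.x.230.131 255.255.255.224
route outside 0 0 x.x.230.129 1
static (inside,outside) x.x.230.130 192.168.150.6 netmask 255.255.255.255
access-list inbound permit tcp any host x.x.230.130 eq smtp
access-group inbound in interface outside
"""

if __name__ == "__main__":
    print("original:", lint(ORIGINAL))
    print("fixed:   ", lint(FIXED))
```

The checks are deliberately narrow: a whole-host static also covers ports the ACL does not open, which is fine on a PIX because the access-group still gates what is reachable, so the linter only complains when a static has no permit at all or a permit points at an address nothing maps.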
ggmisadminAuthor Commented:
Thanks very much for your help, guys....it seems to be fine now. I was able to get an extra IP from my ISP and I reconfigured it the way you suggested. I am able to both send and receive e-mail.
Before I close this question.....do I have to open the www port in order for users to be able to access web e-mail (OWA)?
Thanks again!!

Robing66066Commented:
Depends.  If you are using SSL security, you'll need to open 443.  Otherwise, 80 will do.
AndyJG247Commented:
Good Luck

cheers
Andy