Solved

No receiving e-mail from PIX firewall

Posted on 2004-08-16
Last Modified: 2008-01-09
I replaced an ISA server with a PIX 515 firewall. Internet as well as sending e-mail are working fine, but I still cannot receive e-mail. The Exchange server/domain controller has a private IP, 192.168.150.6, located in the internal network. We only use one public IP: X.X.230.130.
Being new to firewall configuration, I am wondering what I am missing....
This is the config file:

PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Yn8Esq3NcXIHL35v encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname Mypix
domain-name Mydomain.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol http 8080
names
access-list outside_access_in permit tcp any host x.x.230.130 eq smtp
access-list outside_access_in permit icmp any host x.x.230.130
access-list outside_access_in permit icmp any host x.x.230.130 time-exceeded
access-list outside_access_in permit icmp any host x.x.230.130 unreachable
pager lines 24
logging on
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside x.x.230.130 255.255.255.224
ip address inside 192.168.150.4 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp x.x.230.130 smtp 192.168.150.6 smtp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.230.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 60
ssh timeout 5
terminal width 80
Cryptochecksum:77eb367db63b049189216e1d3081e306

Thanks for your help!!!
Question by: ggmisadmin

10 Comments
 
LVL 7

Expert Comment

by:Robing66066
ID: 11814829
Don't use the same address for your outside address as your email server.  Theoretically it should work, but in practice it really doesn't work very well at all.
 

Author Comment

by:ggmisadmin
ID: 11815011
The outside address is also the IP that my ISP's DNS resolves for my domain. If I changed that address, how would I receive e-mail from external SMTP servers?
Thanks for your help.....
 
LVL 7

Accepted Solution

by: Robing66066 (earned 600 total points)
ID: 11815520
It appears as though you only have a mail server on the inside that needs access from the Internet.  If that is the case, you would need to have your ISP assign you an additional address.  Use the additional address for your outside address and keep the old one for your mail server.  (If this can't be done, you will have to get your ISP to change the DNS mx record for your mail server to the new address.)
 
LVL 79

Expert Comment

by:lrmoore
ID: 11815750
For Exchange, you need to disable fixup:
>fixup protocol smtp 25

change to
no fixup protocol smtp 25
^
 
LVL 11

Expert Comment

by:PennGwyn
ID: 11816354
lrmoore is correct, but doesn't explain why.

Exchange talks *ESMTP*, not vanilla SMTP.  The PIX fixup only talks SMTP; take out the fixup, and Exchange will be happy.

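To show concretely what the two comments above describe, here is an added Python model (not code from this thread, from Cisco, or from Microsoft) of a command-filtering SMTP fixup sitting between an ESMTP client and server. The allowed-command set is the seven minimal SMTP commands Cisco documents for PIX Mail Guard; the server, its extension list, the reply texts and the client's HELO fallback are constructed assumptions for illustration.

```python
# Added example: a model of PIX "fixup protocol smtp" (Mail Guard) between an
# ESMTP client and server. The allowed-command set is the one Cisco documents
# for Mail Guard; the server's extension list, reply texts and the client's
# HELO fallback are constructed assumptions for illustration.

# The seven minimal RFC 821 commands Mail Guard lets through.
MAILGUARD_ALLOWED = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}

# Extensions the constructed server advertises in its EHLO reply.
SERVER_EXTENSIONS = ["SIZE 10485760", "8BITMIME", "STARTTLS", "CHUNKING"]


def server_reply(command_line: str) -> list:
    """Constructed ESMTP server: returns the reply lines for one command."""
    verb = command_line.split()[0].upper()
    if verb == "EHLO":
        # Multi-line 250 reply: "250-" on continuation lines, "250 " on the last.
        lines = ["250-mail.example.test Hello"]
        lines += [f"250-{ext}" for ext in SERVER_EXTENSIONS[:-1]]
        lines.append(f"250 {SERVER_EXTENSIONS[-1]}")
        return lines
    if verb == "HELO":
        return ["250 mail.example.test Hello"]
    if verb == "QUIT":
        return ["221 mail.example.test closing"]
    if verb in MAILGUARD_ALLOWED:
        return ["250 OK"]
    return ["500 5.5.1 Command unrecognized"]


def pix_forward(command_line: str, fixup_enabled: bool) -> list:
    """What the client sees: with the fixup on, a command outside the minimal
    set never reaches the server; the firewall answers 500 on its behalf."""
    verb = command_line.split()[0].upper()
    if fixup_enabled and verb not in MAILGUARD_ALLOWED:
        return ["500 command unrecognized"]
    return server_reply(command_line)


def esmtp_greeting(fixup_enabled: bool, helo_fallback: bool = True) -> dict:
    """Open a session the way an ESMTP peer does: EHLO first, and only fall
    back to HELO if the peer is willing to run without extensions.

    Returns the greeting that succeeded (or None) and the extensions learned."""
    reply = pix_forward("EHLO client.example.test", fixup_enabled)
    if reply[0].startswith("250"):
        # Strip the "250-" / "250 " prefix from each extension line.
        return {"greeting": "EHLO", "extensions": [ln[4:] for ln in reply[1:]]}
    if helo_fallback:
        reply = pix_forward("HELO client.example.test", fixup_enabled)
        if reply[0].startswith("250"):
            return {"greeting": "HELO", "extensions": []}
    return {"greeting": None, "extensions": []}


if __name__ == "__main__":
    for fixup in (True, False):
        print(f"fixup protocol smtp 25 {'on' if fixup else 'off'}:")
        print("  peer with HELO fallback:", esmtp_greeting(fixup))
        print("  ESMTP-only peer:        ", esmtp_greeting(fixup, helo_fallback=False))
```

With the fixup on, an ESMTP-only peer never gets past the greeting, and a peer that does fall back to HELO loses every extension it would otherwise have negotiated (SIZE, 8BITMIME, STARTTLS and so on). What the fixup gave in return was command filtering and banner masking on port 25, so once it is turned off the Exchange server's own SMTP settings are the only control on which commands it accepts.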
 

Author Comment

by:ggmisadmin
ID: 11817240
OK,
First: I will try to change the command "fixup protocol smtp 25" to "no fixup protocol smtp 25".
Second: According to what Robing66066 suggested, pretending my ISP assigned me an extra public IP, let's say x.x.230.131, in that case I would have to change the line ip address outside x.x.230.130 255.255.255.224 to ip address outside x.x.230.131 255.255.255.224 and the rest would stay the same (including the NAT, global and static lines). At this point, if someone sends me an e-mail to x.x.230.130 (which is the DNS MX record for my e-mail server), where would it be forwarded to, now that the external interface's IP has been changed to x.x.230.131??
Sorry for my confusion, but a nice explanation would give me a better sleep.....
 
LVL 2

Assisted Solution

by: AndyJG247 (earned 600 total points)
ID: 11819386
You have a 255.255.255.224 mask so you 'possibly' have 32 addresses already, 30 of which are usable, but that is another point.

If you had an internal server on 192.168.150.6
an MX record pointing to x.x.230.130 and spare addresses including 230.131 etc., you would use these commands.

ip address outside x.x.230.131 255.255.255.224
route outside 0 0 x.x.230.129 1
static (inside,outside) x.x.230.130 192.168.150.6
access-list inbound permit tcp any host x.x.230.130 eq smtp
access-group inbound in interface outside

Theory being:
-The static is what maps your internal server to the external ip address not your PIX's external ip address.
-Your current static (with the tcp and port 25 bits) is only mapping port 25 from the external address to your internal server.  This means you need to use the nat/global commands to provide internet access for this server.  If you just use the static (in,out) x.x.230.130 192.168.150.6 command you can ditch the nat and global commands as this static will also provide an outbound 'route' for this server.  Of course assuming nothing else needs these nat and globals...
-Your PIX external ip would then not be relevant in regards to the mail coming in as it would all be handled by this static.

Hope that makes sense, apologies if not.

cheers
Andy
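As an added example (not code from this thread or from Cisco), the following Python script parses the few PIX 6.x statements that matter for the inbound-mail path and flags the two problems identified above, plus the access-list check a practitioner would want. Both sample configurations are constructed: 203.0.113.0/24 (the RFC 5737 documentation range) stands in for the asker's x.x.230.0/27 block, the first sample mirrors the original config, and the second is the layout Andy describes with lrmoore's fixup change applied.

```python
# Added example: a linter for the PIX 6.x lines that matter for inbound SMTP.
# Both sample configs are constructed; 203.0.113.0/24 (RFC 5737) stands in
# for the asker's x.x.230.0/27 block and 192.168.150.6 is the Exchange server.
from dataclasses import dataclass, field
from typing import Optional

# Mirrors the original post: interface address doubles as the mail address.
BROKEN_CONFIG = """\
fixup protocol smtp 25
access-list outside_access_in permit tcp any host 203.0.113.130 eq smtp
ip address outside 203.0.113.130 255.255.255.224
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 203.0.113.130 smtp 192.168.150.6 smtp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
"""

# Andy's layout (PIX on .131, one-to-one static on .130) plus lrmoore's change.
FIXED_CONFIG = """\
no fixup protocol smtp 25
ip address outside 203.0.113.131 255.255.255.224
static (inside,outside) 203.0.113.130 192.168.150.6
access-list inbound permit tcp any host 203.0.113.130 eq smtp
access-group inbound in interface outside
"""


@dataclass
class Static:
    mapped_ip: str                      # public address on the outside
    real_ip: str                        # inside address it translates to
    proto: Optional[str] = None         # None: one-to-one static for every port
    mapped_port: Optional[str] = None


@dataclass
class PixConfig:
    outside_ip: Optional[str] = None
    fixups: set = field(default_factory=set)            # (protocol, port)
    statics: list = field(default_factory=list)
    acl_smtp_hosts: dict = field(default_factory=dict)  # acl name -> hosts allowed tcp/25
    outside_acls: set = field(default_factory=set)      # acls applied inbound on outside


def parse_pix(text: str) -> PixConfig:
    """Pull out the handful of statements the checks below need."""
    cfg = PixConfig()
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:3] == ["ip", "address", "outside"]:
            cfg.outside_ip = t[3]
        elif t[:3] == ["no", "fixup", "protocol"]:
            cfg.fixups.discard((t[3], t[4]))
        elif t[:2] == ["fixup", "protocol"]:
            cfg.fixups.add((t[2], t[3]))
        elif t[:2] == ["static", "(inside,outside)"]:
            if t[2] in ("tcp", "udp"):
                # static (inside,outside) tcp MAPPED_IP PORT REAL_IP PORT ...
                cfg.statics.append(Static(t[3], t[5], t[2], t[4]))
            else:
                # static (inside,outside) MAPPED_IP REAL_IP ...
                cfg.statics.append(Static(t[2], t[3]))
        elif t[0] == "access-list" and "permit" in t and "host" in t and "eq" in t:
            if t[t.index("eq") + 1] in ("smtp", "25"):
                cfg.acl_smtp_hosts.setdefault(t[1], set()).add(t[t.index("host") + 1])
        elif t[0] == "access-group" and t[-2:] == ["interface", "outside"]:
            cfg.outside_acls.add(t[1])
    return cfg


def lint(cfg: PixConfig) -> list:
    """Return (code, message) findings for the inbound-mail path."""
    findings = []
    if ("smtp", "25") in cfg.fixups:
        findings.append(("SMTP-FIXUP", "fixup protocol smtp 25 is active; Exchange "
                         "speaks ESMTP, use 'no fixup protocol smtp 25'"))
    smtp_statics = [s for s in cfg.statics
                    if s.proto is None or s.mapped_port in ("smtp", "25")]
    if not smtp_statics:
        findings.append(("NO-SMTP-STATIC", "no static maps tcp/25 to an inside host"))
    permitted = {h for acl in cfg.outside_acls for h in cfg.acl_smtp_hosts.get(acl, set())}
    for s in smtp_statics:
        if s.mapped_ip == cfg.outside_ip:
            findings.append(("STATIC-ON-INTERFACE", f"static for {s.real_ip} reuses the "
                             f"outside interface address {s.mapped_ip}; give the mail "
                             "server its own public address"))
        if s.mapped_ip not in permitted:
            findings.append(("ACL-NO-SMTP", "no access-list applied on outside "
                             f"permits tcp/25 to {s.mapped_ip}"))
    return findings


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{name}: {[m for _, m in lint(parse_pix(text))] or 'no findings'}")
```

Run against the first sample it reports SMTP-FIXUP and STATIC-ON-INTERFACE, which are exactly the two changes the thread converged on; the second sample comes back clean. The one-to-one static in the fixed layout also carries the mail server's outbound traffic, which is why Andy notes the nat/global pair becomes optional for that host.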
 

Author Comment

by:ggmisadmin
ID: 11824225
Thanks very much for your help guys....it seems to be fine now. I was able to get an extra IP from my ISP and I reconfigured it the way you suggested. I am able to both send and receive e-mail.
Before I close this question.....do I have to open the www port in order for users to be able to access web e-mail (OWA)??
Thanks again!!

 
LVL 7

Expert Comment

by:Robing66066
ID: 11824242
Depends.  If you are using SSL security, you'll need to open 443.  Otherwise, 80 will do.
 
LVL 2

Expert Comment

by:AndyJG247
ID: 11825034
Good Luck

cheers
Andy
