Solved

No receiving e-mail from PIX firewall

Posted on 2004-08-16
1,469 Views
Last Modified: 2008-01-09
I replaced an ISA server with a PIX 515 firewall. Internet as well as sending e-mail are working fine, but I still cannot receive e-mail. The Exchange server/domain controller has a private IP: 192.168.150.6, located in the internal network. We only use one public IP: X.X.230.130.
Being new on firewall configuration, I am wondering what I am missing....
This is the config. file:

PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Yn8Esq3NcXIHL35v encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname Mypix
domain-name Mydomain.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol http 8080
names
access-list outside_access_in permit tcp any host x.x.230.130 eq smtp
access-list outside_access_in permit icmp any host x.x.230.130
access-list outside_access_in permit icmp any host x.x.230.130 time-exceeded
access-list outside_access_in permit icmp any host x.x.230.130 unreachable
pager lines 24
logging on
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside x.x.230.130 255.255.255.224
ip address inside 192.168.150.4 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp x.x.230.130 smtp 192.168.150.6 smtp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.230.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 60
ssh timeout 5
terminal width 80
Cryptochecksum:77eb367db63b049189216e1d3081e306

Thanks for your help!!!
0
Question by:ggmisadmin
10 Comments
 
LVL 7

Expert Comment

by:Robing66066
ID: 11814829
Don't use the same address for your outside address as your email server.  Theoretically it should work, but in practice it really doesn't work very well at all.
0
 

Author Comment

by:ggmisadmin
ID: 11815011
The outside address is also the IP that my ISP's DNS resolves for my domain. If I changed that address, how would I receive e-mail from external SMTP?
Thanks for your help.....
0
 
LVL 7

Accepted Solution

by:
Robing66066 earned 150 total points
ID: 11815520
It appears as though you only have a mail server on the inside that needs access from the Internet.  If that is the case, you would need to have your ISP assign you an additional address.  Use the additional address for your outside address and keep the old one for your mail server.  (If this can't be done, you will have to get your ISP to change the DNS mx record for your mail server to the new address.)
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11815750
For Exchange, you need to disable fixup:
>fixup protocol smtp 25

change to
no fixup protocol smtp 25
^
0
 
LVL 11

Expert Comment

by:PennGwyn
ID: 11816354
lrmoore is correct, but doesn't explain why.

Exchange talks *ESMTP*, not vanilla SMTP.  The PIX fixup only talks SMTP; take out the fixup, and Exchange will be happy.

0
 

Author Comment

by:ggmisadmin
ID: 11817240
OK,
First: I will try to change the command "fixup protocol smtp 25" to "no fixup protocol smtp 25".
Second: According to what Robing66066 suggested, supposing my ISP assigned me an extra public IP, let's say x.x.230.131, in that case I would have to change the line: ip address outside x.x.230.130 255.255.255.224 to ip address outside x.x.230.131 255.255.255.224 and the rest would stay the same (including the NAT, Global and Static lines). At this point, if someone sends me an e-mail to x.x.230.130 (which is the DNS MX record for my e-mail server), where would it be forwarded to, now that the external interface's IP has been changed to x.x.230.131??
Sorry for my confusion, but a nice explanation would give me a better sleep.....
0
 
LVL 2

Assisted Solution

by:AndyJG247
AndyJG247 earned 150 total points
ID: 11819386
You have a 255.255.255.224 mask so you 'possibly' have 32 addresses already, 30 of which are usable, but that is another point.

If you had an internal server on 192.168.150.6,
an MX record pointing to x.x.230.130 and spare addresses including 230.131 etc., you would use these commands.

ip address outside x.x.230.131 255.255.255.224
route outside 0 0 x.x.230.129 1
static (inside,outside) x.x.230.130 192.168.150.6
access-list inbound permit tcp any host x.x.230.130 eq smtp
access-group inbound in interface outside

Theory being:
-The static is what maps your internal server to the external ip address not your PIX's external ip address.
-Your current static (with the tcp and port 25 bits) is only mapping port 25 from the external address to your internal server.  This means you need to use the nat/global commands to provide internet access for this server.  If you just use the static (in,out) x.x.230.130 192.168.150.6 command you can ditch the nat and global commands as this static will also provide an outbound 'route' for this server.  Of course assuming nothing else needs these nat and globals...
-Your PIX external ip would then not be relevant in regards to the mail coming in as it would all be handled by this static.

Hope that makes sense, apologies if not.

cheers
Andy
0
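The following is an added example written for this page, not the poster's running config and not AndyJG247's exact lines: it applies the static-NAT change from AndyJG247's comment and the SMTP fixup change from lrmoore's and PennGwyn's comments together, in PIX 6.0 syntax, and adds the follow-up steps that usually get missed. It assumes x.x.230.131 is the additional address the ISP provided and that x.x.230.129 remains the ISP gateway; the ACL name, inside address and mail server address are taken from the posted config. Lines beginning with a colon are comments, as in a PIX's own saved configuration.

```cisco
: 1. Move the firewall's own outside address to the new IP. The MX target
:    x.x.230.130 is then free for the mail server. Both addresses sit in the
:    same /27, so the ISP router keeps forwarding .130 onto this segment and
:    the PIX answers the ARP for it on behalf of the static (proxy ARP is on
:    by default); no routing change is needed at the ISP.
ip address outside x.x.230.131 255.255.255.224
route outside 0.0.0.0 0.0.0.0 x.x.230.129 1

: 2. Replace the port-only static with a one-to-one static. The Exchange
:    server's outbound mail now leaves as .130 as well (a static takes
:    precedence over nat/global), so the sending address matches the MX.
no static (inside,outside) tcp x.x.230.130 smtp 192.168.150.6 smtp netmask 255.255.255.255 0 0
static (inside,outside) x.x.230.130 192.168.150.6 netmask 255.255.255.255 0 0

: 3. Every other inside host still PATs out through the interface address,
:    which is now .131.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

: 4. Inbound policy. The one-to-one static translates every protocol and
:    port to 192.168.150.6, so the original blanket "permit icmp any host
:    x.x.230.130" would now let echo requests through to the mail server;
:    keep only the ICMP control messages it needs for path-MTU discovery
:    and traceroute.
no access-list outside_access_in permit icmp any host x.x.230.130
access-list outside_access_in permit tcp any host x.x.230.130 eq smtp
access-list outside_access_in permit icmp any host x.x.230.130 time-exceeded
access-list outside_access_in permit icmp any host x.x.230.130 unreachable
access-group outside_access_in in interface outside

: 5. Mailguard (the SMTP fixup) only passes HELO, MAIL, RCPT, DATA, RSET,
:    NOOP and QUIT and masks the banner; the EHLO/ESMTP session Exchange
:    expects is rejected behind it.
no fixup protocol smtp 25

: 6. On PIX 6.x a changed static does not apply to translations that already
:    exist; flush them so the new mapping is used.
clear xlate

: Checks after the change, from enable mode:
:   show xlate        -> "Global x.x.230.130 Local 192.168.150.6"
:   show conn         -> a TCP entry to 192.168.150.6:25 while a test mail arrives
:   show access-list  -> hitcnt on the smtp line increases with each delivery
```

Disabling the SMTP fixup removes the only command-level filtering the PIX applied to port 25; after the change the Exchange SMTP virtual server faces the Internet directly, so confirm its relay restrictions before relying on it. Two management-plane lines in the posted config also deserve attention while it is being edited: "snmp-server community public" should be changed or removed, and "telnet 0.0.0.0 0.0.0.0 inside" should be narrowed to the administrator's host.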
 

Author Comment

by:ggmisadmin
ID: 11824225
Thanks very much for your help guys....it seems to be fine now. I was able to get an extra IP from my ISP and I reconfigured it the way you suggested. I am able to both send and receive e-mail.
Before I close this question.....do I have to open the www port in order for users to be able to access web e-mail (OWA)??
Thanks again!!

0
 
LVL 7

Expert Comment

by:Robing66066
ID: 11824242
Depends.  If you are using SSL security, you'll need to open 443.  Otherwise, 80 will do.
0
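As an added example for the OWA question, not part of the thread: once the one-to-one static from AndyJG247's comment is in place, every port on 192.168.150.6 is already translated, so publishing OWA is purely a decision on the inbound ACL, and the ACL is the only thing standing between the Internet and the rest of that server. It assumes the ACL name from the posted config and OWA served over SSL.

```cisco
: OWA over SSL: one more permit on the existing inbound ACL. No second
: static is needed; the one-to-one static already carries port 443.
access-list outside_access_in permit tcp any host x.x.230.130 eq https

: Do not also open 80. An OWA logon over plain HTTP sends the session, and
: with Basic authentication the password itself, across the Internet in clear
: text. If IIS still answers on 80, have it redirect to https rather than
: adding "permit tcp any host x.x.230.130 eq www" here.

: Verify with a browser from outside, then check the counters:
:   show access-list  -> hitcnt on the https line increases
:   show conn         -> TCP entries to 192.168.150.6:443
```

ACL additions on PIX 6.x take effect as soon as the line is entered; unlike a static change, no "clear xlate" is required.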
 
LVL 2

Expert Comment

by:AndyJG247
ID: 11825034
Good Luck

cheers
Andy
0
