[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now

x
?
Solved

POP Mail not Working with Cisco PIX 506 Firewall

Posted on 2004-10-22
14
Medium Priority
?
366 Views
Last Modified: 2012-05-05
My outbound mail is working, but POP mail is not.  I can telnet to port 25, but it fails on port 110.  Do I need to open port 110 on my Cisco Firewall?  I have a NAT created and an Access Rule for POP3, but am still not able to conect to POP Server.  Any ideas?

Thanks
0
Comment
Question by:rmefford
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 8
  • 6
14 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 12382089
the static nat and the access rule are generally all you need for any port.
Can you post your config ? ( be sure to mask out an passwords and your public IP)
0
 

Author Comment

by:rmefford
ID: 12382187
Here is my config...thanks for the help...

Result of firewall command: "show run"
 
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password fYGjIZ.r.8FYvTjF encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname <deleted>
domain-name <deleted>
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip any 10.1.5.192 255.255.255.192
access-list outside_access_in permit tcp any interface outside eq https
access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in permit tcp any interface outside eq smtp
access-list outside_access_in permit tcp any interface outside eq pop3
access-list outside_access_in permit tcp any eq 81 interface outside eq 81
access-list outside_access_in permit tcp any host <external IP> eq pop3
access-list outside_cryptomap_dyn_20 permit ip any 10.10.5.192 255.255.255.192
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside <external IP> 255.255.255.240
ip address inside 10.1.5.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.1.5.20 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
global (inside) 2004 10.1.5.51
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 10.1.5.20 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 10.1.5.20 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 10.1.5.20 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 10.1.5.20 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 81 10.1.5.20 81 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 <external gateway ip> 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.1.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.1.5.51-10.1.5.200 inside
dhcpd dns <primary DNS> <secondary DNS>
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain <domainname>
dhcpd auto_config outside
dhcpd enable inside
username sctadmin password WeuL3s8PP7LAFX5X encrypted privilege 15
username randym password t5Q1R3kVzz2m535A encrypted privilege 15
terminal width 80
Cryptochecksum:e7830a96a44a638f266bac00cad9de77
: end



0
 
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 12382240
>access-list outside_access_in permit tcp any interface outside eq pop3
>static (inside,outside) tcp interface pop3 10.1.5.20 pop3 netmask 255.255.255.255 0 0

Those two entries should be all you need.
Suggestions:
 1) try re-applying the acl to the interface:
      access-group outside_access_in in interface outside

 2) save your config, hard reboot the pix. Power off completely, wait 1 minute, power back up.

Use output of "show access-list" and look for hitcounts for pop3
0
Looking for the Wi-Fi vendor that's right for you?

We know how difficult it can be to evaluate Wi-Fi vendors, so we created this helpful Wi-Fi Buyer's Guide to help you find the Wi-Fi vendor that's right for your business! Download the guide and get started on our checklist today!

 

Author Comment

by:rmefford
ID: 12382690
Okay did that, and still POP fails.

Show access-list shows no hits on POP3.

I am curious...about the results of show access-list

Result of firewall command: "show access-list"

What is access-list outside_access_in line 6 permit tcp any host <external ip> eq pop3 (hitcnt=0)?  I notice the other access list don't have this associated with them.

Randy


access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)
            alert-interval 300
access-list inside_outbound_nat0_acl; 1 elements
access-list inside_outbound_nat0_acl line 1 permit ip any 10.1.5.192 255.255.255.192 (hitcnt=0)
access-list outside_access_in; 6 elements
access-list outside_access_in line 1 permit tcp any interface outside eq https (hitcnt=0)
access-list outside_access_in line 2 permit tcp any interface outside eq www (hitcnt=10)
access-list outside_access_in line 3 permit tcp any interface outside eq smtp (hitcnt=1)
access-list outside_access_in line 4 permit tcp any interface outside eq pop3 (hitcnt=0)
access-list outside_access_in line 5 permit tcp any eq 81 interface outside eq 81 (hitcnt=0)
access-list outside_access_in line 6 permit tcp any host <external ip> eq pop3 (hitcnt=0)
access-list outside_cryptomap_dyn_20; 1 elements
access-list outside_cryptomap_dyn_20 line 1 permit ip any 10.10.5.192 255.255.255.192 (hitcnt=0)

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12382748
>access-list outside_access_in line 6 permit tcp any host <external ip> eq pop3 (hitcnt=0)
This line accepts pop3 from any, to the IP address, instead of using the keyword "interface"
It is redundant to this line, and is not necessary
>access-list outside_access_in line 4 permit tcp any interface outside eq pop3 (hitcnt=0)

You are actually trying this from an external client, right?

My  next suggestion would be to make sure the server's default gateway is set correctly, but since the web service works on that same server, it appears that would have to be correct....
Can you confirm that pop3 is actually working on that server? Can you connect to it with it's private IP address OK?

0
 

Author Comment

by:rmefford
ID: 12383035
Yes, good question though.  It should also work internally b/c I have pop and smtp defined with "A" records in my DNS server.

But from the outside everything works....except it can not log on to the POP server successfully.  And before you ask...I did verify my username and password ;)
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12383082
Has this hitcount increased?
access-list outside_access_in line 4 permit tcp any interface outside eq pop3 (hitcnt=0)
You should get a hit every attempt, whether your login is accepted or not..
You are using the Public IP address of the outside interface?

You need to verify that you can open a POP3 client and connect to the server inside. Perhaps the pop3 service is not running?
0
 

Author Comment

by:rmefford
ID: 12383172
It has increased...so it is getting hit, why would the logon atempt fail?  Or is it something else?  yes the POP3 service is running.

I am not sure what you mean by "you are using the public IP address of outside interface"?  I am accessing through pop.domain.com and smtp.domain.com

Randy

Result of firewall command: "show access-list"
 
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)
            alert-interval 300
access-list inside_outbound_nat0_acl; 1 elements
access-list inside_outbound_nat0_acl line 1 permit ip any 10.1.5.192 255.255.255.192 (hitcnt=0)
access-list outside_access_in; 6 elements
access-list outside_access_in line 1 permit tcp any interface outside eq https (hitcnt=0)
access-list outside_access_in line 2 permit tcp any interface outside eq www (hitcnt=109)
access-list outside_access_in line 3 permit tcp any interface outside eq smtp (hitcnt=31)
access-list outside_access_in line 4 permit tcp any interface outside eq pop3 (hitcnt=45)
access-list outside_access_in line 5 permit tcp any eq 81 interface outside eq 81 (hitcnt=0)
access-list outside_access_in line 6 permit tcp any host <external ip> eq pop3 (hitcnt=0)
access-list outside_cryptomap_dyn_20; 1 elements
access-list outside_cryptomap_dyn_20 line 1 permit ip any 10.10.5.192 255.255.255.192 (hitcnt=0)

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12383301
It is obvously hitting the correct IP address of the outside IP of the PIX because the hitcount is increasing.
There is nothing in the config that could prevent the login once you connect.
I would look at the pop3 server itself and make sure it is configured correctly.

> yes the POP3 service is running
But, can you actually use the POP3 client on the inside network and log in to the server?

0
 

Author Comment

by:rmefford
ID: 12383342
No, not using pop I can not connect inside.

Curious...what could that mean?  or be?
0
 

Author Comment

by:rmefford
ID: 12383361
Okay...correction it is working from inside, when I use local IP for pop & smtp
0
 

Author Comment

by:rmefford
ID: 12383397
Okay...it is also working by external IP but not pop.domain.com, :)  Now what!
0
 

Author Comment

by:rmefford
ID: 12383465
Okay...I think I got it all working.  Thanks for your HELP!
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12383543
Good work!

0

Featured Post

Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Originally, this post was published on Monitis Blog, you can check it here . It goes without saying that technology has transformed society and the very nature of how we live, work, and communicate in ways that would’ve been incomprehensible 5 ye…
A 2007 NCSA Cyber Security survey revealed that a mere 4% of the population has a full understanding of firewalls. As business owner, you should be part of that 4% that has a full understanding.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question