POP Mail not Working with Cisco PIX 506 Firewall

the static nat and the access rule are generally all you need for any port.
Can you post your config ? ( be sure to mask out an passwords and your public IP)

Here is my config...thanks for the help...

Result of firewall command: "show run"
 
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password fYGjIZ.r.8FYvTjF encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname <deleted>
domain-name <deleted>
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip any 10.1.5.192 255.255.255.192
access-list outside_access_in permit tcp any interface outside eq https
access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in permit tcp any interface outside eq smtp
access-list outside_access_in permit tcp any interface outside eq pop3
access-list outside_access_in permit tcp any eq 81 interface outside eq 81
access-list outside_access_in permit tcp any host <external IP> eq pop3
access-list outside_cryptomap_dyn_20 permit ip any 10.10.5.192 255.255.255.192
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside <external IP> 255.255.255.240
ip address inside 10.1.5.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.1.5.20 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
global (inside) 2004 10.1.5.51
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 10.1.5.20 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 10.1.5.20 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 10.1.5.20 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 10.1.5.20 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 81 10.1.5.20 81 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 <external gateway ip> 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.1.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.1.5.51-10.1.5.200 inside
dhcpd dns <primary DNS> <secondary DNS>
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain <domainname>
dhcpd auto_config outside
dhcpd enable inside
username sctadmin password WeuL3s8PP7LAFX5X encrypted privilege 15
username randym password t5Q1R3kVzz2m535A encrypted privilege 15
terminal width 80
Cryptochecksum:e7830a96a44a638f266bac00cad9de77
: end

Okay did that, and still POP fails.

Show access-list shows no hits on POP3.

I am curious...about the results of show access-list

Result of firewall command: "show access-list"

What is access-list outside_access_in line 6 permit tcp any host <external ip> eq pop3 (hitcnt=0)?  I notice the other access list don't have this associated with them.

Randy


access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)
            alert-interval 300
access-list inside_outbound_nat0_acl; 1 elements
access-list inside_outbound_nat0_acl line 1 permit ip any 10.1.5.192 255.255.255.192 (hitcnt=0)
access-list outside_access_in; 6 elements
access-list outside_access_in line 1 permit tcp any interface outside eq https (hitcnt=0)
access-list outside_access_in line 2 permit tcp any interface outside eq www (hitcnt=10)
access-list outside_access_in line 3 permit tcp any interface outside eq smtp (hitcnt=1)
access-list outside_access_in line 4 permit tcp any interface outside eq pop3 (hitcnt=0)
access-list outside_access_in line 5 permit tcp any eq 81 interface outside eq 81 (hitcnt=0)
access-list outside_access_in line 6 permit tcp any host <external ip> eq pop3 (hitcnt=0)
access-list outside_cryptomap_dyn_20; 1 elements
access-list outside_cryptomap_dyn_20 line 1 permit ip any 10.10.5.192 255.255.255.192 (hitcnt=0)

>access-list outside_access_in line 6 permit tcp any host <external ip> eq pop3 (hitcnt=0)
This line accepts pop3 from any, to the IP address, instead of using the keyword "interface"
It is redundant to this line, and is not necessary
>access-list outside_access_in line 4 permit tcp any interface outside eq pop3 (hitcnt=0)

You are actually trying this from an external client, right?

My  next suggestion would be to make sure the server's default gateway is set correctly, but since the web service works on that same server, it appears that would have to be correct....
Can you confirm that pop3 is actually working on that server? Can you connect to it with it's private IP address OK?

Yes, good question though.  It should also work internally b/c I have pop and smtp defined with "A" records in my DNS server.

But from the outside everything works....except it can not log on to the POP server successfully.  And before you ask...I did verify my username and password ;)

Has this hitcount increased?
access-list outside_access_in line 4 permit tcp any interface outside eq pop3 (hitcnt=0)
You should get a hit every attempt, whether your login is accepted or not..
You are using the Public IP address of the outside interface?

You need to verify that you can open a POP3 client and connect to the server inside. Perhaps the pop3 service is not running?

It has increased...so it is getting hit, why would the logon atempt fail?  Or is it something else?  yes the POP3 service is running.

I am not sure what you mean by "you are using the public IP address of outside interface"?  I am accessing through pop.domain.com and smtp.domain.com

Randy

Result of firewall command: "show access-list"
 
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)
            alert-interval 300
access-list inside_outbound_nat0_acl; 1 elements
access-list inside_outbound_nat0_acl line 1 permit ip any 10.1.5.192 255.255.255.192 (hitcnt=0)
access-list outside_access_in; 6 elements
access-list outside_access_in line 1 permit tcp any interface outside eq https (hitcnt=0)
access-list outside_access_in line 2 permit tcp any interface outside eq www (hitcnt=109)
access-list outside_access_in line 3 permit tcp any interface outside eq smtp (hitcnt=31)
access-list outside_access_in line 4 permit tcp any interface outside eq pop3 (hitcnt=45)
access-list outside_access_in line 5 permit tcp any eq 81 interface outside eq 81 (hitcnt=0)
access-list outside_access_in line 6 permit tcp any host <external ip> eq pop3 (hitcnt=0)
access-list outside_cryptomap_dyn_20; 1 elements
access-list outside_cryptomap_dyn_20 line 1 permit ip any 10.10.5.192 255.255.255.192 (hitcnt=0)

It is obvously hitting the correct IP address of the outside IP of the PIX because the hitcount is increasing.
There is nothing in the config that could prevent the login once you connect.
I would look at the pop3 server itself and make sure it is configured correctly.

> yes the POP3 service is running
But, can you actually use the POP3 client on the inside network and log in to the server?

No, not using pop I can not connect inside.

Curious...what could that mean?  or be?

Okay...correction it is working from inside, when I use local IP for pop & smtp

Okay...it is also working by external IP but not pop.domain.com, :)  Now what!

Okay...I think I got it all working.  Thanks for your HELP!

Good work!