PIX configuration to allow smtp port 25

Hi,

I have a Linux server running sendmail; I want it to send mail to our other Linux server, which relays the mail to where it needs to go.
The problem is that I can telnet into it on port 25, and I get this error:

Sendmail is reporting

user@freshcomp.com.au... Deferred: Connection timed out with 172.19.0.2.

The servers are:
    comp1       - 172.19.0.2 (proxy and mail server)
    freshserver - 172.18.0.10

Is my PIX not allowing me to telnet to comp1 from comp2 on port 25, or is there another problem?

Thanks in advance,
Anthony

The PIX config is as follows:

PIX Version 6.2(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 webserver security10
nameif ethernet3 contivity security15
nameif ethernet4 billing security20
nameif ethernet5 dmz security25
enable password zVGDzIda9vTx3Hs2 encrypted
passwd Kg5kpK2OvuRjMPMu encrypted
hostname brismarkpix
domain-name brismark.com.au
clock timezone EST 10
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 172.18.0.10 FreshServer
access-list inside_access_in permit ip host 10.0.10.201 host 172.17.0.3
access-list inside_access_in permit ip 10.0.10.0 255.255.255.0 172.18.0.0 255.255.0.0
access-list inside_access_in permit ip 10.0.10.0 255.255.255.0 host 172.19.0.2
access-list inside_access_in permit ip 10.0.10.0 255.255.255.0 any
access-list contivity_access_in permit ip host 172.17.0.3 host 172.17.0.4
access-list contivity_access_in permit ip 172.17.0.0 255.255.0.0 host 172.18.0.2
access-list webserver_access_in permit ip host 172.18.0.2 10.0.10.0 255.255.255.0
access-list webserver_access_in permit ip host 172.18.0.2 192.168.0.0 255.255.0.0
access-list webserver_access_in permit ip host FreshServer 192.168.0.0 255.255.0.0
access-list webserver_access_in permit icmp host FreshServer 10.0.10.0 255.255.255.0
access-list webserver_access_in permit ip host 172.18.0.2 172.17.0.0 255.255.0.0
access-list webserver_access_in permit tcp host FreshServer eq smtp host 172.19.0.2 eq smtp
access-list webserver_access_in permit icmp host FreshServer host 172.19.0.2
access-list billing_access_in permit ip 192.168.0.0 255.255.0.0 host 172.18.0.2
access-list billing_access_in permit ip 192.168.0.0 255.255.0.0 host FreshServer
access-list dmz_access_in permit ip host 172.19.0.2 10.0.10.0 255.255.255.0
access-list dmz_access_in permit tcp host 172.19.0.2 any
access-list dmz_access_in permit tcp host 172.19.0.2 eq smtp any
access-list dmz_access_in permit tcp host 172.19.0.2 eq pop3 any
access-list dmz_access_in permit udp host 172.19.0.2 any
access-list dmz_access_in permit icmp host 172.19.0.2 any
access-list dmz_access_in permit tcp host 172.19.0.2 eq smtp host FreshServer
access-list dmz_access_in permit icmp host 172.19.0.2 host FreshServer
access-list outside_access_in permit icmp any host 203.55.xxx.xxx
access-list outside_access_in permit tcp any host 203.55.xxx.xxx
access-list outside_access_in permit tcp any eq smtp host 203.55.xxx.xxx
access-list outside_access_in permit tcp any eq pop3 host 203.55.xxx.xxx
pager lines 24
logging on
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
interface ethernet4 100full
interface ethernet5 auto
mtu outside 1500
mtu inside 1500
mtu webserver 1500
mtu contivity 1500
mtu billing 1500
mtu dmz 1500
ip address outside 203.55.xxx.xxx 255.255.255.248
ip address inside 10.0.10.200 255.255.255.0
ip address webserver 172.18.0.1 255.255.0.0
ip address contivity 172.17.0.1 255.255.0.0
ip address billing 172.20.0.1 255.255.0.0
ip address dmz 172.19.0.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address webserver 0.0.0.0
failover ip address contivity 0.0.0.0
failover ip address billing 0.0.0.0
failover ip address dmz 0.0.0.0
pdm location 10.0.10.201 255.255.255.255 inside
pdm location 172.17.0.4 255.255.255.255 contivity
pdm location 172.17.0.3 255.255.255.255 contivity
pdm location 172.19.0.2 255.255.255.255 dmz
pdm location 172.20.0.2 255.255.255.255 billing
pdm location 192.168.0.0 255.255.0.0 billing
pdm location 172.18.0.2 255.255.255.255 webserver
pdm location 172.20.0.3 255.255.255.255 billing
pdm location FreshServer 255.255.255.255 webserver
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 186 interface
global (contivity) 17 interface
nat (inside) 186 10.0.10.0 255.255.255.0 0 0
static (inside,webserver) 10.0.10.0 10.0.10.0 netmask 255.255.255.0 0 0
static (inside,contivity) 172.17.0.4 10.0.10.201 netmask 255.255.255.255 0 0
static (inside,dmz) 10.0.10.0 10.0.10.0 netmask 255.255.255.0 0 0
static (billing,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 0 0
static (contivity,webserver) 172.17.0.0 172.17.0.0 netmask 255.255.0.0 0 0
static (dmz,outside) 203.55.xxx.xxx 172.19.0.2 netmask 255.255.255.255 0 0
static (billing,webserver) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 0 0
static (inside,billing) 10.0.10.0 10.0.10.0 netmask 255.255.255.0 0 0
static (inside,billing) 172.20.0.3 10.0.10.201 netmask 255.255.255.255 0 0
static (webserver,outside) FreshServer FreshServer netmask 255.255.255.255 0 0
static (dmz,webserver) 172.19.0.2 172.19.0.2 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group webserver_access_in in interface webserver
access-group contivity_access_in in interface contivity
access-group billing_access_in in interface billing
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 203.55.158.145 1
route billing 192.168.0.0 255.255.0.0 172.20.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authorization command LOCAL
http server enable
http 10.0.10.201 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 10.0.10.0 255.255.255.0 inside
telnet 10.0.10.200 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
username csc1 password aBO01WrC6LIeyeyq encrypted privilege 15
username cscsupport password KVP8UrbS7EANqtqd encrypted privilege 15
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
terminal width 80
Cryptochecksum:f9d11756bb981fc10d6ac269a9bd3da8
: end

martap commented:

Replace:

access-list webserver_access_in permit tcp host FreshServer eq smtp host 172.19.0.2 eq smtp

with:

access-list webserver_access_in permit tcp host FreshServer host 172.19.0.2 eq smtp
martap commented:

And if you defined this rule:

access-list dmz_access_in permit tcp host 172.19.0.2 eq smtp host FreshServer

for the return traffic, you can remove it. The PIX is a stateful firewall; there is no need to add rules for return traffic.
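The two points in martap's replies (an `eq smtp` placed right after the source operand restricts the source port, which a sendmail client never uses because it picks an ephemeral port, and return traffic is admitted by the connection table rather than by an ACL) can be checked with a small model. The following Python is an added example, not code from the thread or from Cisco: it parses the two ACL lines quoted above using the config's `name FreshServer` mapping, evaluates them against a constructed SMTP connection (the ephemeral source port 41234 is a made-up sample value), and tracks connections the way a stateful firewall does. It ignores NAT/xlate and security-level checks, which the posted `static (dmz,webserver)` entry already satisfies for this pair of hosts.

```python
"""Model of PIX 6.x inbound ACL matching plus stateful connection tracking.
Added example for the thread above; not PIX software and not the poster's code.
The ACL lines and addresses are from the posted config; the ephemeral source
port 41234 is a constructed sample value."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

PORT_NAMES = {"smtp": 25, "pop3": 110}  # PIX port keywords used in the config
NAMES = {"FreshServer": "172.18.0.10"}   # from the config's "name" statement


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    acl: str
    proto: str
    src: str              # IPv4 host or "any"
    sport: Optional[int]  # None = any source port
    dst: str
    dport: Optional[int]  # None = any destination port


def parse_rule(line: str, names: Dict[str, str] = NAMES) -> Rule:
    """Parse 'access-list NAME permit PROTO host A [eq P] host B [eq P]'.
    Only host/any operands are handled; that is all the quoted lines use."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] != "permit":
        raise ValueError("only 'access-list ... permit' lines are modelled")
    pos = 4

    def operand() -> str:
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return "any"
        if tok[pos] == "host":
            pos += 2
            return names.get(tok[pos - 1], tok[pos - 1])  # expand "names"
        raise ValueError(f"unsupported operand {tok[pos]!r}")

    def port() -> Optional[int]:
        nonlocal pos
        if pos < len(tok) and tok[pos] == "eq":
            pos += 2
            p = tok[pos - 1]
            return PORT_NAMES[p] if p in PORT_NAMES else int(p)
        return None

    src, sport = operand(), port()  # an 'eq' here constrains the SOURCE port
    dst, dport = operand(), port()
    return Rule(tok[1], tok[3], src, sport, dst, dport)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto == pkt.proto
            and rule.src in ("any", pkt.src)
            and rule.sport in (None, pkt.sport)
            and rule.dst in ("any", pkt.dst)
            and rule.dport in (None, pkt.dport))


class StatefulPix:
    """Inbound ACL per interface plus a connection table for replies."""

    def __init__(self, acls: Dict[str, List[Rule]]):
        self.acls = acls
        self.conns: Set[Tuple[str, str, int, str, int]] = set()

    def inbound(self, iface: str, pkt: Packet) -> bool:
        # A reply to a tracked connection is permitted without any ACL hit.
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conns:
            return True
        if any(matches(r, pkt) for r in self.acls.get(iface, [])):
            self.conns.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return False  # implicit deny at the end of every ACL


BROKEN = ("access-list webserver_access_in permit tcp host FreshServer eq smtp "
          "host 172.19.0.2 eq smtp")
FIXED = ("access-list webserver_access_in permit tcp host FreshServer "
         "host 172.19.0.2 eq smtp")


def smtp_delivery(rule_line: str, sport: int = 41234) -> Tuple[bool, bool]:
    """Sendmail on FreshServer opens sport -> comp1:25 through the webserver
    interface; comp1 answers through the dmz interface, whose ACL is left
    empty on purpose. Returns (syn_permitted, reply_permitted)."""
    pix = StatefulPix({"webserver": [parse_rule(rule_line)], "dmz": []})
    syn = Packet("tcp", NAMES["FreshServer"], sport, "172.19.0.2", 25)
    reply = Packet("tcp", "172.19.0.2", 25, NAMES["FreshServer"], sport)
    return pix.inbound("webserver", syn), pix.inbound("dmz", reply)


if __name__ == "__main__":
    print("original rule:", smtp_delivery(BROKEN))   # (False, False)
    print("corrected rule:", smtp_delivery(FIXED))   # (True, True)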
lrmoore commented:

Change this access-list line:
  >access-list webserver_access_in permit tcp host FreshServer eq smtp host 172.19.0.2 eq smtp

to this:
  access-list webserver_access_in permit tcp host FreshServer host 172.19.0.2 eq smtp
martap commented:

Beat you to it, lrmoore :)
Anthony_E (author) commented:

OK, thanks guys. I can't test it at the moment; the guy who's trying to telnet in won't be back for a few days (he's on holidays) and I can't get onto his system. So I'll just wait and see if it works.
lrmoore commented:

Damn, martap, you must have posted while I was typing...
<8-}