PIX 501 and SMTP issues

Posted on 2004-11-25
Last Modified: 2008-02-01
Hi

I have a PIX 501 running split tunnelling to create a VPN and also allow the users inside the firewall to access the internet.

There are two issues which I'm looking at currently:
1. SMTP - faced issues where users were receiving mails multiple times; removed the fixup for SMTP and hopefully that would solve my issue.

Now the users are using MS Outlook to access an SMTP server hosted outside of the firewall; users can receive mail but not send mails as SMTP times out with error 0x800CCC79.

Been to the following URL http://support.microsoft.com/default.aspx?scid=kb;en-us;Q320027&gssnb=1 which points this error out to the Mailguard.

However even after removing the fixup from the PIX and reloading to ensure the xlate is cleared I still cannot make it work.

I doubt it is the PIX as the same user can access the mail in MS Outlook on dialup to the internet. (Applied latest Windows SP and Office 2000 SP.)

Also surprisingly the SMTP mails can be accessed using the Lotus Notes client.

2. An intranet web server has Business Objects loaded on it and on accessing and running some reports a number of redirects are run.

However what happens is that after running a few reports a previously opened report is opened again. This looks like some sort of caching which is causing this; will removing the fixup for HTTP 80 solve this issue?
Question by:Avinash75
10 Comments
 
LVL 36

Expert Comment

by:grblades
ID: 12679500
Hi Avinash75,
What are your questions?
 

Author Comment

by:Avinash75
ID: 12686126
Hi

Has someone faced this issue, and is there some way we can resolve the SMTP issue and also the HTTP issue listed in my query above?
 
LVL 36

Expert Comment

by:grblades
ID: 12686536
It is difficult to follow what you have actually tried so far. Have you removed the fixup by entering 'no fixup protocol smtp 25' ?
This should cure your mail sending problems. You don't say where your users are connecting from, where the mail server is located and what type of mail server it is.

The PIX does not cache pages. Are you using a proxy server internally?

If you paste a copy of the PIX configuration I will have a look at it.
 

Author Comment

by:Avinash75
ID: 12693059
Hi

As I had mentioned in my initial post, yes I did do the no fixup protocol smtp 25; however if you see my initial post I had tested whether the Mailguard was the issue for this using the Microsoft KB document (FYI here is the link --> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q320027&gssnb=1 ) and it doesn't look like the Mailguard is the issue.

Still I did use the no fixup command just to be sure.

The clients are on the inside of the PIX and the mail server is hosted by the ISP and is outside of the PIX.

I have tried telnetting to the SMTP server both from the internet without the PIX in the picture and with the PIX in the picture; the telnet directly without the PIX is much faster than the one with the PIX in between.

Although the telnet to the POP server with the PIX in between is OK.

I have tried using the same PCs for SMTP mail access without the PIX in the picture and it works perfectly OK without any issues.

As I said I tried using the Lotus Notes client and it works too; however using MS Outlook causes this issue.

At present it's working but very slow for outgoing mails.



Now for HTTP:
No proxies in the internal network, though as is the policy in the Middle East any internet traffic going out of the Middle East goes through a proxy.
However the issue is that when I tried to access the page I mentioned above, which basically runs a number of redirects, it randomly opens sometimes a previously accessed page.

The same situation is not occurring when I access the URL without the PIX in the picture, so it doesn't look like a proxy issue,

and a lot of things point to something in the PIX causing this issue.

Here is the config as requested by you:
PIX Version 6.3(3)
interface ethernet0 10baset
interface ethernet1 10baset
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.13.32.0 lan
name 10.13.32.10 fw-e1
name 10.13.32.65 logserver
name 213.42.81.26 fw-e0
name 213.42.81.25 defaultgw
name 10.13.32.140 Siteprtx1
name 10.13.32.142 Siteprtx2
name 10.13.32.171 Siteprtx3
name 192.168.252.0 natjupiter-Site-lan
name 192.168.252.28 natjupiter-Siteprtx1
name 192.168.252.29 natjupiter-Siteprtx2
name 192.168.252.30 natjupiter-Siteprtx3
name 192.168.32.0 jupiternet
name 192.168.35.24 exdsn1
name 192.168.34.134 mtonts37
name 192.168.34.135 mtonts38
name 192.168.34.39 mtonts91
name 192.168.35.96 mtots01
name 192.168.32.29 nfuse-eu
name 192.168.34.129 nfuse-na
name 192.168.252.27 natjupiter-logserver
name 192.168.1.10 Siteprtx4
name 192.168.1.11 Siteprtx5
name 192.168.0.10 Siteprtx6
name 192.168.0.11 Siteprtx7
name 192.168.252.25 natjupiter-Siteprtx4
name 192.168.252.26 natjupiter-Siteprtx5
name 192.168.252.23 natjupiter-Siteprtx6
name 192.168.252.24 natjupiter-Siteprtx7
name 10.13.32.120 inside-gw
name 193.38.167.20 jupiter-vpngw
name 192.168.0.0 Transmed
name 192.168.35.90 EBUYSERVER
name 192.168.1.0 AbuDhabi
name 192.168.34.42 mto-sapaep
name 192.168.35.146 mto-mou106
name 192.168.35.147 mto-mou049sg
name 192.168.35.121 mto-mou043
object-group network jupiter-NFUSE
  description jupiter Nfuse portals
  network-object host nfuse-eu
  network-object host nfuse-na
object-group network jupiter-TS-Servers-1
  description jupiter Citrix Terminal servers
  network-object host mtonts37
  network-object host mtonts38
  network-object host mtonts91
  network-object host mtots01
object-group network Site-Printers
  description Site Printers
  network-object host natjupiter-Siteprtx1
  network-object host natjupiter-Siteprtx2
  network-object host natjupiter-Siteprtx3
  network-object host natjupiter-Siteprtx4
  network-object host natjupiter-Siteprtx5
  network-object host natjupiter-Siteprtx6
  network-object host natjupiter-Siteprtx7
object-group service LPD-Print9100 tcp
  port-object eq lpd
  port-object eq 9100
object-group service Internet-Access tcp
  port-object eq www
  port-object eq 8080
object-group network MTO-SAPR3
  description MTO SAPR3 AEP AEB BEP BEB
  network-object host mto-sapaep
  network-object host mto-mou106
  network-object host mto-mou049sg
  network-object host mto-mou043
object-group service SAPR3-TCP3200-3299 tcp
  port-object eq 3200
  port-object eq 3299
access-list outbound permit tcp lan 255.255.254.0 any eq https
access-list outbound permit tcp lan 255.255.254.0 any eq ftp
access-list outbound permit tcp lan 255.255.254.0 any eq domain
access-list outbound permit udp lan 255.255.254.0 any eq domain
access-list outbound permit tcp lan 255.255.254.0 any eq pop3
access-list outbound permit tcp lan 255.255.254.0 any eq smtp
access-list outbound deny tcp host logserver any eq 8080
access-list outbound permit tcp lan 255.255.254.0 any eq 2478
access-list outbound permit udp lan 255.255.254.0 any eq isakmp
access-list outbound permit tcp host 10.13.32.29 any eq 34200
access-list outbound deny tcp host 10.13.32.145 any eq 8080
access-list outbound permit tcp lan 255.255.254.0 any eq lotusnotes
access-list outbound permit tcp host 10.13.32.27 any range 34200 34400
access-list outbound permit tcp lan 255.255.254.0 object-group jupiter-TS-Servers-1 eq citrix-ica
access-list outbound permit udp lan 255.255.254.0 object-group jupiter-TS-Servers-1 eq 1604
access-list outbound permit tcp lan 255.255.254.0 object-group jupiter-NFUSE eq www
access-list outbound permit tcp lan 255.255.254.0 host exdsn1 eq lotusnotes
access-list outbound permit esp host 10.13.32.29 host 193.38.169.63
access-list outbound permit tcp lan 255.255.254.0 any object-group Internet-Access
access-list outbound permit ah host 10.13.32.29 host 193.38.169.63
access-list outbound permit tcp Transmed 255.255.255.0 object-group jupiter-NFUSE eq www
access-list outbound permit tcp AbuDhabi 255.255.255.0 object-group jupiter-NFUSE eq www
access-list outbound permit tcp Transmed 255.255.255.0 object-group jupiter-TS-Servers-1 eq citrix-ica
access-list outbound permit udp Transmed 255.255.255.0 object-group jupiter-TS-Servers-1 eq 1604
access-list outbound permit tcp AbuDhabi 255.255.255.0 object-group jupiter-TS-Servers-1 eq citrix-ica
access-list outbound permit udp AbuDhabi 255.255.255.0 object-group jupiter-TS-Servers-1 eq 1604
access-list outbound permit tcp lan 255.255.254.0 object-group MTO-SAPR3 object-group SAPR3-TCP3200-3299
access-list outbound permit tcp Transmed 255.255.255.0 object-group MTO-SAPR3 object-group SAPR3-TCP3200-3299
access-list outbound permit tcp AbuDhabi 255.255.255.0 object-group MTO-SAPR3 object-group SAPR3-TCP3200-3299
access-list outbound permit tcp lan 255.255.254.0 host EBUYSERVER eq 8100
access-list outbound permit tcp Transmed 255.255.255.0 host EBUYSERVER eq 8100
access-list outbound permit tcp AbuDhabi 255.255.255.0 host EBUYSERVER eq 8100
access-list inbound permit udp any host 213.42.81.27 eq pcanywhere-status
access-list inbound permit tcp any host 213.42.81.27 eq pcanywhere-data
access-list inbound permit tcp any host 213.42.81.28 eq 3389
access-list inbound permit tcp any host 213.42.81.27 range 34200 34400
access-list inbound permit tcp jupiternet 255.255.248.0 object-group Site-Printers object-group LPD-Print9100
access-list inbound permit tcp jupiternet 255.255.248.0 host natjupiter-logserver eq 3389
access-list inbound permit esp host 193.38.169.63 host 213.42.81.29
access-list NAT-to-jupiter-SitePRTX1 permit ip host Siteprtx1 jupiternet 255.255.248.0
access-list NAT-to-jupiter-SitePRTX2 permit ip host Siteprtx2 jupiternet 255.255.248.0
access-list NAT-to-jupiter-SitePRTX3 permit ip host Siteprtx3 jupiternet 255.255.248.0
access-list NAT-to-jupiter permit ip lan 255.255.254.0 jupiternet 255.255.248.0
access-list NAT-to-jupiter permit ip Transmed 255.255.255.0 jupiternet 255.255.248.0
access-list NAT-to-jupiter permit ip AbuDhabi 255.255.255.0 jupiternet 255.255.248.0
access-list Site-to-jupiter-VPN permit ip natjupiter-Site-lan 255.255.255.224 jupiternet 255.255.248.0
access-list Site-to-jupiter-VPN permit ip host fw-e0 host jupiter-vpngw
access-list NAT-to-jupiter-LOGSERVER permit ip host logserver jupiternet 255.255.248.0
access-list NAT-to-jupiter-SitePRTX4 permit ip host Siteprtx4 jupiternet 255.255.248.0
access-list NAT-to-jupiter-SitePRTX5 permit ip host Siteprtx5 jupiternet 255.255.248.0
access-list NAT-to-jupiter-SitePRTX6 permit ip host Siteprtx6 jupiternet 255.255.248.0
access-list NAT-to-jupiter-SitePRTX7 permit ip host Siteprtx7 jupiternet 255.255.248.0
access-list Internet-access permit ip lan 255.255.254.0 any
access-list net28 permit ip host logserver any
access-list net27 permit ip host 10.13.32.27 any
pager lines 24
logging on
logging monitor debugging
logging trap debugging
logging history debugging
logging host inside logserver
no logging message 710005
mtu outside 1500
mtu inside 1500
ip address outside fw-e0 255.255.255.248
ip address inside fw-e1 255.255.254.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 2 192.168.252.1-192.168.252.22
global (outside) 1 interface
nat (inside) 2 access-list NAT-to-jupiter 0 0
nat (inside) 1 access-list Internet-access 0 0
static (inside,outside) natjupiter-Siteprtx1 access-list NAT-to-jupiter-SitePRTX1 0 0
static (inside,outside) natjupiter-Siteprtx2 access-list NAT-to-jupiter-SitePRTX2 0 0
static (inside,outside) natjupiter-Siteprtx3 access-list NAT-to-jupiter-SitePRTX3 0 0
static (inside,outside) natjupiter-Siteprtx4 access-list NAT-to-jupiter-SitePRTX4 0 0
static (inside,outside) natjupiter-Siteprtx5 access-list NAT-to-jupiter-SitePRTX5 0 0
static (inside,outside) natjupiter-Siteprtx6 access-list NAT-to-jupiter-SitePRTX6 0 0
static (inside,outside) natjupiter-Siteprtx7 access-list NAT-to-jupiter-SitePRTX7 0 0
static (outside,inside) jupiternet jupiternet netmask 255.255.248.0 0 0
static (inside,outside) natjupiter-logserver access-list NAT-to-jupiter-LOGSERVER 0 0
static (inside,outside) 213.42.81.28 access-list net28 0 0
static (inside,outside) 213.42.81.27 access-list net27 0 0
static (inside,outside) 213.42.81.29 10.13.32.29 netmask 255.255.255.255 0 0
access-group inbound in interface outside
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 defaultgw 1
route inside Transmed 255.255.255.0 inside-gw 1
route inside Transmed 255.255.255.0 inside-gw 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
crypto ipsec transform-set jupiter esp-3des esp-sha-hmac
crypto map BusinessPartners 50 ipsec-isakmp
crypto map BusinessPartners 50 match address Site-to-jupiter-VPN
crypto map BusinessPartners 50 set peer jupiter-vpngw
crypto map BusinessPartners 50 set transform-set jupiter
crypto map BusinessPartners interface outside
isakmp enable outside
isakmp key ******** address jupiter-vpngw netmask 255.255.255.255
isakmp identity address
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash sha
isakmp policy 50 group 2
isakmp policy 50 lifetime 14400


 
LVL 36

Expert Comment

by:grblades
ID: 12694417
How long does it take to telnet to the SMTP server with the PIX in between?
It could be an IDENT issue. With the PIX in between, if the server sends out an IDENT query the packet will be dropped, so it will take longer to connect as you have to wait until the server times out and just allows the connection anyway.
If this is the cause then it is your ISP's fault, as the server should not be using IDENT; it was only ever used on early Unix operating systems and is not used anymore, and most firewalls will block it as your PIX is doing.

I have no idea about the web issue. The PIX does not change the request in any way so it must be causing a fault with the web cache in some way.
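The delay mechanism grblades describes, reproduced as an added example (not code from the thread): a mail server that does an RFC 1413 IDENT lookup on TCP/113 before greeting the client returns quickly when the client's host answers or sends a reset, but sits on its own timeout when the query is silently dropped, which is what a firewall deny does. Everything here runs on the loopback interface; the ports, the user id and the 0.5 s timeout are constructed stand-ins, and the "dropped" case is modelled by a listener that accepts and never replies, since a true SYN drop cannot be produced on loopback without a packet filter.

```python
"""Why a silently dropped IDENT query delays an SMTP session while a reset does not.

Added example, not from the original thread. Three outcomes of the server's
RFC 1413 query are reproduced locally (all addresses/ports are constructed):
  answered : a responder replies             -> fast, session proceeds
  refused  : nothing listens, host sends RST -> fast, server gives up at once
  dropped  : query swallowed, no reply       -> server waits for its timeout
"""
import socket
import threading
import time

# Shortened for the demo; real mail servers wait far longer, which is the
# "minute or two" delay reported in the thread.
IDENT_TIMEOUT = 0.5


def _serve(handler):
    """Start a loopback listener on an ephemeral port; return (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener closed by demo()
                return
            threading.Thread(target=handler, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def _answering_handler(conn):
    """RFC 1413 responder: echo the port pair and return a (constructed) user id."""
    with conn:
        query = conn.recv(256).decode("ascii", "replace").strip()
        conn.sendall(f"{query} : USERID : UNIX : mailuser\r\n".encode("ascii"))


def _silent_handler(conn):
    """Swallow the query and never reply; the querying side has to time out."""
    with conn:
        try:
            conn.recv(256)
            time.sleep(IDENT_TIMEOUT * 4)
        except OSError:
            pass


def _refused_port():
    """Find a loopback port with no listener, so a connect gets an immediate RST."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()                    # never listened on, so nothing lingers
    return port


def ident_query(host, port, server_port, client_port, timeout=IDENT_TIMEOUT):
    """Send one RFC 1413 query "<server_port>,<client_port>" as a mail server would.

    Returns (outcome, elapsed_seconds); outcome is 'answered', 'refused',
    'closed' (peer hung up without answering) or 'timeout'.
    """
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(f"{server_port},{client_port}\r\n".encode("ascii"))
            reply = s.recv(256).decode("ascii", "replace").strip()
            outcome = "answered" if reply else "closed"
    except ConnectionRefusedError:
        outcome = "refused"
    except socket.timeout:
        outcome = "timeout"
    return outcome, time.monotonic() - start


def demo():
    """Run the three cases against local stand-ins; return {case: (outcome, seconds)}."""
    answering, port_a = _serve(_answering_handler)
    silent, port_s = _serve(_silent_handler)
    try:
        return {
            "answered": ident_query("127.0.0.1", port_a, 25, 51234),
            "refused": ident_query("127.0.0.1", _refused_port(), 25, 51234),
            "dropped": ident_query("127.0.0.1", port_s, 25, 51234),
        }
    finally:
        answering.close()
        silent.close()


if __name__ == "__main__":
    for case, (outcome, secs) in demo().items():
        print(f"{case:9s} -> {outcome:9s} after {secs:.2f}s")
```

The "refused" case is the behaviour grblades later suggests producing on purpose (a reset back to the mail server): the querying server learns immediately that no IDENT service exists and moves on, whereas the "dropped" case costs the full timeout on every SMTP connection, which matches the symptom of slow but eventually successful sends.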
 

Author Comment

by:Avinash75
ID: 12715235
I was thinking along the same line that ident could be the issue; however isn't there a way I can allow ident to come back in through the firewall so that I can get rid of that time delay? It normally takes around a minute or two before the telnet comes up with the response screen.

I am more interested in the SMTP anyway, so even if there's not much help on the web issue I can give away my points.
 
LVL 36

Expert Comment

by:grblades
ID: 12718763
You could try redirecting the IDENT to an internal machine so it sends back a reset packet and see if that helps. If it does then complain to your ISP and get them to fix their mail server.
 

Author Comment

by:Avinash75
ID: 12747150
I have tried the service resetoutside and service resetinbound commands on the PIX but still the delay is there.
 
LVL 36

Accepted Solution

by:grblades (earned 250 total points)
ID: 12747518
Try the telnet connection again but this time after trying the telnet log into the pix and type 'show log' and it should display a log of it building the connection and any packets it has denied. This might give you a clue to what is causing the problem.

You could also try connecting the Internet connection, PIX and a PC with a network analyser software program running into a HUB and getting the PC to capture all the traffic. You can do this when using the PIX and without and then compare the traffic.
Ethereal (www.ethereal.com) is a good free network analyser.
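As an added example (not part of the thread), a script that reads the kind of 'show log' output grblades refers to and flags SMTP sessions during which the firewall denied an inbound IDENT (TCP/113) query from the mail server back to the client's translated address. The message formats are the standard PIX syslog ones (302013 build, 302014 teardown, 106001 inbound deny); the log lines themselves are constructed, with 213.42.81.26 taken from the posted config as the outside interface address, 10.13.32.50 as a made-up inside client and 203.0.113.25 standing in for the ISP's mail server.

```python
"""Correlate denied inbound IDENT queries with open SMTP sessions in PIX syslog.

Added example, not from the original thread. The sample lines are constructed;
only the outside interface address 213.42.81.26 comes from the posted config.
Without 'logging timestamp' the buffer has no clock, so position in the log is
used as the ordering: a deny counts against a session only if it falls between
that session's build and teardown messages.
"""
import re

SAMPLE_LOG = """\
%PIX-6-302013: Built outbound TCP connection 4711 for outside:203.0.113.25/25 (203.0.113.25/25) to inside:10.13.32.50/3421 (213.42.81.26/3421)
%PIX-2-106001: Inbound TCP connection denied from 203.0.113.25/40122 to 213.42.81.26/113 flags SYN  on interface outside
%PIX-6-302013: Built outbound TCP connection 4712 for outside:203.0.113.25/110 (203.0.113.25/110) to inside:10.13.32.50/3422 (213.42.81.26/3422)
%PIX-6-302014: Teardown TCP connection 4712 for outside:203.0.113.25/110 to inside:10.13.32.50/3422 duration 0:00:01 bytes 512 TCP FINs
%PIX-6-302014: Teardown TCP connection 4711 for outside:203.0.113.25/25 to inside:10.13.32.50/3421 duration 0:01:34 bytes 1342 TCP FINs
""".splitlines()

BUILD = re.compile(
    r"%PIX-6-302013: Built (?:inbound|outbound) TCP connection (?P<conn>\d+) for "
    r"(?P<oif>\w+):(?P<oip>[\d.]+)/(?P<oport>\d+) \([\d.]+/\d+\) to "
    r"(?P<iif>\w+):(?P<iip>[\d.]+)/(?P<iport>\d+) \((?P<mip>[\d.]+)/(?P<mport>\d+)\)"
)
TEARDOWN = re.compile(
    r"%PIX-6-302014: Teardown TCP connection (?P<conn>\d+) for .*? duration "
    r"(?P<h>\d+):(?P<m>\d+):(?P<s>\d+) bytes (?P<bytes>\d+)"
)
DENY = re.compile(
    r"%PIX-2-106001: Inbound TCP connection denied from (?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dip>[\d.]+)/(?P<dport>\d+) flags (?P<flags>.+?) +on interface (?P<iface>\w+)"
)


def parse(lines):
    """Split log lines into connections (keyed by id) and denied inbound packets."""
    conns, denies = {}, []
    for idx, line in enumerate(lines):
        if m := BUILD.search(line):
            conns[m["conn"]] = {
                "conn": int(m["conn"]),
                "server": m["oip"], "server_port": int(m["oport"]),
                "client": m["iip"], "client_port": int(m["iport"]),
                "mapped": m["mip"], "mapped_port": int(m["mport"]),
                "opened_at": idx, "closed_at": None, "duration_s": None,
            }
        elif m := TEARDOWN.search(line):
            if m["conn"] in conns:
                c = conns[m["conn"]]
                c["closed_at"] = idx
                c["duration_s"] = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
        elif m := DENY.search(line):
            denies.append({"at": idx, "sip": m["sip"], "dip": m["dip"],
                           "dport": int(m["dport"]), "flags": m["flags"].strip(),
                           "iface": m["iface"]})
    return conns, denies


def analyse(lines, smtp_port=25, ident_port=113):
    """Return the sessions to smtp_port, each flagged if the server's IDENT query
    back to the session's mapped (outside) address was denied while it was open."""
    conns, denies = parse(lines)
    report = []
    for c in sorted(conns.values(), key=lambda c: c["conn"]):
        if c["server_port"] != smtp_port:
            continue
        end = c["closed_at"] if c["closed_at"] is not None else len(lines)
        c["ident_denied"] = any(
            d["sip"] == c["server"] and d["dip"] == c["mapped"]
            and d["dport"] == ident_port and c["opened_at"] < d["at"] < end
            for d in denies
        )
        report.append(c)
    return report


if __name__ == "__main__":
    for c in analyse(SAMPLE_LOG):
        verdict = "IDENT query denied while open" if c["ident_denied"] else "no IDENT involved"
        print(f"conn {c['conn']}: {c['client']} -> {c['server']}:{c['server_port']} "
              f"lasted {c['duration_s']}s, {verdict}")
```

The posted config already sends debugging-level syslog to the inside logserver (logging trap debugging, logging host inside logserver), so the same messages can be pulled from there instead of the PIX buffer. In the sample, the SMTP session (connection 4711) is flagged and lasted 94 s while the POP session (4712, checked by calling analyse with smtp_port=110) is not flagged and lasted 1 s, which is the pattern the thread reports: POP fine, SMTP slow.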
 

Author Comment

by:Avinash75
ID: 12763212
Thanks for your effort.

I contacted the ISP and they told me that they cannot change anything for me, hence finally decided to use an SMTP server locally, which seems to be perfectly OK and running fine.


By the way I also found that Postfix has some issues where, if the server configuration is not right, it goes on trying to resolve the name of the initiating client through a long process.

Here is the link to the Postfix FAQ:

http://www.postfix.org/faq.html#delay

However since you have put some effort and also made me think about alternatives I would accept the answer and give away the points. Thanks a lot mate.
