PIX 501 and SMTP issues

Avinash75 (ASKER) asked:

Hi

I have a PIX 501 running split tunnelling to create a VPN and also allow the users inside of the firewall to access the internet.

There are two issues which I'm looking at currently:
1. SMTP - faced issues where users were receiving mails multiple times; removed the fixup for SMTP and hopefully that would solve my issue.

Now the users are using MS Outlook to access an SMTP server hosted outside of the firewall; users can receive mail but not send mails, as SMTP times out with error 0x800CCC79.

I have been to the following URL http://support.microsoft.com/default.aspx?scid=kb;en-us;Q320027&gssnb=1 which points this error out to the Mailguard.

However, even after removing the fixup from the PIX and reloading to ensure the xlate is cleared, I still cannot make it work.

I doubt it is the PIX, as the same user can access the mail in MS Outlook on dialup to the internet (applied latest Windows SP and Office 2000 SP).

Also, surprisingly, the SMTP mails can be accessed using the Lotus Notes client.

2. An intranet web server has Business Objects loaded on it, and on accessing it and running some reports a number of redirects are run.

However, what happens is that after running a few reports a previously opened report is opened again. This looks like some sort of caching which is causing this; will removing the fixup for HTTP 80 solve this issue?
grblades

Hi Avinash75,
What are your questions?
Avinash75 (ASKER)

Hi

Has anyone faced this issue, and is there some way we can resolve the SMTP issue and also the HTTP issue listed in my query above?

grblades

It is difficult to follow what you have actually tried so far. Have you removed the fixup by entering 'no fixup protocol smtp 25'?
This should cure your mail sending problems. You don't say where your users are connecting from, where the mail server is located and what type of mail server it is.

The PIX does not cache pages. Are you using a proxy server internally?

If you paste a copy of the PIX configuration I will have a look at it.
Avinash75 (ASKER)

Hi

As I had mentioned in my initial post, yes I did do the 'no fixup protocol smtp 25'. However, if you see my initial post, I had tested whether the Mailguard was the issue for this using the Microsoft KB document (FYI here is the link --> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q320027&gssnb=1 ); it doesn't look like the Mailguard is the issue.

Still, I did use the no fixup command just to be sure.

The clients are on the inside of the PIX and the mail server is hosted by the ISP and is outside of the PIX.

I have tried telnetting to the SMTP server both from the internet without the PIX in the picture and with the PIX in the picture; the telnet directly without the PIX is much faster than the one with the PIX in between.

Although the telnet to the POP server with the PIX in between is ok.

I have tried using the same PCs for SMTP mail access without the PIX in the picture and it works perfectly ok without any issues.

As I said, I tried using the Lotus Notes client and it works too; however, using MS Outlook causes this issue.

At present it's working but very slow for outgoing mails.



Now for HTTP:
No proxies in the internal network, though as is the policy in the Middle East any internet traffic going out of the Middle East goes through a proxy.
However, the issue is that when I tried to access the page I mentioned above, which basically runs a number of redirects, it randomly opens sometimes a previously accessed page.

The same situation is not occurring when I access the URL without the PIX in the picture, so it doesn't look like a proxy issue,

and a lot of things point to something in the PIX causing this issue.

Here is the config as requested by you:
PIX Version 6.3(3)
interface ethernet0 10baset
interface ethernet1 10baset
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.13.32.0 lan
name 10.13.32.10 fw-e1
name 10.13.32.65 logserver
name 213.42.81.26 fw-e0
name 213.42.81.25 defaultgw
name 10.13.32.140 Siteprtx1
name 10.13.32.142 Siteprtx2
name 10.13.32.171 Siteprtx3
name 192.168.252.0 natjupiter-Site-lan
name 192.168.252.28 natjupiter-Siteprtx1
name 192.168.252.29 natjupiter-Siteprtx2
name 192.168.252.30 natjupiter-Siteprtx3
name 192.168.32.0 jupiternet
name 192.168.35.24 exdsn1
name 192.168.34.134 mtonts37
name 192.168.34.135 mtonts38
name 192.168.34.39 mtonts91
name 192.168.35.96 mtots01
name 192.168.32.29 nfuse-eu
name 192.168.34.129 nfuse-na
name 192.168.252.27 natjupiter-logserver
name 192.168.1.10 Siteprtx4
name 192.168.1.11 Siteprtx5
name 192.168.0.10 Siteprtx6
name 192.168.0.11 Siteprtx7
name 192.168.252.25 natjupiter-Siteprtx4
name 192.168.252.26 natjupiter-Siteprtx5
name 192.168.252.23 natjupiter-Siteprtx6
name 192.168.252.24 natjupiter-Siteprtx7
name 10.13.32.120 inside-gw
name 193.38.167.20 jupiter-vpngw
name 192.168.0.0 Transmed
name 192.168.35.90 EBUYSERVER
name 192.168.1.0 AbuDhabi
name 192.168.34.42 mto-sapaep
name 192.168.35.146 mto-mou106
name 192.168.35.147 mto-mou049sg
name 192.168.35.121 mto-mou043
object-group network jupiter-NFUSE
  description jupiter Nfuse portals
  network-object host nfuse-eu
  network-object host nfuse-na
object-group network jupiter-TS-Servers-1
  description jupiter Citrix Terminal servers
  network-object host mtonts37
  network-object host mtonts38
  network-object host mtonts91
  network-object host mtots01
object-group network Site-Printers
  description Site Printers
  network-object host natjupiter-Siteprtx1
  network-object host natjupiter-Siteprtx2
  network-object host natjupiter-Siteprtx3
  network-object host natjupiter-Siteprtx4
  network-object host natjupiter-Siteprtx5
  network-object host natjupiter-Siteprtx6
  network-object host natjupiter-Siteprtx7
object-group service LPD-Print9100 tcp
  port-object eq lpd
  port-object eq 9100
object-group service Internet-Access tcp
  port-object eq www
  port-object eq 8080
object-group network MTO-SAPR3
  description MTO SAPR3 AEP AEB BEP BEB
  network-object host mto-sapaep
  network-object host mto-mou106
  network-object host mto-mou049sg
  network-object host mto-mou043
object-group service SAPR3-TCP3200-3299 tcp
  port-object eq 3200
  port-object eq 3299
access-list outbound permit tcp lan 255.255.254.0 any eq https
access-list outbound permit tcp lan 255.255.254.0 any eq ftp
access-list outbound permit tcp lan 255.255.254.0 any eq domain
access-list outbound permit udp lan 255.255.254.0 any eq domain
access-list outbound permit tcp lan 255.255.254.0 any eq pop3
access-list outbound permit tcp lan 255.255.254.0 any eq smtp
access-list outbound deny tcp host logserver any eq 8080
access-list outbound permit tcp lan 255.255.254.0 any eq 2478
access-list outbound permit udp lan 255.255.254.0 any eq isakmp
access-list outbound permit tcp host 10.13.32.29 any eq 34200
access-list outbound deny tcp host 10.13.32.145 any eq 8080
access-list outbound permit tcp lan 255.255.254.0 any eq lotusnotes
access-list outbound permit tcp host 10.13.32.27 any range 34200 34400
access-list outbound permit tcp lan 255.255.254.0 object-group jupiter-TS-Servers-1 eq citrix-ica
access-list outbound permit udp lan 255.255.254.0 object-group jupiter-TS-Servers-1 eq 1604
access-list outbound permit tcp lan 255.255.254.0 object-group jupiter-NFUSE eq www
access-list outbound permit tcp lan 255.255.254.0 host exdsn1 eq lotusnotes
access-list outbound permit esp host 10.13.32.29 host 193.38.169.63
access-list outbound permit tcp lan 255.255.254.0 any object-group Internet-Access
access-list outbound permit ah host 10.13.32.29 host 193.38.169.63
access-list outbound permit tcp Transmed 255.255.255.0 object-group jupiter-NFUSE eq www
access-list outbound permit tcp AbuDhabi 255.255.255.0 object-group jupiter-NFUSE eq www
access-list outbound permit tcp Transmed 255.255.255.0 object-group jupiter-TS-Servers-1 eq citrix-ica
access-list outbound permit udp Transmed 255.255.255.0 object-group jupiter-TS-Servers-1 eq 1604
access-list outbound permit tcp AbuDhabi 255.255.255.0 object-group jupiter-TS-Servers-1 eq citrix-ica
access-list outbound permit udp AbuDhabi 255.255.255.0 object-group jupiter-TS-Servers-1 eq 1604
access-list outbound permit tcp lan 255.255.254.0 object-group MTO-SAPR3 object-group SAPR3-TCP3200-3299
access-list outbound permit tcp Transmed 255.255.255.0 object-group MTO-SAPR3 object-group SAPR3-TCP3200-3299
access-list outbound permit tcp AbuDhabi 255.255.255.0 object-group MTO-SAPR3 object-group SAPR3-TCP3200-3299
access-list outbound permit tcp lan 255.255.254.0 host EBUYSERVER eq 8100
access-list outbound permit tcp Transmed 255.255.255.0 host EBUYSERVER eq 8100
access-list outbound permit tcp AbuDhabi 255.255.255.0 host EBUYSERVER eq 8100
access-list inbound permit udp any host 213.42.81.27 eq pcanywhere-status
access-list inbound permit tcp any host 213.42.81.27 eq pcanywhere-data
access-list inbound permit tcp any host 213.42.81.28 eq 3389
access-list inbound permit tcp any host 213.42.81.27 range 34200 34400
access-list inbound permit tcp jupiternet 255.255.248.0 object-group Site-Printers object-group LPD-Print9100
access-list inbound permit tcp jupiternet 255.255.248.0 host natjupiter-logserver eq 3389
access-list inbound permit esp host 193.38.169.63 host 213.42.81.29
access-list NAT-to-jupiter-SitePRTX1 permit ip host Siteprtx1 jupiternet 255.255.248.0
access-list NAT-to-jupiter-SitePRTX2 permit ip host Siteprtx2 jupiternet 255.255.248.0
access-list NAT-to-jupiter-SitePRTX3 permit ip host Siteprtx3 jupiternet 255.255.248.0
access-list NAT-to-jupiter permit ip lan 255.255.254.0 jupiternet 255.255.248.0
access-list NAT-to-jupiter permit ip Transmed 255.255.255.0 jupiternet 255.255.248.0
access-list NAT-to-jupiter permit ip AbuDhabi 255.255.255.0 jupiternet 255.255.248.0
access-list Site-to-jupiter-VPN permit ip natjupiter-Site-lan 255.255.255.224 jupiternet 255.255.248.0
access-list Site-to-jupiter-VPN permit ip host fw-e0 host jupiter-vpngw
access-list NAT-to-jupiter-LOGSERVER permit ip host logserver jupiternet 255.255.248.0
access-list NAT-to-jupiter-SitePRTX4 permit ip host Siteprtx4 jupiternet 255.255.248.0
access-list NAT-to-jupiter-SitePRTX5 permit ip host Siteprtx5 jupiternet 255.255.248.0
access-list NAT-to-jupiter-SitePRTX6 permit ip host Siteprtx6 jupiternet 255.255.248.0
access-list NAT-to-jupiter-SitePRTX7 permit ip host Siteprtx7 jupiternet 255.255.248.0
access-list Internet-access permit ip lan 255.255.254.0 any
access-list net28 permit ip host logserver any
access-list net27 permit ip host 10.13.32.27 any
pager lines 24
logging on
logging monitor debugging
logging trap debugging
logging history debugging
logging host inside logserver
no logging message 710005
mtu outside 1500
mtu inside 1500
ip address outside fw-e0 255.255.255.248
ip address inside fw-e1 255.255.254.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 2 192.168.252.1-192.168.252.22
global (outside) 1 interface
nat (inside) 2 access-list NAT-to-jupiter 0 0
nat (inside) 1 access-list Internet-access 0 0
static (inside,outside) natjupiter-Siteprtx1 access-list NAT-to-jupiter-SitePRTX1 0 0
static (inside,outside) natjupiter-Siteprtx2 access-list NAT-to-jupiter-SitePRTX2 0 0
static (inside,outside) natjupiter-Siteprtx3 access-list NAT-to-jupiter-SitePRTX3 0 0
static (inside,outside) natjupiter-Siteprtx4 access-list NAT-to-jupiter-SitePRTX4 0 0
static (inside,outside) natjupiter-Siteprtx5 access-list NAT-to-jupiter-SitePRTX5 0 0
static (inside,outside) natjupiter-Siteprtx6 access-list NAT-to-jupiter-SitePRTX6 0 0
static (inside,outside) natjupiter-Siteprtx7 access-list NAT-to-jupiter-SitePRTX7 0 0
static (outside,inside) jupiternet jupiternet netmask 255.255.248.0 0 0
static (inside,outside) natjupiter-logserver access-list NAT-to-jupiter-LOGSERVER 0 0
static (inside,outside) 213.42.81.28 access-list net28 0 0
static (inside,outside) 213.42.81.27 access-list net27 0 0
static (inside,outside) 213.42.81.29 10.13.32.29 netmask 255.255.255.255 0 0
access-group inbound in interface outside
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 defaultgw 1
route inside Transmed 255.255.255.0 inside-gw 1
route inside Transmed 255.255.255.0 inside-gw 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
crypto ipsec transform-set jupiter esp-3des esp-sha-hmac
crypto map BusinessPartners 50 ipsec-isakmp
crypto map BusinessPartners 50 match address Site-to-jupiter-VPN
crypto map BusinessPartners 50 set peer jupiter-vpngw
crypto map BusinessPartners 50 set transform-set jupiter
crypto map BusinessPartners interface outside
isakmp enable outside
isakmp key ******** address jupiter-vpngw netmask 255.255.255.255
isakmp identity address
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash sha
isakmp policy 50 group 2
isakmp policy 50 lifetime 14400
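
An added example, not part of the thread and not a Cisco tool: a short review pass over the configuration posted above, written as Python over a constructed excerpt of that config (the lines are copied from it). The checks are my own list of what a reviewer would ask about in this config: which fixups are disabled (for smtp that is the Mailguard, removed on purpose in this thread), which services the 'inbound' ACL opens to any source address, the SNMP community string, and duplicated lines such as the repeated 'route inside Transmed' entry.

```python
"""Added example (not from the thread, not Cisco tooling): a small review pass over
the PIX 6.3 configuration posted above. PIX_CONFIG_EXCERPT is a constructed subset
of that config; the checks are a reviewer's list, not an official audit."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed excerpt: lines copied from the posted configuration.
PIX_CONFIG_EXCERPT = """\
PIX Version 6.3(3)
no fixup protocol http 80
no fixup protocol smtp 25
fixup protocol ftp 21
access-list outbound permit tcp lan 255.255.254.0 any eq smtp
access-list inbound permit udp any host 213.42.81.27 eq pcanywhere-status
access-list inbound permit tcp any host 213.42.81.27 eq pcanywhere-data
access-list inbound permit tcp any host 213.42.81.28 eq 3389
access-list inbound permit tcp any host 213.42.81.27 range 34200 34400
access-list inbound permit tcp jupiternet 255.255.248.0 host natjupiter-logserver eq 3389
logging trap debugging
route inside Transmed 255.255.255.0 inside-gw 1
route inside Transmed 255.255.255.0 inside-gw 1
snmp-server community public
no snmp-server enable traps
"""

# Default / guessable SNMP community strings a reviewer flags on sight.
WEAK_COMMUNITIES = {"public", "private"}


def config_lines(config: str) -> List[str]:
    """Non-empty, stripped lines ('show config' output carries no comments)."""
    return [ln.strip() for ln in config.splitlines() if ln.strip()]


def disabled_fixups(lines: List[str]) -> List[str]:
    """Protocol inspections switched off with 'no fixup protocol X ...'.
    'smtp' here means the Mailguard is disabled, which the thread did on purpose;
    it still belongs in the change record because the PIX no longer filters SMTP verbs."""
    found = []
    for ln in lines:
        m = re.match(r"no fixup protocol (\S+)", ln)
        if m:
            found.append(m.group(1))
    return found


# ACL entry whose source is 'any' and whose destination is a single host with a port spec.
_ANY_SOURCE_ENTRY = re.compile(
    r"^access-list (\S+) permit (tcp|udp) any host (\S+) (eq \S+|range \S+ \S+)$")


def world_reachable_services(lines: List[str], acl: str = "inbound") -> List[Tuple[str, str, str]]:
    """Entries in the named ACL (applied on the outside interface) that permit any
    source address: services reachable from the whole internet.
    Returns (protocol, destination, port spec) per entry."""
    found = []
    for ln in lines:
        m = _ANY_SOURCE_ENTRY.match(ln)
        if m and m.group(1) == acl:
            found.append((m.group(2), m.group(3), m.group(4)))
    return found


def weak_snmp_communities(lines: List[str]) -> List[str]:
    """Community strings that are defaults or otherwise guessable."""
    found = []
    for ln in lines:
        m = re.match(r"snmp-server community (\S+)", ln)
        if m and m.group(1).lower() in WEAK_COMMUNITIES:
            found.append(m.group(1))
    return found


def duplicate_lines(lines: List[str]) -> List[str]:
    """Lines that appear more than once, in first-seen order. A repeated route entry
    usually means a paste error or a second route that was meant for another network."""
    counts = Counter(lines)
    seen, dups = set(), []
    for ln in lines:
        if counts[ln] > 1 and ln not in seen:
            seen.add(ln)
            dups.append(ln)
    return dups


def audit(config: str) -> Dict[str, list]:
    """Run every check and return the findings keyed by check name."""
    lines = config_lines(config)
    return {
        "disabled_fixups": disabled_fixups(lines),
        "world_reachable": world_reachable_services(lines),
        "weak_snmp": weak_snmp_communities(lines),
        "duplicates": duplicate_lines(lines),
    }


if __name__ == "__main__":
    for check, items in audit(PIX_CONFIG_EXCERPT).items():
        print(f"{check}:")
        for item in items:
            print("   ", item)
```

A flag is not a verdict: 'no fixup protocol smtp 25' is the deliberate change under discussion, whereas the 'public' community string and the pcAnywhere and 3389 entries open to any source are the lines a reviewer would ask about first.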

grblades

How long does it take to telnet to the SMTP server with the PIX in between?
It could be an IDENT issue. With the PIX in between, if the server sends out an IDENT query the packet will be dropped, so it will take longer to connect as you have to wait until the server times out and just allows the connection anyway.
If this is the cause then it is your ISP's fault, as the server should not be using IDENT; it was only ever used on early Unix operating systems and is not used anymore, and most firewalls will block it as your PIX is doing.

I have no idea about the web issue. The PIX does not change the request in any way, so it must be causing a fault with the web cache in some way.
Avinash75 (ASKER)

I was thinking along the same lines, that IDENT could be the issue. However, isn't there a way I can allow IDENT to come back in through the firewall so that I can get rid of that time delay? It normally takes around a minute or two before the telnet comes up with the response screen.

I am more interested in the SMTP anyway, so even if there is not much help on the web issue I can give away my points.
grblades

You could try redirecting the IDENT to an internal machine so it sends back a reset packet and see if that helps. If it does then complain to your ISP and get them to fix their mail server.
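
The IDENT delay grblades describes above, and the reset-packet fix he suggests, reproduced as an added example (my code, not from the thread or from Cisco): a mock SMTP server on localhost does an RFC 1413 lookup on each client before sending its 220 banner, and the client times how long 'telnet server 25' would sit waiting. Assumptions of mine: the ident port is an unprivileged port rather than 113 so the script runs without root; a firewall that silently drops the query is modelled as a listener that completes the TCP handshake but never answers, which costs the server the same timeout a dropped SYN would; and the timeout is 1 second instead of the minute or two reported in the thread.

```python
"""Added example (not from the thread): reproduce the IDENT (RFC 1413) delay on a
mail server that does an identity lookup before greeting the client.

Assumptions (mine): ident runs on a random high port instead of 113; a firewall
dropping the query is modelled as a listener that never answers; 1 s timeout."""
import socket
import threading
import time

IDENT_TIMEOUT = 1.0  # a real server may wait far longer; the thread saw one to two minutes


def ident_lookup(client_ip, client_port, server_port, ident_port, timeout=IDENT_TIMEOUT):
    """Ask the client's identd who owns the connection (RFC 1413 query is
    '<port on the client>, <port on this server>'). Returns the reply, or
    'refused' when an RST came back, or 'timeout' when nothing ever answered."""
    try:
        with socket.create_connection((client_ip, ident_port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(f"{client_port}, {server_port}\r\n".encode())
            return s.recv(256).decode(errors="replace").strip() or "empty"
    except ConnectionRefusedError:
        return "refused"        # fast: the client host (or a redirect target) sent RST
    except socket.timeout:
        return "timeout"        # slow: query silently dropped, server waits the full timeout


def start_mock_smtp_server(ident_port):
    """Mock ISP mail server on 127.0.0.1: on each connection do the IDENT lookup first,
    then send the 220 banner, which is exactly when the user's telnet screen appears."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_one():
        conn, (cip, cport) = srv.accept()
        with conn:
            result = ident_lookup(cip, cport, port, ident_port)
            conn.sendall(f"220 mock.isp.example ESMTP (ident: {result})\r\n".encode())
        srv.close()

    threading.Thread(target=serve_one, daemon=True).start()
    return port


def smtp_banner_delay(smtp_port):
    """Connect like 'telnet server 25' and time how long the banner takes to arrive."""
    t0 = time.monotonic()
    with socket.create_connection(("127.0.0.1", smtp_port), timeout=10) as c:
        banner = c.recv(256).decode().strip()
    return banner, time.monotonic() - t0


def unused_port():
    """A port with nothing listening: the kernel answers the IDENT SYN with RST,
    which is what redirecting IDENT to a host that refuses it achieves."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def start_silent_ident_listener():
    """Model of the firewall dropping the query: the handshake completes (backlog),
    but nobody ever accept()s or replies, so the server's recv() runs to its timeout."""
    lst = socket.socket()
    lst.bind(("127.0.0.1", 0))
    lst.listen(5)
    return lst, lst.getsockname()[1]


def scenario(ident_port):
    return smtp_banner_delay(start_mock_smtp_server(ident_port))


def demo():
    """Both cases; returns {'rst': (banner, seconds), 'drop': (banner, seconds)}."""
    results = {"rst": scenario(unused_port())}
    lst, port = start_silent_ident_listener()
    try:
        results["drop"] = scenario(port)
    finally:
        lst.close()
    return results


if __name__ == "__main__":
    for name, (banner, secs) in demo().items():
        print(f"{name:5s} {secs:5.2f}s  {banner}")
```

The 'drop' case is the asker's symptom: the banner only appears once the server gives up on IDENT. The 'rst' case is the suggested workaround: a reset makes the lookup fail immediately, so the banner is instant. Either way the fix belongs on the mail server (stop doing IDENT lookups), not on the client.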
Avinash75 (ASKER)

I have tried the service resetoutside and service resetinbound commands on the PIX but still the delay is there.
ASKER CERTIFIED SOLUTION
grblades

This solution is only available to members.
Avinash75 (ASKER)

Thanks for your effort.

I contacted the ISP and they told me that they cannot change anything for me, hence I finally decided to use an SMTP server locally, which seems to be perfectly ok and running fine.


By the way, I also found that Postfix has some issues where, if the server configuration is not right, it goes on to try to resolve the name of the initiating client through a long process.

Here is the link to the Postfix FAQ:

http://www.postfix.org/faq.html#delay

However, since you have put in some effort and also made me think of alternatives, I will accept the answer and give away the points. Thanks a lot mate.