Solved

PIX & SMTP Forwarding problem

Posted on 2004-11-29
Last Modified: 2010-05-18
Ok - For a somewhat PIX newbie.  What am I missing in this config?  I'm trying to set this up for all incoming SMTP traffic on our ext. interface to be passed to an internal Exchange box.  Everything seems to be working fine except the smtp forwarding.

Thanks for your help!

Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password /ZqTMRCPLAHK8hzh encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname DUMMY-FP-PIX
domain-name DUMMY.ORG
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
no fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.0.1.33 EXCHANGE
access-list outside-in permit tcp any host EXCHANGE eq smtp
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 12.0.0.6 255.255.255.252
ip address inside 10.0.1.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location EXCHANGE 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.0.1.0 255.255.255.0 0 0
nat (inside) 1 10.0.2.0 255.255.255.0 0 0
static (inside,outside) tcp interface smtp EXCHANGE smtp netmask 255.255.255.255 0 0
access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 216.163.70.5 1
route inside 10.0.2.0 255.255.255.0 10.0.1.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:f9944b1e94b3834c06e0976f78f3ebbc
: end
[OK]
Question by: deathandgravity
Accepted Solution by: lrmoore (earned 500 total points)
ID: 12699813
For Exchange, you have to disable the mailguard (fixup)
   no fixup protocol smtp 25
  ^^
Next, you need to modify the access-list:
  access-list outside-in permit tcp any host EXCHANGE eq smtp
Should be:
  no access-list outside-in permit tcp any host EXCHANGE eq smtp
  access-list outside-in permit tcp any interface outside eq smtp
and re-apply the acl any time you make changes to it:
  access-group outside-in in interface outside

Expert Comment by: Blackduke77
ID: 12701641
I would also remove
static (inside,outside) tcp interface smtp EXCHANGE smtp netmask 255.255.255.255 0 0

and put in
static (inside,outside) 172.16.44.0 172.16.44.0 netmask 255.255.254.0 (modify it to suit your needs)

See config below; mine works fine.

PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto
interface ethernet2 vlan1 physical
interface ethernet2 vlan2 logical
interface ethernet2 vlan3 logical
interface ethernet2 vlan4 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif vlan2 edi security40
nameif vlan3 cvpn security60
nameif vlan4 dmz_vlan security55

hostname xxxPIX
domain-name wrt
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 172.16.xx.xx wffexch


access-list outside_access_in permit tcp any host xxx.xxx.30.x eq www
access-list outside_access_in permit tcp any host xxx.xxx.30.x eq smtp
access-list outside_access_in permit tcp any host xxx.xxx.30.x eq https
access-list outside_access_in permit tcp any host xxx.xxx.30.x eq imap4
access-list outside_access_in permit tcp any host xxx.xxx.30.x eq pop3
access-list dmz_vlan_access_out permit tcp host wffexch any eq www
access-list dmz_vlan_access_out permit tcp host wffexch any eq https
access-list dmz_vlan_access_out permit tcp host wffexch any eq domain
access-list dmz_vlan_access_out permit udp host wffexch any eq domain
pager lines 24
logging on
logging timestamp
logging standby
logging trap warnings
logging host inside 172.16.xx.xx
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside xxx.xxx.30.xxx 255.255.255.0
ip address inside 172.16.xx.xx 255.255.254.0
ip address dmz_vlan 172.16.xx.xx 255.255.254.0
ip audit info action alarm
ip audit attack action alarm

pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (dmz_vlan) 10 0.0.0.0 0.0.0.0 0 0


static (dmz_vlan,outside) xxx.xxx.30.x wffms02 netmask 255.255.255.255 0

access-group outside_access_in in interface outside

access-group dmz_vlan_access_out in interface dmz_vlan

"set the routes "


route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1

Expert Comment by: Blackduke77
ID: 12701650
I think it is your static from smtp to smtp; if you change it to from any to smtp I think it will work.

static (inside,outside) tcp interface any EXCHANGE smtp netmask 255.255.255.255 0 0

Yep, think that will do it.

Expert Comment by: lrmoore
ID: 12706028
deathandgravity, please do not do what Blackduke77 suggests, especially not the last post.

Expert Comment by: Blackduke77
ID: 12706954
Please comment as to why, as a CCIE set mine up!!!

Expert Comment by: Blackduke77
ID: 12706987
The only thing different from what you have said is the fixup, which is a good thing to have as it tells the PIX how SMTP should act and drops the connection if it goes beyond the scope of the fixup. Instead of saying noooo don't do it, it would be helpful to explain why. I await your response.

Expert Comment by: lrmoore
ID: 12707042
In your last post:
>static (inside,outside) tcp interface any EXCHANGE smtp netmask 255.255.255.255 0 0
                                                    ^^^ BAD!!!
You CANNOT port-forward "any" port to an inside specific port like smtp.
This is saying that EVERY packet coming into the PIX on EVERY Port will get forwarded to Port 25 of the Exchange server. If the PIX would even allow you to do that, it would KILL the Exchange server, as well as kill all other internet traffic in/out of the PIX

In your first post, you suggested:
> I would also remove  
>   static (inside,outside) tcp interface smtp EXCHANGE smtp netmask 255.255.255.255 0 0
This command is EXACTLY CORRECT AS IS. DO NOT CHANGE IT!

>and put in
>  static (inside,outside) 172.16.44.0 172.16.44.0 netmask 255.255.254.0 (modify it to suit your needs)
This makes absolutely no sense. You are bypassing all NAT for the inside network of 172.16.44.x. Why on earth would deathandgravity want to do this just to setup SMTP port-forwarding?

Expert Comment by: lrmoore
ID: 12707074
Additionally, when using Microsoft Exchange, you must disable the fixup smtp. There is no option to leave it on. Exchange uses ESMTP commands that the fixup will not permit. Therefore, inbound email will be rejected because the fixup will not allow the ESMTP commands through. Perhaps in some future version of PIX OS, the fixup will understand and allow the ESMTP commands. This is also true for Lotus Notes users.

Expert Comment by: Blackduke77
ID: 12707131
You are correct it would forward the packet; however, it is controlled by the access list, as per my working config. His problem is SMTP does not work; to fix my problem with SMTP receiving I had to accept from any to SMTP as I suggested, and lock it down with the ACL. The static is only a mapping, not an ACL.

If a packet comes in on this IP, send to this IP and the ACL filters further; however, it is good practise to also use the static as an ACL, but this is not always possible.

So I recommend that he at least try my suggestion (he can always remove it).

Love Black

Expert Comment by: Blackduke77
ID: 12707167
This is what I do not understand, lrmoore: I use Exchange 2003, in fact I have three of them, and as per my above config I use the fixup and it does work, I promise.

Expert Comment by: lrmoore
ID: 12707275
You are correct in that access is controlled by the ACL, but it is the ACL and not the static that must allow "any" to port 25, as in:
Correct:
   access-list outside-in permit tcp any host EXCHANGE eq smtp
  static (inside,outside) tcp interface smtp EXCHANGE smtp netmask 255.255.255.255 0 0

NOT Correct:
     access-list outside-in permit tcp any smtp host EXCHANGE eq smtp
                                                          ^^
    static (inside,outside) tcp interface any EXCHANGE smtp netmask 255.255.255.255 0 0
                                                      ^^

Question on the Exchange: Do you have anti-relay features of Exchange enabled? I believe that this is where the fixup will break the inbound. It may also be a change to Exchange 2003 that is different from previous versions of Exchange. I'm not an Exchange guru by any means, and have not had the opportunity to work with 2003 and PIX together.
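As an added check that is not code from this thread or from Cisco, the small Python linter below applies the three rules stated in the accepted solution and in lrmoore's Correct / NOT Correct comparison to PIX 6.3 config lines: the static must forward one port (never "any"), Mailguard (fixup protocol smtp 25) must be off when port 25 is forwarded to Exchange, and the ACL must permit to the translated outside address (interface outside) rather than the inside host. The sample config is constructed from the poster's original lines; names such as lint_pix_smtp are assumptions of this example.

```python
import re

# Constructed sample: the poster's original lines, before the accepted fix.
SAMPLE_CONFIG = """\
fixup protocol smtp 25
name 10.0.1.33 EXCHANGE
access-list outside-in permit tcp any host EXCHANGE eq smtp
static (inside,outside) tcp interface smtp EXCHANGE smtp netmask 255.255.255.255 0 0
access-group outside-in in interface outside
"""

STATIC_RE = re.compile(r"^static \(\w+,\w+\) tcp (\S+) (\S+) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"^access-list (\S+) permit tcp any (host \S+|interface \S+) eq (\S+)")


def lint_pix_smtp(config: str) -> list:
    """Return findings for a PIX 6.3 SMTP port-forward (empty list = looks right)."""
    findings = []
    mailguard_on = False
    statics = []  # (global_addr, global_port, local_host, local_port)
    acls = []     # (acl_name, destination, port)
    for raw in config.splitlines():
        line = raw.strip()
        if line == "fixup protocol smtp 25":
            mailguard_on = True
        elif m := STATIC_RE.match(line):
            statics.append(m.groups())
        elif m := ACL_RE.match(line):
            acls.append(m.groups())
    for gaddr, gport, lhost, lport in statics:
        if gport == "any":
            findings.append(f"static forwards every port of {gaddr} to {lhost}:{lport}; "
                            "the global port must be a single port such as smtp")
            continue
        if lport == "smtp" and mailguard_on:
            findings.append(f"fixup protocol smtp 25 is on while port 25 is forwarded to "
                            f"{lhost}; Mailguard blocks the ESMTP commands Exchange uses")
        # The ACL is checked against the translated address, so a static on the
        # outside interface needs an ACL entry for 'interface outside', not the host.
        want = "interface outside" if gaddr == "interface" else f"host {gaddr}"
        if not any(a[1] == want and a[2] == lport for a in acls):
            inside = [a for a in acls if a[1] == f"host {lhost}" and a[2] == lport]
            if inside:
                findings.append(f"access-list {inside[0][0]} permits to {inside[0][1]} "
                                f"(the inside address); it must permit to {want}")
            else:
                findings.append(f"no access-list permits tcp any {want} eq {lport}")
    return findings
```

Running it on SAMPLE_CONFIG reports the Mailguard and the ACL problem; after applying the accepted solution's two changes it reports nothing.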

Expert Comment by: Blackduke77
ID: 12707508
I think I will leave it there; the fix I suggested worked in my environment. As for anti-relay, the server is locked down with no additional software.