PIX & SMTP Forwarding problem

Ok - For a somewhat PIX newbie.  What am I missing in this config?  I'm trying to set this up for all incoming SMTP traffic on our ext. interface to be passed to an internal Exchange box.  Everything seems to be working fine except the smtp forwarding.

Thanks for your help!

Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password /ZqTMRCPLAHK8hzh encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname DUMMY-FP-PIX
domain-name DUMMY.ORG
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
no fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.0.1.33 EXCHANGE
access-list outside-in permit tcp any host EXCHANGE eq smtp
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 12.0.0.6 255.255.255.252
ip address inside 10.0.1.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location EXCHANGE 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.0.1.0 255.255.255.0 0 0
nat (inside) 1 10.0.2.0 255.255.255.0 0 0
static (inside,outside) tcp interface smtp EXCHANGE smtp netmask 255.255.255.255 0 0
access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 216.163.70.5 1
route inside 10.0.2.0 255.255.255.0 10.0.1.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:f9944b1e94b3834c06e0976f78f3ebbc
: end
[OK]
deathandgravityAsked:

lrmooreCommented:
For Exchange, you have to disable the mailguard (fixup)
   no fixup protocol smtp 25
  ^^
Next, you need to modify the access-list:
  access-list outside-in permit tcp any host EXCHANGE eq smtp
Should be:
  no access-list outside-in permit tcp any host EXCHANGE eq smtp
  access-list outside-in permit tcp any interface outside eq smtp
and re-apply the acl any time you make changes to it:
  access-group outside-in in interface outside
Blackduke77Commented:
I would also remove  
static (inside,outside) tcp interface smtp EXCHANGE smtp netmask 255.255.255.255 0 0


and put in
static (inside,outside) 172.16.44.0 172.16.44.0 netmask 255.255.254.0 (modify it to suit your needs)

see config below mine works fine

PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto
interface ethernet2 vlan1 physical
interface ethernet2 vlan2 logical
interface ethernet2 vlan3 logical
interface ethernet2 vlan4 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif vlan2 edi security40
nameif vlan3 cvpn security60
nameif vlan4 dmz_vlan security55

hostname xxxPIX
domain-name wrt
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 172.16.xx.xx wffexch


access-list outside_access_in permit tcp any host xxx.xxx.30.x eq www
access-list outside_access_in permit tcp any host xxx.xxx.30.x eq smtp
access-list outside_access_in permit tcp any host xxx.xxx.30.x eq https
access-list outside_access_in permit tcp any host xxx.xxx.30.x eq imap4
access-list outside_access_in permit tcp any host xxx.xxx.30.x eq pop3
access-list dmz_vlan_access_out permit tcp host wffexch any eq www
access-list dmz_vlan_access_out permit tcp host wffexch any eq https
access-list dmz_vlan_access_out permit tcp host wffexch any eq domain
access-list dmz_vlan_access_out permit udp host wffexch any eq domain
pager lines 24
logging on
logging timestamp
logging standby
logging trap warnings
logging host inside 172.16.xx.xx
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside xxx.xxx.30.xxx 255.255.255.0
ip address inside 172.16.xx.xx 255.255.254.0
ip address dmz_vlan 172.16.xx.xx 255.255.254.0
ip audit info action alarm
ip audit attack action alarm

pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (dmz_vlan) 10 0.0.0.0 0.0.0.0 0 0


static (dmz_vlan,outside) xxx.xxx.30.x wffms02 netmask 255.255.255.255 0

access-group outside_access_in in interface outside

access-group dmz_vlan_access_out in interface dmz_vlan

"set the routes "


route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
Blackduke77Commented:
I think it is your static from smtp to smtp; if you change it to from any to smtp I think it will work

static (inside,outside) tcp interface any EXCHANGE smtp netmask 255.255.255.255 0 0

yep think that will do it
lrmooreCommented:
deathandgravity, please do not do what Blackduke77 suggests, especially not the last post.
Blackduke77Commented:
Please comment as to why, as a CCIE set mine up!!!
Blackduke77Commented:
The only thing different from what you have said is the fixup, which is a good thing to have as it tells the PIX how SMTP should act and drops the connection if it goes beyond the scope of the fixup. Instead of saying noooo don't do it, it would be helpful to explain why. I await your response.
lrmooreCommented:
In your last post:
>static (inside,outside) tcp interface any EXCHANGE smtp netmask 255.255.255.255 0 0
                                                    ^^^ BAD!!!
You CANNOT port-forward "any" port to an inside specific port like smtp.
This is saying that EVERY packet coming into the PIX on EVERY port will get forwarded to port 25 of the Exchange server. If the PIX would even allow you to do that, it would KILL the Exchange server, as well as kill all other internet traffic in/out of the PIX.

In your first post, you suggested:
> I would also remove  
>   static (inside,outside) tcp interface smtp EXCHANGE smtp netmask 255.255.255.255 0 0
This command is EXACTLY CORRECT AS IS. DO NOT CHANGE IT!

>and put in
>  static (inside,outside) 172.16.44.0 172.16.44.0 netmask 255.255.254.0 (modify it to suit your needs)
This makes absolutely no sense. You are bypassing all NAT for the inside network of 172.16.44.x. Why on earth would deathandgravity want to do this just to setup SMTP port-forwarding?
lrmooreCommented:
Additionally, when using Microsoft Exchange, you must disable the fixup smtp. There is no option to leave it on. Exchange uses ESMTP commands that the fixup will not permit. Therefore, inbound email will be rejected because the fixup will not allow the ESMTP commands through. Perhaps in some future version of PIX OS, the fixup will understand and allow the ESMTP commands. This is also true for Lotus Notes users.
Blackduke77Commented:
You are correct that it would forward the packet; however it is controlled by the access list, as per my working config. His problem is SMTP does not work; to fix my problem with SMTP receiving I had to accept from any to SMTP as I suggested, and lock it down with the ACL. The static is only a mapping, not an ACL.

If a packet comes in on this IP, send it to this IP and the ACL filters further; however it is good practice to also use the static as an ACL, but this is not always possible.

So I recommend that he at least try my suggestion (he can always remove it).

Love Black
Blackduke77Commented:
This is what I do not understand, lrmoore: I use Exchange 2003, in fact I have three of them, and as per my above config I use the fixup and it does work, I promise.
lrmooreCommented:
You are correct in that access is controlled by the ACL, but it is the ACL and not the static that must allow "any" to port 25, as in:
Correct:
   access-list outside-in permit tcp any host EXCHANGE eq smtp
  static (inside,outside) tcp interface smtp EXCHANGE smtp netmask 255.255.255.255 0 0

NOT Correct:
     access-list outside-in permit tcp any smtp host EXCHANGE eq smtp
                                                          ^^
    static (inside,outside) tcp interface any EXCHANGE smtp netmask 255.255.255.255 0 0
                                                      ^^

Question on the Exchange: Do you have anti-relay features of Exchange enabled? I believe that this is where the fixup will break the inbound. It may also be a change to Exchange 2003 that is different from previous versions of Exchange. I'm not an Exchange guru by any means, and have not had the opportunity to work with 2003 and PIX together.
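A small linter, added here and not part of the thread or of Cisco's tooling, that checks a PIX 6.3-style config for the three problems argued over in lrmoore's posts above: a port static whose global port is "any", an SMTP static left in place while fixup smtp (Mailguard) is still on, and an access-list that is defined but never bound with access-group. Both config fragments are constructed from the asker's lines; the rule names are my own.

```python
import re

# Constructed sample: the asker's SMTP lines plus the "any"-port static proposed in the thread.
SAMPLE_CONFIG = """\
fixup protocol smtp 25
name 10.0.1.33 EXCHANGE
access-list outside-in permit tcp any host EXCHANGE eq smtp
static (inside,outside) tcp interface any EXCHANGE smtp netmask 255.255.255.255 0 0
"""

# Constructed sample: the same lines with the thread's accepted fixes applied.
FIXED_CONFIG = """\
no fixup protocol smtp 25
name 10.0.1.33 EXCHANGE
access-list outside-in permit tcp any host EXCHANGE eq smtp
static (inside,outside) tcp interface smtp EXCHANGE smtp netmask 255.255.255.255 0 0
access-group outside-in in interface outside
"""

# static (real,mapped) tcp|udp <global-addr> <global-port> <local-addr> <local-port> netmask ...
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"^access-list (\S+) ")
ACCESS_GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")


def lint_pix_config(text):
    """Return (rule, detail) findings: unapplied ACLs first, then statics in config order."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    findings = []
    # Mailguard state: the last 'fixup protocol smtp' / 'no fixup protocol smtp' line wins.
    smtp_fixup_on = False
    for l in lines:
        if re.match(r"^fixup protocol smtp\b", l):
            smtp_fixup_on = True
        elif re.match(r"^no fixup protocol smtp\b", l):
            smtp_fixup_on = False
    # An access-list that is defined but never bound with access-group filters nothing.
    defined = {m.group(1) for m in map(ACL_RE.match, lines) if m}
    applied = {m.group(1) for m in map(ACCESS_GROUP_RE.match, lines) if m}
    findings += [("acl-not-applied", name) for name in sorted(defined - applied)]
    for l in lines:
        m = STATIC_RE.match(l)
        if not m:
            continue
        global_port, local_port = m.group(5), m.group(7)
        if global_port == "any":
            # A port static maps exactly one global port; "any" is not a port (lrmoore's objection).
            findings.append(("static-any-port", l))
        if local_port in ("smtp", "25") and smtp_fixup_on:
            # Mailguard blocks Exchange's ESMTP commands, so the static needs the fixup off.
            findings.append(("smtp-fixup-with-smtp-static", l))
    return findings
```

Running `lint_pix_config(SAMPLE_CONFIG)` reports all three rules; the same call on `FIXED_CONFIG` reports nothing.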
Blackduke77Commented:
I think I will leave it there; the fix I suggested worked in my environment. As for anti-relay, the server is locked down with no additional software.