GWbjones


Mail relaying with a PIX 501....

The people we use to relay our emails have changed their server and now we can't send mails out. We can receive and ping the new server, but any emails get bounced back with (550 or do not have SMTP Authentication turned on in your email client.)
Initially they said it was our firewall but they now agree it probably isn't, but to try and help them sort the issue, can any of you tell me what these PIX log entries mean?

%PIX-6-302013: Built inbound TCP connection 394100 for outside:214.56.234.65/40813 (214.56.234.65/40813) to inside:192.196.61.1/25 (56.238.100.201/25)

%PIX-6-302014: Teardown TCP connection 394100 for outside:214.56.234.65/40813 to inside:192.196.61.1/25 duration 0:00:01 bytes 4501 TCP Reset-O

%PIX-6-106015: Deny TCP (no connection) from 214.56.234.65/40813 to 56.238.100.201/25 flags RST  on interface outside

%PIX-6-106015: Deny TCP (no connection) from 214.56.234.65/40813 to 56.238.100.201/25 flags RST  on interface outside

%PIX-6-106015: Deny TCP (no connection) from 192.196.61.1/25 to 214.56.234.65/40813 flags FIN PSH ACK  on interface inside

The PIX has a translation rule that points all SMTP traffic at our mail server but makes no reference to the mail relaying servers.
Les Moore

>Built inbound TCP connection 394100 for outside:214.56.234.65/40813 (214.56.234.65/40813) to inside:192.196.61.1/25 (56.238.100.201/25)
Mail host 214.56.234.65 makes connection to inside server 192.196.61.1 on port 25, which is natted to 56.238.100.201, port 25

>Teardown TCP connection 394100 for outside:214.56.234.65/40813 to inside:192.196.61.1/25 duration 0:00:01 bytes 4501 TCP Reset-O
Mail exchange is complete, conversation is finished, nat xlate is no longer needed (tear it down)

>Deny TCP (no connection) from 214.56.234.65/40813 to 56.238.100.201/25 flags RST  on interface outside
>Deny TCP (no connection) from 214.56.234.65/40813 to 56.238.100.201/25 flags RST  on interface outside
>Deny TCP (no connection) from 192.196.61.1/25 to 214.56.234.65/40813 flags FIN PSH ACK  on interface inside
Since the connection was already torn down after the first conversation, it appears that the sending server did not receive the TCP reset and is still trying to send data.

Do you have "fixup protocol smtp 25" enabled on the PIX?

I would have to see your complete config (please mask any passwords or other identifying information for your security)
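
The correlation walked through in the answer above, as an added example that is not part of the original thread: a Python sketch that reads the five PIX syslog lines from the question, links the 302013 build and 302014 teardown by connection ID, and attaches each later 106015 deny to that closed connection. The regular expressions cover only the message layouts shown on this page; the function and field names are this example's own.

```python
import re

# The five syslog lines quoted in the question, embedded as sample input.
SAMPLE_LOG = """\
%PIX-6-302013: Built inbound TCP connection 394100 for outside:214.56.234.65/40813 (214.56.234.65/40813) to inside:192.196.61.1/25 (56.238.100.201/25)
%PIX-6-302014: Teardown TCP connection 394100 for outside:214.56.234.65/40813 to inside:192.196.61.1/25 duration 0:00:01 bytes 4501 TCP Reset-O
%PIX-6-106015: Deny TCP (no connection) from 214.56.234.65/40813 to 56.238.100.201/25 flags RST  on interface outside
%PIX-6-106015: Deny TCP (no connection) from 214.56.234.65/40813 to 56.238.100.201/25 flags RST  on interface outside
%PIX-6-106015: Deny TCP (no connection) from 192.196.61.1/25 to 214.56.234.65/40813 flags FIN PSH ACK  on interface inside
"""

BUILT = re.compile(r"%PIX-6-302013: Built (\w+) TCP connection (\d+) for "
                   r"\w+:(\S+) \((\S+)\) to \w+:(\S+) \((\S+)\)")
TEARDOWN = re.compile(r"%PIX-6-302014: Teardown TCP connection (\d+) for .*? "
                      r"duration (\S+) bytes (\d+)\s*(.*)")
DENY = re.compile(r"%PIX-6-106015: Deny TCP \(no connection\) from (\S+) "
                  r"to (\S+) flags (.+?)\s+on interface (\w+)")


def correlate(log_text):
    """Attach each 106015 deny to the torn-down connection it matches."""
    conns, by_pair = {}, {}
    for line in log_text.splitlines():
        if m := BUILT.search(line):
            direction, cid, out_real, _out_map, in_real, in_map = m.groups()
            conns[cid] = {"direction": direction, "outside": out_real,
                          "inside": in_real, "mapped": in_map,
                          "reason": None, "bytes": None, "late": []}
            # The outside interface logs the mapped (NAT) address and the
            # inside interface the real one, so index the pair under both.
            for addr in (in_real, in_map):
                by_pair[frozenset((out_real, addr))] = cid
        elif m := TEARDOWN.search(line):
            cid, _duration, nbytes, reason = m.groups()
            if cid in conns:
                # "TCP Reset-O" is the PIX teardown reason for a reset
                # that came from the outside host.
                conns[cid].update(reason=reason.strip(), bytes=int(nbytes))
        elif m := DENY.search(line):
            src, dst, flags, iface = m.groups()
            cid = by_pair.get(frozenset((src, dst)))
            # Only segments arriving after the teardown count as "late".
            if cid and conns[cid]["reason"] is not None:
                conns[cid]["late"].append(
                    {"src": src, "flags": flags, "iface": iface})
    return conns


if __name__ == "__main__":
    for cid, c in correlate(SAMPLE_LOG).items():
        print(cid, c["direction"], c["reason"], c["bytes"], c["late"])
```
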
GWbjones

ASKER

I don't have fixup enabled - should I?

Here is pretty much my whole config. I have removed all the security stuff and some of the stuff that really isn't needed...

Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password  encrypted
passwd  encrypted
hostname GWpix
domain-name GRAINGER
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names

name 214.56.234.65 MPSserver

object-group network Allowed
  network-object 192.196.61.1 255.255.255.255

access-list acl_out permit tcp any host 56.238.100.201 eq smtp
access-list acl_out permit ip host MPSserver any
access-list acl_out permit tcp any any eq www
access-list acl_out permit udp any any eq 8765
access-list acl_out permit udp any any eq 8766
access-list acl_out permit udp any any eq 8767
access-list acl_out permit udp any any eq 3784
access-list acl_out deny udp any any eq 1863
access-list acl_out deny udp any eq 1863 any
access-list acl_out deny tcp any any eq 1863
access-list acl_out deny tcp any eq 1863 any
access-list acl_out deny ip 207.68.0.0 255.255.0.0 any
access-list acl_out deny ip 207.46.0.0 255.255.0.0 any
access-list acl_out deny ip 65.54.0.0 255.255.0.0 any
access-list acl_out deny ip any 65.54.0.0 255.255.0.0
access-list acl_out deny ip any 207.46.0.0 255.255.0.0
access-list acl_out deny ip any 207.68.0.0 255.255.0.0
access-list inside_outbound_nat0_acl permit ip any 192.196.61.0 255.255.255.192
access-list outside_cryptomap_dyn_20 permit ip any GW48 255.255.255.248
access-list inside_access_in permit ip host 192.196.61.29 any
access-list inside_access_in permit ip any host 192.196.61.1
access-list inside_access_in permit ip host 192.196.61.1 any
access-list inside_access_in deny ip any 207.68.0.0 255.255.0.0
access-list inside_access_in deny ip any 207.46.0.0 255.255.0.0
access-list inside_access_in deny ip any 65.54.0.0 255.255.0.0
access-list inside_access_in permit ip object-group Allowed any
access-list to deny tcp any any eq 1863
access-list outside_cryptomap_dyn_200 permit ip any 192.196.61.0 255.255.255.192
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside 56.238.100.201 255.255.255.248
ip address inside 192.196.61.15 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.196.61.1 255.255.255.255 inside
pdm location 56.238.100.206 255.255.255.255 outside
pdm location 192.196.61.29 255.255.255.255 inside
pdm location 192.196.61.18 255.255.255.255 inside
pdm location 65.54.0.0 255.255.0.0 outside
pdm location 207.46.0.0 255.255.0.0 outside
pdm location 207.68.0.0 255.255.0.0 outside
pdm location 192.196.61.0 255.255.255.192 outside
pdm location MPSserver 255.255.255.255 outside
pdm location 192.196.61.1 255.255.255.255 outside
pdm group Allowed inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp 192.196.61.1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.196.61.18 www netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 56.238.100.206 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.196.61.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 80 match address outside_cryptomap_dyn_80
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 100 match address outside_cryptomap_dyn_100
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 120 match address outside_cryptomap_dyn_120
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 140 match address outside_cryptomap_dyn_140
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 160 match address outside_cryptomap_dyn_160
crypto dynamic-map outside_dyn_map 160 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 180 match address outside_cryptomap_dyn_180
crypto dynamic-map outside_dyn_map 180 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 200 match address outside_cryptomap_dyn_200
crypto dynamic-map outside_dyn_map 200 set transform-set TRANS_ESP_3DES_MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn enable outside
dhcpd address GW16-GW254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:208760ab6aaae01b58ac05f1bbb71121
: end
[OK]
ASKER CERTIFIED SOLUTION
Les Moore
This solution is only available to members.
The problem appears to be that their new server requires authentication. However, you told me exactly what I wanted to know, so thanks and there are the points.