Mail relaying with a PIX 501....

Posted on 2005-04-12
Last Modified: 2008-02-07
The people we use to relay our emails have changed their server and now we can't send mails out. We can receive and ping the new server, but any emails get bounced back with (550 or do not have SMTP Authentication turned on in your email client.)
Initially they said it was our firewall, but they now agree it probably isn't. To try and help them sort the issue, can any of you tell me what these PIX log entries mean?

%PIX-6-302013: Built inbound TCP connection 394100 for outside:214.56.234.65/40813 (214.56.234.65/40813) to inside:192.196.61.1/25 (56.238.100.201/25)

%PIX-6-302014: Teardown TCP connection 394100 for outside:214.56.234.65/40813 to inside:192.196.61.1/25 duration 0:00:01 bytes 4501 TCP Reset-O

%PIX-6-106015: Deny TCP (no connection) from 214.56.234.65/40813 to 56.238.100.201/25 flags RST  on interface outside

%PIX-6-106015: Deny TCP (no connection) from 214.56.234.65/40813 to 56.238.100.201/25 flags RST  on interface outside

%PIX-6-106015: Deny TCP (no connection) from 192.196.61.1/25 to 214.56.234.65/40813 flags FIN PSH ACK  on interface inside

The PIX has a translation rule that points all SMTP traffic at our mail server but makes no reference to the mail relaying servers.
Question by:GWbjones
Expert Comment

by:lrmoore
ID: 13764236
>Built inbound TCP connection 394100 for outside:214.56.234.65/40813 (214.56.234.65/40813) to inside:192.196.61.1/25 (56.238.100.201/25)
Mail host 214.56.234.65 makes connection to inside server 192.196.61.1 on port 25, which is natted to 56.238.100.201, port 25

>Teardown TCP connection 394100 for outside:214.56.234.65/40813 to inside:192.196.61.1/25 duration 0:00:01 bytes 4501 TCP Reset-O
Mail exchange is complete, conversation is finished, nat xlate is no longer needed (tear it down)

>Deny TCP (no connection) from 214.56.234.65/40813 to 56.238.100.201/25 flags RST  on interface outside
>Deny TCP (no connection) from 214.56.234.65/40813 to 56.238.100.201/25 flags RST  on interface outside
>Deny TCP (no connection) from 192.196.61.1/25 to 214.56.234.65/40813 flags FIN PSH ACK  on interface inside
Since the connection was already torn down after the first conversation, it appears that the sending server did not receive the TCP reset and is still trying to send data.

Do you have "fixup protocol smtp 25" enabled on the PIX?

I would have to see your complete config (please mask any passwords or other identifying information for your security)
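An added example, not code from the thread, that applies the reading above programmatically: it correlates the 302013/302014/106015 messages by connection ID and flags each "no connection" drop that belongs to a flow the PIX had already torn down. The sample input is the five lines quoted in the question; the regex patterns are written for the PIX 6.x message format as it appears there.

```python
import re

# Sample input: the five syslog lines quoted in the question (embedded, not a live feed).
PIX_LOG = """\
%PIX-6-302013: Built inbound TCP connection 394100 for outside:214.56.234.65/40813 (214.56.234.65/40813) to inside:192.196.61.1/25 (56.238.100.201/25)
%PIX-6-302014: Teardown TCP connection 394100 for outside:214.56.234.65/40813 to inside:192.196.61.1/25 duration 0:00:01 bytes 4501 TCP Reset-O
%PIX-6-106015: Deny TCP (no connection) from 214.56.234.65/40813 to 56.238.100.201/25 flags RST  on interface outside
%PIX-6-106015: Deny TCP (no connection) from 214.56.234.65/40813 to 56.238.100.201/25 flags RST  on interface outside
%PIX-6-106015: Deny TCP (no connection) from 192.196.61.1/25 to 214.56.234.65/40813 flags FIN PSH ACK  on interface inside
"""

BUILT = re.compile(r"%PIX-6-302013: Built \w+ TCP connection (?P<cid>\d+) for \w+:(?P<a>[\d.]+/\d+) "
                   r"\((?P<xa>[\d.]+/\d+)\) to \w+:(?P<b>[\d.]+/\d+) \((?P<xb>[\d.]+/\d+)\)")
TEARDOWN = re.compile(r"%PIX-6-302014: Teardown TCP connection (?P<cid>\d+) .* duration (?P<dur>[\d:]+) "
                      r"bytes (?P<bytes>\d+) (?P<reason>.+)$")
DENY = re.compile(r"%PIX-6-106015: Deny TCP \(no connection\) from (?P<src>[\d.]+/\d+) "
                  r"to (?P<dst>[\d.]+/\d+) flags (?P<flags>.+?)\s+on interface (?P<iface>\w+)")

def analyze(log_text):
    """Return (closed, stray): closed maps connection ID -> teardown details,
    stray lists 106015 drops whose endpoints match an already torn-down flow."""
    live, closed, stray = {}, {}, []
    for line in log_text.splitlines():
        if m := BUILT.match(line):
            # Keep real and translated addresses, since a later 106015 may name either.
            live[m["cid"]] = {m["a"], m["xa"], m["b"], m["xb"]}
        elif m := TEARDOWN.match(line):
            # Per Cisco's syslog reference, "Reset-O" means the RST came from the
            # outside host; "Reset-I" would mean it came from the inside host.
            closed[m["cid"]] = {"endpoints": live.pop(m["cid"], set()), "duration": m["dur"],
                                "bytes": int(m["bytes"]), "reason": m["reason"]}
        elif m := DENY.match(line):
            for cid, info in closed.items():
                if m["src"] in info["endpoints"] and m["dst"] in info["endpoints"]:
                    # Packet for a flow the PIX no longer tracks: dropped stateless.
                    stray.append({"conn": cid, "src": m["src"], "flags": m["flags"],
                                  "iface": m["iface"], "after": info["reason"]})
    return closed, stray

if __name__ == "__main__":
    closed, stray = analyze(PIX_LOG)
    for s in stray:
        print(f"conn {s['conn']} ({s['after']}): late {s['flags']} from {s['src']} on {s['iface']}")
```

Run against the question's lines, it reports three late packets for connection 394100, all after a teardown recorded as "TCP Reset-O" with 4501 bytes exchanged in one second.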
Author Comment

by:GWbjones
ID: 13769927
I don't have fixup enabled - should I?

Here is pretty much my whole config. I have removed all the security stuff and some of the stuff that really isn't needed...

Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password  encrypted
passwd  encrypted
hostname GWpix
domain-name GRAINGER
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names

name 214.56.234.65 MPSserver

object-group network Allowed
  network-object 192.196.61.1 255.255.255.255

access-list acl_out permit tcp any host 56.238.100.201 eq smtp
access-list acl_out permit ip host MPSserver any
access-list acl_out permit tcp any any eq www
access-list acl_out permit udp any any eq 8765
access-list acl_out permit udp any any eq 8766
access-list acl_out permit udp any any eq 8767
access-list acl_out permit udp any any eq 3784
access-list acl_out deny udp any any eq 1863
access-list acl_out deny udp any eq 1863 any
access-list acl_out deny tcp any any eq 1863
access-list acl_out deny tcp any eq 1863 any
access-list acl_out deny ip 207.68.0.0 255.255.0.0 any
access-list acl_out deny ip 207.46.0.0 255.255.0.0 any
access-list acl_out deny ip 65.54.0.0 255.255.0.0 any
access-list acl_out deny ip any 65.54.0.0 255.255.0.0
access-list acl_out deny ip any 207.46.0.0 255.255.0.0
access-list acl_out deny ip any 207.68.0.0 255.255.0.0
access-list inside_outbound_nat0_acl permit ip any 192.196.61.0 255.255.255.192
access-list outside_cryptomap_dyn_20 permit ip any GW48 255.255.255.248
access-list inside_access_in permit ip host 192.196.61.29 any
access-list inside_access_in permit ip any host 192.196.61.1
access-list inside_access_in permit ip host 192.196.61.1 any
access-list inside_access_in deny ip any 207.68.0.0 255.255.0.0
access-list inside_access_in deny ip any 207.46.0.0 255.255.0.0
access-list inside_access_in deny ip any 65.54.0.0 255.255.0.0
access-list inside_access_in permit ip object-group Allowed any
access-list to deny tcp any any eq 1863
access-list outside_cryptomap_dyn_200 permit ip any 192.196.61.0 255.255.255.192
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside 56.238.100.201 255.255.255.248
ip address inside 192.196.61.15 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.196.61.1 255.255.255.255 inside
pdm location 56.238.100.206 255.255.255.255 outside
pdm location 192.196.61.29 255.255.255.255 inside
pdm location 192.196.61.18 255.255.255.255 inside
pdm location 65.54.0.0 255.255.0.0 outside
pdm location 207.46.0.0 255.255.0.0 outside
pdm location 207.68.0.0 255.255.0.0 outside
pdm location 192.196.61.0 255.255.255.192 outside
pdm location MPSserver 255.255.255.255 outside
pdm location 192.196.61.1 255.255.255.255 outside
pdm group Allowed inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp 192.196.61.1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.196.61.18 www netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 56.238.100.206 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.196.61.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 80 match address outside_cryptomap_dyn_80
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 100 match address outside_cryptomap_dyn_100
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 120 match address outside_cryptomap_dyn_120
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 140 match address outside_cryptomap_dyn_140
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 160 match address outside_cryptomap_dyn_160
crypto dynamic-map outside_dyn_map 160 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 180 match address outside_cryptomap_dyn_180
crypto dynamic-map outside_dyn_map 180 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 200 match address outside_cryptomap_dyn_200
crypto dynamic-map outside_dyn_map 200 set transform-set TRANS_ESP_3DES_MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn enable outside
dhcpd address GW16-GW254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:208760ab6aaae01b58ac05f1bbb71121
: end
[OK]
Accepted Solution

by: lrmoore (earned 700 total points)
ID: 13771303
Unless your mail server is MS Exchange, you should enable the fixup.
Start troubleshooting by removing the inside-to-outside acl from the inside interface

These lines are all you need for email to come inbound.
I checked the acl and this is first in the list so that nothing else will deny before it hits this acl line.
>access-list acl_out permit tcp any host 56.238.100.201 eq smtp
>static (inside,outside) tcp interface smtp 192.196.61.1 smtp netmask 255.255.255.255 0 0
>access-group acl_out in interface outside

Is this the only system that is sending mail outbound? If yes, then this entry will allow that. I still suggest that you remove this inside_access_in acl from the interface while troubleshooting.
>access-list inside_access_in permit ip host 192.196.61.1 any

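As an added example (not the thread's own code), a small audit that reads the posted config and checks the three pieces the accepted answer lists for inbound SMTP, including where the permit sits in the first-match ACL, plus the Mailguard state the answer asks about. The excerpt embedded below is taken from the posted config; the result field names, and the assumption that PIX 6.x enables `fixup protocol smtp 25` unless an explicit `no fixup` line is present, are mine.

```python
import re

# Excerpt of the configuration posted in the thread (only the lines the audit reads).
PIX_CONFIG = """\
no fixup protocol smtp 25
access-list acl_out permit tcp any host 56.238.100.201 eq smtp
access-list acl_out permit ip host MPSserver any
access-list inside_access_in permit ip host 192.196.61.1 any
ip address outside 56.238.100.201 255.255.255.248
static (inside,outside) tcp interface smtp 192.196.61.1 smtp netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group inside_access_in in interface inside
"""

def audit_inbound_smtp(config, mail_host):
    """Report whether the ACL bound to 'outside' permits tcp/smtp to the outside
    address (and at which index, since ACLs are first-match), whether a static
    port-forward sends it to mail_host, and whether Mailguard (fixup smtp) is on.
    Assumption: the smtp fixup is on by default; only 'no fixup ...' turns it off."""
    outside_ip, acls, bound = None, {}, {}
    static_ok, fixup_smtp = False, True
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"ip address outside (\S+)", line):
            outside_ip = m.group(1)
        elif m := re.match(r"access-list (\S+) (permit|deny) (.+)", line):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            bound[m.group(2)] = m.group(1)          # interface -> ACL name
        elif re.match(rf"static \(inside,outside\) tcp interface smtp {re.escape(mail_host)} smtp\b", line):
            static_ok = True
        elif re.fullmatch(r"(no )?fixup protocol smtp 25", line):
            fixup_smtp = not line.startswith("no ")
    acl = bound.get("outside")
    permit_at = None
    for idx, (action, rest) in enumerate(acls.get(acl, [])):
        # Stop at the first entry that permits SMTP to the outside address (or to any).
        if action == "permit" and re.fullmatch(
                rf"tcp any (host {re.escape(outside_ip or '')}|any) eq (smtp|25)", rest):
            permit_at = idx
            break
    return {"outside_acl": acl, "smtp_permit_index": permit_at,
            "static_to_mail_host": static_ok, "fixup_smtp": fixup_smtp}

if __name__ == "__main__":
    print(audit_inbound_smtp(PIX_CONFIG, "192.196.61.1"))
```

For the posted config this reports the SMTP permit at index 0 of acl_out, the static present, and the fixup off, matching the answer's reading.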
Author Comment

by:GWbjones
ID: 13771524
The problem appears to be that their new server requires authentication. However, you told me exactly what I wanted to know, so thanks, and here are the points.