Pix 501 Email receive issue

Posted on 2005-04-12
Last Modified: 2010-04-09
Dear All,

I am having a problem setting up a Pix 501 on a small home office network. The WAN port is currently holding the MX address for my domain (100.X.X.175) and the LAN port ( sits on the same switch as the Exchange server (

There is no problem setting up the basic system, and I am using PAT to send all Inside information to the outside using the outside interface, so email out has no problem.

The issue is receiving email to the Exchange server. I have entered the following commands, which I believed would be enough (the rest of the set-up prior to these commands could have been achieved by PDM or on the command line, and I have tried both just in case):
static (inside,outside) tcp 100.X.X.175 25 25 netmask

access-list permit_mail_in permit tcp any host 100.X.X.175 eq 25
access-group permit_mail_in in interface outside

no fixup protocol smtp 25     (have tried with or without)

I am somewhat stumped now. Any clues on what I may have missed?

Question by: JonE_Bravo
    LVL 3

    Expert Comment

    Hi Jon,

    Just a little change to the static will fix it, actually:

    static (inside,outside) tcp 100.x.x.175 smtp smtp netmask 0 0

    You did not specify what TCP traffic is PATed into your Exchange server.
    The secure way of doing it is to specify the particular traffic in the static command, such as SMTP, WWW, HTTPS, etc.

    the access-list and access-group are fine.

    Again, on the fixup: it is preferable to put the fixup ON, otherwise outside people will know what sort of email system you are using.

    Good Luck,

    LVL 5

    Accepted Solution


    Yes he did, Alex; he used the port number (25).

    Jon, did you try rebooting the PIX?

    It could also be that your ISP is blocking direct access to port 25. My ISP does this; to solve it, the ISP wants you to put in a secondary MX record that points to their mail server. Once the mail is received by their mail server, they do some spam checking and send the mail to the primary MX, which is your server.

    You might want to look into that.

    Good luck!

    LVL 2

    Expert Comment

    Get someone to telnet to port 25 from outside. Can they connect to the Exchange server?

    If the ISP blocked port 25, you shouldn't be able to send mail from your system. But you state that you can, so the ISP shouldn't be the issue if one-way direction works.
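
The outside "telnet to port 25" test suggested above, as an added example that is not part of the original thread: it separates "nothing answers" from "the server answers", and also shows whether the greeting gives away the mail software, which is the point made earlier about leaving the SMTP fixup on. The function names and sample banners are constructed for illustration, and the asterisk-masking behaviour attributed to the fixup is an assumption not stated in the thread.

```python
import re
import socket
import sys

# Constructed sample greetings (not captured from any real server).
SAMPLE_BANNERS = {
    "fixup on": "220 ************************0*****2******200*****",
    "fixup off": "220 mail.example.com Microsoft ESMTP MAIL Service ready",
}

def classify_banner(banner: str) -> str:
    """Classify the first line a server sends on port 25."""
    m = re.match(r"(\d{3})(?:[ -](.*))?$", banner.strip())
    if not m:
        return "not-smtp"
    code, text = m.group(1), m.group(2) or ""
    if code != "220":
        return "smtp-not-ready"          # e.g. a 421 or 554 greeting
    # Assumption: with the SMTP fixup enabled the PIX overwrites most of the
    # greeting text with '*', so a mostly-asterisk banner means it is active.
    if not text or text.count("*") * 2 >= len(text):
        return "masked"
    return "disclosed"                   # server software is readable

def probe_smtp(host: str, port: int = 25, timeout: float = 10.0) -> str:
    """Do what 'telnet host 25' does and report the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            banner = s.recv(512).decode("ascii", "replace")
    except socket.timeout:
        return "timeout"                 # dropped upstream or on the firewall
    except ConnectionRefusedError:
        return "refused"                 # reachable, but nothing is listening
    except OSError:
        return "unreachable"
    if not banner:
        return "closed-without-banner"
    return classify_banner(banner.splitlines()[0])

if __name__ == "__main__":
    for label, banner in SAMPLE_BANNERS.items():
        print(f"{label}: {classify_banner(banner)}")
    if len(sys.argv) > 1:                # run from OUTSIDE, against your own MX
        print(f"{sys.argv[1]}: {probe_smtp(sys.argv[1])}")
```

A "timeout" or "refused" result from an outside host while the same probe succeeds from the inside network points at the path in front of the server (firewall rules, translation, or the ISP) rather than at Exchange itself.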

    Author Comment

    Thanks Marvin - it was an error from the ISP end which we could not see.

    It turned out to be bad timing for putting in a different firewall and it just made me think I had gone mad.

    Everything is good now - points to you for the correct source. And thanks to others for having a look.
