• Status: Solved

problems with pix 501

Hi Guys

Ok, I have not got my servers sorted out. My Exchange used to be on "192.168.0.1"; now it is "192.168.0.4". My PIX was set to deliver mail to 192.168.0.1.

I since then emailed you guys to ask how to change the config so that it can deliver to 192.168.0.4. I have done so, but it does not seem to be working, and neither is Outlook Web Access.

I am able to send mail outside the building but not able to receive. When I send mail to my work address, this is the error that I get back:

 The Postfix program
 
<ksweet@hitechauto.co.za>: host mail.hitechauto.co.za[196.34.84.1] said: 550
    5.7.1 Unable to relay for ksweet@hitechauto.co.za (in reply to RCPT TO
    command)

Please tell me what I can do, as I have not been able to receive mail for the past two days now and I have 70 clients down my back about this. My HTTP is working fine.


0
Asked by: hitechauto
1 Solution
 
lrmoore commented:
Here's an excellent tool to use. Notice the failure on EMAIL..
http://www.dnsreport.com/tools/dnsreport.ch?domain=hitechauto.co.za+

Email address resolves just fine.
04/14/05 18:23:19 dns mail.hitechauto.co.za
Canonical name: mail.hitechauto.co.za
Addresses:
  196.34.84.1

Is this a mail relay host, or is this the public IP in your PIX config? I looked at your previous posts and it appears that it is:
>static (inside,outside) tcp 196.34.84.1 smtp 192.168.0.1 smtp netmask 255.255.255.255

The firewall is correct. The DNS/MX is correct.
It must be something that you changed on your Exchange configuration. Did you bring up a new server on a new IP address, or did you change the IP address of the one server?
0
 
hitechauto (author) commented:

Hi there,

Sending mail is fine but I cannot receive. Please check through this config; I think that is what is causing it.

I want mail coming from 196.34.84.1 25 to 192.168.0.4 25.

Please, this is very urgent.

Saved
: Written by enable_15 at 14:22:20.103 UTC Thu Apr 14 2005
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ecmfTkDl9JCBuhWs encrypted
passwd nC1TgPA/j9j.bzQi encrypted
hostname Hi-Tech
no fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1273
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list OUT_IN permit tcp any host 196.34.84.1 eq smtp
access-list OUT_IN permit tcp any host 196.34.84.1 eq pop3
access-list OUT_IN permit icmp any any echo-reply
access-list OUT_IN permit icmp any any time-exceeded
access-list OUT_IN permit icmp any any timestamp-reply
access-list OUT_IN permit tcp any host 196.34.84.1 eq www
access-list OUT_IN permit tcp any host 196.34.84.1 eq ftp
access-list OUT_IN permit tcp any host 196.34.84.4 eq ftp
access-list OUT_IN permit tcp any any eq 81
access-list OUT_IN permit ip host 192.168.0.4 any
access-list IN_OUT permit ip host 192.168.0.1 any
access-list IN_OUT permit ip host 192.168.0.2 any
access-list IN_OUT permit udp any any eq isakmp
access-list IN_OUT permit esp any any
access-list IN_OUT permit tcp any any eq 81
access-list IN_OUT permit ip host 192.168.0.3 any
access-list IN_OUT permit ip host 192.168.0.4 any
access-list 80 permit ip host 196.34.84.13 host 192.168.0.100
access-list 101 permit ip 192.168.0.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 101 permit ip 172.16.1.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 196.34.84.13 255.255.255.240
ip address inside 192.168.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 196.2.27.72
ip local pool test 172.16.1.1-172.16.1.2
pdm location 192.168.0.1 255.255.255.255 inside
pdm location 192.168.0.2 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 196.34.84.4-196.34.84.12 netmask 255.255.255.240
global (outside) 1 196.34.84.3 netmask 255.255.255.240
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 196.34.84.1 www 192.168.0.4 www netmask 255.255.255.255 0 0
static (outside,inside) tcp 196.34.84.1 smtp 192.168.0.4 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 196.34.84.1 smtp 192.168.0.1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 196.34.84.1 pop3 192.168.0.1 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp 196.34.84.1 ftp 192.168.0.1 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 196.34.84.1 ftp-data 192.168.0.1 ftp-data netmask 255.255.255.255 0 0
access-group OUT_IN in interface outside
route outside 0.0.0.0 0.0.0.0 196.34.84.14 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strong-des esp-3des esp-md5-hmac
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map cisco 4 set transform-set strong-des
crypto dynamic-map dynmap 10 set transform-set myset
crypto map [hitech] 20 ipsec-isakmp dynamic cisco
crypto map [hitech] client configuration address initiate
crypto map [hitech] client configuration address respond
crypto map [hitech] client authentication RADIUS
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 196.2.27.72 netmask 255.255.255.255
isakmp identity address
isakmp client configuration address-pool local test outside
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 50400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
vpngroup [hitechvpn] idle-time 1800
vpngroup [hitech] default-domain [hitechauto]
vpngroup [hitech] split-tunnel 80
vpngroup [hitech] idle-time 1800
vpngroup [hitech] password ********
vpngroup [hitech] password ********
telnet 192.168.0.254 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:652e8e5a5802f768667c39a3fee1ad87
0
 
lrmoore commented:
Yep.. you have two statics for the same port/external IP:
>static (outside,inside) tcp 196.34.84.1 smtp 192.168.0.4 smtp netmask 255.255.255.255 0 0
>static (inside,outside) tcp 196.34.84.1 smtp 192.168.0.1 smtp netmask 255.255.255.255 0 0

Remove this one:
  no static (inside,outside) tcp 196.34.84.1 smtp 192.168.0.1 smtp netmask 255.255.255.255 0 0
Then clear all xlates
  clear xlate

I would assume that you also want your POP3 to go to the same server?
 no static (inside,outside) tcp 196.34.84.1 pop3 192.168.0.1 pop3 netmask 255.255.255.255 0 0
 static (inside,outside) tcp 196.34.84.1 pop3 192.168.0.4 pop3 netmask 255.255.255.255 0 0


0
 
Vladan_MOBTEL commented:
Just to add a few things:
fixup protocol smtp 25 (not a bad thing)
no access-list OUT_IN permit ip host 192.168.0.4 any (this address is not on the outside)

If you do not have people who try reading e-mail from the Internet you do not need the POP3 part.

I think that your problem is not the PIX, but the mail server, since you get the message from your mail server that it will not relay for your domain. That means that it does not think that it is the one responsible for it. My knowledge of Exchange is non-existent, so I can not help you there.

Just to be on the safe side, you can check the connections and the translations by using:

sh conn and sh x commands...

Cosmetic issue: you did not apply the IN_OUT access list anywhere...

Regards,
Vladan
0
 
lrmoore commented:
Thanks for coming in, Vladan..

A couple of things, just so everyone is clear:
>fixup protocol smtp 25 (not a bad thing)
   no fixup protocol smtp 25  <== this is REQUIRED to be disabled if using MS Exchange, except Exch 2003

>I think that your problem is not PIX...
Yes, it is the PIX. The existing dual static port xlates are the problem. There must be one and only one static xlate for smtp traffic.

>Comsmetic issue: you did not apply IN-OUT access list anywhere...
That's a very good thing while troubleshooting. Don't apply the acl until you get everything else working. ACL is required on the external interface but can severely hinder operations if applied to the inside interface as is clearly the intent of IN_OUT acl. This is especially true because not everyone is allowed to use DNS in the existing acl construction.
0
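The two faults discussed in this thread (lrmoore's "two statics for the same port/external IP", plus a static written as `(outside,inside)` with an inside address as its real host, and Vladan's note that an outside ACL entry with an inside host as source can never match) are easy to catch mechanically before a config is saved. The following Python script is an added example written for this page, not code from the thread or from Cisco: it runs simple checks over PIX 6.x style `static`, `access-list`, `access-group` and `ip address` lines. `SAMPLE_CONFIG` is a constructed excerpt modelled on the posted config, and the check names (`duplicate_port_statics`, `misdirected_statics`, `inside_sources_on_outside_acl`) are this example's own.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed excerpt modelled on the static/ACL lines of the config posted in the thread.
SAMPLE_CONFIG = """\
ip address outside 196.34.84.13 255.255.255.240
ip address inside 192.168.0.254 255.255.255.0
access-list OUT_IN permit tcp any host 196.34.84.1 eq smtp
access-list OUT_IN permit ip host 192.168.0.4 any
static (inside,outside) tcp 196.34.84.1 www 192.168.0.4 www netmask 255.255.255.255 0 0
static (outside,inside) tcp 196.34.84.1 smtp 192.168.0.4 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 196.34.84.1 smtp 192.168.0.1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 196.34.84.1 pop3 192.168.0.1 pop3 netmask 255.255.255.255 0 0
access-group OUT_IN in interface outside
"""

# PIX 6.x port static:
#   static (real_if,mapped_if) proto mapped_ip mapped_port real_ip real_port netmask ...
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped_ip>\S+) (?P<mapped_port>\S+) (?P<real_ip>\S+) (?P<real_port>\S+)"
)


def parse_interfaces(lines):
    """Map each interface name to its subnet from 'ip address <if> <ip> <mask>' lines."""
    nets = {}
    for line in lines:
        m = re.match(r"^ip address (\w+) (\S+) (\S+)$", line)
        if m:
            nets[m.group(1)] = ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
    return nets


def duplicate_port_statics(lines):
    """Return {(proto, mapped_ip, mapped_port): [lines]} for every mapped IP/port claimed
    by more than one static. This is lrmoore's finding: the PIX needs exactly one."""
    groups = defaultdict(list)
    for line in lines:
        m = STATIC_RE.match(line)
        if m:
            groups[(m["proto"], m["mapped_ip"], m["mapped_port"])].append(line)
    return {key: hits for key, hits in groups.items() if len(hits) > 1}


def misdirected_statics(lines, nets):
    """Return statics whose real address is not on the subnet of the interface named as
    the real interface. A '(outside,inside)' static with a 192.168.0.x real host trips it."""
    bad = []
    for line in lines:
        m = STATIC_RE.match(line)
        if m and m["real_if"] in nets and ip_address(m["real_ip"]) not in nets[m["real_if"]]:
            bad.append(line)
    return bad


def inside_sources_on_outside_acl(lines, nets):
    """Return entries of the ACL applied inbound on 'outside' whose source is a host on the
    inside subnet. Traffic arriving on outside never carries such a source, so the entry
    is dead config (Vladan's point about 'permit ip host 192.168.0.4 any')."""
    bound = None
    for line in lines:
        m = re.match(r"^access-group (\S+) in interface outside$", line)
        if m:
            bound = m.group(1)
    if bound is None or "inside" not in nets:
        return []
    pattern = re.compile(rf"^access-list {re.escape(bound)} permit \S+ host (\S+)(?:\s|$)")
    flagged = []
    for line in lines:
        m = pattern.match(line)
        if m and ip_address(m.group(1)) in nets["inside"]:
            flagged.append(line)
    return flagged


def lint(config_text):
    """Run all three checks over a config dump and return their findings by name."""
    lines = config_text.splitlines()
    nets = parse_interfaces(lines)
    return {
        "duplicate_statics": duplicate_port_statics(lines),
        "misdirected_statics": misdirected_statics(lines, nets),
        "inside_sources_on_outside_acl": inside_sources_on_outside_acl(lines, nets),
    }


if __name__ == "__main__":
    report = lint(SAMPLE_CONFIG)
    for key, hits in report["duplicate_statics"].items():
        print("duplicate static for", key)
        for hit in hits:
            print("   ", hit)
    for hit in report["misdirected_statics"]:
        print("real address not on real interface:", hit)
    for hit in report["inside_sources_on_outside_acl"]:
        print("inside source on outside ACL:", hit)
```

On the constructed excerpt the script reports the smtp static twice, flags the `(outside,inside)` entry as misdirected, and flags `permit ip host 192.168.0.4 any` on OUT_IN. The duplicate check keys on the mapped (external) IP and port regardless of interface order, which is what matters to the PIX xlate table; it does not tell you which of the two statics is the intended one, so the operator still decides, as lrmoore did, which `no static` to issue before `clear xlate`.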
 
Vladan_MOBTEL commented:
thanks lrmoore,

for the fixup, I did not know that, we use only *nix based servers.

Your correction about the static entries was spot on; after your change, there should not be a PIX problem, that is what I meant. You can not have two identical static xlates to the same address for any protocol, as far as I know, not just SNMP.

> This is especially true because not everyone is allowed to use DNS in the existing acl construction.
but all relevant traffic is allowed (for machine 0.4), isn't it?

Regards,
Vladan
0
 
lrmoore commented:
>but all relevant traffic is allowed (for machine 0.4), isn't it?
Yes, but we don't know enough detail about the rest of the network. If, and only if, 0.4 is the local DNS server and clients do not use external DNS servers.
Once we get the email flowing again, then we can work on the outbound restrictions that need to be applied.
0
