sithman17 asked:
Problems with 515E PIX and exchange email

I have an issue with a PIX 515E and Windows 2003 SBS. I need to configure my PIX for Mail Server access. Currently my Windows 2003 SBS server has 2 NICs, inside IP address is 192.168.254.x /24 and my public IP is 63.205.221.104 /28 subnet. I have 5 available IPs on this subnet. My PIX's outside IP is 63.205.221.109. I am natting to IP address 63.205.221.106. My MX record on the internet is 63.205.221.108. I have followed Cisco's document to the letter for configuring Mail Access, yet if I turn off the internet interface to my SBS server, I no longer can send or receive email. Below is my Cisco configuration:



User Access Verification

Username: jsanchez
Password: ********
Type help or '?' for a list of available commands.
RocklinFW> en
Password: ********
RocklinFW# config t
RocklinFW(config)# sh run
: Saved
:
PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password Xxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxx encrypted
hostname RocklinFW
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 140 permit ip 192.168.254.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list 150 permit ip 192.168.254.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 110 permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 120 permit ip 192.168.254.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 130 permit ip 192.168.254.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 100 permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 100 permit ip 192.168.254.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 permit ip 192.168.254.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 100 permit ip 192.168.254.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list 100 permit ip 192.168.254.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 100 permit ip 192.168.4.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list 100 permit ip 192.168.254.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list 160 permit ip 192.168.254.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list smtp permit tcp any host 63.205.221.108 eq smtp
pager lines 24
logging on
logging console debugging
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 63.205.221.109 255.255.255.248
ip address inside 192.168.254.254 255.255.255.0
no ip address dmz
ip audit info action alarm
ip audit attack action alarm
ip local pool remotepool 192.168.254.50-192.168.254.75

arp timeout 14400
global (outside) 1 63.205.221.106
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 63.205.221.108 192.168.254.13 netmask 255.255.255.255 0 0
access-group smtp in interface outside
route outside 0.0.0.0 0.0.0.0 63.205.221.109 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
snmp-server host inside 192.168.254.111
snmp-server location Rocklin HQ
snmp-server contact Jorge Sanchez
snmp-server community G@t3W@y
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ROCKLIN esp-des esp-md5-hmac
crypto dynamic-map linksys 1 set transform-set ROCKLIN
crypto map HQVPN 10 ipsec-isakmp
crypto map HQVPN 10 match address 110
crypto map HQVPN 10 set peer 207.231.95.78
crypto map HQVPN 10 set transform-set ROCKLIN
crypto map HQVPN 20 ipsec-isakmp
crypto map HQVPN 20 match address 120
crypto map HQVPN 20 set peer 64.169.228.2
crypto map HQVPN 20 set transform-set ROCKLIN
crypto map HQVPN 30 ipsec-isakmp
crypto map HQVPN 30 match address 130
crypto map HQVPN 30 set peer 63.198.31.130
crypto map HQVPN 30 set transform-set ROCKLIN
crypto map HQVPN 40 ipsec-isakmp
crypto map HQVPN 40 match address 140
crypto map HQVPN 40 set peer 67.118.59.226
crypto map HQVPN 40 set transform-set ROCKLIN
crypto map HQVPN 50 ipsec-isakmp
crypto map HQVPN 50 match address 150
crypto map HQVPN 50 set peer 69.226.79.21
crypto map HQVPN 50 set transform-set ROCKLIN
crypto map HQVPN 100 ipsec-isakmp dynamic linksys
crypto map HQVPN interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp key ******** address 67.118.59.226 netmask 255.255.255.255
isakmp key ******** address 69.226.79.221 netmask 255.255.255.255
isakmp key ******** address 207.231.95.78 netmask 255.255.255.255
isakmp key ******** address 64.169.228.2 netmask 255.255.255.255
isakmp key ******** address 63.198.31.130 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 28800
vpngroup RemoteUsers address-pool remotepool
vpngroup RemoteUsers dns-server 192.168.254.13
vpngroup RemoteUsers default-domain internal.foothill.com
vpngroup RemoteUsers idle-time 3600
vpngroup RemoteUsers password ********
telnet 192.168.254.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 5
username earmstrong password xxxxxxxxxxxxxxx encrypted privilege 15
username jsanchez password xxxxxxxxxxxxx encrypted privilege 15
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege show level 3 command uauth
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
privilege show level 5 mode configure command logging
privilege show level 5 command fragment
vpnclient server 63.205.221.109
vpnclient mode client-mode
vpnclient vpngroup RemoteUsers password ********
terminal width 80
Cryptochecksum:c18a67a985a105f93f518a1fcf78f0f8
: end
RocklinFW(config)#

Any ideas?
Zoidling

Check the default gateway on your SBS box.  When you shut off the public interface, be sure to change your default gateway accordingly.
Les Moore
>yet if I turn off the internet interface to my SBS server, I no longer can send or receive email. Below is my Cisco configuration:
That's the key information, and Zoidling nailed it. Unless your default gateway points to the PIX's inside ip address, it won't work at all.
sithman17 (ASKER)
The internal NIC does point to the PIX inside address. As a matter of fact, both NICs have gateways assigned to them. The internal NIC points to the PIX and the external NIC points to the T-1 router.
Can you post the result of "route print" from the server?

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 02 b3 d7 52 30 ...... Intel(R) PRO/1000 XT Server Adapter #2
0x20004 ...00 0b db ad 3f 02 ...... Broadcom NetXtreme Gigabit Ethernet
=============================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   63.205.221.105   63.205.221.107      1
          0.0.0.0          0.0.0.0  192.168.254.254   192.168.254.13      1
   63.205.221.104  255.255.255.248   63.205.221.107   63.205.221.107      1
   63.205.221.107  255.255.255.255        127.0.0.1        127.0.0.1      1
   63.205.221.108  255.255.255.255        127.0.0.1        127.0.0.1      1
   63.255.255.255  255.255.255.255   63.205.221.107   63.205.221.107      1
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
    192.168.254.0    255.255.255.0   192.168.254.13   192.168.254.13      1
   192.168.254.13  255.255.255.255        127.0.0.1        127.0.0.1      1
   192.168.254.14  255.255.255.255        127.0.0.1        127.0.0.1      1
  192.168.254.255  255.255.255.255   192.168.254.13   192.168.254.13      1
        224.0.0.0        240.0.0.0   63.205.221.107   63.205.221.107      1
        224.0.0.0        240.0.0.0   192.168.254.13   192.168.254.13      1
  255.255.255.255  255.255.255.255   63.205.221.107   63.205.221.107      1
  255.255.255.255  255.255.255.255   192.168.254.13   192.168.254.13      1
Default Gateway:   192.168.254.254
===========================================================================
Persistent Routes:
  None

C:\Documents and Settings\Administrator>
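The route table above is the whole problem in miniature: a dual-homed server with a 0.0.0.0 route out of each NIC, so replies can leave through the public interface and never pass the PIX. The script below is an added example, not something posted in this thread. It parses the "Active Routes" section of Windows `route print` output, reports every default route, and returns the `route delete ... mask ...` commands that would remove any default route not pointing at the expected gateway (assumed here to be the firewall's inside address, passed in by the caller). The sample table is constructed to mirror the shape of the one above, using documentation-range addresses instead of the real ones.

```python
"""Flag a dual-homed Windows host that carries more than one default route.

Added example (not from the thread): parses the "Active Routes" section of
Windows `route print` output and reports every 0.0.0.0/0 entry, so a server
with one NIC behind the firewall and one NIC on the public subnet that is
routing around the firewall shows up at a glance.
"""
import re
from dataclasses import dataclass

# Constructed sample: two default routes, one per NIC, as in the thread.
SAMPLE_ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     198.51.100.1   198.51.100.7      1
          0.0.0.0          0.0.0.0      192.0.2.254     192.0.2.13      1
     198.51.100.0  255.255.255.248     198.51.100.7   198.51.100.7      1
        127.0.0.0        255.0.0.0        127.0.0.1      127.0.0.1      1
        192.0.2.0    255.255.255.0       192.0.2.13     192.0.2.13      1
Default Gateway:      192.0.2.254
===========================================================================
Persistent Routes:
  None
"""


@dataclass(frozen=True)
class Route:
    destination: str
    netmask: str
    gateway: str
    interface: str
    metric: int


# One data row: four dotted-quad columns followed by an integer metric.
ROW_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_active_routes(text: str) -> list[Route]:
    """Return the rows of the Active Routes table. Header, separator and
    'Default Gateway:' lines are skipped because they do not match ROW_RE."""
    routes: list[Route] = []
    in_table = False
    for line in text.splitlines():
        if line.strip() == "Active Routes:":
            in_table = True
            continue
        if line.strip() == "Persistent Routes:":
            break
        if not in_table:
            continue
        m = ROW_RE.match(line)
        if m and IPV4_RE.match(m.group(1)):
            routes.append(Route(m.group(1), m.group(2), m.group(3),
                                m.group(4), int(m.group(5))))
    return routes


def default_routes(routes: list[Route]) -> list[Route]:
    """Every 0.0.0.0/0 entry; a healthy single-homed host has exactly one."""
    return [r for r in routes
            if r.destination == "0.0.0.0" and r.netmask == "0.0.0.0"]


def check_default_route(text: str, expected_gateway: str):
    """Return (ok, findings, remediation).

    ok is True only when the sole default route points at expected_gateway
    (assumed to be the firewall's inside address). remediation lists the
    `route delete` commands that would remove each stray default route.
    """
    defaults = default_routes(parse_active_routes(text))
    findings, remediation = [], []
    if not any(r.gateway == expected_gateway for r in defaults):
        findings.append(f"no default route via expected gateway {expected_gateway}")
    for r in defaults:
        if r.gateway != expected_gateway:
            findings.append(f"stray default route via {r.gateway} "
                            f"on interface {r.interface}")
            remediation.append(f"route delete 0.0.0.0 mask 0.0.0.0 {r.gateway}")
    return (not findings, findings, remediation)


if __name__ == "__main__":
    ok, findings, fix = check_default_route(SAMPLE_ROUTE_PRINT, "192.0.2.254")
    print("OK" if ok else "PROBLEM")
    for f in findings:
        print(" -", f)
    for cmd in fix:
        print(" fix:", cmd)
```

Run it against the real output of `route print` on the server and it names the gateway to delete; the `mask` keyword in the generated command is the one the thread later trips over.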
You have to remove this route..
>         0.0.0.0          0.0.0.0   63.205.221.105   63.205.221.107      1

route delete 0.0.0.0 0.0.0.0 63.205.221.105

Received a "route: bad argument 63.205.221.105" error.
D'oh! My fault....

route delete 0.0.0.0 mask 0.0.0.0 63.205.221.105

Need that word "mask" in there..
Interestingly enough, when I deleted the route and applied the configuration again to the PIX, I lost all internet connection to the outside. Had to remove the access-group and static commands and clear xlate in order to re-establish internet connectivity through the PIX.
Probably a result of ARP cache on the router that is in front of the PIX... I'm assuming your topology looks something like:

    Internet
          |
        Router
          |
        Switch
       |       |
     PIX    Server Public NIC
       |     Server private NIC
       |--LAN--|

The router's arp cache would have to time out or be manually cleared. Probably timed out while you were doing your thing to remove acls, clear xlates, etc...
Yeah, that's it. So there's no way around it?

Unfortunately, since it's SBS 2003 and my DC with Exchange, I am exposing it to the internet, something I don't want.

Sure there's a way around it..

Disable the Public NIC, unplug it from the switch even..
Remove the gateway from the Public NIC

Be sure default gateway points to PIX inside
Keep your access-list and statics:

access-list smtp permit tcp any host 63.205.221.108 eq smtp
static (inside,outside) 63.205.221.108 192.168.254.13 netmask 255.255.255.255
access-group smtp in interface outside

Done

That's what I've done. I've even restarted the PIX after everything is configured. Still don't get any email.
And you've kept this in the config?
   no fixup protocol smtp 25

Is your MX record correct? Check your domain with http://www.dnsreport.com
Yup. I've had the no fixup turned off since I first tried to get this config working.

Results from DNSReport are:
Getting MX record for foothill.com... Got it!

Host                Preference  IP(s)            [Country]
mail.foothill.com.  10          63.205.221.108   [US]
--------------------------------------------------------------------------------


Step 1:  Try connecting to the following mailserver:
         mail.foothill.com. - 63.205.221.108

Step 2:  If still unsuccessful, queue the E-mail for later delivery.
--------------------------------------------------------------------------------
Trying to connect to all mailservers:

   mail.foothill.com. - 63.205.221.108  [Successful connect: Got a good response [250 2.1.5 jsanchez@foothill.com ]]
That all works out. There's no reason you should not be receiving mail...
Can you post the result of
sho access-list smtp


User Access Verification

Username: jsanchez
Password: ********
You have logged in to the Foothill Associates Rocklin Firewall. All activity on this firewall is monitored and violators will be prosecuted to the fullest extent of the law.
Type help or '?' for a list of available commands.
RocklinFW> en
Password: ********
RocklinFW# config t
RocklinFW(config)# sh access-list smtp
access-list smtp; 1 elements
access-list smtp line 1 permit tcp any host 63.205.221.108 eq smtp (hitcnt=0)
RocklinFW(config)#
That's after the config was applied.
And again, all new internet connections are saying that they can't find the webpages. However existing internet connections are still able to get out to the net.
ASKER CERTIFIED SOLUTION
Les Moore
I can't get out on the server's browser either. Doing a tracert to yahoo.com tells me that it can't resolve the address. Yet I have the DNS of the internal NIC pointing to itself, and I just checked the DNS server settings of the domain, and the forwarders are pointing to my ISP's DNS server.

Let me see if the prior admin left the enable password to the router.
It looks like clearing the ARP cache on the T-1 router did it. Can you send me a test email?

>jsanchez - at- foothill.com ?
Made it. Thank you for the hard work. Can't believe it was something so simple.

Been dealing with this for three weeks. It's been a long month.
Woooo hooooo!!! Miller time???

- Cheers!