Cisco Router & PIX 515 allow Email through firewall to Exchange server

Needs some help configuring the router/PIX to allow email to be forwarded on to our local Exchange server.

What needs to be configured on the router and firewall to allow the company's emails from the external MX record 195.x.x.139 to get to the local Exchange server 10.248.8.1?

Current router config:
interface FastEthernet0
 description connected to EthernetLAN
 ip address 195.x.x.137 255.255.255.x
 ip access-group 115 in
 ip nat inside
 speed auto
!
interface Serial0
 ip address 194.170.x.x 255.255.255.x
 ip access-group 115 in
 ip nat outside
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
no ip http server
!
access-list 115 deny   udp any any eq tftp
access-list 115 deny   tcp any any eq 135
access-list 115 deny   udp any any eq 135
access-list 115 deny   udp any any eq netbios-ns
access-list 115 deny   udp any any eq netbios-dgm
access-list 115 deny   udp any any eq netbios-ss
access-list 115 deny   tcp any any eq 139
access-list 115 deny   tcp any any eq 445
access-list 115 deny   tcp any any eq 593
access-list 115 deny   tcp any any eq 4444
access-list 115 permit ip any any
dialer-list 1 protocol ip permit

Current PIX Firewall:

interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
access-list aclin permit icmp any any
access-list aclin permit icmp host 195.x.x.139 any
access-list aclin permit tcp host 195.x.x.139 eq smtp any
access-list aclin permit tcp host 195.x.x.139 eq www any
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 195.x.x.138 255.255.255.x
ip address inside 10.248.200.3 255.255.0.0
ip address intf2 127.0.0.1 255.255.255.255
arp timeout 14400
global (outside) 1 195.x.x.140
nat (inside) 0 access-list 110
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group aclin in interface outside
route outside 0.0.0.0 0.0.0.0 195.x.x.137 1
route inside 10.235.0.0 255.255.0.0 10.248.200.2 1
route inside 10.237.0.0 255.255.0.0 10.248.200.2 1
route inside 10.240.0.0 255.255.0.0 10.248.200.4 1
route inside 10.242.0.0 255.255.0.0 10.248.200.5 1
route inside 10.243.0.0 255.255.0.0 10.248.200.4 1
route inside 10.244.0.0 255.255.0.0 10.248.200.4 1
route inside 10.245.0.0 255.255.0.0 10.248.200.4 1
route inside 10.246.0.0 255.255.0.0 10.248.200.5 1
route inside 10.247.0.0 255.255.0.0 10.248.200.8 1
route inside 10.255.0.0 255.255.0.0 10.248.200.2 1
route inside 192.168.9.0 255.255.255.0 10.248.200.2 1
route inside 192.168.11.0 255.255.255.0 10.248.200.2 1
Asked by: jagdhillon

1 Solution
naveedb Commented:
You can add a static NAT translation on the PIX to point to the internal mail server. If it does not work, then where is the MX located with respect to the router and PIX? Is it a DMZ that you are trying to have? What is the default gateway on your external MX? Can you paste the complete configurations of the router and PIX?
0
 
calvinetter Commented:
If your router isn't blocking any inbound TCP connections to the 195.x.x.139 address, without seeing the rest of your PIX or router configs, here's what you'll want to do on the PIX:

no fixup protocol smtp 25  <- important for an Exchange server
clear xlate
static (inside,outside) 195.x.x.139 10.248.8.1
no access-list aclin permit tcp host 195.x.x.139 eq smtp any  <- line is "backwards"
no access-list aclin permit tcp host 195.x.x.139 eq www any  <- line is "backwards"
access-list aclin permit tcp any host 195.x.x.139 eq smtp
access-list aclin permit tcp any host 195.x.x.139 eq www
access-group aclin in interface outside

If still having problems, please post your entire "sanitized" configs for both router & PIX (passwords removed, public IPs masked as you've done above).

cheers
0
 
calvinetter Commented:
Note: the above assumes you're not NAT'ing 195.x.x.139 to a different IP to the outside on your router.

cheers
0
 
jagdhillon (Author) Commented:
router config:

************************************************
interface FastEthernet0
 description connected to EthernetLAN
 ip address 195.xxx.xxx.137 255.255.255.248
 ip access-group 115 in
 ip nat inside
 speed auto
!
interface Serial0
 ip address 194.xxx.xxx.238 255.255.255.252
 ip access-group 115 in
 ip nat outside
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
no ip http server
!
access-list 115 deny   udp any any eq tftp
access-list 115 deny   tcp any any eq 135
access-list 115 deny   udp any any eq 135
access-list 115 deny   udp any any eq netbios-ns
access-list 115 deny   udp any any eq netbios-dgm
access-list 115 deny   udp any any eq netbios-ss
access-list 115 deny   tcp any any eq 139
access-list 115 deny   tcp any any eq 445
access-list 115 deny   tcp any any eq 593
access-list 115 deny   tcp any any eq 4444
access-list 115 permit ip any any
dialer-list 1 protocol ip permit
*************************************************

Pix Config:

interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
hostname firewall
domain-name xxx
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 110 permit ip 192.168.2.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list 110 permit ip 192.168.2.0 255.255.255.0 1.0.0.0 255.0.0.0
access-list 110 permit ip 192.168.2.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list 110 permit ip 192.168.2.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list 110 permit ip 192.168.2.0 255.255.255.0 192.168.12.0 255.255.252.0
access-list 110 permit ip 10.248.0.0 255.255.0.0 192.168.7.0 255.255.255.0
access-list 110 permit ip 10.248.0.0 255.255.0.0 192.168.12.0 255.255.252.0
access-list 110 permit ip 10.248.0.0 255.255.0.0 1.0.0.0 255.0.0.0
access-list 110 permit ip 10.248.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 110 permit ip 10.248.0.0 255.255.0.0 10.249.0.0 255.255.0.0
access-list 110 permit ip 10.244.0.0 255.255.0.0 1.0.0.0 255.0.0.0
access-list 110 permit ip 10.244.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 110 permit ip 10.245.0.0 255.255.0.0 1.0.0.0 255.0.0.0
access-list 110 permit ip 10.245.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 110 permit ip 10.240.0.0 255.255.0.0 1.0.0.0 255.0.0.0
access-list 110 permit ip 10.240.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 110 permit ip 10.243.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 110 permit ip 10.243.0.0 255.255.0.0 1.0.0.0 255.0.0.0
access-list 110 permit ip 10.242.0.0 255.255.0.0 1.0.0.0 255.0.0.0
access-list 110 permit ip 10.255.0.0 255.255.0.0 1.0.0.0 255.0.0.0
access-list 110 permit ip 10.242.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 110 permit ip 192.168.11.0 255.255.255.0 1.0.0.0 255.0.0.0
access-list 110 permit ip 192.168.11.0 255.250.255.0 10.0.0.0 255.0.0.0
access-list 110 permit ip 10.255.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 110 permit ip 10.240.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list 110 permit ip 10.237.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 110 permit ip 10.237.0.0 255.255.0.0 1.0.0.0 255.0.0.0
access-list 110 permit ip 10.248.0.0 255.255.0.0 10.238.0.0 255.255.0.0
access-list 110 permit ip 10.248.0.0 255.255.0.0 10.230.0.0 255.255.0.0
access-list 110 permit ip 10.248.0.0 255.255.0.0 10.236.0.0 255.255.0.0
access-list 110 permit ip 10.235.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 110 permit ip 10.235.0.0 255.255.0.0 1.0.0.0 255.0.0.0
access-list 110 permit ip 10.248.0.0 255.255.0.0 10.233.0.0 255.255.0.0
access-list 110 permit ip 10.246.0.0 255.255.0.0 1.0.0.0 255.0.0.0
access-list 110 permit ip 10.246.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 110 permit ip 10.248.0.0 255.255.0.0 10.247.0.0 255.255.0.0
access-list 110 permit ip 10.247.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list 130 permit ip 192.168.2.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list 130 permit ip 10.248.0.0 255.255.0.0 192.168.7.0 255.255.255.0
access-list 130 permit ip 10.248.0.0 255.255.0.0 10.238.0.0 255.255.0.0
access-list 120 permit ip 192.168.2.0 255.255.255.0 1.0.0.0 255.0.0.0
access-list 120 permit ip 192.168.2.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list 120 permit ip 192.168.2.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list 120 permit ip 192.168.2.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list 120 permit ip 192.168.2.0 255.255.255.0 192.168.12.0 255.255.252.0
access-list 140 permit ip 192.168.2.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list 140 permit ip 192.168.2.0 255.255.255.0 1.0.0.0 255.0.0.0
access-list 140 permit ip 10.248.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 140 permit ip 10.248.0.0 255.255.0.0 1.0.0.0 255.0.0.0
access-list 140 permit ip 10.244.0.0 255.255.0.0 1.0.0.0 255.0.0.0
access-list 140 permit ip 10.244.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 140 permit ip 10.245.0.0 255.255.0.0 1.0.0.0 255.0.0.0
access-list 140 permit ip 10.245.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 140 permit ip 10.246.0.0 255.255.0.0 1.0.0.0 255.0.0.0
access-list 140 permit ip 10.246.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 140 permit ip 10.240.0.0 255.255.0.0 1.0.0.0 255.0.0.0
access-list 140 permit ip 10.240.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 140 permit ip 10.243.0.0 255.255.0.0 1.0.0.0 255.0.0.0
access-list 140 permit ip 10.255.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 140 permit ip 10.242.0.0 255.255.0.0 1.0.0.0 255.0.0.0
access-list 140 permit ip 10.255.0.0 255.255.0.0 1.0.0.0 255.0.0.0
access-list 140 permit ip 10.242.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 140 permit ip 192.168.11.0 255.255.255.2 1.0.0.0 255.0.0.0
access-list 140 permit ip 192.168.11.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list 140 permit ip 10.237.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 140 permit ip 10.237.0.0 255.255.0.0 1.0.0.0 255.0.0.0
access-list 140 permit ip 10.243.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 140 permit ip 10.235.0.0 255.255.0.0 1.0.0.0 255.0.0.0
access-list 140 permit ip 10.235.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 140 permit ip 10.247.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list 150 permit ip 192.168.2.0 255.255.255.0 192.168.12.0 255.255.252.0
access-list 150 permit ip 192.168.2.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list 150 permit ip 10.248.0.0 255.255.0.0 192.168.12.0 255.255.252.0
access-list 160 permit ip 10.248.0.0 255.255.0.0 10.249.0.0 255.255.0.0
access-list 160 permit ip 10.248.0.0 255.255.0.0 10.236.0.0 255.255.0.0
access-list 180 permit ip 10.240.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list 180 permit udp 10.240.0.0 255.255.0.0 192.168.0.0 255.255.255.0 eq isakmp
access-list 180 permit udp 10.240.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list 180 permit udp 10.244.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list 180 permit ip 10.244.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list 190 permit ip 10.248.0.0 255.255.0.0 10.230.0.0 255.255.0.0
pager lines 24
logging on
logging timestamp
logging trap debugging
logging history debugging
logging facility 21
logging host inside 10.248.92.75
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 195.xxx.xxx.138 255.255.255.248
ip address inside 10.248.200.3 255.255.0.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 195.xxx.xxx.140
nat (inside) 0 access-list 110
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 195.xxx.xxx.137 1
route inside 10.235.0.0 255.255.0.0 10.248.200.2 1
route inside 10.237.0.0 255.255.0.0 10.248.200.2 1
route inside 10.240.0.0 255.255.0.0 10.248.200.4 1
route inside 10.242.0.0 255.255.0.0 10.248.200.5 1
route inside 10.243.0.0 255.255.0.0 10.248.200.4 1
route inside 10.244.0.0 255.255.0.0 10.248.200.4 1
route inside 10.245.0.0 255.255.0.0 10.248.200.4 1
route inside 10.246.0.0 255.255.0.0 10.248.200.5 1
route inside 10.247.0.0 255.255.0.0 10.248.200.8 1
route inside 10.255.0.0 255.255.0.0 10.248.200.2 1
route inside 192.168.9.0 255.255.255.0 10.248.200.2 1
route inside 192.168.11.0 255.255.255.0 10.248.200.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.248.92.75 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
0
 
calvinetter Commented:
Please post your entire "sanitized" configs for your router (passwords removed, public IPs masked as you've done above)... I see "ip nat inside/outside" on your interfaces...  Do you also have any "ip nat inside source..." entries in your config??  If so I wouldn't expect you to be doing NAT at all, since you have public, routable IPs on both sides of your router.

  Your PIX config has several ACLs, but none of them appear to be assigned to any interfaces, & none of them are allowing SMTP traffic inbound anyway. Your original post showed "aclin" which has since been removed instead of corrected.  Currently you don't have any ACLs on your PIX to allow SMTP traffic from outside to your Exchange server, nor do you have a "static (inside,outside) ..." statement as I indicated in my original post.  Please re-read my original post for an example of how to configure the PIX.

I'll need to see the remainder of the ("sanitized") router config in order to verify it's not blocking traffic.

cheers
0
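The two points calvinetter's answers turn on are easy to miss by eye: a PIX ACL entry with "eq smtp" on the source side only matches replies coming from port 25, not connections to it, and an ACL that is never bound with access-group (or a missing "static (inside,outside)") means inbound SMTP never reaches the Exchange host. The following lint is an added example written for this thread; it is not code from the thread or from Cisco, and it also evaluates the router's inbound ACL with first-match semantics, which goes a little beyond the posts. The address constants are the thread's masked values, and the sample configs are constructed from the first post and from the corrected ACL in the accepted answer.

```python
"""Added example (not from the thread): lint PIX 6.x / IOS access-list lines for
the inbound-SMTP conditions discussed above. Addresses are the thread's masked
values; sample configs are constructed from the posts."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PUBLIC_MX = "195.x.x.139"        # external MX address from the thread (masked)
INSIDE_EXCHANGE = "10.248.8.1"   # internal Exchange server from the thread


@dataclass
class AclEntry:
    name: str
    action: str
    proto: str
    src: str
    src_port: Optional[str]
    dst: str
    dst_port: Optional[str]
    line: str


def _take_addr(toks):
    # PIX/IOS address forms: "any" | "host A.B.C.D" | "NET MASK"
    if toks[0] == "any":
        return "any", toks[1:]
    if toks[0] == "host":
        return toks[1], toks[2:]
    return f"{toks[0]}/{toks[1]}", toks[2:]


def _take_port(toks):
    # Optional port operator such as "eq smtp"; absent on ip/icmp entries.
    if len(toks) >= 2 and toks[0] in ("eq", "gt", "lt", "neq"):
        return f"{toks[0]} {toks[1]}", toks[2:]
    return None, toks


def parse_acl(line: str) -> Optional[AclEntry]:
    """Parse 'access-list NAME permit|deny PROTO SRC [eq P] DST [eq P]'."""
    toks = line.split()
    if len(toks) < 6 or toks[0] != "access-list":
        return None
    try:
        src, rest = _take_addr(toks[4:])
        src_port, rest = _take_port(rest)
        dst, rest = _take_addr(rest)
        dst_port, _ = _take_port(rest)
    except IndexError:
        return None
    return AclEntry(toks[1], toks[2], toks[3], src, src_port, dst, dst_port, line.strip())


def _entries(config: str) -> List[AclEntry]:
    return [e for e in map(parse_acl, config.splitlines()) if e]


def first_match(entries, acl, proto, dst, ports: Tuple[str, ...]) -> Optional[str]:
    """First-match evaluation of ACL `acl` for a connection from anywhere
    (ephemeral source port) to dst on one of `ports`. Returns 'permit',
    'deny', or None when nothing matches (both platforms end in implicit deny)."""
    wanted = {f"eq {p}" for p in ports}
    for e in entries:
        if e.name != acl or e.proto not in ("ip", proto) or e.src != "any":
            continue
        if e.dst not in ("any", dst) or e.src_port is not None:
            continue
        if e.dst_port is None or e.dst_port in wanted:
            return e.action
    return None


def check_pix(config: str) -> dict:
    lines = [l.strip() for l in config.splitlines()]
    entries = _entries(config)
    bound = None  # ACL applied inbound on the outside interface, if any
    for l in lines:
        t = l.split()
        if t[:1] == ["access-group"] and t[2:5] == ["in", "interface", "outside"]:
            bound = t[1]
    # "Backwards" entries: port operator on the source side and none on the
    # destination, so they describe traffic *from* port 25, not connections to it.
    backwards = [e.line for e in entries if e.name == bound
                 and e.src == PUBLIC_MX and e.src_port and not e.dst_port]
    static_prefix = f"static (inside,outside) {PUBLIC_MX} {INSIDE_EXCHANGE}"
    return {
        "acl_on_outside": bound,
        "inbound_smtp": first_match(entries, bound, "tcp", PUBLIC_MX, ("smtp", "25")),
        "backwards_rules": backwards,
        "static_present": any(l.startswith(static_prefix) for l in lines),
        "smtp_fixup_disabled": "no fixup protocol smtp 25" in lines,
    }


def pix_ready(r: dict) -> bool:
    return (r["inbound_smtp"] == "permit" and r["static_present"]
            and r["smtp_fixup_disabled"] and not r["backwards_rules"])


def check_router(config: str) -> Optional[str]:
    """What the router's first inbound ACL does with tcp/25 to the MX address."""
    entries = _entries(config)
    for l in config.splitlines():
        t = l.split()
        if t[:2] == ["ip", "access-group"] and t[-1:] == ["in"]:
            return first_match(entries, t[2], "tcp", PUBLIC_MX, ("smtp", "25"))
    return None


# Constructed from the first post: the original outside ACL on the PIX.
PIX_BEFORE = """
access-list aclin permit icmp any any
access-list aclin permit icmp host 195.x.x.139 any
access-list aclin permit tcp host 195.x.x.139 eq smtp any
access-list aclin permit tcp host 195.x.x.139 eq www any
global (outside) 1 195.x.x.140
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group aclin in interface outside
"""

# Constructed: the state the accepted answer's commands leave behind.
PIX_AFTER = """
no fixup protocol smtp 25
static (inside,outside) 195.x.x.139 10.248.8.1
access-list aclin permit icmp any any
access-list aclin permit tcp any host 195.x.x.139 eq smtp
access-list aclin permit tcp any host 195.x.x.139 eq www
access-group aclin in interface outside
"""

# Constructed from the posted IOS config (same token layout as the PIX lines).
ROUTER = """
interface Serial0
 ip access-group 115 in
access-list 115 deny   udp any any eq tftp
access-list 115 deny   tcp any any eq 135
access-list 115 deny   tcp any any eq 445
access-list 115 permit ip any any
"""

if __name__ == "__main__":
    for label, cfg in (("before", PIX_BEFORE), ("after", PIX_AFTER)):
        print(label, check_pix(cfg))
    print("router inbound tcp/25 to MX:", check_router(ROUTER))
```

Run against the first post's ACL the lint reports no inbound SMTP permit, two backwards rules and no static; against the corrected ACL everything is in place. Fed the longer PIX config from the second post, where no access-group line exists, it reports acl_on_outside as None and inbound_smtp as None, which is exactly the "none of them appear to be assigned to any interfaces" observation. The router check returns "permit" for ACL 115, since none of its deny lines touch tcp/25 before the trailing permit ip any any.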
