• Status: Solved

Inbound mail is failing at the PIX after moving our email server to a different IP address

PLEASE HELP.

We moved our email server to another location in our company, and it got a new IP address.  Our internet connection remains in the same location.

When the move occurred, I altered the existing PIX rules to account for the IP address change and modified the static NAT entry so that it would send to the new IP address, but now our outside relay can no longer connect to the inside email server and we are not getting our external email.

Internal email works great as does outbound email.

I verified that the PIX in question can ping the email server at the new address.

I don't know what to try next.  Please help!
1 Solution
 
rage419Commented:
Have you also updated your DNS MX records for your domain? This is what really drives the process that allows the other servers to find yours on the internet. Often the record is held by whoever you registered the domain through and you can change it via the web or a support call.
0
 
calvinetterCommented:
The first obvious question is: Did you change your MX records on your domain registrar's DNS settings to reflect the IP change? If not, then when some ISP needs to send email to "mail.yourdomain.com" this hostname would still resolve to the *old* IP, thus inbound mail would fail.  Just be aware, it usually takes 24-72 hrs for a DNS entry change to fully propagate throughout the Internet DNS servers.  If you must make a DNS change for something this important, always do it on a Fri afternoon, so that hopefully by Mon morning the updates will have been made.

cheers
0
 
chronolithAuthor Commented:
The MX record has not changed.

Our MX points to our ISP who receives the mail and forwards it on to our firewall and through to the server.  The outside interface of the firewall has not changed.  The NAT association has changed, but only the inside translation.  The outside public IP for our mail server remains the same.
0
 
chronolithAuthor Commented:
Only the internal address of the server has changed.  I have modified the NAT to reflect this change, but the inbound connections are failing (timing out).
0
 
calvinetterCommented:
Oops, rage419 beat me to it!  

Also regarding DNS changes & email, make sure the reverse-lookup entries have been made as well, or many/most ISPs will block email sent by you, since they often want to verify that email tagged as being sent by your mail server is coming from the correct registered IP.

cheers
0
 
calvinetterCommented:
chronolith - after you made the NAT change did you run 'clear xlate' ?
0
 
chronolithAuthor Commented:
I have just run clear xlate.  No immediate changes.
0
 
calvinetterCommented:
If you reboot the PIX (after saving the config w/ 'write mem') & it doesn't help, please post your entire "sanitized" config (passwords removed, public IPs masked like so: x.x.x.82) so we can see the config & what version you're running.

cheers
0
 
rage419Commented:
Sounds like you need to notify the forwarding ISP of the change then if they are doing a store/forward for you.

They may still be flinging mail to oblivion; your PIX logs could tell you the difference between no traffic and denying inbound mail...
0
 
rage419Commented:
(OK, mail does not go to oblivion - but the connection to the server will) Oops!
0
 
chronolithAuthor Commented:
My ISP is the one telling me he can't connect.  The address he is forwarding to matches the NAT address on my firewall - and in fact has not changed and should not have changed.  Only difference is where my email server is internally.

I can see that his relay is trying to connect as it is showing up as traffic on my managed switch.

I am reloading the pix now and I will pull the config.
0
 
chronolithAuthor Commented:
OK.  The IP address of the server used to be 172.18.1.54 and was changed to 172.19.1.54.  The NAT sending through to the email system is the public IP ending in x.x.x.155.

Config as follows:

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security10
enable password gzRXeCaz38SnkjSj encrypted
passwd ilHRYDnUoTbg5.I8 encrypted
hostname PIX515
domain-name ciscopix.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol rtsp 554
no fixup protocol smtp 25
names
access-list acl_in deny ip any host 65.121.237.200
access-list acl_in deny ip any host 198.65.220.232
access-list acl_in deny ip any host 63.68.55.189
access-list acl_in deny ip any host 63.251.224.177
access-list acl_in deny ip any host 207.188.7.74
access-list acl_in deny ip any host 207.188.7.118
access-list acl_in deny ip any host 207.188.7.125
access-list acl_in deny ip any host 63.175.146.12
access-list acl_in deny ip any host 63.175.146.18
access-list acl_in deny ip any host 128.121.26.137
access-list acl_in permit ip host 172.19.2.132 any
access-list acl_in permit tcp host 172.19.1.51 any
access-list acl_in permit tcp host 172.19.1.50 any
access-list acl_in permit tcp host 201.201.201.8 any
access-list acl_in permit tcp host 172.18.1.52 any
access-list acl_in permit tcp host 172.18.1.53 any
access-list acl_in permit tcp host 172.19.1.54 any
access-list acl_in permit tcp host 172.18.1.55 any
access-list acl_in permit tcp host 172.18.1.56 any
access-list acl_in permit tcp host 172.18.1.60 any
access-list acl_in permit tcp host 172.18.1.58 any
access-list acl_in permit tcp host 172.18.1.27 any
access-list acl_in permit tcp host 172.18.1.59 any
access-list acl_in permit tcp host 172.18.1.201 any
access-list acl_in permit tcp host 172.18.1.202 any
access-list acl_in permit tcp host 172.18.1.203 any
access-list acl_in permit tcp host 172.18.1.204 any
access-list acl_in permit tcp host 172.18.1.205 any
access-list acl_in permit tcp host 172.22.1.151 any
access-list acl_in permit tcp host 172.19.1.51 any eq ftp
access-list acl_in permit tcp host 172.19.1.51 any eq ftp-data
access-list acl_in permit tcp host 172.19.1.50 any eq ftp
access-list acl_in permit tcp host 172.19.1.50 any eq ftp-data
access-list acl_in permit tcp host 172.19.1.201 any eq ftp
access-list acl_in permit tcp host 172.19.1.201 any eq ftp-data
access-list acl_in permit tcp host 172.19.1.202 any eq ftp
access-list acl_in permit tcp host 172.19.1.202 any eq ftp-data
access-list acl_in permit tcp host 172.19.1.203 any eq ftp
access-list acl_in permit tcp host 172.19.1.203 any eq ftp-data
access-list acl_in permit tcp host 172.19.1.204 any eq ftp
access-list acl_in permit tcp host 172.19.1.204 any eq ftp-data
access-list acl_in permit tcp host 172.19.1.205 any eq ftp
access-list acl_in permit tcp host 172.19.1.205 any eq ftp-data
access-list acl_in permit tcp host 172.19.1.206 any eq ftp
access-list acl_in permit tcp host 172.19.1.206 any eq ftp-data
access-list acl_in permit tcp host 172.19.1.207 any eq ftp
access-list acl_in permit tcp host 172.19.1.207 any eq ftp-data
access-list acl_in permit tcp host 172.19.1.208 any eq ftp
access-list acl_in permit tcp host 172.19.1.208 any eq ftp-data
access-list acl_in permit tcp host 172.19.1.209 any eq ftp
access-list acl_in permit tcp host 172.19.1.209 any eq ftp-data
access-list acl_in permit tcp host 172.19.1.210 any eq ftp
access-list acl_in permit tcp host 172.19.1.210 any eq ftp-data
access-list acl_in permit tcp host 172.19.1.211 any eq ftp
access-list acl_in permit tcp host 172.19.1.211 any eq ftp-data
access-list acl_in permit tcp host 172.19.1.212 any eq ftp
access-list acl_in permit tcp host 172.19.1.212 any eq ftp-data
access-list acl_in permit tcp host 172.19.1.213 any eq ftp
access-list acl_in permit tcp host 172.19.1.213 any eq ftp-data
access-list acl_in permit tcp host 172.19.1.214 any eq ftp
access-list acl_in permit tcp host 172.19.1.214 any eq ftp-data
access-list acl_in permit tcp host 172.19.1.215 any eq ftp
access-list acl_in permit tcp host 172.19.1.215 any eq ftp-data
access-list acl_in permit tcp host 172.19.1.216 any eq ftp
access-list acl_in permit tcp host 172.19.1.216 any eq ftp-data
access-list acl_in permit tcp host 172.19.1.217 any eq ftp
access-list acl_in permit tcp host 172.19.1.217 any eq ftp-data
access-list acl_in permit tcp host 172.19.1.218 any eq ftp
access-list acl_in permit tcp host 172.19.1.218 any eq ftp-data
access-list acl_in permit tcp host 172.19.1.219 any eq ftp
access-list acl_in permit tcp host 172.19.1.219 any eq ftp-data
access-list acl_in permit tcp host 172.19.1.220 any eq ftp
access-list acl_in permit tcp host 172.19.1.220 any eq ftp-data
access-list acl_in permit tcp host 172.19.1.221 any eq ftp
access-list acl_in permit tcp host 172.19.1.221 any eq ftp-data
access-list acl_in permit tcp host 172.19.1.222 any eq ftp
access-list acl_in permit tcp host 172.19.1.222 any eq ftp-data
access-list acl_in permit tcp host 172.19.1.223 any eq ftp
access-list acl_in permit tcp host 172.19.1.223 any eq ftp-data
access-list acl_in permit tcp host 172.19.1.224 any eq ftp
access-list acl_in permit tcp host 172.19.1.224 any eq ftp-data
access-list acl_in permit tcp host 172.19.1.225 any eq ftp
access-list acl_in permit tcp host 172.19.1.225 any eq ftp-data
access-list acl_in permit tcp host 172.20.1.203 any eq ftp
access-list acl_in permit tcp host 172.20.1.203 any eq ftp-data
access-list acl_in permit tcp any host x.x.x.134 eq ftp
access-list acl_in permit tcp any host x.x.x.134 eq ftp-data
access-list acl_in permit tcp host 172.18.1.105 any eq ftp
access-list acl_in permit tcp host 172.18.1.105 any eq ftp-data
access-list acl_in permit tcp host 172.18.1.62 any eq ftp
access-list acl_in permit tcp host 172.18.1.62 any eq ftp-data
access-list acl_in deny tcp any any eq ftp
access-list acl_in deny tcp any any eq ftp-data
access-list acl_in permit tcp any any eq www
access-list acl_in permit tcp any any eq smtp
access-list acl_in permit tcp any any eq https
access-list acl_in permit tcp any any eq 8080
access-list acl_in permit udp any any eq 8080
access-list acl_in permit udp any eq 8080 any
access-list acl_in permit tcp any eq www any
access-list acl_in permit tcp any any eq citrix-ica
access-list acl_in permit udp any any eq 1604
access-list acl_in deny tcp any any eq 1300
access-list acl_in deny udp any any eq 1300
access-list acl_in deny tcp any any eq 554
access-list acl_in deny udp any any eq 554
access-list acl_in permit tcp any any eq domain
access-list acl_in permit udp any any eq domain
access-list acl_in permit icmp any any echo
access-list acl_in permit icmp any any echo-reply
access-list acl_in permit icmp any any time-exceeded
access-list acl_in permit icmp any any unreachable
access-list acl_in permit tcp host 192.168.3.8 any
access-list acl_in permit ip host 192.168.3.151 any
access-list acl_in permit tcp host 172.19.1.220 any eq pop3
access-list acl_in permit udp any any eq ntp
access-list acl_in permit ip host 172.18.2.151 any
access-list acl_in permit ip any 192.168.10.0 255.255.255.0
access-list acl_in permit ip host 172.19.1.210 any
access-list acl_in permit ip host 172.19.1.211 any
access-list 101 permit ip 172.18.0.0 255.255.0.0 192.168.31.0 255.255.255.0
access-list 101 permit ip 172.19.0.0 255.255.0.0 192.168.31.0 255.255.255.0
access-list 101 permit ip 172.20.0.0 255.255.0.0 192.168.31.0 255.255.255.0
access-list 101 permit ip 172.21.0.0 255.255.0.0 192.168.31.0 255.255.255.0
access-list 101 permit ip 172.22.0.0 255.255.0.0 192.168.31.0 255.255.255.0
access-list 101 permit ip 172.18.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list 101 permit ip 172.19.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list 101 permit ip 172.20.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list 101 permit ip 172.22.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list 101 permit ip 192.168.10.0 255.255.255.0 192.168.31.0 255.255.255.0
access-list acl_test permit ip any any
access-list acl_out deny ip 10.0.0.0 255.0.0.0 any
access-list acl_out deny ip host 255.255.255.255 any
access-list acl_out deny ip host 127.0.0.0 any
access-list acl_out deny ip 172.16.0.0 255.240.0.0 any
access-list acl_out deny ip 0.0.0.0 255.0.0.0 any
access-list acl_out deny ip 169.254.0.0 255.255.0.0 any
access-list acl_out deny ip 192.0.2.0 255.255.255.0 any
access-list acl_out deny ip 224.0.0.0 240.0.0.0 any
access-list acl_out deny ip 240.0.0.0 240.0.0.0 any
access-list acl_out deny tcp any any eq ftp
access-list acl_out deny tcp any any eq ftp-data
access-list acl_out permit icmp any any echo
access-list acl_out permit icmp any any echo-reply
access-list acl_out permit icmp any any time-exceeded
access-list acl_out permit icmp any any unreachable
access-list acl_out permit tcp host x.x.x.99 host x.x.x.155 eq smtp
access-list acl_out permit tcp host x.x.x.98 host x.x.x.155 eq smtp
access-list acl_out permit tcp host x.x.x.2 host x.x.x.155 eq smtp
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host x.x.x.158 eq www
access-list acl_out permit tcp any host x.x.x.158 eq https
access-list dmz_in permit icmp any any echo
access-list dmz_in permit icmp any any echo-reply
access-list dmz_in permit icmp any any time-exceeded
access-list dmz_in permit icmp any any unreachable
access-list dmz_in permit tcp any any eq www
access-list dmz_in permit tcp any any eq https
access-list dmz_in permit ip host 192.168.10.50 172.18.0.0 255.255.0.0
access-list dmz_in permit ip host 192.168.10.50 172.19.0.0 255.255.0.0
access-list dmz_in permit ip host 192.168.10.50 172.20.0.0 255.255.0.0
access-list dmz_in permit ip host 192.168.10.50 172.22.0.0 255.255.0.0
access-list dmz_in permit udp any any eq dnsix
access-list dmz_in permit tcp host 192.168.10.51 host 172.18.1.60
access-list dmz_in permit udp host 192.168.10.51 host 172.18.1.60
access-list dmz_in permit tcp host 192.168.10.51 host 172.18.1.56
access-list dmz_in permit udp host 192.168.10.51 host 172.18.1.56
access-list dmz_in permit tcp host 192.168.10.51 host 172.19.1.50
access-list dmz_in permit udp host 192.168.10.51 host 172.19.1.50
access-list dmz_in permit tcp host 192.168.10.51 host 172.19.1.56
access-list dmz_in permit udp host 192.168.10.51 host 172.19.1.56
pager lines 25
logging on
logging timestamp
logging standby
logging trap critical
logging facility 16
logging host inside 172.18.1.205
interface ethernet0 10baset
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside x.x.x.156 255.255.255.248
ip address inside 192.168.12.1 255.255.255.0
ip address DMZ 192.168.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.31.1-192.168.31.254
pdm location 192.168.3.14 255.255.255.255 inside
pdm location x.x.x.33 255.255.255.255 inside
pdm location x.x.x.153 255.255.255.255 inside
pdm location 172.18.1.27 255.255.255.255 inside
pdm location 172.18.1.52 255.255.255.255 inside
pdm location 172.18.1.53 255.255.255.255 inside
pdm location 172.18.1.54 255.255.255.255 inside
pdm location 172.18.1.55 255.255.255.255 inside
pdm location 172.18.1.56 255.255.255.255 inside
pdm location 172.18.1.57 255.255.255.255 inside
pdm location 172.18.1.58 255.255.255.255 inside
pdm location 172.18.1.59 255.255.255.255 inside
pdm location 172.18.1.60 255.255.255.255 inside
pdm location 172.18.1.62 255.255.255.255 inside
pdm location 172.18.1.105 255.255.255.255 inside
pdm location 172.18.1.201 255.255.255.255 inside
pdm location 172.18.1.202 255.255.255.255 inside
pdm location 172.18.1.203 255.255.255.255 inside
pdm location 172.18.1.204 255.255.255.255 inside
pdm location 172.18.1.205 255.255.255.255 inside
pdm location 172.18.2.151 255.255.255.255 inside
pdm location 172.18.0.0 255.255.0.0 inside
pdm location 172.19.1.50 255.255.255.255 inside
pdm location 172.19.1.51 255.255.255.255 inside
pdm location 172.19.1.201 255.255.255.255 inside
pdm location 172.19.1.202 255.255.255.255 inside
pdm location 172.19.1.203 255.255.255.255 inside
pdm location 172.19.1.204 255.255.255.255 inside
pdm location 172.19.1.205 255.255.255.255 inside
pdm location 172.19.1.206 255.255.255.255 inside
pdm location 172.19.1.207 255.255.255.255 inside
pdm location 172.19.1.208 255.255.255.255 inside
pdm location 172.19.1.209 255.255.255.255 inside
pdm location 172.19.1.210 255.255.255.255 inside
pdm location 172.19.1.211 255.255.255.255 inside
pdm location 172.19.1.212 255.255.255.255 inside
pdm location 172.19.1.213 255.255.255.255 inside
pdm location 172.19.1.214 255.255.255.255 inside
pdm location 172.19.1.215 255.255.255.255 inside
pdm location 172.19.1.216 255.255.255.255 inside
pdm location 172.19.1.217 255.255.255.255 inside
pdm location 172.19.1.218 255.255.255.255 inside
pdm location 172.19.1.219 255.255.255.255 inside
pdm location 172.19.1.220 255.255.255.255 inside
pdm location 172.19.1.221 255.255.255.255 inside
pdm location 172.19.1.222 255.255.255.255 inside
pdm location 172.19.1.223 255.255.255.255 inside
pdm location 172.19.1.224 255.255.255.255 inside
pdm location 172.19.1.225 255.255.255.255 inside
pdm location 172.19.2.132 255.255.255.255 inside
pdm location 172.19.0.0 255.255.0.0 inside
pdm location 172.20.1.203 255.255.255.255 inside
pdm location 172.20.0.0 255.255.0.0 inside
pdm location 172.21.0.0 255.255.0.0 inside
pdm location 172.22.1.151 255.255.255.255 inside
pdm location 172.22.0.0 255.255.0.0 inside
pdm location 192.168.3.8 255.255.255.255 inside
pdm location 192.168.3.151 255.255.255.255 inside
pdm location 192.168.3.0 255.255.255.0 inside
pdm location 192.168.10.0 255.255.255.0 inside
pdm location 192.168.31.1 255.255.255.255 inside
pdm location 192.168.31.0 255.255.255.0 inside
pdm location 201.201.201.8 255.255.255.255 inside
pdm location x.x.x.0 255.255.255.0 inside
pdm location x.x.x.33 255.255.255.255 DMZ
pdm location x.x.x.153 255.255.255.255 DMZ
pdm location 192.168.3.0 255.255.255.0 DMZ
pdm location 192.168.10.50 255.255.255.255 DMZ
pdm location 192.168.10.51 255.255.255.255 DMZ
pdm location 0.0.0.0 255.0.0.0 outside
pdm location 10.0.0.0 255.0.0.0 outside
pdm location 63.148.116.249 255.255.255.255 outside
pdm location 63.148.116.253 255.255.255.255 outside
pdm location 63.150.17.2 255.255.255.255 outside
pdm location 63.150.17.98 255.255.255.255 outside
pdm location 63.150.17.99 255.255.255.255 outside
pdm location 127.0.0.0 255.255.255.255 outside
pdm location 169.254.0.0 255.255.0.0 outside
pdm location 172.16.0.0 255.240.0.0 outside
pdm location 192.0.2.0 255.255.255.0 outside
pdm location 224.0.0.0 240.0.0.0 outside
pdm location 255.255.255.255 255.255.255.255 outside
pdm location 240.0.0.0 240.0.0.0 outside
pdm location 172.19.1.56 255.255.255.255 inside
pdm location 172.19.1.54 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.157
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 1 0.0.0.0 0.0.0.0 0 0
static (DMZ,outside) x.x.x.158 192.168.10.51 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.155 172.19.1.54 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
access-group dmz_in in interface DMZ
rip inside passive version 2
route outside 0.0.0.0 0.0.0.0 63.150.17.153 1
timeout xlate 3:00:00
timeout conn 2:00:00 half-closed 0:10:00 udp 0:10:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server RADIUS1 protocol radius
aaa-server RADIUS1 (inside) host 172.19.1.50 msciabmwz30 timeout 10
ntp authenticate
ntp server 172.19.1.56 source inside prefer
http server enable
http 172.18.0.0 255.255.0.0 inside
http 172.19.0.0 255.255.0.0 inside
snmp-server host inside 172.18.1.205
snmp-server host inside 172.18.1.56
snmp-server host inside 172.18.1.57
no snmp-server location
no snmp-server contact
snmp-server community DCACSNMP
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap client authentication RADIUS
crypto map mymap interface outside
telnet x.x.x.0 255.255.255.0 inside
telnet 192.168.12.0 255.255.255.0 inside
telnet x.x.x.33 255.255.255.255 inside
telnet 192.168.31.0 255.255.255.0 inside
telnet x.x.x.153 255.255.255.255 inside
telnet 192.168.3.0 255.255.255.0 inside
telnet 172.18.0.0 255.255.0.0 inside
telnet x.x.x.33 255.255.255.255 DMZ
telnet x.x.x.153 255.255.255.255 DMZ
telnet 192.168.3.0 255.255.255.0 DMZ
telnet timeout 5
ssh x.x.x.253 255.255.255.255 outside
ssh x.x.x.249 255.255.255.255 outside
ssh 192.168.31.1 255.255.255.255 inside
ssh 172.18.0.0 255.255.0.0 inside
ssh timeout 5
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local vpnpool
vpdn group 1 client configuration dns 172.19.1.56 172.19.1.50
vpdn group 1 client configuration wins 172.19.1.56 172.19.1.50
vpdn group 1 client authentication aaa RADIUS1
vpdn group 1 pptp echo 60
vpdn enable outside
vpdn enable inside
terminal width 80
Cryptochecksum:29df66bfc3ecbfedd7ffaa9b0faa7f76
: end
0
 
rage419Commented:
Someone please correct me if wrong, but assuming the source addresses of your ISP, etc. are correct this looks OK to me. What are you seeing in the logs?
0
 
calvinetterCommented:
ACL is fine.  Static NAT entry is fine.  What about routes? Are you *sure* the PIX has a route to the 172.19.1.x or 172.19.x.x network? I see the PIX is listening for RIP v2.  What does "show route" give you?

cheers
0
 
chronolithAuthor Commented:
show route gives:

PIX515# sho route
        outside 0.0.0.0 0.0.0.0 x.x.x.153 1 OTHER static
        outside x.x.x.152 255.255.255.248 x.x.x.156 1 CONNECT static
        inside 172.18.0.0 255.255.0.0 192.168.12.2 1 RIP
        inside 172.19.0.0 255.255.0.0 192.168.12.2 3 RIP
        inside 172.20.0.0 255.255.0.0 192.168.12.2 3 RIP
        inside 172.22.0.0 255.255.0.0 192.168.12.2 4 RIP
        DMZ 192.168.10.0 255.255.255.0 192.168.10.1 1 CONNECT static
        inside 192.168.12.0 255.255.255.0 192.168.12.1 1 CONNECT static
        inside 192.168.100.0 255.255.255.0 192.168.12.2 2 RIP
        inside 192.168.101.0 255.255.255.0 192.168.12.2 2 RIP
        inside 192.168.102.0 255.255.255.0 192.168.12.2 3 RIP
        inside 192.168.103.0 255.255.255.0 192.168.12.2 3 RIP
        inside 201.201.201.0 255.255.255.0 192.168.12.2 3 RIP
0
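An added example, not from the thread: a small Python checker that walks the inbound SMTP chain through the posted PIX config the way calvinetter does by hand (the access-group binding on outside, the acl_out permit from the relay, the static for x.x.x.155, and a route to the inside host from "show route"). The embedded config and route lines are a constructed subset of what chronolith posted; masked x.x.x. addresses are compared as plain text.

```python
import ipaddress
import re

ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) (.*)$")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")

# Constructed sample: the lines from chronolith's config and 'show route' that the chain uses
CONFIG = """\
access-list acl_out permit tcp host x.x.x.99 host x.x.x.155 eq smtp
access-list acl_out permit icmp any any
static (DMZ,outside) x.x.x.158 192.168.10.51 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.155 172.19.1.54 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
"""
SHOW_ROUTE = """\
outside 0.0.0.0 0.0.0.0 x.x.x.153 1 OTHER static
outside x.x.x.152 255.255.255.248 x.x.x.156 1 CONNECT static
inside 172.18.0.0 255.255.0.0 192.168.12.2 1 RIP
inside 172.19.0.0 255.255.0.0 192.168.12.2 3 RIP
"""

def _operand(toks):
    """Consume one ACL address operand: 'any', 'host A.B.C.D' or 'NET MASK'."""
    if toks[0] == "any":
        return "any", toks[1:]
    if toks[0] == "host":
        return toks[1], toks[2:]
    return (toks[0], toks[1]), toks[2:]

def _addr_match(spec, ip):
    """Single hosts (masked x.x.x. values included) compare as text; networks via ipaddress."""
    if spec == "any" or spec == ip:
        return True
    if isinstance(spec, str):
        return False
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network("%s/%s" % spec, strict=False)
    except ValueError:                          # a masked public prefix cannot be parsed
        return False

def parse_pix(text):
    """Pull the ACLs, static translations and inbound ACL bindings out of a PIX 6.x config."""
    acls, statics, groups = {}, {}, {}
    for line in text.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            name, action, proto, rest = m.groups()
            src, toks = _operand(rest.split())
            if toks[:1] == ["eq"]:                  # source-port qualifier: skip it
                toks = toks[2:]
            dst, toks = _operand(toks)
            port = toks[1] if toks[:1] == ["eq"] else None
            acls.setdefault(name, []).append((action, proto, src, dst, port))
        elif m := STATIC_RE.match(line):
            inside_if, _outside_if, public, inside = m.groups()
            statics[public] = (inside_if, inside)
        elif m := GROUP_RE.match(line):
            groups[m.group(2)] = m.group(1)         # interface -> ACL applied inbound
    return acls, statics, groups

def acl_verdict(entries, proto, src, dst, port):
    """First matching line wins; an applied ACL ends in an implicit deny."""
    for action, p, s, d, pt in entries:
        if p in (proto, "ip") and _addr_match(s, src) and _addr_match(d, dst) \
                and pt in (None, port):
            return action
    return "deny"

def route_for(show_route, ip):
    """Longest-prefix match over 'show route' lines -> (interface, network, next hop)."""
    target, best = ipaddress.ip_address(ip), None
    for line in show_route.splitlines():
        parts = line.split()
        try:
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        except (IndexError, ValueError):            # blank line, or a masked public prefix
            continue
        if target in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (parts[0], net, parts[3])
    return best

def audit_inbound_smtp(config, show_route, relay, public_ip):
    """List the breaks in the relay -> public IP -> inside host chain ([] means it holds)."""
    acls, statics, groups = parse_pix(config)
    problems = []
    acl_name = groups.get("outside")
    if acl_name is None:
        problems.append("no ACL applied inbound on the outside interface")
    elif acl_verdict(acls.get(acl_name, []), "tcp", relay, public_ip, "smtp") != "permit":
        problems.append(f"{acl_name} does not permit {relay} -> {public_ip}:smtp")
    if public_ip not in statics:
        return problems + [f"no static translation for {public_ip}"]
    inside_if, inside_ip = statics[public_ip]
    route = route_for(show_route, inside_ip)
    if route is None or route[0] != inside_if:
        problems.append(f"no route to {inside_ip} via interface {inside_if}")
    return problems
```

With the posted lines the chain holds, which is exactly why the experts moved on from the PIX to the devices behind it.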
 
rage419Commented:
Good eye calvinetter, that does look to be missing...
0
 
rage419Commented:
or maybe not - missed the last post
0
 
calvinetterCommented:
Hmm, routes look ok.  You're not doing any filtering (ACLs, etc) on the 192.168.12.2 device are you?

BTW, that's a very old version of PIX, as I'm sure you're aware.  Quite buggy too, as there's a *lot* of fixes just in the next minor version - 6.2(3).  Do you have current SmartNet on this PIX? Can you upgrade to 6.3(5)?
0
 
chronolithAuthor Commented:
There is a router between the pix and the rest of the networks as I am sure you noticed.  I will check the config.  What should I look for?  How do I open it up?
0
 
calvinetterCommented:
Another obvious question: when you made changes to your ACL 'acl_out', did you re-apply the ACL to the interface? (very important):
 access-group acl_out in interface outside

cheers
0
 
chronolithAuthor Commented:
I have not made any changes to the ACLs.  If this is my problem I will gladly kick myself, but please walk me through it.
0
 
calvinetterCommented:
>If this is my problem I will gladly kick myself, but please walk me through it.
  LOL! I think this is one of those weeks for everyone.  I pulled an all-nighter on Mon night. :P

>I will check the config.  What should I look for?
  If this is a Cisco router, please post the entire "sanitized" config.

cheers
0
 
chronolithAuthor Commented:
Here is the router config in the middle:

Building configuration...

Current configuration : 1154 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname DCAC_1605
!
enable secret 5 $1$2ccy$10OMj0WCHIVJfcbOr64x20
!
ip subnet-zero
no ip domain lookup
!
!
!
!
interface Ethernet0
 ip address 192.168.12.2 255.255.255.0
!
interface Ethernet1
 ip address 172.18.1.3 255.255.0.0
!
router rip
 version 2
 network 172.18.0.0
 network 192.168.3.0
 network 192.168.12.0
 neighbor 172.18.1.2
 neighbor 192.168.3.1
 neighbor 172.18.1.1
 neighbor 192.168.12.1
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.12.1
ip route 10.129.120.210 255.255.255.255 192.168.3.9
ip route 192.168.3.0 255.255.255.0 172.18.1.1
no ip http server
!
access-list 10 permit 192.168.12.0 0.0.0.255
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 deny   172.0.0.0 0.31.255.255
access-list 10 deny   10.0.0.0 0.255.255.255
access-list 10 deny   192.168.0.0 0.0.255.255
access-list 99 permit 192.168.3.6
access-list 99 permit 172.18.1.57
access-list 99 permit 172.18.1.56
snmp-server community xxxxxxxx RO 99
snmp-server enable traps tty
!
line con 0
line vty 0 4
 password 7 060B1C22454F0B14120D415B
 login
!
!
end
0
 
calvinetterCommented:
I don't see any static routes for 172.19.x.x, nor is there a "network 172.19.0.0" under "router rip". eg:
  router rip
  network 172.19.0.0  <-- missing

Check the output of "show ip route" on this router to confirm what routes it knows about.

cheers
0
 
chronolithAuthor Commented:
sho ip route gives:

C    192.168.12.0/24 is directly connected, Ethernet0
R    201.201.201.0/24 [120/2] via 172.18.1.1, 00:00:10, Ethernet1
R    172.19.0.0/16 [120/2] via 172.18.1.1, 00:00:10, Ethernet1
C    172.18.0.0/16 is directly connected, Ethernet1
R    172.20.0.0/16 [120/2] via 172.18.1.1, 00:00:10, Ethernet1
R    172.22.0.0/16 [120/3] via 172.18.1.1, 00:00:10, Ethernet1
     10.0.0.0/32 is subnetted, 1 subnets
S       10.129.120.210 [1/0] via 192.168.3.9
R    192.168.102.0/24 [120/2] via 172.18.1.1, 00:00:10, Ethernet1
R    192.168.103.0/24 [120/2] via 172.18.1.1, 00:00:10, Ethernet1
R    192.168.100.0/24 [120/1] via 172.18.1.1, 00:00:10, Ethernet1
S    192.168.3.0/24 [1/0] via 172.18.1.1
R    192.168.101.0/24 [120/1] via 172.18.1.1, 00:00:10, Ethernet1
S*   0.0.0.0/0 [1/0] via 192.168.12.1
0
 
chronolithAuthor Commented:
Is there anything in the routes to indicate that it would be able to route to 172.18.1.54 and not 172.19.1.54?

As a reminder, I was able to successfully ping the email server in its new location from the firewall.
0
 
calvinetterCommented:
Routes are fine.  The next hop is 172.18.1.1 for the 172.19.x.x network.

>As a reminder, I was able to successfully ping the email server
  Sorry, missed that at first glance!  Like I said, one of those weeks... lol

Ok, so what about the router at 172.18.1.1? Is *it* blocking anything?  Is it directly connected to the 172.19.x.x network?

cheers
0
 
chronolithAuthor Commented:
OK.  Here are the routes for 172.18.1.1.  The next hop for it is 172.19.0.0

R    192.168.12.0/24 [120/1] via 172.18.1.3, 00:00:18, Ethernet0/0
R    201.201.201.0/24 [120/1] via 192.168.101.2, 00:00:02, Serial0/1
R    172.19.0.0/16 [120/1] via 192.168.100.2, 00:00:26, Serial0/0
C    172.18.0.0/16 is directly connected, Ethernet0/0
S    172.21.0.0/16 [1/0] via 192.168.100.2
R    172.20.0.0/16 [120/1] via 192.168.101.2, 00:00:02, Serial0/1
R    172.22.0.0/16 [120/2] via 192.168.101.2, 00:00:02, Serial0/1
     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
S       10.10.10.0/24 [1/0] via 192.168.100.2
S       10.129.120.210/32 [1/0] via 172.18.1.2
S       10.129.120.212/32 [1/0] via 192.168.101.2
R    192.168.102.0/24 [120/1] via 192.168.101.2, 00:00:02, Serial0/1
R    192.168.103.0/24 [120/1] via 192.168.100.2, 00:00:26, Serial0/0
C    192.168.100.0/24 is directly connected, Serial0/0
C    192.168.101.0/24 is directly connected, Serial0/1
S*   0.0.0.0/0 [1/0] via 172.18.1.3
0
 
chronolithAuthor Commented:
ACL for 172.18.1.1

wilson#sho access-list
Standard IP access list 99
    10 permit 172.18.1.205 (3702 matches)
    20 permit 172.18.1.57
    30 permit 172.18.1.56 (35534 matches)
Extended IP access list 101
    10 permit ip any any (1420055 matches)
    20 permit icmp any any
Extended IP access list 102
    10 permit udp host 172.18.1.26 any (9 matches)
0
 
calvinetterCommented:
We'd need to see where these ACLs are applied in the above router... But let's save some time here - an easy way to verify "inbound" access to TCP port 25 to your mail server is: telnet to port 25 & see if you get an error...
  eg: From a host on the 192.168.12.x subnet, try this:
  telnet 172.19.1.54 25

cheers
0
 
chronolithAuthor Commented:
OK.  I went to a local server on the LAN with the email (exchange 2003) server and:

telnet 172.19.1.54 25

The result was a blanked out screen and as soon as I hit a key it takes me back to the prompt.  There was no error message of any kind.

I did the same from a server in the PIX DMZ:

telnet 172.19.1.54 25

The result was the exact same as the server on the same lan segment.

Is the blank screen a bad indicator?  If so it is from all locations.
0
 
rage419Commented:
What happens when you try that on the server itself? And do you have filters enabled on your SMTP server?
0
 
calvinetterCommented:
BTW, I don't know much about Exchange... But I believe a blank screen indicates a failure... try typing in: "ehlo" (without quotes) once you're connected; further references:
http://support.microsoft.com/kb/q153119/
http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3TransnRouting/003e4901-884f-4bc7-b3c3-557add4e5c3a.mspx?mfr=true
http://www.computerperformance.co.uk/exchange2003/exchange2003_SMTP_Auth_Login.htm

If it's failing, then you'll need to track down at what point port 25 is being hosed.  Very sorry, but at this point I'll have to temporarily turn this over to someone else, as I *must* take care of some personal things before my business trip tomorrow & it's late evening here.  *rage419, can you continue on?

If this is urgent to get going tonight, I might suggest posting a low-points "pointer" question in one or more of the following topic areas:
  http://www.experts-exchange.com/Hardware/Routers/
  http://www.experts-exchange.com/Security/Firewalls/

cheers
0
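An added example, not from the thread: a Python probe that does what the telnet-to-port-25 test above does and labels the outcome, because a blank screen, a refusal and a timeout each point at a different layer (the SMTP service, the host, or the path and firewall). The two loopback servers it spins up are constructed stand-ins for a greeting SMTP service and a silent one, not Exchange.

```python
import socket
import socketserver
import threading


def _read_reply(sock):
    """Read one SMTP reply (single or multi-line); '' if the peer stays silent."""
    data = b""
    try:
        while True:
            chunk = sock.recv(1024)
            if not chunk:
                break
            data += chunk
            lines = data.split(b"\r\n")
            # The last line of a reply has a space after the code ("250 "),
            # continuation lines a hyphen ("250-").
            if data.endswith(b"\r\n") and lines[-2][3:4] == b" ":
                break
    except socket.timeout:
        pass
    return data.decode("ascii", "replace")


def check_smtp(host, port=25, timeout=3.0):
    """Classify what the telnet test shows, so each outcome points at a layer."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "timeout"        # no SYN/ACK came back: filtered, or the reply took another path
    except ConnectionRefusedError:
        return "refused"        # host reachable, nothing listening on the port
    except OSError:
        return "unreachable"    # no route / ICMP unreachable
    with sock:
        sock.settimeout(timeout)
        banner = _read_reply(sock)
        if not banner:
            return "no-banner"  # TCP opened but the service never greeted: the blank screen
        if not banner.startswith("220"):
            return "bad-banner"
        sock.sendall(b"EHLO probe.example.test\r\n")
        reply = _read_reply(sock)
        sock.sendall(b"QUIT\r\n")
        _read_reply(sock)
        return "ok" if reply.startswith("250") else "ehlo-rejected"


class GreetingHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in for a healthy SMTP service (not a real MTA)."""
    def handle(self):
        self.wfile.write(b"220 mail.example.test ESMTP constructed\r\n")
        for raw in self.rfile:
            cmd = raw.strip().upper()
            if cmd.startswith(b"EHLO"):
                self.wfile.write(b"250-mail.example.test\r\n250 SIZE 10240000\r\n")
            elif cmd.startswith(b"QUIT"):
                self.wfile.write(b"221 Bye\r\n")
                return
            else:
                self.wfile.write(b"500 Unrecognised command\r\n")


class SilentHandler(socketserver.BaseRequestHandler):
    """Accepts the TCP connection but never speaks: the blank-screen case."""
    def handle(self):
        while self.request.recv(1024):
            pass


def start_fake_server(handler):
    """Listen on a random loopback port in a background thread; returns (server, port)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def free_port():
    """A loopback port with nothing listening, to show the 'refused' outcome."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    for label, handler in (("healthy", GreetingHandler), ("silent", SilentHandler)):
        server, port = start_fake_server(handler)
        print(label, "->", check_smtp("127.0.0.1", port, timeout=1.0))
        server.shutdown()
        server.server_close()
    print("closed port ->", check_smtp("127.0.0.1", free_port(), timeout=1.0))
```

Run it against the real server from the LAN, the DMZ and (via the public address) from outside; the thread's two failures map to "no-banner" inside and "timeout" from outside.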
 
rage419Commented:
I'll do what I can, know a bit of exchange too! Pointer Q is still a good idea for full exposure though.
0
 
chronolithAuthor Commented:
Same deal on the server itself (using 172.19.1.54).

I can't even seem to open a port 25 telnet session on the box itself.  Is my server the problem?
0
 
chronolithAuthor Commented:
OK.  Did manage to solve the problem with the telnet port 25 thing.  The default SMTP server was set incorrectly (wrong IP).

I was able to get a telnet connection from a machine in the DMZ, but the telnet is still failing from outside the firewall (timeout).

Back to the wall.  Any ideas?
0
 
rage419Commented:
Can you switch your SMTP virtual server to listen on port 23 and then 'telnet' to it from the PIX to ensure no other little issues are preventing the FW talking internally to the mail host.

After the test, just flip the port back to 25 to go back to normal.
0
 
chronolithAuthor Commented:
Problem was solved.

It was nothing to do with the firewall.

When I moved the server to a different site, I switched its gateway to the local internet connection.  The mail traffic was still coming through the old site and routing through to the new location, but the SMTP server was not responding to it because it was using a different gateway and internet connection with the routes set up to pipe internet traffic out a different path.

Now I just have to figure out how to tell my exchange server how to use both connections for load balancing and failover.  I would like to set up multiple MX records for each connection.  I have read that RRAS is the way to do this, but both of the NICs in the server (there are 5) currently act as a team on an internal address.  Any other interfaces would also be internal in my existing config.

Can I not just set up a separate NIC with a separate IP to speak to the other connection on a different default gateway?
0
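An added example, not from the thread: a small routing simulation of the asymmetry chronolith describes, built from the PIX, DCAC_1605 and 172.18.1.1 routing tables posted above plus an assumed router at the new site (192.168.100.2 / 172.19.1.1 with an assumed upstream at 198.51.100.1); masked public addresses are replaced by constructed 203.0.113.N stand-ins. The "fixed" variant assumes the site-B router sends internet traffic back via 192.168.100.1 so replies return through the PIX; the thread does not say how the author actually corrected the gateway.

```python
import ipaddress

# Constructed stand-ins for the masked public addresses in the thread (x.x.x.N -> 203.0.113.N);
# 198.51.100.1 is the assumed upstream of the new site, which the thread never shows.
RELAY = "203.0.113.99"          # the ISP relay that acl_out permits to x.x.x.155
MAIL_INSIDE = "172.19.1.54"     # inside address behind the static for x.x.x.155


class Router:
    """One device's forwarding table; a next hop is an IP or 'connected'."""
    def __init__(self, name, routes):
        self.name = name
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def lookup(self, dst):
        """Longest-prefix match, as every hop in the thread does it."""
        dst = ipaddress.ip_address(dst)
        hits = [(net, nh) for net, nh in self.routes if dst in net]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def build_topology(site_b_default):
    """Tables copied from the 'show route' / 'show ip route' output in the thread, plus an
    assumed router at the new site and the mail server's own table after the move."""
    devices = {
        "pix": Router("pix", [("0.0.0.0/0", "203.0.113.153"), ("203.0.113.152/29", "connected"),
                              ("172.18.0.0/16", "192.168.12.2"), ("172.19.0.0/16", "192.168.12.2"),
                              ("192.168.12.0/24", "connected")]),
        "dcac_1605": Router("dcac_1605", [("0.0.0.0/0", "192.168.12.1"),
                                          ("172.18.0.0/16", "connected"),
                                          ("172.19.0.0/16", "172.18.1.1"),
                                          ("192.168.12.0/24", "connected")]),
        "wilson": Router("wilson", [("0.0.0.0/0", "172.18.1.3"), ("172.18.0.0/16", "connected"),
                                    ("172.19.0.0/16", "192.168.100.2"),
                                    ("192.168.100.0/24", "connected")]),
        # Assumed: 192.168.100.2 / 172.19.1.1, with its own ISP link on 198.51.100.0/30
        "site_b": Router("site_b", [("0.0.0.0/0", site_b_default), ("172.19.0.0/16", "connected"),
                                    ("172.18.0.0/16", "192.168.100.1"),
                                    ("192.168.100.0/24", "connected"),
                                    ("198.51.100.0/30", "connected")]),
        # Exchange server after the move: its default gateway is the local site-B router
        "mailserver": Router("mailserver", [("0.0.0.0/0", "172.19.1.1"),
                                            ("172.19.0.0/16", "connected")]),
    }
    owners = {"192.168.12.1": "pix", "192.168.12.2": "dcac_1605", "172.18.1.3": "dcac_1605",
              "172.18.1.1": "wilson", "192.168.100.1": "wilson",
              "192.168.100.2": "site_b", "172.19.1.1": "site_b", MAIL_INSIDE: "mailserver",
              "203.0.113.153": "isp-a", "198.51.100.1": "isp-b"}
    return devices, owners


def trace(start, dst, devices, owners, max_hops=10):
    """Follow the forwarding decisions hop by hop until the destination host, an ISP we do
    not model, or a dead end. The inbound trace starts at the PIX after its static NAT."""
    path, node = [start], devices[start]
    for _ in range(max_hops):
        nh = node.lookup(dst)
        if nh is None:
            return path + ["<no route>"]
        if nh == "connected":
            owner = owners.get(dst)
            return path + [owner] if owner and owner != node.name else path
        hop = owners.get(nh, nh)
        path.append(hop)
        if hop not in devices:            # handed to an upstream ISP
            return path
        node = devices[hop]
    return path + ["<loop?>"]


def reply_crosses_firewall(devices, owners):
    """True only if the server's reply to the relay passes back through the PIX; if it does
    not, the PIX never sees the SYN/ACK and the relay times out exactly as in the thread."""
    return "pix" in trace("mailserver", RELAY, devices, owners)


if __name__ == "__main__":
    for label, default in (("after the move", "198.51.100.1"), ("assumed fix", "192.168.100.1")):
        devices, owners = build_topology(default)
        print(label, "inbound :", " -> ".join(trace("pix", MAIL_INSIDE, devices, owners)))
        print(label, "reply   :", " -> ".join(trace("mailserver", RELAY, devices, owners)))
        print(label, "symmetric:", reply_crosses_firewall(devices, owners))
```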
 
GranModCommented:
PAQed with points refunded (500)

GranMod
Community Support Moderator
0
