Solved

500 pts URGENT PLEASE HELP! IN OFFICE NOW (SATURDAY) - NEED TO LET SMTP THROUGH PIX!

Posted on 2006-07-01
Last Modified: 2013-11-16
Hi!!

I need to let smtp traffic through our pix - our Exchange 2003 server can receive email but not send. I have checked over the config and think it has to be a firewall issue. We are trying to relay through our ISP's smarthost (smtp.easynet.co.uk), but no email is being sent. I cannot telnet to the address from inside our network on port 25, but I can OK from a PC outside the network, which leads me to suspect the firewall config. I have added the following commands and saved them to memory, but it still doesn't work:

static (inside,outside) 217.206.*.* 192.168.46.101 netmask 255.255.255.255 0 0
access-list inside permit tcp host 192.168.46.101 any eq smtp

I am running out of ideas, need a cisco guru to lend a hand!
0
Comment
Question by:5t34lth_G33k
7 Comments
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17023953
>access-list inside permit tcp host 192.168.46.101 any eq smtp

This should read;

access-list inside permit tcp any host 217.206.*.* any eq smtp

and I assume it is applied to the outside interface.

Also give more details, rather paste the complete config of PIX. Is it an Exchange server? If so do;

no fixup protocol smtp

Cheers,
Rajesh
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17023955
Oops, the access-list cut & edit went wrong, it should be as below;

access-list inside permit tcp any host 217.206.*.* eq smtp

Cheers,
Rajesh
0
 
LVL 10

Assisted Solution

by:naveedb
naveedb earned 150 total points
ID: 17023961
Can you post your config from Cisco PIX?

" I cannot telnet to the address from inside our network on port 25, but I can OK from a PC outside the network"

You mentioned you have to go through your ISP's smarthost, are you able to telnet to port 25 on smarthost and see if it accepts connection from your Exchange server?

Did you try to telnet bypassing the PIX?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17024569
Agreed. We need the config posting.
0
 
LVL 1

Accepted Solution

by:Jaedub
Jaedub earned 350 total points
ID: 17039634
Okay, sans a config, let's cover some basic assumptions:

*  The access list is called inside so it's applied to the inside interface.
*  The format in which you have it ****is correct****, so don't change it.
     access-list inside permit tcp host 192.168.46.101 any eq smtp
*  You have the following command in your config:
    access-group inside in interface inside
*  You are able to ping www.yahoo.com from the Exchange box and get name resolution / your DNS configuration is working properly.  If not, you need to configure the DNS server settings on your box to point to a DNS server and/or you need to let that DNS server out via a similar "inside" access-list with UDP as the protocol.
*  You have your SMTP virtual server configured under Deliver > Advanced Delivery with the address "smtp.easynet.co.uk" and you have restarted the SMTP service.
*  Your smarthost is speaking ESMTP (I checked), so use the command "no fixup protocol smtp"

Let us know the status of the above.

-J

     
0
 
LVL 7

Author Comment

by:5t34lth_G33k
ID: 17071149
Sorry for not posting back earlier - the problem was that as well as a

'access-list inside permit tcp host 192.168.46.101 any eq smtp'

line in the config, there was also a

'access-list inside deny tcp any any eq smtp'

line that I had not seen before. After this line was removed, the firewall started to let through smtp traffic. What was very strange was that these lines had been in the firewall before I ever looked at it, but smtp has always worked. I had thought that maybe the deny line took effect first, with the permit line overriding it, letting just the server use smtp. I don't know why or how this could have changed, maybe the order of processing the lines of config changed?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17074690
The list cannot change itself, however, if previously you had an allow that included SMTP ahead of the deny then the deny would have been ignored.
0
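
Added example (not part of the thread and not any poster's code): a small first-match evaluator for the two access-list lines discussed above, showing how their order decides whether the Exchange host's SMTP traffic is permitted and flagging an entry that an earlier, broader one makes unreachable. It handles only the `permit|deny tcp SRC DST [eq PORT]` subset of PIX syntax; the function names and the smarthost address are assumptions made for illustration.

```python
import ipaddress

def parse_ace(line):
    """Parse 'access-list NAME permit|deny tcp SRC DST [eq PORT]' (a subset of PIX syntax)."""
    tok = line.split()
    rest = tok[4:]
    def take_addr():
        # Address forms: 'any' | 'host A.B.C.D' | 'A.B.C.D MASK'
        first = rest.pop(0)
        if first == "any":
            return ipaddress.ip_network("0.0.0.0/0")
        if first == "host":
            return ipaddress.ip_network(rest.pop(0) + "/32")
        return ipaddress.ip_network(first + "/" + rest.pop(0))
    src, dst = take_addr(), take_addr()
    port = rest[1] if rest[:1] == ["eq"] else None  # None means any port
    return {"action": tok[2], "src": src, "dst": dst, "port": port, "line": line}

def evaluate(acl, src_ip, dst_ip, port):
    """Return (action, matching line); the first matching entry wins."""
    for ace in acl:
        if (ipaddress.ip_address(src_ip) in ace["src"]
                and ipaddress.ip_address(dst_ip) in ace["dst"]
                and ace["port"] in (None, port)):
            return ace["action"], ace["line"]
    return "deny", "(implicit deny at end of list)"

def shadowed(acl):
    """Pairs (earlier, later): an earlier entry with the opposite action
    matches every packet the later entry would, so the later one never fires."""
    pairs = []
    for i, later in enumerate(acl):
        for earlier in acl[:i]:
            if (earlier["action"] != later["action"]
                    and later["src"].subnet_of(earlier["src"])
                    and later["dst"].subnet_of(earlier["dst"])
                    and earlier["port"] in (None, later["port"])):
                pairs.append((earlier["line"], later["line"]))
                break
    return pairs

# The two lines from the thread, in both possible orders.
DENY = "access-list inside deny tcp any any eq smtp"
PERMIT = "access-list inside permit tcp host 192.168.46.101 any eq smtp"
DENY_FIRST = [parse_ace(DENY), parse_ace(PERMIT)]
PERMIT_FIRST = [parse_ace(PERMIT), parse_ace(DENY)]
SMARTHOST = "203.0.113.25"  # constructed documentation address, not the real smarthost

if __name__ == "__main__":
    for label, acl in (("deny first", DENY_FIRST), ("permit first", PERMIT_FIRST)):
        print(label, evaluate(acl, "192.168.46.101", SMARTHOST, "smtp"), shadowed(acl))
```

With the permit first, only 192.168.46.101 can send SMTP and every other inside host hits the deny, which is the restriction the two lines were presumably meant to enforce.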


Question has a verified solution.
