Solved

500 pts URGENT PLEASE HELP! IN OFFICE NOW (SATURDAY) - NEED TO LET SMTP THROUGH PIX!

Posted on 2006-07-01
Last Modified: 2013-11-16
Hi!!

I need to let smtp traffic through our pix - our exchange 2003 server can receive email but not send. I have checked over the config and think it has to be a firewall issue. We are trying to relay through our ISP's smarthost (smtp.easynet.co.uk), but no email is being sent. I cannot telnet to the address from inside our network on port 25, but I can OK from a PC outside the network, which leads me to suspect the firewall config. I have added the following commands and saved them to memory, but it still doesn't work:

static (inside,outside) 217.206.*.* 192.168.46.101 netmask 255.255.255.255 0 0
access-list inside permit tcp host 192.168.46.101 any eq smtp

I am running out of ideas, need a cisco guru to lend a hand!
Question by:5t34lth_G33k
7 Comments
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17023953
>access-list inside permit tcp host 192.168.46.101 any eq smtp

This should read;

access-list inside permit tcp any host 217.206.*.* any eq smtp

and I assume it is applied to the outside interface.

Also give more details, rather paste the complete config of PIX. Is it an Exchange server? If so do;

no fixup protocol smtp

Cheers,
Rajesh
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17023955
oops the access-list cut & edit went wrong, it should be as below;

access-list inside permit tcp any host 217.206.*.* eq smtp

Cheers,
Rajesh
 
LVL 10

Assisted Solution

by:naveedb
naveedb earned 150 total points
ID: 17023961
Can you post your config from Cisco PIX?

" I cannot telnet to the address from inside our network on port 25, but I can OK from a PC outside the network"

You mentioned you have to go through your ISP's smarthost, are you able to telnet to port 25 on smarthost and see if it accepts connection from your Exchange server?

Did you try to telnet bypassing the PIX?

 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17024569
Agreed. We need the config posting.
 
LVL 1

Accepted Solution

by:Jaedub
Jaedub earned 350 total points
ID: 17039634
Okay, sans a config let's cover some basic assumptions:

*  The access list is called inside so it's applied to the inside interface.
*  The format in which you have it ****is correct****, so don't change it.
     access-list inside permit tcp host 192.168.46.101 any eq smtp
*  You have the following command in your config:
    access-group in interface inside inside
*  You are able to ping www.yahoo.com from the exchange box and get name resolution / your DNS configuration is working properly. If not, you need to configure the DNS server settings on your box to point to a DNS server and/or you need to let that DNS server out via a similar "inside" access-list with UDP as the protocol.
*  You have your SMTP virtual server configured under Delivery > Advanced Delivery with the address "smtp.easynet.co.uk" and you have restarted the SMTP service.
*  Your smarthost is speaking ESMTP (I checked), so use the command "no fixup protocol smtp"

Let us know the status of the above.

-J

 
LVL 7

Author Comment

by:5t34lth_G33k
ID: 17071149
Sorry for not posting back earlier - the problem was that as well as a

'access-list inside permit tcp host 192.168.46.101 any eq smtp'

line in the config, there was also a

'access-list inside deny tcp any any eq smtp'

line that I had not seen before. After this line was removed, the firewall started to let through smtp traffic. What was very strange was that these lines had been in the firewall before I ever looked at it, but smtp has always worked. I had thought that maybe the deny line took effect first, with the permit line overriding it, letting just the server use smtp. I don't know why or how this could have changed, maybe the order of processing the lines of config changed?
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17074690
The list cannot change itself, however, if previously you had an allow that included SMTP ahead of the deny then the deny would have been ignored.
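A small first-match ACL evaluator, added here as an illustration (not code from the thread or from Cisco), that shows why the order of the two lines the author found matters: with the permit ahead of the deny only the Exchange host gets out on port 25, with the deny first the permit can never match. The destination address 192.0.2.25 is a constructed placeholder for the smarthost; only the `access-list` syntax used in this thread is parsed.

```python
import ipaddress

PORT_NAMES = {"smtp": 25}  # only the service name this thread uses


def parse_ace(line):
    """Parse one PIX-style ACE: access-list NAME permit|deny tcp SRC DST [eq PORT]
    where SRC/DST are 'any', 'host A.B.C.D' or 'A.B.C.D NETMASK'."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    name, action, proto = tok[1], tok[2], tok[3]
    pos = 4

    def addr():
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return ipaddress.ip_network("0.0.0.0/0")
        if tok[pos] == "host":
            pos += 2
            return ipaddress.ip_network(tok[pos - 1] + "/32")
        net = ipaddress.ip_network(tok[pos] + "/" + tok[pos + 1], strict=False)
        pos += 2
        return net

    src, dst = addr(), addr()
    dport = None
    if pos < len(tok) and tok[pos] == "eq":
        dport = PORT_NAMES.get(tok[pos + 1]) or int(tok[pos + 1])
    return {"name": name, "action": action, "proto": proto,
            "src": src, "dst": dst, "dport": dport}


def evaluate(acl, proto, src, dst, dport):
    """First matching ACE wins; anything unmatched hits the implicit deny.
    Returns (action, 1-based index of the matching ACE or None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, ace in enumerate(acl, 1):
        if (ace["proto"] == proto and s in ace["src"] and d in ace["dst"]
                and ace["dport"] in (None, dport)):
            return ace["action"], n
    return "deny", None


def shadowed(acl):
    """1-based indices of ACEs that can never match because an earlier ACE
    already covers all of their traffic (a permit placed after 'deny any any')."""
    out = []
    for j, ace in enumerate(acl):
        if any(k["proto"] == ace["proto"] and ace["src"].subnet_of(k["src"])
               and ace["dst"].subnet_of(k["dst"]) and k["dport"] in (None, ace["dport"])
               for k in acl[:j]):
            out.append(j + 1)
    return out


# The two ACEs quoted in the thread, embedded as sample input.
PERMIT = "access-list inside permit tcp host 192.168.46.101 any eq smtp"
DENY = "access-list inside deny tcp any any eq smtp"
```

Running `shadowed()` over a list before saving it is a cheap way to catch the reversed ordering that would silently block the mail server.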
