Solved

500 pts URGENT PLEASE HELP! IN OFFICE NOW (SATURDAY) - NEED TO LET SMTP THROUGH PIX!

Posted on 2006-07-01
Last Modified: 2013-11-16
Hi!!

I need to let smtp traffic through our pix - our exchange 2003 server can receive email but not send. I have checked over the config and think it has to be a firewall issue. We are trying to relay through our ISP's smarthost (smtp.easynet.co.uk), but no email is being sent. I cannot telnet to the address from inside our network on port 25, but I can OK from a PC outside the network, which leads me to suspect the firewall config. I have added the following commands and saved them to memory, but it still doesn't work:

static (inside,outside) 217.206.*.* 192.168.46.101 netmask 255.255.255.255 0 0
access-list inside permit tcp host 192.168.46.101 any eq smtp

I am running out of ideas, need a cisco guru to lend a hand!
Question by:5t34lth_G33k
7 Comments
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17023953
>access-list inside permit tcp host 192.168.46.101 any eq smtp

This should read;

access-list inside permit tcp any host 217.206.*.* any eq smtp

and I assume it is applied to the outside interface.

Also give more details, rather paste the complete config of PIX. Is it an exchange server? If so do;

no fixup protocol smtp

Cheers,
Rajesh
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17023955
oops the access-list cut & edit went wrong, it should be as below;

access-list inside permit tcp any host 217.206.*.* eq smtp

Cheers,
Rajesh
 
LVL 10

Assisted Solution

by:naveedb
naveedb earned 600 total points
ID: 17023961
Can you post your config from Cisco PIX.

" I cannot telnet to the address from inside our network on port 25, but I can OK from a PC outside the network"

You mentioned you have to go through your ISP's smarthost, are you able to telnet to port 25 on the smarthost and see if it accepts connection from your Exchange server?

Did you try to telnet bypassing the PIX?
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17024569
Agreed. We need the config posting.
 
LVL 1

Accepted Solution

by:Jaedub
Jaedub earned 1400 total points
ID: 17039634
Okay, sans a config, let's cover some basic assumptions:

*  The access list is called inside so it's applied to the inside interface.
*  The format in which you have it ****is correct****, so don't change it.
     access-list inside permit tcp host 192.168.46.101 any eq smtp
*  You have the following command in your config:
    access-group inside in interface inside
*  You are able to ping www.yahoo.com from the exchange box and get name resolution / your DNS configuration is working properly. If not, you need to configure the DNS server settings on your box to point to a DNS server and/or you need to let that DNS server out via a similar "inside" access-list with UDP as the protocol.
*  You have your SMTP virtual server configured under Delivery > Advanced Delivery with the address "smtp.easynet.co.uk" and you have restarted the SMTP service.
*  Your smarthost is speaking ESMTP (I checked), so use the command "no fixup protocol smtp"

Let us know the status of the above.

-J

 
LVL 7

Author Comment

by:5t34lth_G33k
ID: 17071149
Sorry for not posting back earlier - the problem was that as well as a

'access-list inside permit tcp host 192.168.46.101 any eq smtp'

line in the config, there was also a

'access-list inside deny tcp any any eq smtp'

line that I had not seen before. After this line was removed, the firewall started to let through smtp traffic. What was very strange was that these lines had been in the firewall before I ever looked at it, but smtp has always worked. I had thought that maybe the deny line took effect first, with the permit line overriding it, letting just the server use smtp. I don't know why or how this could have changed, maybe the order of processing the lines of config changed?
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17074690
The list cannot change itself, however, if previously you had an allow that included SMTP ahead of the deny then the deny would have been ignored.
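The first-match behaviour Keith describes, and the two access-list lines the asker found, as an added example that is not part of the original thread (a Python model of PIX ACL evaluation, not Cisco code; the smarthost address 203.0.113.25 is constructed):

```python
# Added example (not Cisco code): first-match evaluator for PIX-style access-list
# lines, showing why the order of permit and deny entries decides whether the
# Exchange server's SMTP gets out. Handles "any", "host A.B.C.D", "A.B.C.D MASK", "eq PORT".
import ipaddress

PORTS = {"smtp": 25, "domain": 53}   # the two service names used in this thread


def parse_ace(line):
    """Turn 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' into a dict."""
    toks = line.split()
    i = 4                             # index of the source address spec

    def addr():
        nonlocal i
        if toks[i] == "any":
            i += 1
            return None               # None matches every address
        if toks[i] == "host":
            i += 2
            return ipaddress.ip_network(toks[i - 1])
        net = ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}", strict=False)
        i += 2                        # PIX ACLs use a real netmask, not a wildcard
        return net
    src, dst = addr(), addr()
    dport = None
    if i < len(toks) and toks[i] == "eq":
        dport = PORTS.get(toks[i + 1]) or int(toks[i + 1])
    return {"name": toks[1], "action": toks[2], "proto": toks[3],
            "src": src, "dst": dst, "dport": dport}


def matches(ace, proto, src, dst, dport):
    in_net = lambda net, ip: net is None or ipaddress.ip_address(ip) in net
    return (ace["proto"] in ("ip", proto) and in_net(ace["src"], src)
            and in_net(ace["dst"], dst)
            and (ace["dport"] is None or ace["dport"] == dport))


def evaluate(acl_lines, proto, src, dst, dport):
    """Walk the list top-down; the first match wins and the end is an implicit deny."""
    for n, line in enumerate(acl_lines, 1):
        ace = parse_ace(line)
        if matches(ace, proto, src, dst, dport):
            return ace["action"], n   # (action, line number that matched)
    return "deny", None


# The two lines the asker found in the config; 203.0.113.25 is a constructed smarthost IP.
PERMIT = "access-list inside permit tcp host 192.168.46.101 any eq smtp"
DENY = "access-list inside deny tcp any any eq smtp"
for acl in ([PERMIT, DENY], [DENY, PERMIT]):
    print(acl, "->", evaluate(acl, "tcp", "192.168.46.101", "203.0.113.25", 25))
```

With the permit ahead of the deny the Exchange host hits line 1 and is permitted; with the deny first, the same packet matches the deny on line 1 and the permit is never reached, which is the situation the asker cleared by removing the deny.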
