Solved

500 pts URGENT PLEASE HELP! IN OFFICE NOW (SATURDAY) - NEED TO LET SMTP THROUGH PIX!

Posted on 2006-07-01
Last Modified: 2013-11-16
Hi!!

I need to let SMTP traffic through our PIX - our Exchange 2003 server can receive email but not send. I have checked over the config and think it has to be a firewall issue. We are trying to relay through our ISP's smarthost (smtp.easynet.co.uk), but no email is being sent. I cannot telnet to the address from inside our network on port 25, but I can OK from a PC outside the network, which leads me to suspect the firewall config. I have added the following commands and saved them to memory, but it still doesn't work:

static (inside,outside) 217.206.*.* 192.168.46.101 netmask 255.255.255.255 0 0
access-list inside permit tcp host 192.168.46.101 any eq smtp

I am running out of ideas, need a Cisco guru to lend a hand!
Question by:5t34lth_G33k
7 Comments
LVL 32

Expert Comment

by:rsivanandan
>access-list inside permit tcp host 192.168.46.101 any eq smtp

This should read;

access-list inside permit tcp any host 217.206.*.* any eq smtp

and I assume it is applied to the outside interface.

Also give more details, or rather paste the complete config of the PIX. Is it an Exchange server? If so do;

no fixup protocol smtp

Cheers,
Rajesh
LVL 32

Expert Comment

by:rsivanandan
oops the access-list cut & edit went wrong, it should be as below;

access-list inside permit tcp any host 217.206.*.* eq smtp

Cheers,
Rajesh
LVL 10

Assisted Solution

by:naveedb
naveedb earned 150 total points
Can you post your config from Cisco PIX.

" I cannot telnet to the address from inside our network on port 25, but I can OK from a PC outside the network"

You mentioned you have to go through your ISP's smarthost; are you able to telnet to port 25 on the smarthost and see if it accepts connections from your Exchange server?

Did you try to telnet bypassing the PIX?
LVL 51

Expert Comment

by:Keith Alabaster
Agreed. We need the config posting.
LVL 1

Accepted Solution

by:
Jaedub earned 350 total points
Okay, sans a config, let's cover some basic assumptions:

*  The access list is called inside so it's applied to the inside interface.
*  The format in which you have it ****is correct****, so don't change it.
     access-list inside permit tcp host 192.168.46.101 any eq smtp
*  You have the following command in your config:
    access-group inside in interface inside
*  You are able to ping www.yahoo.com from the Exchange box and get name resolution / your DNS configuration is working properly. If not, you need to configure the DNS server settings on your box to point to a DNS server and/or you need to let that DNS server out via a similar "inside" access-list with UDP as the protocol.
*  You have your SMTP virtual server configured under Delivery > Advanced Delivery with the address "smtp.easynet.co.uk" and you have restarted the SMTP service.
*  Your smarthost is speaking ESMTP (I checked), so use the command "no fixup protocol smtp"

Let us know the status of the above.

-J

LVL 7

Author Comment

by:5t34lth_G33k
Sorry for not posting back earlier - the problem was that as well as a

'access-list inside permit tcp host 192.168.46.101 any eq smtp'

line in the config, there was also a

'access-list inside deny tcp any any eq smtp'

line that I had not seen before. After this line was removed, the firewall started to let through SMTP traffic. What was very strange was that these lines had been in the firewall before I ever looked at it, but SMTP has always worked. I had thought that maybe the deny line took effect first, with the permit line overriding it, letting just the server use SMTP. I don't know why or how this could have changed; maybe the order of processing the lines of config changed?
LVL 51

Expert Comment

by:Keith Alabaster
The list cannot change itself; however, if previously you had an allow that included SMTP ahead of the deny then the deny would have been ignored.
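The point Keith makes about ordering is the whole story here: a PIX access-list is walked top-down, the first matching entry decides, and anything that matches nothing is dropped by the implicit deny at the end. The following is an added, deliberately simplified model of that first-match evaluation, written for this thread and not taken from Cisco or from any poster's config. It parses the two `access-list inside` lines quoted in the question and the author's follow-up, and evaluates them in both possible orders to show why "deny tcp any any eq smtp" silently wins when it sits above the host permit. Only the `permit`/`deny`, `any`/`host`/`network mask` and `eq <port>` forms that appear on the page are handled; the port-name table and the two orderings are constructed for the example.

```python
"""Simplified first-match model of a Cisco PIX access-list (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Service names accepted after "eq"; a constructed subset of what the PIX knows.
PORT_NAMES = {"smtp": 25, "domain": 53, "www": 80, "http": 80, "https": 443}


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action, protocol, source, destination, dest port."""
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip"
    src: str               # "any" or a CIDR/netmask network string
    dst: str               # "any" or a CIDR/netmask network string
    dport: Optional[int]   # None means "any destination port"


def _parse_addr(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M' starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return "any", i + 1
    if tok == "host":
        return f"{tokens[i + 1]}/32", i + 2
    return f"{tok}/{tokens[i + 1]}", i + 2   # network + netmask form


def parse_ace(line: str) -> Tuple[str, Ace]:
    """Parse 'access-list NAME ACTION PROTO SRC DST [eq PORT]' into (NAME, Ace)."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    name, action, proto = t[1], t[2], t[3]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        port = t[i + 1]
        dport = PORT_NAMES.get(port) or int(port)
    return name, Ace(action, proto, src, dst, dport)


def _addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def ace_matches(ace: Ace, proto: str, src: str, dst: str, dport: int) -> bool:
    """A single entry matches when protocol, both addresses and the port all agree."""
    return (ace.proto in ("ip", proto)
            and _addr_matches(ace.src, src)
            and _addr_matches(ace.dst, dst)
            and (ace.dport is None or ace.dport == dport))


def evaluate(acl_lines: List[str], proto: str, src: str, dst: str,
             dport: int) -> Tuple[str, Optional[int]]:
    """Walk the ACL top-down; the first matching entry wins.

    Returns (action, index_of_matching_entry). A miss on every entry returns
    ("deny", None): the implicit deny at the end of every PIX access-list.
    """
    for idx, line in enumerate(acl_lines):
        _, ace = parse_ace(line)
        if ace_matches(ace, proto, src, dst, dport):
            return ace.action, idx
    return "deny", None


# The two entries from the thread, in the two orders they could have been in.
PERMIT_HOST = "access-list inside permit tcp host 192.168.46.101 any eq smtp"
DENY_ALL = "access-list inside deny tcp any any eq smtp"
DENY_FIRST = [DENY_ALL, PERMIT_HOST]      # constructed ordering: blocks the server
PERMIT_FIRST = [PERMIT_HOST, DENY_ALL]    # constructed ordering: only the server relays

if __name__ == "__main__":
    # Smarthost address below is a placeholder; the page gives only its hostname.
    exchange, smarthost = "192.168.46.101", "203.0.113.25"
    for label, acl in (("deny first", DENY_FIRST), ("permit first", PERMIT_FIRST)):
        print(label, evaluate(acl, "tcp", exchange, smarthost, 25))
```

Run as a script this prints `deny first ('deny', 0)` and `permit first ('permit', 0)`: the same two lines, merely swapped, either break or allow the Exchange relay, which is exactly what the author observed once the deny line was taken out. The model ignores stateful return traffic, `fixup` inspection and the `static` translation, which is why it stays short; it is only meant to make the ordering rule tangible.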