500 pts URGENT PLEASE HELP! IN OFFICE NOW (SATURDAY) - NEED TO LET SMTP THROUGH PIX!

Hi!!

I need to let smtp traffic through our pix - our exchange 2003 server can receive email but not send. I have checked over the config and think it has to be a firewall issue. We are trying to relay through our ISP's smarthost (smtp.easynet.co.uk), but no email is being sent. I cannot telnet to the address from inside our network on port 25, but I can OK from a PC outside the network, which leads me to suspect the firewall config. I have added the following commands and saved them to memory, but it still doesn't work:

static (inside,outside) 217.206.*.* 192.168.46.101 netmask 255.255.255.255 0 0
access-list inside permit tcp host 192.168.46.101 any eq smtp

I am running out of ideas, need a cisco guru to lend a hand!
5t34lth_G33k Asked:
Jaedub Commented:
Okay, sans a config, let's cover some basic assumptions:

*  The access list is called inside so it's applied to the inside interface.
*  The format in which you have it ****is correct****, so don't change it.
     access-list inside permit tcp host 192.168.46.101 any eq smtp
*  You have the following command in your config:
    access-group inside in interface inside
*  You are able to ping www.yahoo.com from the exchange box and get name resolution / your DNS configuration is working properly.  If not, you need to configure the DNS server settings on your box to point to a DNS server and/or you need to let that DNS server out via a similar "inside" access-list with UDP as the protocol.
*  You have your SMTP virtual server configured under Delivery > Advanced Delivery with the address "smtp.easynet.co.uk" and you have restarted the SMTP service.
*  Your smarthost is speaking ESMTP (I checked), so use the command "no fixup protocol smtp"

Let us know the status of the above.

-J

rsivanandan Commented:
>access-list inside permit tcp host 192.168.46.101 any eq smtp

This should read;

access-list inside permit tcp any host 217.206.*.* any eq smtp

and I assume it is applied to the outside interface.

Also give more details, rather paste the complete config of PIX. Is it an exchange server ? If so do;

no fixup protocol smtp

Cheers,
Rajesh
rsivanandan Commented:
Oops, the access-list cut & edit went wrong, it should be as below;

access-list inside permit tcp any host 217.206.*.* eq smtp

Cheers,
Rajesh
naveedb Commented:
Can you post your config from Cisco PIX.

" I cannot telnet to the address from inside our network on port 25, but I can OK from a PC outside the network"

You mentioned you have to go through your ISP's smarthost; are you able to telnet to port 25 on the smarthost and see if it accepts a connection from your Exchange server?

Did you try to telnet bypassing the PIX?
Keith Alabaster (Enterprise Architect) Commented:
Agreed. We need the config posting.
5t34lth_G33k (Author) Commented:
Sorry for not posting back earlier - the problem was that as well as a

'access-list inside permit tcp host 192.168.46.101 any eq smtp'

line in the config, there was also a

'access-list inside deny tcp any any eq smtp'

line that I had not seen before. After this line was removed, the firewall started to let through smtp traffic. What was very strange was that these lines had been in the firewall before I ever looked at it, but smtp has always worked. I had thought that maybe the deny line took effect first, with the permit line overriding it, letting just the server use smtp. I don't know why or how this could have changed; maybe the order of processing the lines of config changed?
Keith Alabaster (Enterprise Architect) Commented:
The list cannot change itself; however, if previously you had an allow that included SMTP ahead of the deny, then the deny would have been ignored.
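As an added illustration (not from the thread or from Cisco), here is a small first-match simulator for PIX-style access-list entries that shows why the order of the permit and deny lines discussed above decides whether 192.168.46.101 can reach a smarthost on TCP/25. The smarthost address 203.0.113.25 and the function names are constructed for the example.

```python
# Added example, not part of the thread: first-match evaluation of PIX-style
# "access-list <name> {permit|deny} tcp <src> <dst> [eq <port>]" entries.
# Smarthost address 203.0.113.25 is a constructed placeholder (TEST-NET-3).
import ipaddress
from dataclasses import dataclass
from typing import Optional
PORTS = {"smtp": 25, "www": 80, "domain": 53}

@dataclass
class Ace:
    action: str                    # "permit" or "deny"
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]            # destination port, None = any

def _parse_addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D MASK' at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2

def parse_ace(line):
    t = line.split()  # ["access-list", name, action, proto, src..., dst..., ...]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    port = None
    if i < len(t) and t[i] == "eq":
        port = PORTS.get(t[i + 1]) or int(t[i + 1])
    return Ace(t[2], t[3], src, dst, port)

def evaluate(acl_lines, proto, src_ip, dst_ip, dst_port):
    """First matching entry wins; the PIX denies anything that matches none."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in map(parse_ace, acl_lines):
        if (ace.proto == proto and s in ace.src and d in ace.dst
                and (ace.port is None or ace.port == dst_port)):
            return ace.action
    return "deny"  # implicit deny at the end of every access-list

PERMIT = "access-list inside permit tcp host 192.168.46.101 any eq smtp"
DENY = "access-list inside deny tcp any any eq smtp"

def exchange_can_send(acl_lines, smarthost="203.0.113.25"):
    return evaluate(acl_lines, "tcp", "192.168.46.101", smarthost, 25) == "permit"

if __name__ == "__main__":
    print("deny first  :", exchange_can_send([DENY, PERMIT]))   # False
    print("permit first:", exchange_can_send([PERMIT, DENY]))   # True
    print("deny removed:", exchange_can_send([PERMIT]))         # True
```

The deny-first ordering reproduces the symptom in the question; putting the permit first, or removing the deny, lets only the Exchange host out on port 25 while every other inside host still hits the deny.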
Question has a verified solution.