
PIX 515e discard smtp frame from outside

We are configuring a PIX 515e with an SBS 2003 server inside. We cannot receive incoming mail, but outgoing mail from the Exchange 2003 server is OK. Here is our test config. Can somebody please look and help us?
Thanks

Here's the error message from the Cisco ASDM 5.2 log:
TCP request discarded from xx.x.x.91/60772 to outside:x5.xx2.xx.xx6/25


asdm image flash:/asdm521.bin
no asdm history enable
: Saved
:
PIX Version 7.2(1)
!
hostname no_pix
domain-name here.net
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address xx.xx2.x4.xx6 255.255.255.240
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 192.168.2.3 255.255.255.0
!
passwd gggggggg encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name abc.net
access-list outside_access_in extended permit tcp any host xx.xx2.x4.xx7 eq www
access-list outside_access_in extended permit tcp any host xx.xx2.x4.xx6 eq smtp
access-list inside_nat0_outbound extended permit ip any 192.168.4.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.224
access-list outside_cryptomap extended permit ip any 192.168.4.0 255.255.255.224
access-list outside_cryptomap_1 extended permit ip any 192.168.4.0 255.255.255.224
access-list vpn1_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.224
access-list outside_cryptomap_2 extended permit ip any 192.168.4.0 255.255.255.224
access-list dmz_cryptomap extended permit ip any 192.168.4.0 255.255.255.224
access-list dmz1_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list dmz_cryptomap_1 extended permit ip any 192.168.4.0 255.255.255.224
pager lines 24
logging enable
logging list Tesst level debugging
logging list email level debugging
logging list email message 609001-609002
logging list ok message 609001-609002
logging list server message 710005
logging monitor debugging
logging trap errors
logging asdm server
logging mail debugging
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool vpn_pool 192.168.4.2-192.168.4.20
icmp permit any inside
asdm image flash:/asdm521.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 200 interface
global (outside) 300 xx.xx2.x4.xx0 netmask 255.0.0.0
global (dmz) 200 10.15.22.1-10.15.22.50 netmask 255.0.0.0
global (dmz) 300 10.12.17.11-10.12.17.51 netmask 255.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 300 192.168.1.0 255.255.255.0
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 200 192.168.2.0 255.255.255.0
static (dmz,outside) xx.xx2.x4.xx8 192.168.2.10 netmask 255.255.255.255
static (inside,outside) xx.x2.x4.xx5 192.168.1.2 netmask 255.255.255.255
static (dmz,outside) xx.xx2.x4.xx7 192.168.2.4 netmask 255.255.255.255 dns
static (inside,outside) xx.xx2.x4.xx6 192.168.1.11 netmask 255.255.255.255 dns
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x5.xx2.74.xx5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no eou allow clientless
group-policy vpn1 internal
group-policy vpn1 attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn1_splitTunnelAcl
group-policy dmz1 internal
group-policy dmz1 attributes
 wins-server value 192.168.1.x1
 dns-server value 192.168.1.x1
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value dmz1_splitTunnelAcl
 default-domain value nowhere.local

privilege 15


class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map type inspect esmtp test
 description basic
 parameters
  no mask-banner
 match MIME filename length gt 255
  log
 match sender-address length gt 320
  log
 match cmd RCPT count gt 100
  log
 match body line length gt 998
  log
 match cmd line length gt 512
  log
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect esmtp test
!
service-policy global_policy global
tftp-server inside 192.168.1.2 file
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command vpn-sessiondb
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command uauth
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command vpn-sessiondb
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
: end
Asked by: dvb108
1 Solution
 
Alan Huseyin Kayahan commented:
Hi dvb108

There is no static NAT or PAT for your inside Exchange server:
static (inside,outside) tcp interface smtp yourexchangeserveriphere smtp netmask 255.255.255.255
clear xlate (will drop all connections, but is necessary for the static to take effect)

Regards
 
dvb108 (Author) commented:
MrHusy:
We do have it:
static (inside,outside) xx.xx2.x4.xx6 192.168.1.11 netmask 255.255.255.255 dns
We found it anyway; there must be some setting in the Exchange server that takes the xx.xx2.x4.xx6 address. We changed the outside IP and everything works now. But thank you for your response.
 
Alan Huseyin Kayahan commented:
Hi dvb108

You do not have it :) You cannot define a static like the one below for your interface IP:
static (inside,outside) xx.xx2.x4.xx6 192.168.1.11 netmask 255.255.255.255 dns
That's why I mentioned the solution above: PAT will let xx6 keep working as the outside interface and also forward SMTP traffic to the internal Exchange server. Of course, changing the outside interface IP is a solution too. Anyway, thanks for the points :)

Regards
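As an added illustration (not part of the thread and not the asker's config): the one-to-one static that overlaps the outside interface address, beside the static PAT form Alan describes, followed by the commands to apply and verify it on PIX/ASA 7.2. The addresses are stand-ins: 203.0.113.6 is assumed to be the outside interface IP the post masks as xx.xx2.x4.xx6, 192.168.1.11 is the Exchange server from the posted static, and 198.51.100.25 is an assumed external sender used only for packet-tracer.

```cisco
! --- Broken (as posted): a one-to-one static whose mapped address is the
! outside interface's own IP. The interface already owns 203.0.113.6, so an
! inbound SYN to 203.0.113.6:25 is never translated to 192.168.1.11 and the
! PIX logs "TCP request discarded" instead of building a connection.
!   static (inside,outside) 203.0.113.6 192.168.1.11 netmask 255.255.255.255 dns

! --- Fix: remove the overlapping static and replace it with static PAT on the
! interface address, port 25 only. The interface keeps its IP for everything
! else; only TCP/25 is forwarded to the Exchange server.
no static (inside,outside) 203.0.113.6 192.168.1.11 netmask 255.255.255.255 dns
static (inside,outside) tcp interface smtp 192.168.1.11 smtp netmask 255.255.255.255

! The inbound ACL is unchanged: on 7.2 it is written against the mapped
! (outside) address, and the posted entry already permits SMTP to that IP.
!   access-list outside_access_in extended permit tcp any host 203.0.113.6 eq smtp
!   access-group outside_access_in in interface outside

! Existing translations are not rebuilt automatically; clear them so the new
! static takes effect. This drops all current connections through the PIX.
clear xlate

! Verify: simulate an inbound SMTP connection from an assumed external sender
! (198.51.100.25) to the interface address. The trace should end in
! "Action: allow" with a NAT phase translating to 192.168.1.11/25.
packet-tracer input outside tcp 198.51.100.25 60772 203.0.113.6 25

! Confirm the PAT entry is installed.
show xlate | include 192.168.1.11
```

If packet-tracer still shows a drop, check the phase in which it happens: a drop in the ACL phase means the outside_access_in entry does not match the mapped address, while a drop before any NAT phase means the translation itself is still missing or overlapping.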
 
dvb108 (Author) commented:
MrHusy:
My apologies. I agree with you now. We only did static NAT, and we should have done static PAT as you said. I should have taken your advice carefully rather than reading the CLI reference. You deserve the points. Thanks.
