Solved

Cisco Pix problem or Microsoft Exchange?  Can email anybody except the one domain that sits behind the same firewall as I

Posted on 2007-07-20
Last Modified: 2010-04-09
I have 2 domains with separate IP subnets (192.168.1.X and 192.168.5.X).  Both have their own Exchange 2003 mail servers.

I have a Cisco PIX T515 with an interface for each network.  Gateway for 1.X = 1.1 gateway for 5.X = 5.1

-My Exchange Server 2003 users on the 1.X have no problems emailing anybody in the world, including recipients on the 5.X network.

-My Exchange Server 2003 users on the 5.X can email anybody in the world EXCEPT users in my 1.X domain.

Is this an Exchange DNS problem or a PIX routing issue?

My 5.X users need to be able to email the 1.X users.

Please advise.
Question by:pflecha
15 Comments
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 19534908
First, is the Exchange server configured to relay the domain specifically to the 1.x server?  If not, I'd try that first, as it then takes DNS out of the picture.

Second, from the 5.x server, do this:
telnet 192.168.1.x 25
Does it receive a mail banner?  If so, the PIX is fine.  If not, then we need to look at the static entries and the ACLs to ensure they allow that traffic.
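The telnet-to-port-25 check above is the right first test, but a bare telnet only shows "banner" or "nothing". The script below is an added example, not something posted in this thread: it does the same TCP connect in Python and classifies the outcome the way the expert reasons about it (connect timeout points at the firewall, RST means nothing is listening, a 220 greeting means the path is fine, a 4xx/5xx greeting means TCP works but the MTA is refusing). The `start_fake_smtp()` and `closed_port()` helpers are constructed stand-ins so it runs offline; point `probe_smtp()` at the real 1.x Exchange address to use it.

```python
import socket
import threading


def classify_banner(line):
    """Map the MTA's first line to a verdict: 220 means ready to talk,
    4xx/5xx means TCP reached the MTA but it is refusing service."""
    if line.startswith('220'):
        return 'banner'
    if line[:1] in ('4', '5'):
        return 'rejected'
    return 'no-banner'


def probe_smtp(host, port=25, timeout=5.0):
    """Do what 'telnet host 25' does, but return (verdict, first_line).

      'timeout'   - no SYN/ACK: packets dropped in transit (ACL, missing xlate, routing)
      'refused'   - host answered with RST: nothing listening on the port
      'error'     - other socket error, e.g. no route to host
      'banner'    - TCP and SMTP both answer: the firewall path is fine
      'rejected'  - TCP works but the MTA greets with 4xx/5xx
      'no-banner' - connection opened but the MTA never spoke
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return ('timeout', None)
    except ConnectionRefusedError:
        return ('refused', None)
    except OSError as exc:
        return ('error', str(exc))
    with sock:
        sock.settimeout(timeout)
        data = b''
        try:
            while not data.endswith(b'\r\n'):      # greeting may arrive in pieces
                chunk = sock.recv(512)
                if not chunk:
                    break
                data += chunk
            sock.sendall(b'QUIT\r\n')              # close the session cleanly
        except OSError:
            pass
    line = data.decode('ascii', 'replace').strip()
    if not line:
        return ('no-banner', None)
    return (classify_banner(line), line)


def start_fake_smtp(banner):
    """Constructed stand-in for an SMTP listener on 127.0.0.1 (so the probe can
    be exercised offline).  Accepts one connection, sends `banner`, reads the
    client's QUIT and closes.  Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(('127.0.0.1', 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
            try:
                conn.recv(64)
            except OSError:
                pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_port():
    """Constructed helper: a localhost port with nothing listening on it."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(('127.0.0.1', 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == '__main__':
    # Swap 127.0.0.1/port for the 1.x Exchange server's address to run it for real.
    port = start_fake_smtp(b'220 mail1.example.test Microsoft ESMTP MAIL Service ready\r\n')
    print(probe_smtp('127.0.0.1', port))
    print(probe_smtp('127.0.0.1', closed_port()))
```

Run it from the 5.x server against the 1.x server: a 'timeout' verdict says the PIX (ACLs or translations) is in the way, while 'banner' or 'rejected' says the packets got through and the remaining problem is inside Exchange.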

Author Comment

by:pflecha
ID: 19535011
I am unable to telnet to the 1.x from the 5.x.  I also tried telnetting the actual domain:

telnet (5.X Exchange server) 25  and nothing
LVL 25

Expert Comment

by:Cyclops3590
ID: 19535084
Then we need to check the PIX config.  After you post the static, global/nat, and ACL pieces of the config, we should be able to check to ensure those servers can communicate.
My guess is it's an ACL issue; however, it could potentially be an xlate issue.
 

Author Comment

by:pflecha
ID: 19535182
access-list 90 permit ip 192.168.0.0 255.255.252.0 192.168.24.0 255.255.252.0
access-list 90 permit ip 192.168.24.0 255.255.252.0 192.168.0.0 255.255.252.0
access-list 90 permit ip 192.168.28.0 255.255.252.0 192.168.0.0 255.255.252.0
access-list 90 permit ip 192.168.0.0 255.255.252.0 192.168.28.0 255.255.252.0
access-list 80 permit ip 192.168.0.0 255.255.252.0 192.168.254.0 255.255.255.0
access-list dmz_nat0 permit ip 192.168.255.0 255.255.255.0 192.168.0.0 255.255.252.0
access-list inside_nat0 permit ip 192.168.0.0 255.255.252.0 192.168.254.0 255.255.255.0
access-list inside_nat0 permit ip 192.168.0.0 255.255.252.0 192.168.24.0 255.255.252.0
access-list inside_nat0 permit ip 192.168.24.0 255.255.252.0 192.168.0.0 255.255.252.0
access-list inside_nat0 permit ip 192.168.28.0 255.255.252.0 192.168.0.0 255.255.252.0
access-list inside_nat0 permit ip 192.168.0.0 255.255.252.0 192.168.28.0 255.255.252.0
access-list inside_netzero permit ip 192.168.0.0 255.255.252.0 192.168.28.0 255.255.252.0
pager lines 30
logging on
logging monitor debugging
logging buffered warnings
logging trap notifications
logging history notifications
logging queue 4096
logging host inside 192.168.1.111
interface ethernet0 10baset
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu ldplaw 1500
ip address outside 208.62.
ip address inside 192.168.1.1 255.255.252.0
ip address dmz 192.168.255.1 255.255.255.0
ip address ldplaw 192.168.5.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm

no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
failover ip address ldplaw 0.0.0.0
no pdm history enable
arp timeout 300
global (outside) 1 208.62.29
global (outside) 1 208.62.
global (dmz) 1 interface
global (ldplaw) 1 interface
nat (inside) 0 access-list inside_nat0
nat (inside) 1 192.168.0.0 255.255.252.0 0 0
nat (dmz) 1 192.168.255.0 255.255.255.0 0 0
nat (ldplaw) 1 192.168.5.0 255.255.255.0 0 0

alias (inside) 208.62.X X 192.168.255.162 255.255.255.255
alias (inside) 208.62.X X 192.168.255.142 255.255.255.255
alias (inside) 208.62.X X 192.168.255.10 255.255.255.255
alias (ldplaw) 208.62.X X 192.168.5.2 255.255.255.255
static (dmz,outside) 208.62.X X 192.168.255.146 netmask 255.255.255.255 0 0
static (dmz,outside) 208.62.X X 192.168.255.142 netmask 255.255.255.255 0 0
static (dmz,outside) 208.62.X X 192.168.255.25 netmask 255.255.255.255 0 0
static (dmz,outside) 208.62.X X 192.168.255.162 netmask 255.255.255.255 0 0
static (dmz,outside) 208.62 X X 192.168.255.141 netmask 255.255.255.255 0 0
static (dmz,outside) 208.62.X X 192.168.255.165 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0
static (dmz,outside) 208.62.X X 192.168.255.191 netmask 255.255.255.255 0 0
static (dmz,outside) 208.62.X X 192.168.255.10 netmask 255.255.255.255 0 0
static (ldplaw,outside) 208.62.X X 192.168.5.2 netmask 255.255.255.255 0 0
conduit permit tcp host 208.62.X X eq www any
conduit permit tcp host 208.62.X X eq www any
conduit permit tcp host 208.62.X X eq ftp any
conduit permit tcp host 208.62.X X eq ftp-data any
conduit permit tcp host 208.62.X X eq www any
conduit permit tcp host 208.62.X X eq ftp any
conduit permit tcp host 208.62.X X eq ftp-data any
conduit permit tcp host 208.62.X X eq smtp any
conduit permit tcp host 208.62.X X eq ssh 65.65.0.0 255.255.0.0
conduit permit icmp any any echo-reply
conduit permit tcp host 208.62.X X eq www any
conduit permit tcp host 208.62.X X eq ftp any
conduit permit tcp host 208.62.X X eq ftp-data any
conduit permit tcp host 208.62.X X eq 97 any
conduit permit tcp host 208.62.X X eq 4096 any
conduit permit udp host 208.62.X X range 7777 7778 any
conduit permit tcp host 208.62.X X range 7777 7778 any
conduit permit tcp host 208.62.X X eq www any
conduit permit tcp host 208.62.X X eq www any
conduit permit tcp host 208.62.X X eq https any
conduit permit tcp host 208.62. X X eq https any
conduit permit tcp host 208.62.X X eq https any
conduit permit tcp host 208.62.X X eq smtp any
conduit permit tcp host 208.62.X X eq www any
conduit permit tcp host 208.62.X X eq 97 any
conduit permit tcp host 208.62.X X eq https any
conduit permit tcp host 208.62.X X eq 3389 any
conduit permit icmp host 192.168.5.2 any echo
route outside 0.0.0.0 0.0.0.0 208.62.29.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
LVL 25

Expert Comment

by:Cyclops3590
ID: 19535353
here is what I would do
no static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0
static (inside,dmz) 192.168.1.0 192.168.0.0 netmask 255.255.252.0 0 0
static (dmz,inside) 192.168.255.0 192.168.255.0 netmask 255.255.255.0
access-list dmz-in permit tcp host 192.168.255.X host 192.168.0.Y eq smtp
access-list dmz-in interface dmz
clear xlate

The first two lines just make it so the static entry matches the mask that is given to the inside network.  The third makes it so the DMZ-to-inside connections keep their IPs.  The next two lines add an ACL so that the mail server on the 255 network can communicate with the 0 mail server.  The final line clears the translation table, since the statics were altered.
After doing that, try another telnet test.
If that doesn't work, then we need to look at the logs, as I believe that should've worked.

Author Comment

by:pflecha
ID: 19547105
Well, the DMZ is a 4th and separate interface on this PIX.

Interface 1:  (Inside) 192.168.1.X My LAN
Interface 2:  (DMZ) 192.168.255.X My DMZ
Interface 3:  (Inside) 192.168.5.X My LDPLAW (this is the new interface for a separate company that resides behind my PIX but separate from my LAN).

I need 5.X to be able to telnet the 1.x.

The DMZ is fine.


LVL 25

Expert Comment

by:Cyclops3590
ID: 19547181
Oops, sorry, I was thinking DMZ and inside there.

Honestly, this is what I would do then:
no global (ldplaw) 1 interface
static (inside,ldplaw) 192.168.1.0 192.168.1.0 255.255.252.0
static (ldplaw,inside) 192.168.5.0 192.168.5.0 255.255.255.0
This will make it so the translation done between the two interfaces effectively just lets traffic route.  This is because the original IP will be mapped back to itself.  Now you just add the correct ACLs and you should be good.  Don't forget to do a 'clear xlate' after you modify the static/global entries.

The only other way to do this is to provide a global statement for the inside interface so all the ldplaw clients can be PAT'ed to that and be translated that way.

Author Comment

by:pflecha
ID: 19547405
When I try to add the static entries I get:


number of maximum connections should lie between 0 and 65535
Usage:  [no] static [(internal_if_name, external_if_name)]
                {<global_ip>|interface} <local_ip> [dns] [netmask <mask>]
                [<max_conns> [<emb_limit> [<norandomseq>]]]
        [no] static [(internal_if_name, external_if_name)] {tcp|udp}
                {<global_ip>|interface} <global_port>
                <local_ip> <local_port> [dns] [netmask <mask>]
                [<max_conns> [<emb_limit> [<norandomseq>]]]
LVL 25

Expert Comment

by:Cyclops3590
ID: 19547422
Sorry, I'm so used to doing one-to-one static entries that I keep forgetting about the netmask keyword:
static (inside,ldplaw) 192.168.1.0 192.168.1.0 netmask 255.255.252.0
static (ldplaw,inside) 192.168.5.0 192.168.5.0 netmask 255.255.255.0

That will work, sorry about that.

Author Comment

by:pflecha
ID: 19547649
Thank you so much for your help.

I got this error:
FL-JAJ-PIX(config)# static (inside,ldplaw) 192.168.1.0 192.168.1.0 netmask 255$
global address overlaps with mask
Usage:  [no] static [(internal_if_name, external_if_name)]
                {<global_ip>|interface} <local_ip> [dns] [netmask <mask>]
                [<max_conns> [<emb_limit> [<norandomseq>]]]
        [no] static [(internal_if_name, external_if_name)] {tcp|udp}
                {<global_ip>|interface} <global_port>
                <local_ip> <local_port> [dns] [netmask <mask>]
                [<max_conns> [<emb_limit> [<norandomseq>]]]
LVL 25

Expert Comment

by:Cyclops3590
ID: 19547698
This will happen if either the source interface or the destination interface uses a range or IP that overlaps with a global/nat entry.  It should have still added the entry.  The thing to remember here is that static entries are the NAT way to do things and thus take precedence over the global/nat, or PAT, way of doing things.

So if there is a direct conflict between the two, the static entry wins out.  However this warning should only show in cases like these where the subnet and mask match that of one in a global/nat entry.

Hope that made sense.
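The exchange above turns on one PIX rule of thumb: a flow between two interfaces needs a translation, a matching static is used before a nat/global pair, and an identity static maps an address to itself. The model below is an added example (not code from the thread or from Cisco) that applies that rule to a constructed excerpt of the posted config, for the two flows that matter here. It is deliberately simplified: nat 0 / access-list exemptions and security levels are not modelled, and lines it does not recognise are ignored. As its own lint, it also flags a static whose address has host bits set under the given mask (192.168.1.0 under 255.255.252.0 is such a case); that is the model's check, not an interpretation of the PIX message.

```python
import ipaddress


def _net(ip, mask):
    """Network for ip/mask with host bits cleared (strict=False)."""
    return ipaddress.ip_network(f'{ip}/{mask}', strict=False)


class PixNatModel:
    """Teaching model (an assumption, not Cisco's code) of how a PIX 6.x picks the
    *source* translation for a flow: a static for the exact (src_if, dst_if) pair
    wins; otherwise a nat entry on src_if needs a global with the same id on dst_if
    (PAT to the interface or listed address); with no match there is no xlate and
    the packet is dropped.  nat 0 / access-list forms and security levels are not
    modelled; unrecognised lines are ignored."""

    def __init__(self):
        self.interfaces = {}   # name -> interface address
        self.statics = []      # (real_if, mapped_if, mapped_net, real_net)
        self.nats = []         # (real_if, nat_id, real_net)
        self.globals = {}      # (mapped_if, nat_id) -> 'interface' | address
        self.warnings = []

    def load(self, config_text):
        for line in config_text.strip().splitlines():
            self.add(line)

    def add(self, line):
        t = line.split()
        if not t:
            return
        negate = t[0] == 'no'
        if negate:
            t = t[1:]
        if t[:2] == ['ip', 'address']:
            self.interfaces[t[2]] = ipaddress.ip_address(t[3])
        elif t[0] == 'nat' and t[2] != '0':                  # nat 0 forms are skipped
            self.nats.append((t[1].strip('()'), int(t[2]), _net(t[3], t[4])))
        elif t[0] == 'global':
            key = (t[1].strip('()'), int(t[2]))
            if negate:
                self.globals.pop(key, None)
            else:
                self.globals[key] = 'interface' if t[3] == 'interface' else ipaddress.ip_address(t[3])
        elif t[0] == 'static':
            real_if, mapped_if = t[1].strip('()').split(',')
            mask = t[t.index('netmask') + 1] if 'netmask' in t else '255.255.255.255'
            for addr in dict.fromkeys((t[2], t[3])):         # lint: host bits under the mask
                if ipaddress.ip_address(addr) != _net(addr, mask).network_address:
                    self.warnings.append(f'{line.strip()}: {addr} has host bits set under {mask}')
            entry = (real_if, mapped_if, _net(t[2], mask), _net(t[3], mask))
            if negate:
                if entry in self.statics:
                    self.statics.remove(entry)
            else:
                self.statics.append(entry)

    def translate(self, src_if, src_ip, dst_if):
        """('static', mapped_ip), ('pat', mapped_ip), or None when the flow has no xlate."""
        ip = ipaddress.ip_address(src_ip)
        for real_if, mapped_if, mapped_net, real_net in sorted(
                self.statics, key=lambda s: -s[3].prefixlen):  # most specific first
            if (real_if, mapped_if) == (src_if, dst_if) and ip in real_net:
                return ('static', str(mapped_net.network_address + (int(ip) - int(real_net.network_address))))
        for real_if, nat_id, real_net in self.nats:
            if real_if == src_if and ip in real_net:
                g = self.globals.get((dst_if, nat_id))
                if g == 'interface':
                    return ('pat', str(self.interfaces[dst_if]))
                if g is not None:
                    return ('pat', str(g))
        return None


# Constructed excerpt of the posted config, reduced to the lines the model reads.
BEFORE = """
ip address inside 192.168.1.1 255.255.252.0
ip address ldplaw 192.168.5.1 255.255.255.0
global (ldplaw) 1 interface
nat (inside) 1 192.168.0.0 255.255.252.0 0 0
nat (ldplaw) 1 192.168.5.0 255.255.255.0 0 0
"""
# The identity statics suggested in the thread (with the netmask keyword).
IDENTITY_FIX = """
no global (ldplaw) 1 interface
static (inside,ldplaw) 192.168.1.0 192.168.1.0 netmask 255.255.252.0
static (ldplaw,inside) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
"""
# The alternative mentioned in the thread: PAT the ldplaw clients to the inside interface.
PAT_FIX = "global (inside) 1 interface"


def compare(fix):
    """Source translation of the two mail flows before and after `fix`, plus lint warnings."""
    flows = {'inside->ldplaw': ('inside', '192.168.1.10', 'ldplaw'),
             'ldplaw->inside': ('ldplaw', '192.168.5.2', 'inside')}
    before, after = PixNatModel(), PixNatModel()
    before.load(BEFORE)
    after.load(BEFORE)
    after.load(fix)
    return {n: (before.translate(*f), after.translate(*f)) for n, f in flows.items()}, after.warnings


if __name__ == '__main__':
    for fix in (IDENTITY_FIX, PAT_FIX):
        print(compare(fix))
```

With the original lines, inside->ldplaw gets a PAT to 192.168.5.1 (which is why 1.x could reach 5.x) while ldplaw->inside finds a nat entry but no global on inside and so has no translation at all; either fix gives the second flow a mapping. Remember that the real box also needs the ACLs and a `clear xlate`, which the model does not represent.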

Author Comment

by:pflecha
ID: 19551449
Well, I could not get the PIX to cooperate, so I took the Exchange server and added it to the same local network as the other.  I am still having the same issue.  I don't think it can be the PIX because both servers are on 192.168.1.X.

Server1 can email Server2 and any other external recipient.
Server2 can email external recipients but cannot email Server1.

I am dreading making the call to MS, but if I cannot get this resolved I may just have to.
LVL 25

Expert Comment

by:Cyclops3590
ID: 19551512
So just to be clear, when you do this from server 2 you are still getting a timeout?
telnet 192.168.1.x 25

If so, turn off all firewalls, including checking packet filtering on server2, for now.  Then use Wireshark to do a traffic capture on both servers.  Do another telnet and see what packets are showing up.
for server 1 do a capture filter of:  ip host <<server2 ip>>
and for server 2: ip host <<server1 ip>>

If the packets are going back and forth, then it may shed some light on the server being configured in a way that is rejecting the application-level connection and not rejecting the packet-level connection.
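The capture advice above hinges on one distinction: does the SYN go unanswered (packets dropped somewhere in the path), does the server RST it (nothing listening), or does the handshake complete and the server then close or refuse at the application layer? The script below is an added example, not from this thread, that makes that call automatically. It reads a constructed, tshark-like one-line-per-packet shorthand (`time src:port -> dst:port [FLAGS] len=N`, which is this example's own format, not real tshark output), groups packets by client and gives each flow a verdict; the four sample captures are constructed.

```python
import re
from collections import defaultdict

# Constructed line format (not real tshark output):
#   <time> <src ip>:<port> -> <dst ip>:<port> [<FLAG,FLAG>] [len=<payload bytes>]
LINE_RE = re.compile(
    r'^(?P<t>\S+)\s+(?P<sip>[\d.]+):(?P<sport>\d+)\s+->\s+'
    r'(?P<dip>[\d.]+):(?P<dport>\d+)\s+\[(?P<flags>[A-Z,]+)\](?:\s+len=(?P<len>\d+))?$'
)

EXPLANATION = {
    'no-syn':     'no connection attempt seen from this client: check the capture filter or the client',
    'no-reply':   'SYN never answered: dropped in transit (firewall ACL, missing xlate, or routing)',
    'refused':    'server replied RST to the SYN: host reachable, nothing listening on that port',
    'app-closed': 'handshake completed, then the server closed without sending anything: '
                  'application-level rejection (MTA configuration), not a packet-level one',
    'app-talked': 'handshake completed and the server sent data: read the SMTP dialogue itself',
    'partial':    'handshake completed, no server data yet',
}


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f'unparsed capture line: {line!r}')
    return {'src': (m['sip'], int(m['sport'])), 'dst': (m['dip'], int(m['dport'])),
            'flags': set(m['flags'].split(',')), 'len': int(m['len'] or 0)}


def verdict(events):
    """events: list of ('c2s'|'s2c', packet) for one client flow -> EXPLANATION key."""
    syn = any(d == 'c2s' and 'SYN' in p['flags'] and 'ACK' not in p['flags'] for d, p in events)
    synack = any(d == 's2c' and {'SYN', 'ACK'} <= p['flags'] for d, p in events)
    srv_rst = any(d == 's2c' and 'RST' in p['flags'] for d, p in events)
    srv_fin = any(d == 's2c' and 'FIN' in p['flags'] for d, p in events)
    srv_data = any(d == 's2c' and p['len'] > 0 for d, p in events)
    if not syn:
        return 'no-syn'
    if not synack:
        return 'refused' if srv_rst else 'no-reply'
    if srv_data:
        return 'app-talked'
    if srv_rst or srv_fin:
        return 'app-closed'
    return 'partial'


def diagnose(capture_text, server_ip, server_port=25):
    """Group packets into client flows to server_ip:server_port; one verdict per flow."""
    flows = defaultdict(list)
    for line in capture_text.strip().splitlines():
        p = parse_line(line)
        if p['dst'] == (server_ip, server_port):
            flows[p['src']].append(('c2s', p))
        elif p['src'] == (server_ip, server_port):
            flows[p['dst']].append(('s2c', p))
    return {client: verdict(events) for client, events in flows.items()}


# Constructed sample captures, one client flow each.
CAPTURE_DROPPED = """
0.000 192.168.5.2:51234 -> 192.168.1.10:25 [SYN]
3.001 192.168.5.2:51234 -> 192.168.1.10:25 [SYN]
9.002 192.168.5.2:51234 -> 192.168.1.10:25 [SYN]
"""
CAPTURE_REFUSED = """
0.000 192.168.5.2:51240 -> 192.168.1.10:25 [SYN]
0.001 192.168.1.10:25 -> 192.168.5.2:51240 [RST,ACK]
"""
CAPTURE_APP_CLOSED = """
0.000 192.168.1.20:51250 -> 192.168.1.10:25 [SYN]
0.001 192.168.1.10:25 -> 192.168.1.20:51250 [SYN,ACK]
0.001 192.168.1.20:51250 -> 192.168.1.10:25 [ACK]
0.050 192.168.1.10:25 -> 192.168.1.20:51250 [FIN,ACK]
0.051 192.168.1.20:51250 -> 192.168.1.10:25 [FIN,ACK]
"""
CAPTURE_OK = """
0.000 192.168.1.20:51260 -> 192.168.1.10:25 [SYN]
0.001 192.168.1.10:25 -> 192.168.1.20:51260 [SYN,ACK]
0.001 192.168.1.20:51260 -> 192.168.1.10:25 [ACK]
0.030 192.168.1.10:25 -> 192.168.1.20:51260 [PSH,ACK] len=62
"""

if __name__ == '__main__':
    for name, cap in [('dropped', CAPTURE_DROPPED), ('refused', CAPTURE_REFUSED),
                      ('app-closed', CAPTURE_APP_CLOSED), ('ok', CAPTURE_OK)]:
        for client, v in diagnose(cap, '192.168.1.10').items():
            print(name, client, v, '->', EXPLANATION[v])
```

Capturing on both ends matters for the first two verdicts: a SYN that appears on the client capture but never on the server capture was dropped in between (firewall or routing), while one that reaches the server and still gets no answer points at the server's own packet filter.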

Author Comment

by:pflecha
ID: 19556113
OK, the solution to this issue was in Exchange.

I created an SMTP Connector and was then able to route mail between both domains behind the PIX.

Thank you for your help.
LVL 25

Accepted Solution

by:Cyclops3590 (earned 2000 total points)
ID: 19556312
OK, I thought you already did that actually.

from my first post:
>>first, is the exchange server configured to relay the domain specifically to the 1.x server.
>> if not, i'd try that first as then it takes DNS out of the picture.

However, there must have been something else, as you said that you couldn't telnet into the server via port 25.
