Not receiving mail on exchange with port 25 open. Exchange 2003 / Pix 506e

Posted on 2007-10-13
Last Modified: 2013-11-16
We have our MX records set to deliver mail here as priority 5, then to the old host as priority 15. Once I get 25 open properly it should come in no problem. I turned off fixup protocol smtp, set a static rule to go to the exchange server (, and allowed tcp traffic on port 25 through the ACL. I must be doing something wrong.

Here is my current configuration.

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password e8dnxwQsFhiGPRPq encrypted
passwd e8dnxwQsFhiGPRPq encrypted
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host eq pptp
access-list acl_out permit gre any host
access-list acl_out permit tcp any interface outside eq www
access-list acl_out permit udp any interface outside eq www
access-list acl_out permit tcp any interface outside eq https
access-list acl_out permit tcp any interface outside eq 993
access-list acl_out permit tcp any interface outside eq 123
access-list acl_out permit tcp any interface outside eq smtp
access-list 101 permit ip
access-list 102 permit ip
pager lines 24
logging on    
logging monitor debugging
logging buffered debugging
logging trap debugging
logging history debugging
logging host inside
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0 0
static (inside,outside) tcp interface www www netmask 0 0
static (inside,outside) tcp interface https https netmask 0 0
static (inside,outside) tcp interface 993 993 netmask 0 0
static (inside,outside) udp interface 993 993 netmask 0 0
static (inside,outside) udp interface 443 443 netmask 0 0
static (inside,outside) udp interface www www netmask 0 0
static (inside,outside) tcp interface pptp pptp netmask 0 0
static (inside,outside) tcp interface smtp smtp netmask 0 0
access-group acl_out in interface outside
route outside 1
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community 0192837465
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map mymap 1 ipsec-isakmp
crypto map mymap 1 match address 102
crypto map mymap 1 set peer
crypto map mymap 1 set transform-set myset
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address netmask
isakmp keepalive 10
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
telnet inside
telnet timeout 5
ssh xxx.yyy.84.134 outside
ssh timeout 5
console timeout 0
terminal width 80
: end  

External IP addresses masked for security
Keith Alabaster
EE Page Editor
Question by:penningtonj
    LVL 36

    Assisted Solution

    The PIX config looks fine. Try running the 'clear xlate' command.
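An added example, not part of the original thread or any poster's words: a small Python check that pairs each inbound permit in the ACL applied to the outside interface with a static port redirect, run over an excerpt of the configuration posted above. The function names and regular expressions are assumptions written for the PIX 6.3 syntax shown on this page, with the masked addresses left out as they are on the page. A port that appears under `complete` has both halves in place on the firewall.

```python
import re

# Excerpt of the config posted above; addresses are masked there, so absent here.
CONFIG = """\
access-list acl_out permit tcp any host eq pptp
access-list acl_out permit tcp any interface outside eq www
access-list acl_out permit udp any interface outside eq www
access-list acl_out permit tcp any interface outside eq https
access-list acl_out permit tcp any interface outside eq 993
access-list acl_out permit tcp any interface outside eq 123
access-list acl_out permit tcp any interface outside eq smtp
static (inside,outside) tcp interface www www netmask 0 0
static (inside,outside) tcp interface https https netmask 0 0
static (inside,outside) tcp interface 993 993 netmask 0 0
static (inside,outside) udp interface 993 993 netmask 0 0
static (inside,outside) udp interface 443 443 netmask 0 0
static (inside,outside) udp interface www www netmask 0 0
static (inside,outside) tcp interface pptp pptp netmask 0 0
static (inside,outside) tcp interface smtp smtp netmask 0 0
access-group acl_out in interface outside
"""

PORTS = {"www": 80, "https": 443, "smtp": 25, "pptp": 1723}  # keywords used above
# A "host" permit is treated as covering the outside address (its IP is masked).
ACL_RE = re.compile(r"^access-list (\S+) permit (tcp|udp) any (?:interface outside|host(?: \S+)?) eq (\S+)")
STATIC_RE = re.compile(r"^static \(inside,outside\) (tcp|udp) interface (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside")

def port(tok):
    return PORTS[tok] if tok in PORTS else int(tok)

def audit(config):
    """Pair outside-ACL permits with static redirects, keyed by (proto, port)."""
    permits, statics, applied = set(), set(), None
    for line in map(str.strip, config.splitlines()):
        if m := GROUP_RE.match(line):
            applied = m.group(1)          # ACL actually bound to the outside interface
        elif m := ACL_RE.match(line):
            permits.add((m.group(1), m.group(2), port(m.group(3))))
        elif m := STATIC_RE.match(line):
            statics.add((m.group(1), port(m.group(2))))
    allowed = {(p, n) for acl, p, n in permits if acl == applied}
    return {"complete": sorted(allowed & statics),
            "permit_without_static": sorted(allowed - statics),
            "static_without_permit": sorted(statics - allowed)}

if __name__ == "__main__":
    print(audit(CONFIG))
```

TCP 25 lands in `complete`, so a connection that still fails from outside is being dropped before it reaches the PIX; the other two lists show rules with only one half present.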

    Author Comment

    That still didn't do it.

    Here are the MX records ...      MX      IN      86400 [Preference = 5]      MX      IN      86400 [Preference = 15]

    Mail still comes through on the second server. I can telnet into port twenty five from within the network, but I can't from the outside. I'm not sure if I'm supposed to be able to from the outside, but thought I would add that piece of information.

    Author Comment

    Alright, the problem is that our ISP is blocking incoming on port 25.

    We have access to another mail server outside the network. How can I have the admin of that server configure it to accept mail on 25, send it out an alternate port, and have my server accept it on that alternate port?
    LVL 36

    Accepted Solution

    Sorry for the late reply. EE was playing up for a while.

    How to configure Exchange to listen on a different port -

    How to configure the other mail server on the internet will vary depending on what mail server software it is running.
