paulbridges02

PIX does not allow new SMTP traffic

We are setting up a new Exchange 2007 server but instead of migrating it was asked to recreate the domain (small with about 15 users). So we have a new domain created with the Ex07 box but when we put up the Ex07 box, we are not able to receive mail (SMTP). We can send and receive internally from it and can send externally with it. I think I have narrowed the problem down to the internet facing PIX as I can sniff and see the SMTP traffic before the PIX, but it disappears after the PIX. At the bottom you will see the config for the PIX. Mail used to come in to the "New" box. We are keeping the "New" server so I have tried moving the SMTP and POP3 group-objects to the "Web" box on the config, but this still did not resolve my issue. The IP that Web is pointing to in the config is mapped to an internal IP for the new Exchange box on another firewall down the line.

Any help would be appreciated. I have my CCNA so I understand what most of the commands are doing, but have not ever worked with a PIX before so I need any assistance I can get.

: Saved
: Written by enable_15 at 17:08:50.184 UTC Sun Oct 14 2007
PIX Version 6.3(3)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password nX.AR/aSyOyMIBlI encrypted
passwd nX.AR/aSyOyMIBlI encrypted
hostname
domain-name
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 70.43.155.211 sonicwall-external
name 70.43.155.212 citrix-external
name 70.43.155.213 new-external
name 70.43.155.214 web-external
name 70.43.155.215 silverback-external
name 172.31.1.2 sonicwall-dmz
name 172.31.1.24 silverback-dmz
name 172.31.1.230 new-dmz
name 172.31.1.231 citrix-dmz
name 172.31.1.232 web-dmz
object-group service smtp tcp
  port-object eq smtp
object-group service rdp tcp
  port-object eq 3389
object-group service citrix-web tcp
  port-object eq 8080
  port-object eq www
object-group service citrix-ica tcp
  port-object eq citrix-ica
object-group service http tcp
  port-object eq www
object-group service https tcp
  port-object eq https
object-group service network-streaming tcp
  port-object eq 5500
object-group service sw-viewpoint tcp
  port-object eq 8000
object-group service isakmp udp
  port-object eq isakmp
object-group service silverback-checkpoint tcp
  port-object eq 264
object-group service silverback-vpn udp
  port-object eq 2746
object-group service pop3 tcp
  port-object eq pop3
object-group service cnets-new tcp
  group-object smtp
  group-object rdp
  group-object http
  group-object https
  group-object pop3
object-group service cnets-web tcp
  group-object rdp
  group-object http
  group-object https
  group-object network-streaming
  group-object sw-viewpoint
object-group service cnets-citrix-tcp tcp
  group-object rdp
  group-object citrix-web
  group-object citrix-ica
object-group service silverback-udp udp
  group-object isakmp
  group-object silverback-vpn
object-group network silverback-vpn-servers
  network-object host 209.202.134.20
  network-object host 209.202.134.21
  network-object host 209.202.134.22
object-group network silverback-checkpoint-firewalls
  network-object host 65.161.230.6
  network-object host 65.161.231.6
object-group network silverback-remote-connections
  group-object silverback-vpn-servers
  group-object silverback-checkpoint-firewalls
object-group protocol citrix-udp-tcp
  protocol-object udp
  protocol-object tcp
object-group protocol udp-tcp
  protocol-object udp
  protocol-object tcp
object-group service citrix-udp udp
  port-object eq 1604
object-group service silverback-rs tcp
  port-object eq 23000
object-group service silverback-tcp tcp
  group-object https
  group-object rdp
  group-object silverback-rs
object-group network test
access-list nonat permit ip 172.31.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 172.31.1.0 255.255.255.0 10.0.0.0 255.255.254.0
access-list inbound_access permit tcp any host new-external object-group cnets-new
access-list inbound_access permit tcp any host web-external object-group cnets-web
access-list inbound_access permit tcp any host citrix-external object-group cnets-citrix-tcp
access-list inbound_access permit udp any host citrix-external object-group citrix-udp
access-list inbound_access permit udp object-group silverback-remote-connections host silverback-external object-group silverback-udp
access-list inbound_access permit tcp object-group silverback-remote-connections host silverback-external object-group silverback-checkpoint
access-list inbound_access permit icmp any any
access-list inbound_access permit tcp any host silverback-external object-group silverback-tcp
access-list inbound_access permit tcp any host sonicwall-external eq https
access-list 7thwave-vpn permit ip 172.31.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list hammond-vpn permit ip 172.31.1.0 255.255.255.0 10.0.0.0 255.255.254.0
pager lines 24
logging queue 0
mtu outside 1500
mtu inside 1500
ip address outside 70.43.155.210 255.255.255.240
ip address inside 172.31.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) new-external new-dmz netmask 255.255.255.255 0 0
static (inside,outside) citrix-external citrix-dmz netmask 255.255.255.255 0 0
static (inside,outside) web-external web-dmz netmask 255.255.255.255 0 0
static (inside,outside) silverback-external silverback-dmz netmask 255.255.255.255 0 0
static (inside,outside) sonicwall-external sonicwall-dmz netmask 255.255.255.255 0 0
access-group inbound_access in interface outside
route outside 0.0.0.0 0.0.0.0 70.43.155.209 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community certified
no snmp-server enable traps
tftp-server inside 172.31.1.15 tftp-server
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set 7thwave-ts esp-3des esp-md5-hmac
crypto ipsec transform-set hammond-ts esp-des esp-md5-hmac
crypto map certified-care 10 ipsec-isakmp
crypto map certified-care 10 match address 7thwave-vpn
crypto map certified-care 10 set peer 66.49.5.136
crypto map certified-care 10 set transform-set 7thwave-ts
crypto map certified-care 20 ipsec-isakmp
crypto map certified-care 20 match address hammond-vpn
crypto map certified-care 20 set peer 209.135.145.178
crypto map certified-care 20 set transform-set hammond-ts
crypto map certified-care interface outside
isakmp enable outside
isakmp identity address
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash md5
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet 172.31.1.0 255.255.255.0 inside
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 outside
ssh 172.31.1.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
terminal width 80
Cryptochecksum:224fe86ce994e3b2b23b4753d97a346d
: end
giltjr

Easiest thing to do, IMHO, is to issue the command "show access-list | I x.x.x.x" where "x.x.x.x" is the external/public IP address that your new SMTP server is NAT'ed to. Then verify that there is an ACL that allows inbound connections to it with the destination port of 25 (smtp).
ASKER CERTIFIED SOLUTION
grblades

paulbridges02
ASKER

"Add the following configuration :-
object-group service cnets-web tcp
  group-object smtp"

This was one thing I realized pretty early in and I tried moving both the SMTP and POP3 group objects from the cnets-new into the cnets-web. I committed this to memory on the device then reloaded it. After the reload I still was not getting traffic across.
Just making the change is sufficient. You don't need to reload.
Since you did not save the configuration the reload effectively undid the change.

Make the change again and then also run the command "wri mem" to save the configuration. You don't need to reboot.
Sorry for the confusion, I had tried letting it run with just the changes in the run config, then I added the changes to the startup config as well by doing the write mem, was still having trouble. I have the network back in its old state right now with mail flowing fine (new Exchange server not in place and old PIX config) and I did a little sniffing. I can see the SMTP traffic just fine when I hub off the old mail server (on the intranet), but if I watch just inside the PIX (the DMZ) I cannot see SMTP traffic going across. Does the PIX spit the traffic out in a different form?
You didn't need to put the old configuration back since the new email server is on a different external IP address (same external address as the web server - 70.43.155.214).

I would suggest putting the configuration back in, saving it and then either rebooting or issuing the 'clear xlate' command which refreshes the translation table. Then try it again.
You will need to test the connection from a machine on a completely different network (not connected to any interface on the pix). I can do a quick test if you wish.
I am going to do some additional testing on Wednesday evening after hours. I will try the clear xlate command then to see if this helps. I will let you know where I am at after the testing on Wednesday. Thanks so far for your directions.
So I did some sniffing last night and here is what I found:
I can see the SMTP traffic just fine on the internet side going to the new IP address (.214). So the Frontbridge change was effective (have to change what IP it sends our mail in to). When I flip over to the LAN I cannot see the SMTP traffic if I set my IP to what the new server is set to. I also cannot see the traffic if I just hub off the new server. This testing was done with the smtp and pop3 object group on the PIX set under the "Web" server, which maps to our new Exchange server.

There is a Sonicwall that does the NAT between the PIX and the LAN, but I have a feeling it is still something on the PIX that is stopping the smtp traffic before it even hits the sonicwall.
Can you post the complete configuration again as it was when you did the testing?
So you have:

 SMTPSRV <--> Sonicwall - Doing NAT <--> PIX <--> Internet
SMTPSRV <--> Sonicwall - Doing NAT <--> PIX <--> Internet  

This is correct.

The complete config is like the one above, EXCEPT the smtp and pop3 objects are under 'cnets-web' instead of 'cnets-new'

The 'cnets-web' maps to the new Exchange server.
SOLUTION
SMTP traffic comes in to 'web-external' (70.43.155.214); it is then NAT'ed in the PIX to a DMZ address of 172.31.1.232. The Sonicwall accepts the traffic destined to 172.31.1.232 and then NATs it to an internal IP on a 192.168 network.

When I give the following command: 'show access-list | I smtp' it does show the correct ACL setting. I am going to do some more work with it Monday evening after hours and may get Cisco on the phone to see if they can offer anything. I have written out the packet path a couple of different times while looking through the configs and the configs seem to be set up right, not sure why the traffic is stopping.

Maybe if we look at this another way. The config above is the original config before any of this migration started. What would I need to change in it to have SMTP traffic pass through to 172.31.1.232, which is the web-dmz?
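An added example, not from the thread or from Cisco: a small Python resolver that reads the relevant lines of the posted PIX config and answers the question the asker worked through by hand, whether a TCP connection to a given public address and port is permitted by inbound_access and which inside (DMZ) address the matching static translates it to. The config excerpt is constructed from the question and trimmed to the web-external path, PORT_NAMES is an assumed keyword-to-port mapping, and FIXED_CONFIG applies the change grblades gave (group-object smtp under cnets-web); the Sonicwall and Exchange hops are not modelled.

```python
# Constructed excerpt of the PIX 6.3 config posted in the question: only the
# lines on the inbound path to web-external (70.43.155.214) are kept.
PIX_CONFIG = """\
name 70.43.155.214 web-external
name 172.31.1.232 web-dmz
object-group service smtp tcp
  port-object eq smtp
object-group service http tcp
  port-object eq www
object-group service cnets-web tcp
  group-object http
access-list inbound_access permit tcp any host web-external object-group cnets-web
static (inside,outside) web-external web-dmz netmask 255.255.255.255 0 0
"""
# grblades' fix: add the smtp group to cnets-web (applied here by text substitution).
FIXED_CONFIG = PIX_CONFIG.replace("object-group service cnets-web tcp\n",
                                  "object-group service cnets-web tcp\n  group-object smtp\n")
PORT_NAMES = {"smtp": 25, "pop3": 110, "www": 80, "https": 443}  # assumed keyword -> port

def parse(config):
    """Collect names, service object-groups, inbound_access entries and statics."""
    names, groups, acl, statics, cur = {}, {}, [], {}, None
    for t in (l.split() for l in config.splitlines() if l.strip()):
        if t[0] == "name":
            names[t[2]] = t[1]
        elif t[:2] == ["object-group", "service"]:
            cur = groups.setdefault(t[2], [])
        elif t[0] in ("port-object", "group-object"):
            cur.append((t[0], t[-1]))
        elif t[:3] == ["access-list", "inbound_access", "permit"]:
            acl.append((t[3], t[6], t[8]))  # protocol, destination host, service group
        elif t[0] == "static":
            statics[t[2]] = t[3]            # external name -> inside (DMZ) name
    return names, groups, acl, statics

def ports(groups, name):
    """Flatten nested group-objects into the set of port numbers they permit."""
    out = set()
    for kind, val in groups.get(name, []):
        if kind == "group-object":
            out |= ports(groups, val)
        else:
            out.add(PORT_NAMES[val] if val in PORT_NAMES else int(val))
    return out

def inbound_tcp_target(config, dst_ip, port):
    """Inside address a TCP SYN to dst_ip:port is translated to, or None if the ACL drops it."""
    names, groups, acl, statics = parse(config)
    for proto, host, grp in acl:
        if proto == "tcp" and names.get(host) == dst_ip and port in ports(groups, grp):
            return names[statics[host]]
    return None
```

With the original excerpt, port 25 to 70.43.155.214 returns None (dropped by the ACL) while port 80 returns 172.31.1.232; with FIXED_CONFIG port 25 also returns 172.31.1.232, the point where the thread's later steps (Sonicwall NAT, the Exchange receive connector) take over.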
The issue ended up being Exchange. The receive connector was set up to allow connections from the range 0.0.0.0-255.255.255.255 and I figured this would be a catch all. After I changed it to specific servers we receive email from it worked properly.

Thank you for your time and effort into helping me!