  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 576

PIX does not allow new SMTP traffic

We are setting up a new Exchange 2007 server, but instead of migrating, we were asked to recreate the domain (small, with about 15 users). So we have a new domain created with the Ex07 box, but when we put up the Ex07 box we are not able to receive mail (SMTP). We can send and receive internally from it and can send externally with it. I think I have narrowed the problem down to the internet-facing PIX, as I can sniff and see the SMTP traffic before the PIX, but it disappears after the PIX. At the bottom you will see the config for the PIX. Mail used to come in to the "New" box. We are keeping the "New" server, so I have tried moving the SMTP and POP3 group-objects to the "Web" box in the config, but this still did not resolve my issue. The IP that Web is pointing to in the config is mapped to an internal IP for the new Exchange box on another firewall down the line.

Any help would be appreciated. I have my CCNA so I understand what most of the commands are doing, but have not ever worked with a PIX before, so I need any assistance I can get.

: Saved
: Written by enable_15 at 17:08:50.184 UTC Sun Oct 14 2007
PIX Version 6.3(3)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password nX.AR/aSyOyMIBlI encrypted
passwd nX.AR/aSyOyMIBlI encrypted
hostname
domain-name
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 70.43.155.211 sonicwall-external
name 70.43.155.212 citrix-external
name 70.43.155.213 new-external
name 70.43.155.214 web-external
name 70.43.155.215 silverback-external
name 172.31.1.2 sonicwall-dmz
name 172.31.1.24 silverback-dmz
name 172.31.1.230 new-dmz
name 172.31.1.231 citrix-dmz
name 172.31.1.232 web-dmz
object-group service smtp tcp
  port-object eq smtp
object-group service rdp tcp
  port-object eq 3389
object-group service citrix-web tcp
  port-object eq 8080
  port-object eq www
object-group service citrix-ica tcp
  port-object eq citrix-ica
object-group service http tcp
  port-object eq www
object-group service https tcp
  port-object eq https
object-group service network-streaming tcp
  port-object eq 5500
object-group service sw-viewpoint tcp
  port-object eq 8000
object-group service isakmp udp
  port-object eq isakmp
object-group service silverback-checkpoint tcp
  port-object eq 264
object-group service silverback-vpn udp
  port-object eq 2746
object-group service pop3 tcp
  port-object eq pop3
object-group service cnets-new tcp
  group-object smtp
  group-object rdp
  group-object http
  group-object https
  group-object pop3
object-group service cnets-web tcp
  group-object rdp
  group-object http
  group-object https
  group-object network-streaming
  group-object sw-viewpoint
object-group service cnets-citrix-tcp tcp
  group-object rdp
  group-object citrix-web
  group-object citrix-ica
object-group service silverback-udp udp
  group-object isakmp
  group-object silverback-vpn
object-group network silverback-vpn-servers
  network-object host 209.202.134.20
  network-object host 209.202.134.21
  network-object host 209.202.134.22
object-group network silverback-checkpoint-firewalls
  network-object host 65.161.230.6
  network-object host 65.161.231.6
object-group network silverback-remote-connections
  group-object silverback-vpn-servers
  group-object silverback-checkpoint-firewalls
object-group protocol citrix-udp-tcp
  protocol-object udp
  protocol-object tcp
object-group protocol udp-tcp
  protocol-object udp
  protocol-object tcp
object-group service citrix-udp udp
  port-object eq 1604
object-group service silverback-rs tcp
  port-object eq 23000
object-group service silverback-tcp tcp
  group-object https
  group-object rdp
  group-object silverback-rs
object-group network test
access-list nonat permit ip 172.31.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 172.31.1.0 255.255.255.0 10.0.0.0 255.255.254.0
access-list inbound_access permit tcp any host new-external object-group cnets-new
access-list inbound_access permit tcp any host web-external object-group cnets-web
access-list inbound_access permit tcp any host citrix-external object-group cnets-citrix-tcp
access-list inbound_access permit udp any host citrix-external object-group citrix-udp
access-list inbound_access permit udp object-group silverback-remote-connections host silverback-external object-group silverback-udp
access-list inbound_access permit tcp object-group silverback-remote-connections host silverback-external object-group silverback-checkpoint
access-list inbound_access permit icmp any any
access-list inbound_access permit tcp any host silverback-external object-group silverback-tcp
access-list inbound_access permit tcp any host sonicwall-external eq https
access-list 7thwave-vpn permit ip 172.31.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list hammond-vpn permit ip 172.31.1.0 255.255.255.0 10.0.0.0 255.255.254.0
pager lines 24
logging queue 0
mtu outside 1500
mtu inside 1500
ip address outside 70.43.155.210 255.255.255.240
ip address inside 172.31.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) new-external new-dmz netmask 255.255.255.255 0 0
static (inside,outside) citrix-external citrix-dmz netmask 255.255.255.255 0 0
static (inside,outside) web-external web-dmz netmask 255.255.255.255 0 0
static (inside,outside) silverback-external silverback-dmz netmask 255.255.255.255 0 0
static (inside,outside) sonicwall-external sonicwall-dmz netmask 255.255.255.255 0 0
access-group inbound_access in interface outside
route outside 0.0.0.0 0.0.0.0 70.43.155.209 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community certified
no snmp-server enable traps
tftp-server inside 172.31.1.15 tftp-server
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set 7thwave-ts esp-3des esp-md5-hmac
crypto ipsec transform-set hammond-ts esp-des esp-md5-hmac
crypto map certified-care 10 ipsec-isakmp
crypto map certified-care 10 match address 7thwave-vpn
crypto map certified-care 10 set peer 66.49.5.136
crypto map certified-care 10 set transform-set 7thwave-ts
crypto map certified-care 20 ipsec-isakmp
crypto map certified-care 20 match address hammond-vpn
crypto map certified-care 20 set peer 209.135.145.178
crypto map certified-care 20 set transform-set hammond-ts
crypto map certified-care interface outside
isakmp enable outside
isakmp identity address
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash md5
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet 172.31.1.0 255.255.255.0 inside
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 outside
ssh 172.31.1.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
terminal width 80
Cryptochecksum:224fe86ce994e3b2b23b4753d97a346d
: end
Asked: paulbridges02
2 Solutions
 
giltjr commented:
Easiest thing to do, IMHO, is to issue the command "show access-list | I x.x.x.x" where "x.x.x.x" is the external/public IP address that your new SMTP server is NAT'ed to. Then verify that there is an ACL that allows inbound connections to it with the destination port of 25 (smtp).
0
 
grblades commented:
> static (inside,outside) web-external web-dmz netmask 255.255.255.255 0
correct

> access-list inbound_access permit tcp any host web-external object-group cnets-web
cnets-web is the access-group permitted in this acl.

> object-group service cnets-web tcp
>   group-object rdp
>   group-object http
>   group-object https
>   group-object network-streaming
>   group-object sw-viewpoint
No smtp being allowed here.

Add the following configuration :-
object-group service cnets-web tcp
  group-object smtp
0
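A quick way to verify what giltjr and grblades describe above (find the ACE for the public address, then check whether its object-group actually contains port 25) is to expand the nested object-groups programmatically rather than by eye. The script below is an added example, not from the thread or from Cisco; it parses a constructed subset of the posted PIX 6.3 config and reports whether tcp/25 to web-external is permitted before and after "group-object smtp" is added to cnets-web.

```python
# Added example, not from the thread; PIX_CONFIG is a constructed subset of the posted config.
PIX_CONFIG = """\
name 70.43.155.214 web-external
object-group service smtp tcp
  port-object eq smtp
object-group service http tcp
  port-object eq www
object-group service https tcp
  port-object eq https
object-group service cnets-web tcp
  group-object http
  group-object https
access-list inbound_access permit tcp any host web-external object-group cnets-web
"""
CNETS_WEB_FIX = "object-group service cnets-web tcp\n  group-object smtp\n"  # grblades' proposed fix
PORT_NAMES = {"smtp": 25, "www": 80, "https": 443, "pop3": 110}  # PIX port keywords used here

def parse(cfg):
    names, groups, acl, grp = {}, {}, [], None
    for t in (l.split() for l in cfg.splitlines() if l.strip()):
        if t[0] == "name":                          # name <ip> <alias>
            names[t[2]] = t[1]
        elif t[:2] == ["object-group", "service"]:  # re-entering a group appends to it
            grp = groups.setdefault(t[2], [])
        elif t[0] == "port-object":                 # port-object eq <port|keyword>
            grp.append(int(PORT_NAMES.get(t[2], t[2])))
        elif t[0] == "group-object":                # nested group, flattened in ports()
            grp.append(t[1])
        elif t[0] == "access-list":
            acl.append(t)
    return names, groups, acl

def ports(groups, name, seen=()):
    """Flatten a service object-group, following nested group-objects without looping."""
    out = set()
    for m in groups.get(name, []):
        if isinstance(m, int):
            out.add(m)
        elif m not in seen:
            out |= ports(groups, m, seen + (name,))
    return out

def permitted(cfg, acl_name, dst_ip, dst_port):
    """First 'permit tcp any host X object-group G' ACE allowing TCP dst_port to dst_ip, else None."""
    names, groups, acl = parse(cfg)
    for t in acl:
        if (t[1:4] == [acl_name, "permit", "tcp"] and t[5] == "host" and t[7] == "object-group"
                and names.get(t[6], t[6]) == dst_ip and dst_port in ports(groups, t[8])):
            return " ".join(t)
    return None
```

Running permitted(PIX_CONFIG, "inbound_access", "70.43.155.214", 25) returns None, and the same call on PIX_CONFIG + CNETS_WEB_FIX returns the cnets-web ACE, which is exactly the gap the answer points out. The parser only understands the ACE and object-group shapes that appear in the posted config.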
 
paulbridges02 (Author) commented:
"Add the following configuration :-
object-group service cnets-web tcp
  group-object smtp"

This was one thing I realized pretty early on, and I tried moving both the SMTP and POP3 group objects from the cnets-new into the cnets-web. I committed this to memory on the device, then reloaded it. After the reload I still was not getting traffic across.
0
 
grblades commented:
Just making the change is sufficient. You don't need to reload.
Since you did not save the configuration, the reload effectively undid the change.

Make the change again and then also run the command "wri mem" to save the configuration. You don't need to reboot.
0
 
paulbridges02 (Author) commented:
Sorry for the confusion. I had tried letting it run with just the changes in the running config, then I added the changes to the startup config as well by doing the write mem, and was still having trouble. I have the network back in its old state right now with mail flowing fine (new Exchange server not in place and old PIX config) and I did a little sniffing. I can see the SMTP traffic just fine when I hub off the old mail server (on the intranet), but if I watch just inside the PIX (the DMZ) I cannot see SMTP traffic going across. Does the PIX spit the traffic out in a different form?
0
 
grblades commented:
You didn't need to put the old configuration back since the new email server is on a different external IP address (same external address as the web server - 70.43.155.214).

I would suggest putting the configuration back in, saving it and then either rebooting or issuing the 'clear xlate' command which refreshes the translation table. Then try it again.
You will need to test the connection from a machine on a completely different network (not connected to any interface on the pix). I can do a quick test if you wish.
0
 
paulbridges02 (Author) commented:
I am going to do some additional testing on Wednesday evening after hours. I will try the clear xlate command then to see if this helps. I will let you know where I am at after the testing on Wednesday. Thanks so far for your directions.
0
 
paulbridges02 (Author) commented:
So I did some sniffing last night and here is what I found:
I can see the SMTP traffic just fine on the internet side going to the new IP address (.214). So the Frontbridge change was effective (we had to change what IP it sends our mail in to). When I flip over to the LAN I cannot see the SMTP traffic if I set my IP to what the new server is set to. I also cannot see the traffic if I just hub off the new server. This testing was done with the smtp and pop3 object groups on the PIX set under the "Web" server, which maps to our new Exchange server.

There is a Sonicwall that does the NAT between the PIX and the LAN, but I have a feeling it is still something on the PIX that is stopping the smtp traffic before it even hits the sonicwall.
0
 
grblades commented:
Can you post the complete configuration again as it was when you did the testing?
0
 
giltjr commented:
So you have:

 SMTPSRV <--> Sonicwall - Doing NAT <--> PIX <--> Internet

0
 
paulbridges02 (Author) commented:
SMTPSRV <--> Sonicwall - Doing NAT <--> PIX <--> Internet

This is correct.

The complete config is like the one above, EXCEPT the smtp and pop3 objects are under 'cnets-web' instead of 'cnets-new'

The 'cnets-web' maps to the new Exchange server.
0
 
giltjr commented:
So if you do:

     show access-list | I smtp

on the PIX, do you see an ACL that is correct? Correct ACL name, source address, source port, dst address, dst port?

I am also a bit confused. You seem to have a NAT setup in the PIX for "web-external". So it seems that you are doing NAT in the PIX. You also stated that you have a Sonicwall that is also doing NAT. Are you NAT'ing web-external in both places?
0
 
paulbridges02 (Author) commented:
SMTP traffic comes in to 'web-external' (70.43.155.214); it is then NAT'ed in the PIX to a DMZ address of 172.31.1.232. The Sonicwall accepts the traffic destined to 172.31.1.232 and then NATs it to an internal IP on a 192.168 network.

When I give the following command: 'show access-list | I smtp', it does show the correct ACL setting. I am going to do some more work with it Monday evening after hours and may get Cisco on the phone to see if they can offer anything. I have written out the packet path a couple of different times while looking through the configs, and the configs seem to be set up right; not sure why the traffic is stopping.

Maybe if we look at this another way. The config above is the original config before any of this migration started. What would I need to change in it to have SMTP traffic pass through to 172.31.1.232, which is the web-dmz?
0
 
paulbridges02 (Author) commented:
The issue ended up being Exchange. The receive connector was set up to allow connections from the range 0.0.0.0-255.255.255.255, and I figured this would be a catch-all. After I changed it to the specific servers we receive email from, it worked properly.

Thank you for your time and effort into helping me!
0