PIX does not allow new SMTP traffic

Posted on 2007-10-14
Last Modified: 2010-04-09
We are setting up a new Exchange 2007 server but instead of migrating it was asked to recreate the domain (small with about 15 users). So we have a new domain created with the Ex07 box but when we put up the Ex07 box, we are not able to receive mail (smtp). We can send and receive internally from it and can send externally with it. I think I have narrowed the problem down to the internet facing PIX as I can sniff and see the smtp traffic before the PIX, but it disappears after the PIX. At the bottom you will see the config for the PIX. Mail used to come in to the "New" box. We are keeping the "New" server so I have tried moving the SMTP and POP3 group-objects to the "Web" box on the config, but this still did not resolve my issue. The IP that Web is pointing to in the config is mapped to an internal IP for the new exchange box on another firewall down the line.

Any help would be appreciated. I have my CCNA so I understand what most of the commands are doing, but have not ever worked with a PIX before so I need any assistance I can get.

: Saved
: Written by enable_15 at 17:08:50.184 UTC Sun Oct 14 2007
PIX Version 6.3(3)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password nX.AR/aSyOyMIBlI encrypted
passwd nX.AR/aSyOyMIBlI encrypted
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
name sonicwall-external
name citrix-external
name new-external
name web-external
name silverback-external
name sonicwall-dmz
name silverback-dmz
name new-dmz
name citrix-dmz
name web-dmz
object-group service smtp tcp
  port-object eq smtp
object-group service rdp tcp
  port-object eq 3389
object-group service citrix-web tcp
  port-object eq 8080
  port-object eq www
object-group service citrix-ica tcp
  port-object eq citrix-ica
object-group service http tcp
  port-object eq www
object-group service https tcp
  port-object eq https
object-group service network-streaming tcp
  port-object eq 5500
object-group service sw-viewpoint tcp
  port-object eq 8000
object-group service isakmp udp
  port-object eq isakmp
object-group service silverback-checkpoint tcp
  port-object eq 264
object-group service silverback-vpn udp
  port-object eq 2746
object-group service pop3 tcp
  port-object eq pop3
object-group service cnets-new tcp
  group-object smtp
  group-object rdp
  group-object http
  group-object https
  group-object pop3
object-group service cnets-web tcp
  group-object rdp
  group-object http
  group-object https
  group-object network-streaming
  group-object sw-viewpoint
object-group service cnets-citrix-tcp tcp
  group-object rdp
  group-object citrix-web
  group-object citrix-ica
object-group service silverback-udp udp
  group-object isakmp
  group-object silverback-vpn
object-group network silverback-vpn-servers
  network-object host
  network-object host
  network-object host
object-group network silverback-checkpoint-firewalls
  network-object host
  network-object host
object-group network silverback-remote-connections
  group-object silverback-vpn-servers
  group-object silverback-checkpoint-firewalls
object-group protocol citrix-udp-tcp
  protocol-object udp
  protocol-object tcp
object-group protocol udp-tcp
  protocol-object udp
  protocol-object tcp
object-group service citrix-udp udp
  port-object eq 1604
object-group service silverback-rs tcp
  port-object eq 23000
object-group service silverback-tcp tcp
  group-object https
  group-object rdp
  group-object silverback-rs
object-group network test
access-list nonat permit ip
access-list nonat permit ip
access-list inbound_access permit tcp any host new-external object-group cnets-new
access-list inbound_access permit tcp any host web-external object-group cnets-web
access-list inbound_access permit tcp any host citrix-external object-group cnets-citrix-tcp
access-list inbound_access permit udp any host citrix-external object-group citrix-udp
access-list inbound_access permit udp object-group silverback-remote-connections host silverback-external object-group silverback-udp
access-list inbound_access permit tcp object-group silverback-remote-connections host silverback-external object-group silverback-checkpoint
access-list inbound_access permit icmp any any
access-list inbound_access permit tcp any host silverback-external object-group silverback-tcp
access-list inbound_access permit tcp any host sonicwall-external eq https
access-list 7thwave-vpn permit ip
access-list hammond-vpn permit ip
pager lines 24
logging queue 0
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0 0
static (inside,outside) new-external new-dmz netmask 0 0
static (inside,outside) citrix-external citrix-dmz netmask 0 0
static (inside,outside) web-external web-dmz netmask 0 0
static (inside,outside) silverback-external silverback-dmz netmask 0 0
static (inside,outside) sonicwall-external sonicwall-dmz netmask 0 0
access-group inbound_access in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community certified
no snmp-server enable traps
tftp-server inside tftp-server
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set 7thwave-ts esp-3des esp-md5-hmac
crypto ipsec transform-set hammond-ts esp-des esp-md5-hmac
crypto map certified-care 10 ipsec-isakmp
crypto map certified-care 10 match address 7thwave-vpn
crypto map certified-care 10 set peer
crypto map certified-care 10 set transform-set 7thwave-ts
crypto map certified-care 20 ipsec-isakmp
crypto map certified-care 20 match address hammond-vpn
crypto map certified-care 20 set peer
crypto map certified-care 20 set transform-set hammond-ts
crypto map certified-care interface outside
isakmp enable outside
isakmp identity address
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash md5
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet inside
telnet timeout 30
ssh outside
ssh inside
ssh inside
ssh timeout 30
console timeout 0
terminal width 80
: end
Question by:paulbridges02
    LVL 57

    Expert Comment

    Easiest thing to do, IMHO, is to issue the command "show access-list | I x.x.x.x" where "x.x.x.x" is the external/public IP address that your new SMTP server is NAT'ed to.  Then verify that there is an ACL that allows inbound connections to it with the destination port of 25 (smtp).
    LVL 36

    Accepted Solution

    > static (inside,outside) web-external web-dmz netmask 0

    > access-list inbound_access permit tcp any host web-external object-group cnets-web
    cnets-web is the access-group permitted in this acl.

    > object-group service cnets-web tcp
    >   group-object rdp
    >   group-object http
    >   group-object https
    >   group-object network-streaming
    >   group-object sw-viewpoint
    No smtp being allowed here.

    Add the following configuration :-
    object-group service cnets-web tcp
      group-object smtp
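
    The accepted answer's reasoning (follow the ACE to its object-group, flatten any nested group-objects, and check whether port 25 is in the result) is exactly what "show access-list" does for you on the PIX when it expands object-groups into individual ACEs. The following Python script is an added example, not the PIX's code or anything posted in this thread: it parses a constructed excerpt in the style of the config above and reports whether tcp/25 to a given host is permitted, before and after the fix. It assumes the hostnames new-external and web-external stand in for the redacted public IPs, and it only understands the "permit tcp any host X object-group G" ACE form used in this config.

```python
import re

# Constructed excerpt in the style of the PIX 6.3 config posted in the question.
# Hostnames stand in for the public IPs the page redacts ('host' is the PIX keyword).
# Only the object-groups and ACEs needed for the SMTP question are kept.
PIX_CONFIG_BEFORE = """
object-group service smtp tcp
  port-object eq smtp
object-group service rdp tcp
  port-object eq 3389
object-group service http tcp
  port-object eq www
object-group service https tcp
  port-object eq https
object-group service pop3 tcp
  port-object eq pop3
object-group service cnets-new tcp
  group-object smtp
  group-object rdp
  group-object http
  group-object https
  group-object pop3
object-group service cnets-web tcp
  group-object rdp
  group-object http
  group-object https
access-list inbound_access permit tcp any host new-external object-group cnets-new
access-list inbound_access permit tcp any host web-external object-group cnets-web
"""

# The accepted answer's fix, plus pop3 as the author also moved it: add both to cnets-web.
PIX_CONFIG_AFTER = PIX_CONFIG_BEFORE.replace(
    "object-group service cnets-web tcp\n",
    "object-group service cnets-web tcp\n  group-object smtp\n  group-object pop3\n")

# Subset of the well-known port names the PIX prints in place of numbers.
PORT_NAMES = {"smtp": 25, "www": 80, "https": 443, "pop3": 110}


def port_number(token):
    """Translate a port-object token ('smtp', '3389') to an integer port."""
    if token.isdigit():
        return int(token)
    if token in PORT_NAMES:
        return PORT_NAMES[token]
    raise ValueError(f"unknown port name: {token}")


def parse_service_groups(config):
    """Return {group_name: set(ports)} with nested group-objects flattened."""
    raw = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"object-group service (\S+) (tcp|udp)", line)
        if m:
            current = m.group(1)
            raw[current] = []
        elif current and line.startswith("  "):
            raw[current].append(line.split())
        else:
            current = None  # any unindented line ends the object-group block

    def expand(name, seen=()):
        if name in seen:
            raise ValueError(f"object-group loop at {name}")
        ports = set()
        for tok in raw[name]:
            if tok[0] == "port-object" and tok[1] == "eq":
                ports.add(port_number(tok[2]))
            elif tok[0] == "group-object":
                ports |= expand(tok[1], seen + (name,))
        return ports

    return {name: expand(name) for name in raw}


def expand_acl(config, acl_name, groups):
    """Mimic 'show access-list': one (proto, dst_host, port) tuple per expanded ACE."""
    pat = re.compile(
        rf"access-list {acl_name} permit (tcp|udp) any host (\S+) object-group (\S+)")
    aces = []
    for line in config.splitlines():
        m = pat.match(line)
        if m:
            proto, dst, grp = m.groups()
            aces.extend((proto, dst, port) for port in sorted(groups[grp]))
    return aces


def is_permitted(config, acl_name, proto, dst_host, port):
    """True if the ACL, after object-group expansion, permits proto/port to dst_host."""
    groups = parse_service_groups(config)
    return (proto, dst_host, port) in expand_acl(config, acl_name, groups)


if __name__ == "__main__":
    for label, cfg in (("before", PIX_CONFIG_BEFORE), ("after", PIX_CONFIG_AFTER)):
        for host in ("new-external", "web-external"):
            ok = is_permitted(cfg, "inbound_access", "tcp", host, 25)
            print(f"{label:6} tcp/25 -> {host}: {'permit' if ok else 'no ACE'}")
```

    Run it and the "before" output shows tcp/25 reaching new-external but not web-external, which is the gap the answer above points out; "after" shows both. On a real PIX the same check is "show access-list | I smtp", which prints only the expanded ACEs mentioning port 25, so a hit for the new host's external address is what to look for.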

    Author Comment

    "Add the following configuration :-
    object-group service cnets-web tcp
      group-object smtp"

    This was one thing I realized pretty early in and I tried moving both the SMTP and POP3 group objects from the cnets-new into the cnets-web. I committed this to memory on the device then reloaded it. After the reload I still was not getting traffic across.
    LVL 36

    Expert Comment

    Just making the change is sufficient. You don't need to reload.
    Since you did not save the configuration the reload effectively undid the change.

    Make the change again and then also run the command "wri mem" to save the configuration. You don't need to reboot.

    Author Comment

    Sorry for the confusion, I had tried letting it run with just the changes in the run config, then I added the changes to the startup config as well by doing the write mem, was still having trouble. I have the network back in its old state right now with mail flowing fine (new exchange server not in place and old PIX config) and I did a little sniffing. I can see the SMTP traffic just fine when I hub off the old mail server (on the intranet), but if I watch just inside the PIX (the dmz) I cannot see smtp traffic going across. Does the PIX spit the traffic out in a different form?
    LVL 36

    Expert Comment

    You didn't need to put the old configuration back since the new email server is on a different external IP address (same external address as the web server -

    I would suggest putting the configuration back in, saving it and then either rebooting or issuing the 'clear xlate' command which refreshes the translation table. Then try it again.
    You will need to test the connection from a machine on a completely different network (not connected to any interface on the pix). I can do a quick test if you wish.

    Author Comment

    I am going to do some additional testing on Wednesday evening after hours. I will try to clear xlate command then to see if this helps. I will let you know where I am at after the testing on Wednesday. Thanks so far for your directions.

    Author Comment

    So I did some sniffing last night and here is what I found:
    I can see the SMTP traffic just fine on the internet side going to the new IP address (.214). So the Frontbridge change was effective (have to change what IP it sends our mail in to). When I flip over to the LAN I cannot see the SMTP traffic if I set my IP to what the new server is set to. I also cannot see the traffic if I just hub off the new server. This testing was done with the smtp and pop3 object group on the PIX set under the "Web" server, which maps to our new Exchange server.

    There is a Sonicwall that does the NAT between the PIX and the LAN, but I have a feeling it is still something on the PIX that is stopping the smtp traffic before it even hits the sonicwall.
    LVL 36

    Expert Comment

    Can you post the complete configuration again as it was when you did the testing?
    LVL 57

    Expert Comment

    So you have:

     SMTPSRV <--> Sonicwall - Doing NAT <--> PIX <--> Internet


    Author Comment

    SMTPSRV <--> Sonicwall - Doing NAT <--> PIX <--> Internet

    This is correct.

    The complete config is like the one above, EXCEPT the smtp and pop3 objects are under 'cnets-web' instead of 'cnets-new'

    The 'cnets-web' maps to the new Exchange server.
    LVL 57

    Assisted Solution

    So if you do:

         show access-list | I smtp

    on the PIX, do you see an ACL that is correct?  Correct ACL name, source address, source port, dst address, dst port?

    I am also a bit confused.  You seem to have a NAT setup in the PIX for "web-external".  So it seems that you are doing NAT in the PIX.  You also stated that you have a Sonicwall that is also doing NAT.  Are you NAT'ing web-external in both places?

    Author Comment

    SMTP traffic comes in to 'web-external' ( it is then NAT'ed in the PIX to a DMZ address of The Sonicwall accepts the traffic destined to and then NATs it to an internal IP on a 192.168 network.

    When I give the following command: 'show access-list | I smtp'  It does show the correct ACL setting. I am going to do some more work with it Monday evening after hours and may get Cisco on the phone to see if they can offer anything. I have written out the packet path a couple of different times while looking through the configs and the configs seem to be setup right, not sure why the traffic is stopping.

    Maybe if we look at this another way. The config above is the original config before any of this migration started. What would I need to change in it to have smtp traffic pass through to which is the web-dmz.  

    Author Comment

    The issue ended up being Exchange. The receive connector was set up to allow connections from the range and I figured this would be a catch-all. After I changed it to specific servers we receive email from it worked properly.

    Thank you for your time and effort into helping me!
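
    The resolution above turns on how Exchange picks a receive connector: for an inbound SMTP session it selects the connector whose RemoteIPRanges entry most specifically matches the source address (the smallest matching range wins), and a connector whose permission groups do not include Anonymous will not accept unauthenticated internet mail. The Python script below is an added example, not Exchange code and not from this thread: it models that selection over constructed connector definitions and shows why a broad range can lose to the default connector while an entry naming the specific sending servers wins. The connector names, ranges and the 203.0.113.x sender addresses are constructed; the page redacts the real values.

```python
import ipaddress

# Constructed model of the receive connectors on one Exchange 2007 Hub Transport
# server. Only the attributes that decide whether an inbound session is accepted
# are modelled: RemoteIPRanges and whether the Anonymous permission group is set.
# The default connector really does cover 0.0.0.0-255.255.255.255 without Anonymous.
CONNECTORS_BEFORE = [
    {"name": "Default HUB",
     "remote_ip_ranges": ["0.0.0.0-255.255.255.255"], "anonymous": False},
    # Constructed: a custom "internet" connector whose range does not actually
    # include the filtering service that relays inbound mail to us.
    {"name": "Internet Inbound",
     "remote_ip_ranges": ["192.168.0.0/16"], "anonymous": True},
]

# After the fix described in the thread: the connector lists the specific
# servers we receive mail from (constructed documentation-range addresses).
CONNECTORS_AFTER = [
    CONNECTORS_BEFORE[0],
    {"name": "Internet Inbound",
     "remote_ip_ranges": ["203.0.113.10", "203.0.113.11"], "anonymous": True},
]


def range_match(spec, ip):
    """Parse one RemoteIPRanges entry (CIDR, single address, or 'low-high' pair).
    Return (contains, size) so the caller can prefer the most specific match."""
    if "-" in spec:
        low, high = (int(ipaddress.ip_address(s.strip())) for s in spec.split("-"))
        return low <= int(ip) <= high, high - low + 1
    net = ipaddress.ip_network(spec, strict=False)  # a bare address is a /32
    return ip in net, net.num_addresses


def select_connector(connectors, source_ip):
    """Exchange's rule, simplified: the connector with the smallest matching range."""
    ip = ipaddress.ip_address(source_ip)
    best = None  # (range size, connector)
    for conn in connectors:
        for spec in conn["remote_ip_ranges"]:
            contains, size = range_match(spec, ip)
            if contains and (best is None or size < best[0]):
                best = (size, conn)
    return best[1] if best else None


def accepts_anonymous_mail(connectors, source_ip):
    """True only if the selected connector permits unauthenticated SMTP."""
    conn = select_connector(connectors, source_ip)
    return conn is not None and conn["anonymous"]


if __name__ == "__main__":
    sender = "203.0.113.10"  # constructed address of the relay that delivers our mail
    for label, conns in (("before", CONNECTORS_BEFORE), ("after", CONNECTORS_AFTER)):
        chosen = select_connector(conns, sender)
        print(f"{label:6} {sender} -> {chosen['name']}: "
              f"{'accept' if accepts_anonymous_mail(conns, sender) else 'reject'}")
```

    Before the change the relay's address only matches the default connector, which has no Anonymous permission, so the session is refused even though the PIX and Sonicwall delivered the packets; after the change the specific entries are the most specific match and the anonymous connector handles the session. On a real server the equivalent check is the RemoteIPRanges and PermissionGroups columns of Get-ReceiveConnector in the Exchange Management Shell.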
