Birdsemple asked:
External Email blocked by Firewall.

We have been trying to set up Double Take Application Manager software to protect our Microsoft Exchange 2003 system. We have encountered a problem where after failover we are unable to send or receive external messages and we think this has something to do with our firewall settings. We have a Cisco Pix 515E running Cisco IOS 6.2

With DTAM the backup server does not take over the IP address and identity of the failed server. Instead Double Take will update DNS servers to re-route end-users to the backup server and then re-assign all mailboxes and Public Folders from the failed server to the backup server. After failover, internal emails are fine, but external mail does not work for either incoming or outgoing mail.

On going through the PIX configuration we have found these entries, and I think that, as the backup server has a different IP address from the expected internal IP address, the firewall is blocking the mail. Unfortunately my Cisco knowledge is limited, so I am not sure of the best way around this.

name {internal ip address} inside_mail
name {external ip address}  public_mail
access-list 100 permit tcp any host public_mail eq smtp
access-list 300 permit tcp host inside_mail any eq smtp
pdm location inside_mail inside
static (inside,outside) public_mail inside_mail netmask 0 0
vpngroup pixvpn wins-server inside_mail

Is it possible to set up more than one internal mail address on the pix? Or is there another way round the problem?

Any ideas would be appreciated.

Many thanks

Chris Dent

Hi Sharon,

The Access List portion is pretty easy:

name {internal ip 2 address} inside_mail_backup

access-list 300 permit tcp host inside_mail_backup any eq smtp

This grants permission for our new IP to connect to any remote system using SMTP.

The static NAT is more of a problem. I'd looked to do something similar in my environment, however the PIX isn't capable of differentiating between outbound and inbound. That makes inbound delivery rather difficult because it's not quite certain which server to deliver it to.

I take it you don't have a system that acts as a mail gateway? And that public mail flows straight into the Exchange system above?
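The two halves of the answer above (the outbound access-list entry is easy to add for a second host, the inbound one-to-one static is not) can be checked mechanically. The following is an added example, not code from the thread or from Double Take or Cisco: a small audit script that parses the `name`, `access-list` and `static` lines of a PIX 6.x-style configuration and reports, for each inside mail host you name, whether outbound SMTP is permitted and whether an inbound static translation plus matching access-list entry exists. The sample configuration is constructed here from the thread's lines plus Chris Dent's suggested backup-server lines; all IP addresses are RFC 5737 documentation placeholders, the `access-group` bindings that actually apply ACLs to interfaces are assumed to be present and are not checked, and only the `any` / `host X` address forms are parsed.

```python
"""Audit a PIX 6.x-style config for SMTP reachability of inside mail hosts."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the thread's lines with the backup-server additions.
# Addresses are placeholders (RFC 5737 documentation ranges).
SAMPLE_CONFIG = """\
name 192.0.2.10 inside_mail
name 192.0.2.11 inside_mail_backup
name 203.0.113.25 public_mail
access-list 100 permit tcp any host public_mail eq smtp
access-list 300 permit tcp host inside_mail any eq smtp
access-list 300 permit tcp host inside_mail_backup any eq smtp
static (inside,outside) public_mail inside_mail netmask 255.255.255.255
"""

NAME_RE = re.compile(r"^name\s+(?P<ip>\S+)\s+(?P<name>\S+)\s*$")
ACL_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host\s+\S+)\s+(?P<dst>any|host\s+\S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?\s*$"
)
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>\w+),(?P<mapped_if>\w+)\)\s+(?P<mapped>\S+)\s+(?P<real>\S+)"
)


@dataclass
class AclEntry:
    acl: str
    action: str
    proto: str
    src: str  # "any" or a host address / name
    dst: str
    port: Optional[str]


@dataclass
class PixConfig:
    names: dict = field(default_factory=dict)    # alias -> IP
    acls: list = field(default_factory=list)     # AclEntry
    statics: list = field(default_factory=list)  # (mapped/public, real/inside)


def _endpoint(token: str) -> str:
    """Reduce 'any' or 'host X' to 'any' or 'X'."""
    return "any" if token == "any" else token.split()[1]


def parse_config(text: str) -> PixConfig:
    cfg = PixConfig()
    for raw in text.splitlines():
        line = raw.strip()
        if m := NAME_RE.match(line):
            cfg.names[m["name"]] = m["ip"]
        elif m := ACL_RE.match(line):
            cfg.acls.append(AclEntry(m["acl"], m["action"], m["proto"],
                                     _endpoint(m["src"]), _endpoint(m["dst"]), m["port"]))
        elif m := STATIC_RE.match(line):
            cfg.statics.append((m["mapped"], m["real"]))
    return cfg


def resolve(cfg: PixConfig, token: str) -> str:
    """Map a `name` alias to its IP so entries written with names and with IPs compare equal."""
    return cfg.names.get(token, token)


def audit_smtp(text: str, inside_hosts: list) -> dict:
    """For each inside host: is outbound SMTP permitted, and is there a public IP with inbound SMTP?"""
    cfg = parse_config(text)
    report = {}
    for host in inside_hosts:
        ip = resolve(cfg, host)
        outbound = any(e.action == "permit" and e.proto == "tcp" and e.port == "smtp"
                       and resolve(cfg, e.src) == ip and e.dst == "any" for e in cfg.acls)
        # A one-to-one static is what lets the outside world reach this host at all.
        public = next((resolve(cfg, mapped) for mapped, real in cfg.statics
                       if resolve(cfg, real) == ip), None)
        inbound = public is not None and any(
            e.action == "permit" and e.proto == "tcp" and e.port == "smtp"
            and e.src == "any" and resolve(cfg, e.dst) == public for e in cfg.acls)
        report[host] = {"ip": ip, "outbound_smtp": outbound,
                        "public_ip": public, "inbound_smtp": inbound}
    return report


def static_conflicts(text: str) -> list:
    """Public addresses claimed by more than one inside host; a one-to-one static maps only one."""
    cfg = parse_config(text)
    owners = {}
    for mapped, real in cfg.statics:
        owners.setdefault(resolve(cfg, mapped), set()).add(resolve(cfg, real))
    return sorted(pub for pub, reals in owners.items() if len(reals) > 1)


if __name__ == "__main__":
    for host, result in audit_smtp(SAMPLE_CONFIG, ["inside_mail", "inside_mail_backup"]).items():
        print(host, result)
    print("conflicting statics:", static_conflicts(SAMPLE_CONFIG))
```

Run against the sample, the report shows `inside_mail_backup` with outbound SMTP permitted but no public IP and no inbound path, which is exactly the failover symptom in the question. Appending a second `static` that maps `public_mail` to the backup host makes `static_conflicts` flag the public address, illustrating why the firewall cannot simply hold two inside owners for one public mail address.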


Birdsemple
Thanks for your reply Chris.

We don't have a mail gateway, so public mail flows straight into Exchange.

The whole point of Double Take is that it is supposed to automate failover and so save on downtime, but it does not look as if it is going to do that.

Does this mean the only way to get external mail to work after we fail over is to go into the firewall and change the IP address of the mail server?
Chris Dent

(This solution is only available to Experts Exchange members.)

Birdsemple

The older version did take on the IP address, but we were told to use the Application Manager for the Exchange Server as we had some problems with not being able to send external mail. Now we have changed over we can't send or receive mail; isn't progress a wonderful thing?

Thanks for your help Chris, it looks as though we can at least get around the problem, even if we won't be able to automate it.