Solved

Inbound SMTP Traffic through PIX515

Posted on 2008-10-06
421 Views
Last Modified: 2011-10-03
I am having a very odd intermittent problem with my PIX515 firewall.  The architecture is as follows.  

I have a full T1 connection that's protected by a PIX 515 firewall.  This firewall has 3 interfaces (Inside, Outside, DMZ).  On the inside interface the firewall is plugged into a Cisco CAT4507 switch.  Also on that switch is a Sonicwall Email Security 200 appliance for SPAM filtering.  The Sonicwall is on the "internal" corporate network (no separate VLANs or other firewalls involved).  The Sonicwall scans the email and then forwards it on to a corporate Exchange server, again on the same internal network.

Almost on a daily basis, but not at definable intervals, we are unable to receive inbound SMTP traffic through the firewall.  A telnet from the outside to the NAT mail interface on port 25 fails (when mail is flowing the SMTP telnet is normal; no fixup/mailguard is enabled).  HOWEVER, when mail is not flowing, a telnet to port 25 of the Email Security Appliance INSIDE the firewall is fine, as is all outbound SMTP traffic and the http/https management utilities on the device.  Inbound is the only thing affected.  A hard reboot of the Email Security Device usually gets things up and running again.

I'm getting a lot of finger pointing back and forth but haven't had much luck...

Any ideas?
Question by:jaysin144
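The test the poster describes (telnet to port 25 from outside the PIX, then from inside) is the right one, but a bare telnet only tells you whether the TCP handshake completed. The accepted answer further down is that the appliance's SMTP daemon was hanging under CPU load, and a hung daemon looks different from a firewall drop: the TCP connect succeeds because the kernel still accepts the socket, but the 220 greeting never arrives. The script below is an added example written for this thread, not code from the original post, from Cisco or from SonicWALL. It probes both legs, waits for the SMTP banner, and classifies the result as "firewall/NAT leg" or "daemon hung on the appliance". Hostnames, ports and the fake SMTP listeners are assumptions and constructed fixtures so the script runs offline; in production you would point `diagnose()` at the public NAT address and the appliance's inside address.

```python
"""Classify an inbound-SMTP failure: dropped by the firewall/NAT, refused by
the host, or accepted by the host but never greeted (hung SMTP daemon).

Added example for this thread, not the original poster's code. The fake
listeners at the bottom are constructed test fixtures, not real mail servers.
"""
import socket
import threading


def probe_smtp(host, port=25, timeout=5.0):
    """Return (verdict, detail) for one SMTP endpoint.

    verdict:
      'connect_timeout' - SYN never answered; typical of an ACL/NAT drop
      'connect_refused' - RST came back; host up, nothing listening
      'banner_timeout'  - handshake completed but no greeting: the daemon
                          behind the socket is wedged (what a CPU-starved
                          appliance looks like from outside)
      'bad_banner'      - something answered, but not an SMTP 220 line
      'ok'              - 220 greeting received (returned in detail)
      'connect_error'   - any other socket error (returned in detail)
    """
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "connect_timeout", None
    except ConnectionRefusedError:
        return "connect_refused", None
    except OSError as e:
        return "connect_error", str(e)
    with s:
        s.settimeout(timeout)
        try:
            data = s.recv(512)
        except socket.timeout:
            return "banner_timeout", None
        except OSError as e:
            return "connect_error", str(e)
        line = data.decode("ascii", "replace").strip()
        if line.startswith("220"):
            try:
                s.sendall(b"QUIT\r\n")  # be polite to the real server
            except OSError:
                pass
            return "ok", line
        return "bad_banner", line


def diagnose(outside, inside, timeout=5.0):
    """Probe the public NAT address and the inside address ((host, port) each)
    and say which leg of the path failed."""
    out_v, _ = probe_smtp(*outside, timeout=timeout)
    in_v, _ = probe_smtp(*inside, timeout=timeout)
    if out_v == "ok" and in_v == "ok":
        return "mail path healthy"
    if in_v == "ok":
        return "inside OK, outside %s: firewall/NAT leg" % out_v
    if in_v == "banner_timeout":
        return "inside accepts TCP but never greets: SMTP daemon hung on the appliance"
    return "inside %s, outside %s: appliance/host problem" % (in_v, out_v)


def start_fake_smtp(banner=b"220 mx.example.test ESMTP ready\r\n", hang=False):
    """Constructed fixture: a listener on 127.0.0.1 that either greets
    normally or accepts the connection and never says anything (hung daemon).
    Returns the ephemeral port it is bound to."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                if not hang:
                    conn.sendall(banner)
                try:
                    conn.recv(64)  # hold the socket until the client gives up
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_port():
    """Constructed fixture: a local port with nothing listening on it."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    import sys
    # usage: python probe.py <public-nat-ip> <inside-ip>   (hosts are assumptions)
    outside_host, inside_host = sys.argv[1], sys.argv[2]
    print(diagnose((outside_host, 25), (inside_host, 25)))
```

Run it from a host that can reach both addresses (or from two vantage points and compare). A "banner_timeout" on the inside leg is the signature of the condition the thread ends with; "inside OK, outside connect_timeout" is the signature of a translation or ACL problem on the PIX, which is where `show xlate` and `clear xlate` would actually help.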
14 Comments
 
LVL 4

Expert Comment

by:ckozloski
ID: 22649865
Have you checked for an IOS upgrade for that PIX? It almost sounds like your xlates are getting trashed. I would check that first.
 

Author Comment

by:jaysin144
ID: 22649983
I think that 8.0(3) is one of the newest releases.  
 
LVL 4

Expert Comment

by:ckozloski
ID: 22650015
What kind of traffic volume are you pushing through your T1? Does this seem to be happening during peak work times throughout the day?
It could be a bandwidth issue. I had an issue similar to that which caused severe service issues because we were overrunning our T1.
 

Author Comment

by:jaysin144
ID: 22650030
It happens in the middle of the night, during the day, on weekends.  Sometimes during high utilization periods, but more often than not during times where there is NO utilization.
 
LVL 4

Expert Comment

by:ckozloski
ID: 22650074
The one thing that doesn't make sense to me is that if this is a firewall problem, then rebooting the email device wouldn't correct the problem.
Are there any log entries in the email device when this happens?
 

Author Comment

by:jaysin144
ID: 22650115
That's what I thought, but sure enough it happens every time.  I think there might be something to your xlate comment though.  When we bring that device back up, it's going to re-establish the xlates, right?  Next time it happens I'm going to try clearing the xlates to see if that brings the connection back up.

Logging on both sides really does not show anything.  As far as the Sonicwall is concerned everything is just fine.
 
LVL 4

Expert Comment

by:ckozloski
ID: 22650173
Yes, it should reset all your xlates when you reset the device.
 

Author Comment

by:jaysin144
ID: 22677239
Well, clearing the xlates didn't do anything.  Anyone else have any other ideas on this issue?  I'm at a loss.  We had normal mail flow for almost 36 hours, but it bailed at 5AM this morning.
 
LVL 4

Expert Comment

by:ckozloski
ID: 22678055
How do you have NAT configured on the PIX? Are you using a 1-to-1 translation for that mail device?
Is there anything in the PIX logs for traffic to that IP when it goes down like that?
 

Author Comment

by:jaysin144
ID: 22678111

I attached a snip of config from the PIX.

I don't see anything out of the ordinary in the logs during the time when the mail stops.  It just does, and as far as the firewall is concerned we get nothing...

    object-group service DM_INLINE_TCP_4 tcp
     port-object eq https
     port-object eq smtp
     port-object eq www
    access-list outside_access_in extended permit tcp any host x.x.x.x object-group DM_INLINE_TCP_4
 
LVL 4

Expert Comment

by:ckozloski
ID: 22678233
Ok. Well that's your ACL and object group for those services you created to allow the traffic inbound. But my question is actually about the NAT translation that is happening.
Based on your question, you are using a private IP for the Sonicwall Email device. So I am assuming that you are NAT'ing a public IP to that private address via the PIX. Correct?
If that is the way it is configured, you should have a static NAT rule set up to point the public IP to the private IP. Check out this article:
http://supportwiki.cisco.com/ViewWiki/index.php/How_to_configure_static_NAT_/_static_PAT_command_in_the_PIX%2C_ASA_and_FWSM
How are you accomplishing this in the PIX? You should have a config line in there somewhere that shows your NAT / PAT rules.
 

Author Comment

by:jaysin144
ID: 22678324
My bad, I just forgot to paste the NAT rule... We have a 1-to-1 static NAT mapping, so it really is pretty simple on that end...

    name x.x.x.x Internal-Emailsecurity
    name p.p.p.p Public-EmailSecurity
    static (inside,outside) Public-EmailSecurity Internal-Emailsecurity netmask 255.255.255.255
 
LVL 4

Expert Comment

by:ckozloski
ID: 22678359
Honestly, I'd start checking the simple stuff like the ports and the cables to make sure you don't have a bad or loose cable that could be causing the problem.
 

Accepted Solution

by: jaysin144 (earned 0 total points)
ID: 25260453
Manufacturer made some changes to the device to decrease CPU load.  Appears to have been causing the issues, since they have not returned since.  First level support pointed fingers; senior support admitted, yeah, it's a CPU load issue that hangs the SMTP daemon they use...
