Solved

Inbound SMTP Traffic through PIX515

Posted on 2008-10-06
Last Modified: 2011-10-03
I am having a very odd intermittent problem with my PIX515 firewall. The architecture is as follows.

I have a full T1 connection that's protected by a PIX 515 firewall. This firewall has 3 interfaces (Inside, Outside, DMZ). On the inside interface the firewall is plugged into a Cisco CAT4507 switch. Also on that switch is a Sonicwall Email Security 200 appliance for SPAM filtering. The Sonicwall is on the "internal" corporate network (no separate VLANs or other firewalls involved). The Sonicwall scans the email, and then forwards on to a corporate Exchange server, again on the same internal network.

Almost on a daily basis, but not at definable intervals, we are unable to receive inbound SMTP traffic through the firewall. A telnet from the outside to the NAT mail interface on port 25 fails (when mail is flowing the SMTP telnet is normal; no fixup/mailguard is enabled). HOWEVER, when mail is not flowing, a telnet to port 25 of the Email Security Appliance INSIDE the firewall is fine, as is all outbound SMTP traffic, and the http/https management utilities on the device. Inbound is the only thing affected. A hard reboot of the Email Security Device usually gets things up and running again.

I'm getting a lot of finger pointing back and forth but haven't had much luck...

Any ideas?
Question by:jaysin144
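The manual test in the question (telnet to port 25 on the NAT'd public address from outside, and to the appliance's inside address from the LAN) can be scripted so that each outage is timestamped and logged rather than noticed by hand, which makes it possible to line the failures up against PIX syslog and the appliance's own logs. The script below is an added example for this thread, not code from the asker, Cisco or SonicWALL; it assumes bash (for /dev/tcp) and the coreutils `timeout` command on the probing hosts, and the p.p.p.p / x.x.x.x addresses in its comments are the thread's placeholders. The `verdict` function mirrors the reasoning in the thread: a 220 greeting from the inside address but none via the public address points at the inbound path (translation/connection state on the PIX, or the appliance's inbound listener) rather than at the appliance being completely down.

```shell
#!/usr/bin/env bash
# Added example, not part of the thread: automate the "telnet to port 25" test.
# Run "probe p.p.p.p" from a host OUTSIDE the PIX and "probe x.x.x.x" from a
# host on the LAN (both from cron), then combine the two latest states with
# "verdict". p.p.p.p / x.x.x.x are the thread's placeholders, not real hosts.

PROBE_TIMEOUT="${PROBE_TIMEOUT:-10}"   # seconds allowed for TCP connect + greeting
LOGFILE="${LOGFILE:-smtp-probe.log}"   # one line per probe, UTC timestamped

# banner_state GREETING -> ok | nobanner | unexpected
# A healthy SMTP listener sends a 220 greeting before the client says anything.
banner_state() {
  case "$1" in
    220*) echo ok ;;
    "")   echo nobanner ;;
    *)    echo unexpected ;;
  esac
}

# smtp_probe HOST [PORT] -> ok | nobanner | unexpected | down
# "down" means the TCP connect failed or nothing was established before the
# timeout; "nobanner" means the port accepted the connection but stayed silent,
# which is what a hung SMTP daemon behind a working NAT looks like.
smtp_probe() {
  out=$(timeout "$PROBE_TIMEOUT" bash -c '
      exec 3<>"/dev/tcp/$0/$1" || exit 2
      echo CONNECTED
      IFS= read -r line <&3 && printf "%s\n" "$line"
      printf "QUIT\r\n" >&3' "$1" "${2:-25}" 2>/dev/null)
  case "$out" in
    CONNECTED*) banner_state "$(printf '%s\n' "$out" | sed -n 2p)" ;;
    *)          echo down ;;
  esac
}

# verdict OUTSIDE_STATE INSIDE_STATE -> combined diagnosis
verdict() {
  case "$1/$2" in
    ok/ok) echo healthy ;;
    ok/*)  echo inside-vantage-problem ;;  # public path fine; the LAN probe host is the issue
    */ok)  echo inbound-path-broken ;;     # the thread's symptom: inside answers, public does not
    *)     echo appliance-not-answering ;; # no greeting from either side
  esac
}

# log_probe HOST [PORT] -> appends "<utc time> host=<h> state=<s>" to LOGFILE
# and returns 0 only when the state is ok, so cron/monitoring can alert on it.
log_probe() {
  s=$(smtp_probe "$1" "${2:-25}")
  printf '%s host=%s state=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$s" \
    | tee -a "$LOGFILE"
  [ "$s" = ok ]
}

# Usage:
#   outside host:  ./smtp-probe.sh probe p.p.p.p        (Public-EmailSecurity)
#   inside host:   ./smtp-probe.sh probe x.x.x.x        (Internal-Emailsecurity)
#   afterwards:    ./smtp-probe.sh verdict <outside state> <inside state>
case "${1:-}" in
  probe)   shift; for h in "$@"; do log_probe "$h"; done ;;
  verdict) verdict "$2" "$3" ;;
esac
```

Because the PIX does not let a LAN host reach the public address through its own translation, the two probes really do have to run from two vantage points; the log lines then show whether "outside down, inside ok" coincides with the times mail stops, which is the pattern the question describes.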
14 Comments
 
LVL 4

Expert Comment

by:ckozloski
ID: 22649865
Have you checked for an IOS upgrade for that PIX? It almost sounds like your xlates are getting trashed. I would check that first.

Author Comment

by:jaysin144
ID: 22649983
I think that 8.0(3) is one of the newest releases.  
LVL 4

Expert Comment

by:ckozloski
ID: 22650015
What kind of traffic volume are you pushing through your T-1? Does this seem to be happening during peak work times throughout the day?
It could be a bandwidth issue. I had an issue similar to that that caused severe service issues because we were overrunning our T1.

Author Comment

by:jaysin144
ID: 22650030
It happens in the middle of the night, during the day, on weekends. Sometimes during high utilization periods, but more often than not during times where there is NO utilization.
LVL 4

Expert Comment

by:ckozloski
ID: 22650074
The one thing that doesn't make sense to me is that if this is a firewall problem, then rebooting the email device wouldn't correct the problem.
Are there any log entries in the email device when this happens?

Author Comment

by:jaysin144
ID: 22650115
That's what I thought, but sure enough it happens every time. I think there might be something to your xlate comment though. When we bring that device back up, it's going to re-establish the xlates, right? Next time it happens I'm going to try clearing the xlates to see if that brings the connection back up.

Logging on both sides really does not show anything. As far as the Sonicwall is concerned everything is just fine.
LVL 4

Expert Comment

by:ckozloski
ID: 22650173
Yes, it should reset all your xlates when you reset the device.

Author Comment

by:jaysin144
ID: 22677239
Well, clearing the xlates didn't do anything. Anyone else have any other ideas on this issue? I'm at a loss. We had normal mail flow for almost 36 hours, but it bailed at 5AM this morning.
LVL 4

Expert Comment

by:ckozloski
ID: 22678055
How do you have NAT configured on the PIX? Are you using a 1-to-1 translation for that mail device?
Is there anything in the PIX logs for traffic to that IP when it goes down like that?

Author Comment

by:jaysin144
ID: 22678111

I attached a snip of code from the PIX.

I don't see anything out of the ordinary in the logs during the time when the mail stops. It just does, and as far as the firewall is concerned we get nothing...

object-group service DM_INLINE_TCP_4 tcp
 port-object eq https
 port-object eq smtp
 port-object eq www
access-list outside_access_in extended permit tcp any host x.x.x.x object-group DM_INLINE_TCP_4

LVL 4

Expert Comment

by:ckozloski
ID: 22678233
Ok. Well that's your ACL and object group for those services you created to allow the traffic inbound. But my question is actually about the NAT translation that is happening.
Based on your question, you are using a private IP for the Sonicwall Email device. So I am assuming that you are NAT'ing a public IP to that private address via the PIX. Correct?
If that is the way it is configured, you should have a static NAT rule set up to point the public IP to the private IP. Check out this article:
http://supportwiki.cisco.com/ViewWiki/index.php/How_to_configure_static_NAT_/_static_PAT_command_in_the_PIX%2C_ASA_and_FWSM
How are you accomplishing this in the PIX? You should have a config line in there somewhere that shows your NAT / PAT rules.

Author Comment

by:jaysin144
ID: 22678324
My bad, I just forgot to paste the NAT rule... We have a 1-to-1 static NAT mapping so it really is pretty simple on that end...

name x.x.x.x Internal-Emailsecurity
name p.p.p.p Public-EmailSecurity
static (inside,outside) Public-EmailSecurity Internal-Emailsecurity netmask 255.255.255.255

LVL 4

Expert Comment

by:ckozloski
ID: 22678359
Honestly, I'd start checking the simple stuff like the ports and the cables to make sure you don't have a bad or loose cable that could be causing the problem.

Accepted Solution

by:jaysin144 (earned 0 total points)
ID: 25260453
Manufacturer made some changes to the device to decrease CPU load. Appears to have been causing the issues, since they have not returned since. First level support pointed fingers; senior support admitted, yeah, it's a CPU load issue that hangs the SMTP daemon they use...
