• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 428

Inbound SMTP Traffic through PIX515

I am having a very odd intermittent problem with my PIX515 firewall.  The architecture is as follows.  

I have a full T1 connection that's protected by a PIX 515 firewall.  This firewall has 3 interfaces (Inside, Outside, DMZ).  On the inside interface the firewall is plugged into a Cisco CAT4507 switch.  Also on that switch is a Sonicwall Email Security 200 appliance for spam filtering.  The Sonicwall is on the "internal" corporate network (no separate VLANs or other firewalls involved).  The Sonicwall scans the email and then forwards it on to a corporate Exchange server, again on the same internal network.

Almost on a daily basis, but not at definable intervals, we are unable to receive inbound SMTP traffic through the firewall.  A telnet from the outside to the NAT mail interface on port 25 fails (when mail is flowing the SMTP telnet is normal; no fixup/mailguard is enabled).  HOWEVER, when mail is not flowing, a telnet to port 25 of the Email Security Appliance INSIDE the firewall is fine, as is all outbound SMTP traffic and the http/https management utilities on the device.  Inbound is the only thing affected.  A hard reboot of the Email Security device usually gets things up and running again.

I'm getting a lot of finger pointing back and forth but haven't had much luck...

Any ideas?
Asked by: jaysin144
1 Solution
 
ckozloski commented:
Have you checked for an IOS upgrade for that PIX? It almost sounds like your xlates are getting trashed. I would check that first.
0
 
jaysin144 (Author) commented:
I think that 8.0(3) is one of the newest releases.  
0
 
ckozloski commented:
What kind of traffic volume are you pushing through your T-1? Does this seem to be happening during peak work times throughout the day?
It could be a bandwidth issue. I had a similar issue that caused severe service issues because we were overrunning our T1.
0
 
jaysin144 (Author) commented:
It happens in the middle of the night, during the day, on weekends.  Sometimes during high utilization periods, but more often than not during times where there is NO utilization.
0
 
ckozloski commented:
The one thing that doesn't make sense to me is that if this is a firewall problem, then rebooting the email device wouldn't correct the problem.
Are there any log entries in the email device when this happens?
0
 
jaysin144 (Author) commented:
That's what I thought, but sure enough it happens every time.  I think there might be something to your xlate comment though.  When we bring that device back up, it's going to re-establish the xlates, right?  Next time it happens I'm going to try clearing the xlates to see if that brings the connection back up.

Logging on both sides really does not show anything.  As far as the sonicwall is concerned everything is just fine.  
0
 
ckozloski commented:
Yes, it should reset all your xlates when you reset the device.
0
 
jaysin144 (Author) commented:
Well, clearing the xlates didn't do anything.  Anyone else have any other ideas on this issue?  I'm at a loss.  We had normal mail flow for almost 36 hours, but it bailed at 5AM this morning.
0
 
ckozloski commented:
How do you have NAT configured on the PIX? Are you using a 1-to-1 translation for that mail device?
Is there anything in the PIX logs for traffic to that IP when it goes down like that?
0
 
jaysin144 (Author) commented:
I attached a snip of config from the PIX.

I don't see anything out of the ordinary in the logs during the time when the mail stops.  It just does, and as far as the firewall is concerned we get nothing...


object-group service DM_INLINE_TCP_4 tcp
 port-object eq https
 port-object eq smtp
 port-object eq www
access-list outside_access_in extended permit tcp any host x.x.x.x object-group DM_INLINE_TCP_4

0
 
ckozloski commented:
Ok. Well that's your ACL and object group for those services you created to allow the traffic inbound. But my question is actually about the NAT translation that is happening.
Based on your question, you are using a private IP for the Sonicwall Email device. So I am assuming that you are NAT'ing a public IP to that private address via the PIX. Correct?
If that is the way it is configured, you should have a static NAT rule set up to point the public IP to the private IP. Check out this article:
http://supportwiki.cisco.com/ViewWiki/index.php/How_to_configure_static_NAT_/_static_PAT_command_in_the_PIX%2C_ASA_and_FWSM
How are you accomplishing this in the PIX? You should have a config line in there somewhere that shows your NAT / PAT rules.
0
 
jaysin144 (Author) commented:
My bad, I just forgot to paste the NAT rule...  We have a 1-to-1 static NAT mapping, so it really is pretty simple on that end...

name x.x.x.x Internal-Emailsecurity
name p.p.p.p Public-EmailSecurity
static (inside,outside) Public-EmailSecurity Internal-Emailsecurity netmask 255.255.255.255


0
 
ckozloski commented:
Honestly, I'd start checking the simple stuff like the ports and the cables to make sure you don't have a bad or loose cable that could be causing the problem.
0
 
jaysin144 (Author) commented:
Manufacturer made some changes to the device to decrease CPU load.  Appears to have been causing the issues, since they have not returned since.  First level support pointed fingers; senior support admitted, yeah, it's a CPU load issue that hangs the SMTP daemon they use...
0
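The thread turned on one observation: a telnet to port 25 from outside "fails" while the appliance still answers on its management ports, and the root cause turned out to be a hung SMTP daemon rather than the PIX. A plain "connect succeeded / failed" check cannot separate those cases. The probe below, an added example written for this page and not code from the original post or from Sonicwall or Cisco, classifies what an SMTP client actually sees: SYN dropped (timeout), RST (refused), TCP accepted but no 220 greeting (daemon accepted in the kernel backlog but is not servicing it, which is what a CPU-starved daemon looks like), or a healthy banner. The built-in server is a constructed stand-in for the mail appliance with a "healthy" and a "hung" mode, so the script runs offline; hostnames, ports and greeting text are assumptions for the demo.

```python
import socket
import threading

# Assumed for the demo; production probes would target the public NAT address on
# TCP/25 from outside and the internal appliance address from inside.
DEMO_HOST = "127.0.0.1"


def probe_smtp(host, port, timeout=5.0):
    """Open TCP to host:port and classify the outcome the way a mail sender would.

    Returns one of:
      "timeout"       SYN never answered: dropped by an ACL, no xlate, or a black hole
      "refused"       RST on connect: nothing listening, or the firewall rejected it
      "no-banner"     handshake completed but no 220 greeting within the timeout
                      (kernel accepted into the listen backlog; the daemon is hung)
      "banner: 220.." healthy SMTP listener
      "unexpected: ." something answered, but not an SMTP greeting
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(512)
            except socket.timeout:
                return "no-banner"
            if not data:
                return "no-banner"  # peer closed without ever greeting us
            first = data.decode("ascii", "replace").splitlines()[0]
            if first.startswith("220"):
                return "banner: " + first
            return "unexpected: " + first
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:  # e.g. network unreachable
        return "error: " + str(exc)


class FakeSmtpServer:
    """Constructed stand-in for the mail appliance (not a real SMTP server).

    mode="healthy": sends a 220 greeting and closes.
    mode="hung":    accepts the TCP connection but never speaks, mimicking an
                    SMTP daemon starved of CPU while the kernel keeps completing
                    handshakes.
    """

    def __init__(self, mode):
        self.mode = mode
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((DEMO_HOST, 0))  # ephemeral port; read it back below
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self._stop = threading.Event()
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self):
        self.sock.settimeout(0.2)
        while not self._stop.is_set():
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            with conn:
                if self.mode == "healthy":
                    conn.sendall(b"220 mail.example.test ESMTP ready\r\n")
                else:
                    self._stop.wait(2.0)  # hold the socket open, say nothing

    def close(self):
        self._stop.set()
        self.thread.join()
        self.sock.close()


def demo():
    """Probe a healthy and a hung listener; returns {mode: classification}."""
    results = {}
    for mode in ("healthy", "hung"):
        srv = FakeSmtpServer(mode)
        try:
            results[mode] = probe_smtp(DEMO_HOST, srv.port, timeout=1.0)
        finally:
            srv.close()
    return results


if __name__ == "__main__":
    for mode, verdict in demo().items():
        print(f"{mode:8s} -> {verdict}")
```

Run it from outside against the public NAT address and from inside against the appliance address during an outage: "timeout" from outside with "banner" from inside points at the PIX (ACL, xlate or routing), while "no-banner" from both sides points at the appliance, as it did here. On the PIX itself, `show xlate` and `show conn` for the mail host will tell you whether the translation and the half-open connections exist while the daemon is silent.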
