Solved

Enable two smtp server on PIX

Posted on 2009-12-22
268 Views
Last Modified: 2012-05-08
Scenario:

Internet Router <-----> Pix <-----> ISA1 <-------> Exch1
                                    ISA2 <-------> Exch2

Dear Sirs, due to the necessity of changing our domain, I want to implement the scenario above.
I have installed the setup on line 1 and it works fine; now I want to add a second ISA and a second Exchange. I tried just copying the configuration from 1 to 2 with the correct IPs, but there is no email flowing between the two domains.
Question by:candacosta
7 Comments
 
LVL 13

Expert Comment

by:p_nuts
ID: 26103696
Do you mean that the PIX should use 2 SMTPs, or that you want to enable SMTP traffic to flow to 2 different SMTP servers?
If you want the latter:
What direction do you want to allow the traffic to flow, and do you have multiple external IP addresses?

Author Comment

by:candacosta
ID: 26104835
Yes, I want the PIX to use 2 different SMTP servers.

Canda
LVL 4

Expert Comment

by:periferral
ID: 26107869
Can you post the existing configuration of the working SMTP server? You can change the IPs so as not to reveal your network information.

Author Comment

by:candacosta
ID: 26110390
First of all I want to say that, for test purposes and to avoid any problem from the firewall (ISA 2006), all traffic is enabled.

PIX Configuration:
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names

access-list exchange permit tcp any host xx.x.x.3 eq smtp ---ACL to the SMTP server that does not work
access-list exchange permit tcp any host xx.x.x.7 eq smtp ---ACL to the SMTP server that works

pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500

ip address outside xx.x.x.x 255.255.255.0
ip address inside xxx.xxx.xxx.x 255.255.255.0
ip address intf2 xxx.xxx.xxx.x 255.255.255.0

ip audit info action alarm
ip audit attack action alarm reset
pdm location xxx.xxx.xxx.x 255.255.255.0 inside
pdm location xxx.xxx.xxx.x 255.255.255.0 inside
pdm history enable
arp timeout 14400

global (outside) 1 xx.x.x.x

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp xx.x.x.3 smtp xxx.xxx.xxx.x smtp netmask 255.255.255.255 ----Static translation for the SMTP server that is not working

static (inside,outside) tcp xx.x.x.7 smtp xxx.xxx.xxx.x smtp netmask 255.255.255.255 ----Static translation for the SMTP server that is working

access-group exchange in interface outside

route outside 0.0.0.0 0.0.0.0 xx.x.x.x ------ Route to EndRouter


route inside 192.xxx.xxx.0 255.255.255.0 192.xxx.xxx.x  -----Route to Isa1

route inside 192.xxx.xxx.0 255.255.255.0 192.xxx.xxx.x ------Route to Isa2

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http xxx.xxx.xxx.0 255.255.255.0 inside
http xxx.xxx.xxx.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
telnet 192.xxx.xxx.0 255.255.255.0 inside
telnet 192.xxx.xxx.0 255.255.255.0 inside
telnet timeout 30
ssh timeout 30
console timeout 0

Author Comment

by:candacosta
ID: 26110440
Just to be clearer, we have in place a configuration called "back-to-back firewall": ISA behind the PIX.

Thanks

Canda
LVL 4

Accepted Solution

by:
periferral earned 500 total points
ID: 26119843
Two things.
One, you might want to enable SMTP fixup:
fixup protocol smtp 25

Second:
route inside 192.xxx.xxx.0 255.255.255.0 192.xxx.xxx.x  -----Route to Isa1
route inside 192.xxx.xxx.0 255.255.255.0 192.xxx.xxx.x ------Route to Isa2

Are the 2 192 subnets different? It is unclear from the route statements. If they are the same, then it won't work; it will probably do a first match.

The rest of your configuration looks okay to me.
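A small added checker (not Cisco's code and not the asker's configuration) that applies the two points from this answer, plus the static/access-list pairing for each published SMTP address, to PIX 6.x-style config lines. The sample config and all addresses in it are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample modelled on the posted config (documentation addresses only);
# the duplicated route prefix mimics the ambiguity the accepted answer asks about.
SAMPLE_CONFIG = """
no fixup protocol smtp 25
access-list exchange permit tcp any host 203.0.113.3 eq smtp
access-list exchange permit tcp any host 203.0.113.7 eq smtp
static (inside,outside) tcp 203.0.113.3 smtp 192.168.20.10 smtp netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.7 smtp 192.168.10.10 smtp netmask 255.255.255.255
route inside 192.168.10.0 255.255.255.0 192.168.1.2
route inside 192.168.10.0 255.255.255.0 192.168.1.3
"""

STATIC_RE = re.compile(r"^static \(inside,outside\) tcp (\S+) smtp (\S+) smtp\b")
ACL_RE = re.compile(r"^access-list \S+ permit tcp any host (\S+) eq smtp$")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)")


def check_config(text):
    """Return findings about the SMTP publishing and routing lines of a PIX config."""
    findings, statics, acl_hosts = [], {}, set()
    routes = defaultdict(list)  # (interface, network) -> [next hops seen]
    for line in (ln.strip() for ln in text.splitlines()):
        if line == "no fixup protocol smtp 25":
            findings.append("SMTP fixup (Mail Guard) is disabled")
        elif m := STATIC_RE.match(line):
            statics[m.group(1)] = m.group(2)  # global (outside) ip -> inside ip
        elif m := ACL_RE.match(line):
            acl_hosts.add(m.group(1))
        elif m := ROUTE_RE.match(line):
            iface, net, mask, gw = m.groups()
            routes[(iface, ipaddress.ip_network(f"{net}/{mask}"))].append(gw)
    # Every published SMTP address needs both a static and an access-list permit.
    for ip in sorted(statics.keys() - acl_hosts):
        findings.append(f"static for {ip} has no access-list permit")
    for ip in sorted(acl_hosts - statics.keys()):
        findings.append(f"access-list permits {ip} but no static exists")
    # One prefix with two different next hops: only the first match will be used.
    for (iface, net), gws in routes.items():
        if len(set(gws)) > 1:
            findings.append(f"route {iface} {net} has conflicting next hops {sorted(set(gws))}")
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print(finding)
```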
