Solved

Enable two SMTP servers on PIX

Posted on 2009-12-22
233 Views
Last Modified: 2012-05-08
Scenario:

Internet Router <-----> PIX <-----> ISA1 <-----> Exch1
                                    ISA2 <-----> Exch2

Dear Sirs, due to the necessity of changing our domain, I want to implement the scenario above.
I have installed the setup on line 1 and it works fine; then I want to add a second ISA and a second Exchange. I tried just copying the configuration from 1 to 2 with the correct IPs, but there is no email flowing between the two domains.
Question by: candacosta
7 Comments
 
LVL 13

Expert Comment

by: p_nuts

Do you mean that the PIX should use two SMTP servers, or that you want to enable SMTP traffic to flow to two different SMTP servers?
If the latter: in which direction do you want to allow the traffic to flow, and do you have multiple external IP addresses?

Author Comment

by: candacosta

Yes, I want the PIX to use two different SMTP servers.

Canda
LVL 4

Expert Comment

by: periferral

Can you post the existing configuration of the working SMTP server? You can change the IPs so as not to reveal your network information.

Author Comment

by: candacosta

First of all I want to say that, for test purposes, to avoid any problems from the firewall (ISA 2006), all traffic is enabled.
PIX Configuration:
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names

access-list exchange permit tcp any host xx.x.x.3 eq smtp ---- ACL for the SMTP server that does not work
access-list exchange permit tcp any host xx.x.x.7 eq smtp ---- ACL for the SMTP server that works

pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500

ip address outside xx.x.x.x 255.255.255.0
ip address inside xxx.xxx.xxx.x 255.255.255.0
ip address intf2 xxx.xxx.xxx.x 255.255.255.0

ip audit info action alarm
ip audit attack action alarm reset
pdm location xxx.xxx.xxx.x 255.255.255.0 inside
pdm location xxx.xxx.xxx.x 255.255.255.0 inside
pdm history enable
arp timeout 14400

global (outside) 1 xx.x.x.x

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp xx.x.x.3 smtp xxx.xxx.xxx.x smtp netmask 255.255.255.255 ---- static translation for the SMTP server that does not work

static (inside,outside) tcp xx.x.x.7 smtp xxx.xxx.xxx.x smtp netmask 255.255.255.255 ---- static translation for the SMTP server that works

access-group exchange in interface outside

route outside 0.0.0.0 0.0.0.0 xx.x.x.x ---- route to the end router

route inside 192.xxx.xxx.0 255.255.255.0 192.xxx.xxx.x ---- route to ISA1

route inside 192.xxx.xxx.0 255.255.255.0 192.xxx.xxx.x ---- route to ISA2

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http xxx.xxx.xxx.0 255.255.255.0 inside
http xxx.xxx.xxx.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
telnet 192.xxx.xxx.0 255.255.255.0 inside
telnet 192.xxx.xxx.0 255.255.255.0 inside
telnet timeout 30
ssh timeout 30
console timeout 0

Author Comment

by: candacosta

Just to be clearer, we have in place a configuration called "back-to-back firewall": ISA behind the PIX.

Thanks,

Canda
LVL 4

Accepted Solution

by: periferral (earned 500 total points)

Two things.
One, you might want to enable the SMTP fixup:
fixup protocol smtp 25

Second:
route inside 192.xxx.xxx.0 255.255.255.0 192.xxx.xxx.x ---- route to ISA1
route inside 192.xxx.xxx.0 255.255.255.0 192.xxx.xxx.x ---- route to ISA2

Are the two 192 subnets different? It is unclear from the route statements. If they are the same, then it won't work; it will probably do a first match.

The rest of your configuration looks okay to me.
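The two checks in the accepted answer (the same subnet repeated in both "route inside" statements, and the state of the SMTP fixup), together with the static/ACL pairing the posted config relies on, can be checked mechanically before touching the box. The script below is an added example by the editor, not code from the original thread or from Cisco. It reads a PIX 6.x-style config and reports: a duplicate route prefix on one interface; an SMTP static whose inside address is not covered by any route on the inside interface (the symptom described above: translation and ACL present, second server still unreachable); a static with no matching access-list entry; the "fixup protocol smtp" setting; and a default SNMP community string. The two sample configs are constructed with RFC 5737 / RFC 1918 placeholder addresses and assume the same static/route/access-list syntax as the posted config; the first repeats the mistake the answer suspects, the second uses a distinct subnet behind each ISA.

```python
"""Lint a PIX 6.x-style configuration for the problems discussed in the thread.

Added example; the sample configs below are constructed with placeholder
addresses and are not the original poster's configuration.
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict

# Constructed config reproducing the suspected symptom: both "route inside"
# statements name the same subnet, so the second server's inside address
# (192.168.20.25) has no route on the inside interface.
BROKEN_CONFIG = """\
no fixup protocol smtp 25
access-list exchange permit tcp any host 203.0.113.3 eq smtp
access-list exchange permit tcp any host 203.0.113.7 eq smtp
static (inside,outside) tcp 203.0.113.3 smtp 192.168.10.25 smtp netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.7 smtp 192.168.20.25 smtp netmask 255.255.255.255
access-group exchange in interface outside
route outside 0.0.0.0 0.0.0.0 203.0.113.1
route inside 192.168.10.0 255.255.255.0 10.10.0.2
route inside 192.168.10.0 255.255.255.0 10.10.0.3
snmp-server community public
"""

# Same config with a distinct subnet behind each ISA and a non-default
# read community string (placeholder value).
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "route inside 192.168.10.0 255.255.255.0 10.10.0.3",
    "route inside 192.168.20.0 255.255.255.0 10.10.0.3",
).replace("snmp-server community public", "snmp-server community s3cr3tRO")

# Patterns assume the PIX 6.x syntax shown in the posted config.
STATIC_RE = re.compile(
    r"^static \((?P<inside>\w+),(?P<outside>\w+)\) tcp (?P<oip>\S+) (?P<osvc>\S+) "
    r"(?P<iip>\S+) (?P<isvc>\S+) netmask \S+$"
)
ROUTE_RE = re.compile(r"^route (?P<iface>\w+) (?P<net>\S+) (?P<mask>\S+) (?P<nh>\S+)")
ACL_RE = re.compile(r"^access-list (?P<name>\S+) permit tcp any host (?P<host>\S+) eq (?P<svc>\S+)")


def lint_pix(config: str) -> list[tuple[str, str]]:
    """Return (code, message) findings for a PIX config text."""
    findings: list[tuple[str, str]] = []
    statics: list[tuple[str, str, str, str]] = []  # (inside_if, outside_ip, svc, inside_ip)
    acl_hosts: set[tuple[str, str]] = set()        # (outside_ip, svc) permitted inbound
    routes: dict[str, list[tuple[ipaddress.IPv4Network, str]]] = defaultdict(list)
    smtp_fixup = None

    for raw in config.splitlines():
        line = raw.strip()
        if line == "fixup protocol smtp 25":
            smtp_fixup = True
        elif line == "no fixup protocol smtp 25":
            smtp_fixup = False
        elif m := STATIC_RE.match(line):
            statics.append((m["inside"], m["oip"], m["osvc"], m["iip"]))
        elif m := ROUTE_RE.match(line):
            net = ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False)
            routes[m["iface"]].append((net, m["nh"]))
        elif m := ACL_RE.match(line):
            acl_hosts.add((m["host"], m["svc"]))
        elif line.startswith("snmp-server community "):
            if line.split()[-1].lower() in {"public", "private"}:
                findings.append(("SNMP_DEFAULT_COMMUNITY", line))

    if smtp_fixup is False:
        findings.append(("SMTP_FIXUP_OFF", "no fixup protocol smtp 25 (Mailguard disabled)"))

    # Two routes on one interface for the same prefix but different next hops:
    # only one of them can be used, so one ISA is unreachable.
    for iface, entries in routes.items():
        seen: dict[ipaddress.IPv4Network, str] = {}
        for net, nh in entries:
            if net in seen and seen[net] != nh:
                findings.append(("DUP_ROUTE", f"route {iface} {net} via {seen[net]} and {nh}"))
            seen.setdefault(net, nh)

    # Each static needs an inbound permit on the outside and a route to the
    # inside address on the interface it maps to.
    for inside_if, oip, svc, iip in statics:
        if (oip, svc) not in acl_hosts:
            findings.append(("STATIC_NO_ACL", f"static {oip} {svc} has no permit entry"))
        covered = any(ipaddress.ip_address(iip) in net for net, _ in routes.get(inside_if, []))
        if not covered:
            findings.append(("STATIC_UNROUTED", f"static {oip} -> {iip}: no route {inside_if} covers {iip}"))
    return findings


def codes(config: str) -> set[str]:
    """Just the finding codes, for quick comparison of two configs."""
    return {code for code, _ in lint_pix(config)}


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {name} ==")
        for code, msg in lint_pix(cfg):
            print(f"{code}: {msg}")
```

Run it directly to print the findings for both configs; the broken one yields DUP_ROUTE and STATIC_UNROUTED for the second server, the fixed one only reports the fixup state. One caveat on the fixup suggestion: on PIX 6.x "fixup protocol smtp 25" is Mailguard, which permits only the seven RFC 821 commands and rejects ESMTP commands such as EHLO (clients fall back to plain SMTP), which is the usual reason administrators turn it off in front of Exchange; the script therefore reports the setting rather than insisting on it. It also flags the "snmp-server community public" line present in the posted config, since a guessable read community string hands the interface and routing tables to anyone who can reach the inside interface.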
