Solved

Enable two SMTP servers on PIX

Posted on 2009-12-22
244 Views
Last Modified: 2012-05-08
Scenario:

Internet Router <-----> Pix <-----> ISA1 <-------> Exch1
                                    ISA2 <-------> Exch2

Dear Sirs, due to the necessity of changing our domain, I want to implement the scenario above.
I have installed the setup on line 1 and it works fine; now I want to add a second ISA and a second Exchange. I tried just copying the configuration from 1 to 2 with the correct IPs, but there is no email flowing between the two domains.
Question by:candacosta

7 Comments
LVL 13

Expert Comment

by:p_nuts
ID: 26103696
Do you mean that the PIX should use 2 SMTP servers, or that you want to enable SMTP traffic to flow to 2 different SMTP servers?
If you want the latter:
What direction do you want to allow the traffic to flow, and do you have multiple external IP addresses?
Author Comment

by:candacosta
ID: 26104835
Yes, I want the PIX to use 2 different SMTP servers.

Canda
LVL 4

Expert Comment

by:periferral
ID: 26107869
Can you post the existing configuration of the working SMTP server? You can change the IPs so as not to reveal your network information.

Author Comment

by:candacosta
ID: 26110390
First of all, I want to say that, for test purposes and to avoid any problem from the firewall (ISA 2006), all traffic is enabled.

PIX Configuration:
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names

access-list exchange permit tcp any host xx.x.x.3 eq smtp ---ACL to the SMTP server that does not work
access-list exchange permit tcp any host xx.x.x.7 eq smtp ---ACL to the SMTP server that works

pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500

ip address outside xx.x.x.x 255.255.255.0
ip address inside xxx.xxx.xxx.x 255.255.255.0
ip address intf2 xxx.xxx.xxx.x 255.255.255.0

ip audit info action alarm
ip audit attack action alarm reset
pdm location xxx.xxx.xxx.x 255.255.255.0 inside
pdm location xxx.xxx.xxx.x 255.255.255.0 inside
pdm history enable
arp timeout 14400

global (outside) 1 xx.x.x.x

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp xx.x.x.3 smtp xxx.xxx.xxx.x smtp netmask 255.255.255.255 ----Static translation for the SMTP server that is not working

static (inside,outside) tcp xx.x.x.7 smtp xxx.xxx.xxx.x smtp netmask 255.255.255.255 ----Static translation for the SMTP server that is working

access-group exchange in interface outside

route outside 0.0.0.0 0.0.0.0 xx.x.x.x ------ Route to EndRouter


route inside 192.xxx.xxx.0 255.255.255.0 192.xxx.xxx.x  -----Route to Isa1

route inside 192.xxx.xxx.0 255.255.255.0 192.xxx.xxx.x ------Route to Isa2

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http xxx.xxx.xxx.0 255.255.255.0 inside
http xxx.xxx.xxx.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
telnet 192.xxx.xxx.0 255.255.255.0 inside
telnet 192.xxx.xxx.0 255.255.255.0 inside
telnet timeout 30
ssh timeout 30
console timeout 0
Author Comment

by:candacosta
ID: 26110440
Just to be clearer, we have in place a configuration called "back-to-back firewall": ISA behind the PIX.

Thanks

Canda
LVL 4

Accepted Solution

by: periferral (earned 500 total points)
ID: 26119843
Two things.
One, you might want to enable SMTP fixup:
fixup protocol smtp 25

Second:
route inside 192.xxx.xxx.0 255.255.255.0 192.xxx.xxx.x  -----Route to Isa1
route inside 192.xxx.xxx.0 255.255.255.0 192.xxx.xxx.x ------Route to Isa2

Are the 2 192 subnets different? It is unclear from the route statements. If they are the same, then it won't work; it will probably do a first match.

The rest of your configuration looks okay to me.
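
The accepted answer's check (are the two "route inside" destinations actually different, and is SMTP fixup on?) can be scripted against the posted configuration. The following is an added example, not code from this thread or from Cisco: a small Python audit that parses the PIX 6.x line shapes seen above (fixup, access-list, ip address, static, route) and reports duplicate inside routes, static translations whose real inside address no inside route covers, ACL/static mismatches, and a disabled SMTP fixup. SAMPLE_CONFIG is a constructed stand-in using documentation-range addresses, not the poster's real configuration, and FIXED_CONFIG is the same text with the answer's two suggestions applied.

```python
"""Static audit of a Cisco PIX 6.x-style configuration for the problems raised
in this thread: two 'route inside' statements for the same destination (the
PIX uses the first match, so the second ISA is never reached), static
translations whose real (inside) address is unreachable through any inside
route, and a disabled SMTP fixup.
Added example, not the PIX's own tooling; SAMPLE_CONFIG is a constructed
stand-in with documentation-range addresses, not the poster's real config.
"""
import ipaddress
import re

# Constructed sample: two SMTP statics, but both inside routes point at the
# same 192.168.10.0/24 subnet, so the second Exchange (192.168.20.5) is unreachable.
SAMPLE_CONFIG = """\
no fixup protocol smtp 25
access-list exchange permit tcp any host 203.0.113.3 eq smtp
access-list exchange permit tcp any host 203.0.113.7 eq smtp
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
static (inside,outside) tcp 203.0.113.3 smtp 192.168.10.5 smtp netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.7 smtp 192.168.20.5 smtp netmask 255.255.255.255
access-group exchange in interface outside
route outside 0.0.0.0 0.0.0.0 203.0.113.1
route inside 192.168.10.0 255.255.255.0 10.0.0.2
route inside 192.168.10.0 255.255.255.0 10.0.0.3
"""

# The same constructed config with the accepted answer's two suggestions applied.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "no fixup protocol smtp 25", "fixup protocol smtp 25"
).replace(
    "route inside 192.168.10.0 255.255.255.0 10.0.0.3",
    "route inside 192.168.20.0 255.255.255.0 10.0.0.3",
)

ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)$")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) tcp (\S+) (\S+) (\S+) (\S+) netmask (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) permit tcp any host (\S+) eq (\S+)$")
IPADDR_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")


def parse_config(text):
    """Pull routes, statics, ACL host entries and interface subnets out of the config."""
    cfg = {"routes": [], "statics": [], "acl": [], "interfaces": {}, "smtp_fixup": True}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "no fixup protocol smtp 25":
            cfg["smtp_fixup"] = False
        elif (m := ROUTE_RE.match(line)):
            iface, net, mask, gw = m.groups()
            cfg["routes"].append((iface, ipaddress.ip_network(f"{net}/{mask}", strict=False), gw))
        elif (m := STATIC_RE.match(line)):
            _in_if, _out_if, mapped, mport, real, rport, _mask = m.groups()
            cfg["statics"].append((mapped, mport, real, rport))
        elif (m := ACL_RE.match(line)):
            cfg["acl"].append(m.groups())  # (acl name, mapped host, port)
        elif (m := IPADDR_RE.match(line)):
            iface, addr, mask = m.groups()
            cfg["interfaces"][iface] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return cfg


def audit(cfg):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []
    if not cfg["smtp_fixup"]:
        findings.append("SMTP fixup is disabled ('no fixup protocol smtp 25')")

    # Duplicate destinations: the PIX keeps the first route it matches, so a
    # second route for the same prefix with a different gateway is never used.
    first_gw = {}
    for iface, net, gw in cfg["routes"]:
        key = (iface, net)
        if key in first_gw and first_gw[key] != gw:
            findings.append(f"duplicate route {iface} {net} via {first_gw[key]} and {gw}: "
                            "only the first match is used")
        first_gw.setdefault(key, gw)

    inside_nets = [net for iface, net, _ in cfg["routes"] if iface == "inside"]
    if "inside" in cfg["interfaces"]:
        inside_nets.append(cfg["interfaces"]["inside"])  # directly connected subnet

    acl_hosts = {(host, port) for _, host, port in cfg["acl"]}
    for mapped, mport, real, _rport in cfg["statics"]:
        if (mapped, mport) not in acl_hosts:
            findings.append(f"static {mapped} {mport} has no permitting access-list entry")
        if not any(ipaddress.ip_address(real) in net for net in inside_nets):
            findings.append(f"static real address {real} is not covered by the inside "
                            "interface subnet or any 'route inside'")

    static_mapped = {(mapped, mport) for mapped, mport, _, _ in cfg["statics"]}
    for name, host, port in cfg["acl"]:
        if (host, port) not in static_mapped:
            findings.append(f"access-list {name} permits {host} {port} but no static exposes it")
    return findings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {label} ==")
        for finding in audit(parse_config(text)) or ["no findings"]:
            print(" -", finding)
```

Run it as a script to see three findings for the sample (disabled fixup, the duplicate inside route, and the second Exchange's real address left uncovered) and none for the fixed text. The parser only understands the handful of PIX 6.x line shapes that appear in this thread; other commands are ignored rather than flagged.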