Solved

PIX 525 Email not going

Posted on 2010-04-07
418 Views
Last Modified: 2012-06-22
I have just set up some new rules for my PIX and I cannot get email to flow through to the destination server.


Please help.
: Saved
:
PIX Version 7.2(4) 
!
hostname pixfirewall
domain-name iteal.local
enable password iMJCYSF9e3ba/od. encrypted
passwd iMJCYSF9e3ba/od. encrypted
names
!
interface Ethernet0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 209.xxx.xxx.5 255.255.255.0 
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0 
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 domain-name iteal.local
object-group service RDP tcp-udp
 port-object eq 3389
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
 port-object eq smtp
 port-object eq telnet
object-group service DM_INLINE_TCP_2 tcp
 port-object eq ftp
 port-object eq www
 port-object eq https
object-group service RIM tcp
 port-object eq 3101
object-group service DM_INLINE_TCP_3 tcp
 group-object RDP
 port-object eq www
 port-object eq https
access-list outside_access_in extended permit tcp any host 209.xxx.xxx.12 object-group DM_INLINE_TCP_1 
access-list outside_access_in extended permit tcp any host 209.xxx.xxx.15 object-group DM_INLINE_TCP_2 
access-list outside_access_in extended permit tcp any host 209.xxx.xxx.21 eq 3101 
access-list outside_access_in extended permit tcp any host 209.xxx.xxx.20 eq 5000 
access-list outside_access_in extended permit object-group TCPUDP any host 209.xxx.xxx.16 eq 3389 
access-list ITEA-VPN_splitTunnelAcl standard permit 10.10.10.0 255.255.255.0 
access-list test1234_splitTunnelAcl standard permit 10.10.10.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.10.0.0 255.255.0.0 
pager lines 24
logging enable
logging monitor informational
logging asdm informational
logging mail informational
mtu outside 1500
mtu inside 1500
ip local pool ITEA-VPN-POOL 10.10.10.200-10.10.10.225 mask 255.255.255.0
ip local pool test 10.10.10.226-10.10.10.250 mask 255.255.255.0
no failover
monitor-interface outside
monitor-interface inside
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) tcp 209.xxx.xxx.12 smtp 10.10.10.12 smtp netmask 255.255.255.255 
static (inside,outside) tcp 209.xxx.xxx.15 www 10.10.10.15 www netmask 255.255.255.255 
static (inside,outside) tcp 209.xxx.xxx.20 3101 10.10.10.20 5000 netmask 255.255.255.255 
static (inside,outside) tcp 209.xxx.xxx.21 3101 10.10.10.21 3101 netmask 255.255.255.255 
static (inside,outside) tcp 209.xxx.xxx.16 3389 10.10.10.16 3389 netmask 255.255.255.255 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 209.xxx.xxx.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
no eou allow clientless
http server enable
http 0.0.0.0 0.0.0.0 inside
http 209.xxx.xxx.5 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group7
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 7
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
group-policy test1234 internal
group-policy test1234 attributes
 wins-server value 10.10.10.10 10.10.10.11
 dns-server value 10.10.10.10 10.10.10.11
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value test1234_splitTunnelAcl
 default-domain value ITEA
group-policy ITEA-VPN internal
group-policy ITEA-VPN attributes
 wins-server value 10.10.10.10 10.10.10.11
 dns-server value 10.10.10.10 10.10.10.11
 vpn-tunnel-protocol IPSec 
 group-lock value ITEA-VPN
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ITEA-VPN_splitTunnelAcl
 default-domain value itea.local
username jkesoglou password Tj1TtUiOdoTXy7ai encrypted privilege 15
username jkesoglou attributes
 vpn-group-policy test1234
 vpn-tunnel-protocol IPSec 
tunnel-group ITEA-VPN type ipsec-ra
tunnel-group ITEA-VPN general-attributes
 address-pool ITEA-VPN-POOL
 default-group-policy ITEA-VPN
 authorization-required
tunnel-group ITEA-VPN ipsec-attributes
 pre-shared-key *
tunnel-group test1234 type ipsec-ra
tunnel-group test1234 general-attributes
 address-pool test
 default-group-policy test1234
tunnel-group test1234 ipsec-attributes
 pre-shared-key *
!
class-map class_sip_udp
 match port udp eq sip
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect netbios 
  inspect sunrpc 
  inspect xdmcp 
 class class_sip_udp
  inspect sip 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:1288e5adf83094b7bdb59c4fe3d2ed5a
: end
asdm image flash:/asdm-524.bin
asdm location 209.xxx.xxx.20 255.255.255.255 inside
asdm location 10.10.10.20 255.255.255.255 inside
asdm location 209.xxx.xxx.16 255.255.255.255 inside
asdm location 209.xxx.xxx.21 255.255.255.255 inside
asdm location 209.xxx.xxx.15 255.255.255.255 inside
asdm location 10.10.10.16 255.255.255.255 inside
asdm location 10.10.10.15 255.255.255.255 inside
asdm location 10.10.10.21 255.255.255.255 inside
no asdm history enable

Question by:johnkesoglou
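An added example, not part of the question or of any comment in the thread: a small Python checker that cross-references the outside_access_in permits above with the static port forwards. When a forwarded service does not answer, the first thing to verify is that every (outside host, port) the ACL permits has a static translating it, and that every static is actually permitted. The config excerpt inside the script is constructed from the posted configuration (object groups, the inbound ACL and the statics only, with the same masked 209.xxx.xxx.N addresses); the port keyword-to-number mapping is assumed.

```python
"""Cross-check PIX inbound access-list entries against static port forwards.

Added example, not from the thread. It pairs each (outside host, port) that
outside_access_in permits with the static (inside,outside) translation for
that host/port. Permitted-but-untranslated and translated-but-unpermitted
traffic both fail silently, so both directions are reported.
"""
import re

# Assumed name-to-number mapping for the port keywords this config uses.
PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "www": 80, "https": 443}

# Constructed excerpt of the question's config (addresses masked as posted).
CONFIG_EXCERPT = """\
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
 port-object eq smtp
 port-object eq telnet
object-group service DM_INLINE_TCP_2 tcp
 port-object eq ftp
 port-object eq www
 port-object eq https
access-list outside_access_in extended permit tcp any host 209.xxx.xxx.12 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any host 209.xxx.xxx.15 object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit tcp any host 209.xxx.xxx.21 eq 3101
access-list outside_access_in extended permit tcp any host 209.xxx.xxx.20 eq 5000
access-list outside_access_in extended permit object-group TCPUDP any host 209.xxx.xxx.16 eq 3389
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.10.0.0 255.255.0.0
static (inside,outside) tcp 209.xxx.xxx.12 smtp 10.10.10.12 smtp netmask 255.255.255.255
static (inside,outside) tcp 209.xxx.xxx.15 www 10.10.10.15 www netmask 255.255.255.255
static (inside,outside) tcp 209.xxx.xxx.20 3101 10.10.10.20 5000 netmask 255.255.255.255
static (inside,outside) tcp 209.xxx.xxx.21 3101 10.10.10.21 3101 netmask 255.255.255.255
static (inside,outside) tcp 209.xxx.xxx.16 3389 10.10.10.16 3389 netmask 255.255.255.255
"""


def port_num(token):
    """Translate a PIX port keyword or number to an integer."""
    return PORT_NAMES.get(token) or int(token)


def parse_config(text):
    """Return (acl_entries, statics): [(acl, host, {ports})], [(oip, oport, iip, iport)]."""
    groups, acl, statics, current = {}, [], [], None
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("object-group service "):
            current = line.split()[2]
            groups[current] = set()
        elif line.startswith(" port-object eq ") and current:
            groups[current].add(port_num(line.split()[-1]))
        elif line.startswith(" group-object ") and current:
            groups[current] |= groups.get(line.split()[-1], set())
        elif line.startswith("access-list ") and " extended permit " in line:
            # Only entries aimed at one outside host with a port spec matter here.
            m = re.search(r"host (\S+) (?:eq (\S+)|object-group (\S+))$", line)
            if m:
                ports = {port_num(m.group(2))} if m.group(2) else groups.get(m.group(3), set())
                acl.append((line.split()[1], m.group(1), ports))
        elif line.startswith("static (inside,outside) tcp "):
            t = line.split()
            statics.append((t[3], port_num(t[4]), t[5], port_num(t[6])))
        elif not line.startswith(" "):
            current = None  # left the object-group block
    return acl, statics


def cross_check(acl, statics, acl_name="outside_access_in"):
    """Pair ACL permits with statics; return a list of (kind, host, port, detail)."""
    permitted = {(h, p) for name, h, ports in acl if name == acl_name for p in ports}
    forwarded = {(o, op): (i, ip) for o, op, i, ip in statics}
    out = []
    for host, port in sorted(permitted):
        if (host, port) in forwarded:
            out.append(("ok", host, port, "translated to %s:%d" % forwarded[(host, port)]))
        else:
            out.append(("permit-without-static", host, port,
                        "permitted inbound but no static translates it; dropped"))
    for (host, port), inside in sorted(forwarded.items()):
        if (host, port) not in permitted:
            out.append(("static-without-permit", host, port,
                        "static to %s:%d exists but %s never permits it" % (*inside, acl_name)))
    return out


if __name__ == "__main__":
    for kind, host, port, detail in cross_check(*parse_config(CONFIG_EXCERPT)):
        print(f"{kind:22} {host}:{port:<5} {detail}")
```

Run against this config, the checker reports the SMTP pair as consistent (the ACL permits 209.xxx.xxx.12 port 25 and a static translates it to 10.10.10.12 port 25), which agrees with the first expert comment. It also lists the ACL ports for .12 (www, https, telnet) and .15 (ftp, https) that have no static behind them, and flags that the two .20 entries disagree on the outside port: the ACL permits 5000 while the static translates 3101. None of that touches mail, but it is exactly the kind of mismatch that keeps a forwarded service dark while every rule looks right on its own.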
4 Comments
 
LVL 3

Expert Comment

by:zwart072
ID: 30098975
Your configuration regarding access-lists and static NAT rules seems OK. Did you enable the inspect smtp rule also? You can do this under
policy-map global_policy
 class inspection_default
  inspect netbios
  inspect sunrpc
  inspect xdmcp
  inspect smtp
 
LVL 3

Expert Comment

by:zwart072
ID: 30099077
Or inspect esmtp.
 
LVL 3

Accepted Solution

by:dixson_almeida (earned 2000 total points)
ID: 30101231
Have you configured an outbound access list? Telnet to one of the MX IPs for a domain that you send messages to regularly and check!
 

Author Comment

by:johnkesoglou
ID: 30143587
I am able to send out emails; however, I can't telnet to my mail.domain.com.

Send me an example of the command line so I can structure it.

Thanks
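An added example, not an answer posted in the thread: the scripted form of the "telnet to an MX on port 25" check that the accepted solution describes, written in Python so the result is a yes/no plus the reason it failed. The manual equivalent is `telnet mx.example.com 25` and waiting for a line starting with `220`. The script assumes the thing under test is plain TCP/25 reachability from the host it runs on; the MX hosts themselves come from a DNS lookup (`nslookup -type=mx <domain>`), which it does not do. The two helpers that start a throwaway listener on 127.0.0.1 are constructed only so the check can be exercised offline.

```python
"""Probe an SMTP endpoint the way 'telnet <host> 25' does, but scripted.

Added example (not posted in the thread). Separates "TCP never connected"
(ACL, NAT, route, or upstream port-25 filtering) from "connected but no 220
greeting" (the mail server itself), which is the distinction the manual
telnet test is meant to give you.
"""
import socket
import threading


def smtp_banner(host, port=25, timeout=5.0):
    """Connect to host:port and read the greeting.

    Returns (True, banner) when a '220' SMTP greeting arrives, otherwise
    (False, reason) saying where the check failed.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            data = sock.recv(512)
    except OSError as exc:  # refused, unreachable, or timed out
        return False, f"no connection to {host}:{port}: {exc}"
    banner = data.decode("ascii", "replace").strip()
    if banner.startswith("220"):
        return True, banner
    return False, f"connected to {host}:{port} but greeting was {banner!r}"


# --- constructed helpers so the check can be exercised offline ---------------

def serve_banner(banner):
    """Start a one-shot listener on 127.0.0.1 that sends `banner`; return its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        conn.sendall(banner.encode("ascii"))
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def closed_port():
    """Return a 127.0.0.1 port that nothing is listening on (bind, then release)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    import sys
    # Usage: python smtp_probe.py <host> [port]; with no arguments it probes
    # a local constructed listener so the script demonstrates itself.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else serve_banner("220 mx.example.test ESMTP\r\n")
    ok, detail = smtp_banner(target, port)
    print("REACHABLE" if ok else "FAILED", detail)
```

Reading the result: a "no connection" failure from an inside host means the outbound path is the problem (an outbound ACL, NAT, routing, or the ISP filtering port 25), while "connected but greeting was ..." means the far side answered and the firewall is not in the way. For the inbound direction in this question, run the same probe from a host outside the PIX against 209.xxx.xxx.12 port 25; a refused or timed-out connection there points at the ACL/static pair or at the server not listening on 10.10.10.12, not at the mail software.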
