Marka Mekapse

PIX 525 Email not going

I have just set up some new rules for my PIX and I cannot get email to flow through to the destination server.

Please help.
: Saved
:
PIX Version 7.2(4) 
!
hostname pixfirewall
domain-name iteal.local
enable password iMJCYSF9e3ba/od. encrypted
passwd iMJCYSF9e3ba/od. encrypted
names
!
interface Ethernet0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 209.xxx.xxx.5 255.255.255.0 
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0 
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 domain-name iteal.local
object-group service RDP tcp-udp
 port-object eq 3389
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
 port-object eq smtp
 port-object eq telnet
object-group service DM_INLINE_TCP_2 tcp
 port-object eq ftp
 port-object eq www
 port-object eq https
object-group service RIM tcp
 port-object eq 3101
object-group service DM_INLINE_TCP_3 tcp
 group-object RDP
 port-object eq www
 port-object eq https
access-list outside_access_in extended permit tcp any host 209.xxx.xxx.12 object-group DM_INLINE_TCP_1 
access-list outside_access_in extended permit tcp any host 209.xxx.xxx.15 object-group DM_INLINE_TCP_2 
access-list outside_access_in extended permit tcp any host 209.xxx.xxx.21 eq 3101 
access-list outside_access_in extended permit tcp any host 209.xxx.xxx.20 eq 5000 
access-list outside_access_in extended permit object-group TCPUDP any host 209.xxx.xxx.16 eq 3389 
access-list ITEA-VPN_splitTunnelAcl standard permit 10.10.10.0 255.255.255.0 
access-list test1234_splitTunnelAcl standard permit 10.10.10.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.10.0.0 255.255.0.0 
pager lines 24
logging enable
logging monitor informational
logging asdm informational
logging mail informational
mtu outside 1500
mtu inside 1500
ip local pool ITEA-VPN-POOL 10.10.10.200-10.10.10.225 mask 255.255.255.0
ip local pool test 10.10.10.226-10.10.10.250 mask 255.255.255.0
no failover
monitor-interface outside
monitor-interface inside
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) tcp 209.xxx.xxx.12 smtp 10.10.10.12 smtp netmask 255.255.255.255 
static (inside,outside) tcp 209.xxx.xxx.15 www 10.10.10.15 www netmask 255.255.255.255 
static (inside,outside) tcp 209.xxx.xxx.20 3101 10.10.10.20 5000 netmask 255.255.255.255 
static (inside,outside) tcp 209.xxx.xxx.21 3101 10.10.10.21 3101 netmask 255.255.255.255 
static (inside,outside) tcp 209.xxx.xxx.16 3389 10.10.10.16 3389 netmask 255.255.255.255 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 209.xxx.xxx.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
no eou allow clientless
http server enable
http 0.0.0.0 0.0.0.0 inside
http 209.xxx.xxx.5 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group7
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 7
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
group-policy test1234 internal
group-policy test1234 attributes
 wins-server value 10.10.10.10 10.10.10.11
 dns-server value 10.10.10.10 10.10.10.11
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value test1234_splitTunnelAcl
 default-domain value ITEA
group-policy ITEA-VPN internal
group-policy ITEA-VPN attributes
 wins-server value 10.10.10.10 10.10.10.11
 dns-server value 10.10.10.10 10.10.10.11
 vpn-tunnel-protocol IPSec 
 group-lock value ITEA-VPN
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ITEA-VPN_splitTunnelAcl
 default-domain value itea.local
username jkesoglou password Tj1TtUiOdoTXy7ai encrypted privilege 15
username jkesoglou attributes
 vpn-group-policy test1234
 vpn-tunnel-protocol IPSec 
tunnel-group ITEA-VPN type ipsec-ra
tunnel-group ITEA-VPN general-attributes
 address-pool ITEA-VPN-POOL
 default-group-policy ITEA-VPN
 authorization-required
tunnel-group ITEA-VPN ipsec-attributes
 pre-shared-key *
tunnel-group test1234 type ipsec-ra
tunnel-group test1234 general-attributes
 address-pool test
 default-group-policy test1234
tunnel-group test1234 ipsec-attributes
 pre-shared-key *
!
class-map class_sip_udp
 match port udp eq sip
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect netbios 
  inspect sunrpc 
  inspect xdmcp 
 class class_sip_udp
  inspect sip 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:1288e5adf83094b7bdb59c4fe3d2ed5a
: end
asdm image flash:/asdm-524.bin
asdm location 209.xxx.xxx.20 255.255.255.255 inside
asdm location 10.10.10.20 255.255.255.255 inside
asdm location 209.xxx.xxx.16 255.255.255.255 inside
asdm location 209.xxx.xxx.21 255.255.255.255 inside
asdm location 209.xxx.xxx.15 255.255.255.255 inside
asdm location 10.10.10.16 255.255.255.255 inside
asdm location 10.10.10.15 255.255.255.255 inside
asdm location 10.10.10.21 255.255.255.255 inside
no asdm history enable


zwart072

Your configuration regarding access-lists and static NAT rules seems OK. Did you enable the inspect smtp rule also? You can do this under
policy-map global_policy
 class inspection_default
  inspect netbios
  inspect sunrpc
  inspect xdmcp
  inspect smtp
or inspect esmtp
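The checks zwart072 does by eye above (do the static NAT entries line up with the outside access-list, and is esmtp/smtp inspection present in the policy-map) as an added Python example; this is not code from the thread or from Cisco. The config excerpt inside it is constructed from a few lines of the posted config, and the port-name table and the wording of the findings are my own assumptions.

```python
# Constructed excerpt modelled on the config posted in the question (not the
# full config); global addresses keep the question's 209.xxx.xxx.N masking.
SAMPLE_CONFIG = """\
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq smtp
access-list outside_access_in extended permit tcp any host 209.xxx.xxx.12 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any host 209.xxx.xxx.20 eq 5000
static (inside,outside) tcp 209.xxx.xxx.12 smtp 10.10.10.12 smtp netmask 255.255.255.255
static (inside,outside) tcp 209.xxx.xxx.20 3101 10.10.10.20 5000 netmask 255.255.255.255
access-group outside_access_in in interface outside
policy-map global_policy
 class inspection_default
  inspect netbios
"""
# PIX keyword ports used in the question's config, normalised to numbers (assumed table).
PORT_NAMES = {"smtp": "25", "www": "80", "https": "443", "ftp": "21", "telnet": "23"}
port = lambda p: PORT_NAMES.get(p, p)

def audit(config):
    """Return findings: unpermitted statics, port-translating statics, SMTP without esmtp inspect."""
    groups, acl, statics, inspects, cur, outside_acl = {}, {}, [], set(), None, None
    for w in (l.split() for l in config.splitlines() if l.strip()):
        if w[:2] == ["object-group", "service"]:
            cur = groups.setdefault(w[2], set())          # start collecting this group's ports
        elif w[0] == "port-object" and cur is not None:
            cur.add(port(w[2]))
        elif w[0] == "group-object" and cur is not None:
            cur |= groups.get(w[1], set())                 # nested group (defined earlier in config)
        elif w[0] == "access-list" and "permit" in w and "host" in w:
            ip, tail = w[w.index("host") + 1], w[w.index("host") + 2:]  # "eq P" or "object-group G"
            ports = {port(tail[1])} if tail[0] == "eq" else groups.get(tail[1], set())
            acl.setdefault((w[1], ip), set()).update(ports)
        elif w[0] == "static" and w[2] == "tcp":
            statics.append((w[3], port(w[4]), w[5], port(w[6])))  # global ip/port, local ip/port
        elif w[0] == "access-group" and w[-1] == "outside":
            outside_acl = w[1]                             # ACL applied inbound on outside
        elif w[0] == "inspect":
            inspects.add(w[1])
    findings = []
    for gip, gport, lip, lport in statics:
        allowed = acl.get((outside_acl, gip), set())
        if gport not in allowed:
            findings.append(f"{gip}/{gport}: no permit in {outside_acl} (allowed: {sorted(allowed)})")
        if gport != lport:
            findings.append(f"{gip}:{gport} translates to {lip}:{lport}; confirm this is intended")
    if any(s[1] == "25" for s in statics) and not inspects & {"esmtp", "smtp"}:
        findings.append("SMTP published but no esmtp/smtp inspect in the policy-map")
    return findings
```

Run against the full posted config it reports the same three kinds of finding; an entry with no ACL permit or with mismatched global and local ports is the first place to look when a published service is unreachable.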
ASKER CERTIFIED SOLUTION
dixson_almeida
Marka Mekapse

ASKER

I am able to send out emails; however, I can't telnet to my mail.domain.com.

Send me an example of the command line so I can structure it.

Thanks