Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Problem with inbound email on Pix Firewall

Posted on 2010-09-14
2
Medium Priority
?
461 Views
Last Modified: 2012-05-10
I'm having trouble configuring inbound email correctly on a PIX firewall. I thought I entered the ACL correctly but the only way I can get inbound email flowing is with a conduit command. I'm upgrading this firewall to an asa soon. Please help me get rid of this conduit command and make the acl work. Mail is coming from an MXlogic spam filter if that matters. Pix version is 6.3.

clock summer-time EST recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 101 permit icmp any any
access-list 101 permit tcp any host *.*.8.230 eq www
access-list 101 permit tcp any host *.*.8.230 eq https
access-list 101 permit tcp *.*.144.0 255.255.248.0 host *.*.8.230 eq smtp
access-list 101 permit tcp *.*.64.0 255.255.252.0 host *.*.8.230 eq smtp
access-list 101 permit tcp any host *.*.8.228 eq 3389
access-list 101 permit tcp any host *.*.8.227 eq www
access-list 101 permit tcp any host *.*.8.227 eq 9000
access-list outside_coming_in permit tcp any host *.*.8.228 eq 3389
access-list outside_coming_in permit icmp any any
access-list outside_coming_in permit tcp any host *.*.8.230 eq www
access-list outside_coming_in permit tcp any host *.*.8.230 eq https
access-list outside_coming_in permit tcp any host *.*.8.230 eq smtp
access-list outside_coming_in permit tcp any host *.*.8.227 eq www
access-list outside_coming_in permit tcp any host *.*.8.227 eq 9000
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside *.*.8.229 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnips 10.10.10.1-10.10.10.50
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp *.*.8.230 3389 192.168.1.10 3389 netmask 255.255.2
55.255 0 0
static (inside,outside) tcp *.*.8.230 https 192.168.1.10 https netmask 255.255
.255.255 0 0
static (inside,outside) tcp *.*.8.230 smtp 192.168.1.10 smtp netmask 255.255.2
55.255 0 0
static (inside,outside) tcp *.*.8.230 www 192.168.1.10 www netmask 255.255.255
.255 0 0
static (inside,outside) *.*.8.228 192.168.1.136 netmask 255.255.255.255 0 0
static (inside,outside) *.*.8.227 192.168.1.119 netmask 255.255.255.255 0 0
access-group outside_coming_in in interface outside
conduit permit tcp host *.*.8.230 eq smtp any
route outside 0.0.0.0 0.0.0.0 *.*.8.225 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup *** address-pool vpnips
vpngroup *** dns-server 192.168.1.10
vpngroup *** wins-server 192.168.1.10
vpngroup *** default-domain ***.com
vpngroup *** split-tunnel 100
vpngroup *** idle-time 1800
vpngroup *** password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd ping_timeout 750
terminal width 80
0
Comment
Question by:tommydeal
2 Comments
 
LVL 10

Accepted Solution

by:
Sorenson earned 2000 total points
ID: 33673305
the config for smtp / acl looks correct.
I would try the following:

-take out the conduit command

no conduit permit tcp host *.*.8.230 eq smtp any

- take out the acl
no access-group outside_coming_in in interface outside

- clear the existing translations
clear xlate

- update the dns fixup to support longer dns names
fixup protocol dns maximum-length 1024

-take off the fixup for smtp
no fixup protocol smtp 25

- reapply access list
access-group outside_coming_in in interface outside

and test from there.

-Scott
0
 

Author Closing Comment

by:tommydeal
ID: 33673438
That did it! Thanks for the speedy response.
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
Powerful tools can do wonders, but only in the right hands.  Nowhere is this more obvious than with the cloud.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Suggested Courses

876 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question