Solved

Problem with inbound email on Pix Firewall

Posted on 2010-09-14
450 Views
Last Modified: 2012-05-10
I'm having trouble configuring inbound email correctly on a PIX firewall. I thought I entered the ACL correctly, but the only way I can get inbound email flowing is with a conduit command. I'm upgrading this firewall to an ASA soon. Please help me get rid of this conduit command and make the ACL work. Mail is coming from an MXlogic spam filter, if that matters. PIX version is 6.3.

clock summer-time EST recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 101 permit icmp any any
access-list 101 permit tcp any host *.*.8.230 eq www
access-list 101 permit tcp any host *.*.8.230 eq https
access-list 101 permit tcp *.*.144.0 255.255.248.0 host *.*.8.230 eq smtp
access-list 101 permit tcp *.*.64.0 255.255.252.0 host *.*.8.230 eq smtp
access-list 101 permit tcp any host *.*.8.228 eq 3389
access-list 101 permit tcp any host *.*.8.227 eq www
access-list 101 permit tcp any host *.*.8.227 eq 9000
access-list outside_coming_in permit tcp any host *.*.8.228 eq 3389
access-list outside_coming_in permit icmp any any
access-list outside_coming_in permit tcp any host *.*.8.230 eq www
access-list outside_coming_in permit tcp any host *.*.8.230 eq https
access-list outside_coming_in permit tcp any host *.*.8.230 eq smtp
access-list outside_coming_in permit tcp any host *.*.8.227 eq www
access-list outside_coming_in permit tcp any host *.*.8.227 eq 9000
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside *.*.8.229 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnips 10.10.10.1-10.10.10.50
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp *.*.8.230 3389 192.168.1.10 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp *.*.8.230 https 192.168.1.10 https netmask 255.255.255.255 0 0
static (inside,outside) tcp *.*.8.230 smtp 192.168.1.10 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp *.*.8.230 www 192.168.1.10 www netmask 255.255.255.255 0 0
static (inside,outside) *.*.8.228 192.168.1.136 netmask 255.255.255.255 0 0
static (inside,outside) *.*.8.227 192.168.1.119 netmask 255.255.255.255 0 0
access-group outside_coming_in in interface outside
conduit permit tcp host *.*.8.230 eq smtp any
route outside 0.0.0.0 0.0.0.0 *.*.8.225 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup *** address-pool vpnips
vpngroup *** dns-server 192.168.1.10
vpngroup *** wins-server 192.168.1.10
vpngroup *** default-domain ***.com
vpngroup *** split-tunnel 100
vpngroup *** idle-time 1800
vpngroup *** password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd ping_timeout 750
terminal width 80
Question by:tommydeal
2 Comments

Accepted Solution

by: Sorenson (earned 500 total points)
ID: 33673305
The config for SMTP / ACL looks correct.
I would try the following:

- take out the conduit command
no conduit permit tcp host *.*.8.230 eq smtp any

- take out the ACL
no access-group outside_coming_in in interface outside

- clear the existing translations
clear xlate

- update the DNS fixup to support longer DNS names
fixup protocol dns maximum-length 1024

- take off the fixup for SMTP
no fixup protocol smtp 25

- reapply the access list
access-group outside_coming_in in interface outside

and test from there.

-Scott
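As an added illustration (not code from the thread or from Cisco), a small Python checker that reads a PIX 6.3-style config and flags the two things Scott's steps remove: conduit lines whose traffic an applied access-list already permits, and the SMTP fixup. The config excerpt and the 203.0.113.230 address are constructed stand-ins for the masked addresses in the question.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the question's PIX 6.3 config; 203.0.113.230 is a
# documentation placeholder standing in for the masked *.*.8.230 address.
SAMPLE_CONFIG = """\
fixup protocol smtp 25
access-list outside_coming_in permit tcp any host 203.0.113.230 eq www
access-list outside_coming_in permit tcp any host 203.0.113.230 eq smtp
static (inside,outside) tcp 203.0.113.230 smtp 192.168.1.10 smtp netmask 255.255.255.255 0 0
access-group outside_coming_in in interface outside
conduit permit tcp host 203.0.113.230 eq smtp any
conduit permit tcp host 203.0.113.230 eq 3389 any
"""

ACL_RE = re.compile(r"^access-list (\S+) permit (\S+) .+? host (\S+) eq (\S+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")
CONDUIT_RE = re.compile(r"^conduit permit (\S+) host (\S+) eq (\S+) \S+")

def audit(config):
    """Return findings as (kind, config line) tuples."""
    acl_entries = defaultdict(set)   # ACL name -> {(proto, dst host, port)}
    applied = {}                     # ACL name -> interface it is bound to
    conduits = []
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, proto, dst, port = m.groups()
            acl_entries[name].add((proto, dst, port))
        elif m := GROUP_RE.match(line):
            applied[m.group(1)] = m.group(2)
        elif m := CONDUIT_RE.match(line):
            conduits.append((m.groups(), line))
        elif line.startswith("fixup protocol smtp"):
            # Mailguard SMTP inspection: the fixup the accepted answer turns off.
            findings.append(("smtp_fixup", line))
    for key, line in conduits:
        # A conduit already covered by an applied ACL is a leftover from the
        # pre-ACL era and is the 'no conduit ...' candidate; an uncovered one
        # would need an ACL entry before it can be removed safely.
        if any(key in acl_entries[name] for name in applied):
            findings.append(("redundant_conduit", line))
        else:
            findings.append(("uncovered_conduit", line))
    return findings

if __name__ == "__main__":
    for kind, line in audit(SAMPLE_CONFIG):
        print(f"{kind}: {line}")
```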
 

Author Closing Comment

by:tommydeal
ID: 33673438
That did it! Thanks for the speedy response.
