Solved

Unable to tracert behind Cisco Pix

Posted on 2013-12-13
8
472 Views
Last Modified: 2014-02-08
So I have a client that uses MS Exchange 2010 and the network sits behind a Cisco PIX. This server is unable to email anyone with an MSN account. At first I thought it was a blacklist issue, but confirmed it was not. Then I checked my queue and realized that all messages get stuck when addressed to msn.com. Then I did a telnet to mx1.hotmail.com 25 and was able to connect, but when I tracert 216.32.183.201 I get nothing but timeouts. I went to another mail server also behind a PIX and I have the same issue. Is this just a coincidence? I have multiple mail servers behind ASAs and don't have this issue; is there something on the PIX causing this?
Question by:TJacoberger1

8 Comments

Author Comment

by:TJacoberger1
ID: 39717736
Update, I am able to send email to Hotmail from the second server, so I am no longer convinced it's a PIX issue even though I cannot tracert.

Problem remains however, whenever I try to send an email to MSN Hotmail Live or Outlook, the email sits in my queue and is eventually delayed then fails. I do not have issues with any other domains.


2013-12-13T19:15:21.714Z,Outbound Email,08D05B0BC3DEC948,0,,205.178.189.131:25,*,,attempting to connect
2013-12-13T19:15:42.723Z,Outbound Email,08D05B0BC3DEC948,1,,205.178.189.131:25,*,,"Failed to connect. Error Code: 10060, Error Message: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 205.178.189.131:25"
2013-12-13T19:16:34.042Z,Outbound Email,08D0C64EF869F803,0,,205.178.189.131:25,*,,attempting to connect
2013-12-13T19:16:55.049Z,Outbound Email,08D0C64EF869F803,1,,205.178.189.131:25,*,,"Failed to connect. Error Code: 10060, Error Message: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 205.178.189.131:25"
2013-12-13T19:17:55.074Z,Outbound Email,08D0C64EF869F808,0,,205.178.189.131:25,*,,attempting to connect
2013-12-13T19:18:16.073Z,Outbound Email,08D0C64EF869F808,1,,205.178.189.131:25,*,,"Failed to connect. Error Code: 10060, Error Message: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 205.178.189.131:25"
2013-12-13T19:19:16.075Z,Outbound Email,08D0C64EF869F80B,0,,205.178.189.131:25,*,,attempting to connect
2013-12-13T19:19:37.056Z,Outbound Email,08D0C64EF869F80B,1,,205.178.189.131:25,*,,"Failed to connect. Error Code: 10060, Error Message: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 205.178.189.131:25"
2013-12-13T19:20:37.098Z,Outbound Email,08D0C64EF869F80E,0,,205.178.189.131:25,*,,attempting to connect
2013-12-13T19:20:58.084Z,Outbound Email,08D0C64EF869F80E,1,,205.178.189.131:25,*,,"Failed to connect. Error Code: 10060, Error Message: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 205.178.189.131:25"
2013-12-13T19:21:04.871Z,Outbound Email,08D0C64F99FC7570,0,,205.178.189.131:25,*,,attempting to connect
2013-12-13T19:21:25.880Z,Outbound Email,08D0C64F99FC7570,1,,205.178.189.131:25,*,,"Failed to connect. Error Code: 10060, Error Message: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 205.178.189.131:25"
2013-12-13T19:22:25.910Z,Outbound Email,08D0C64F99FC7576,0,,205.178.189.131:25,*,,attempting to connect
2013-12-13T19:22:46.913Z,Outbound Email,08D0C64F99FC7576,1,,205.178.189.131:25,*,,"Failed to connect. Error Code: 10060, Error Message: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 205.178.189.131:25"
2013-12-13T19:23:46.909Z,Outbound Email,08D0C64F99FC7579,0,,205.178.189.131:25,*,,attempting to connect
2013-12-13T19:24:07.927Z,Outbound Email,08D0C64F99FC7579,1,,205.178.189.131:25,*,,"Failed to connect. Error Code: 10060, Error Message: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 205.178.189.131:25"
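The queue output above is the Exchange 2010 send-connector protocol log, a CSV with the columns date-time, connector-id, session-id, sequence-number, local-endpoint, remote-endpoint, event, data, context. As an added example (not part of the original post), here is a small Python parser that groups those lines by session and reports, per remote endpoint, how many connection attempts were made, which Winsock error codes came back, and the mean time between "attempting to connect" and the failure. The roughly 21-second gap visible in the thread is what a Windows TCP connect looks like when its SYNs are silently dropped (error 10060) rather than refused (10061), which is a useful hint that a filter is in the path. The sample input embeds two sessions from the thread plus a constructed successful session to the documentation address 192.0.2.25 so the summary also shows a healthy row.

```python
import csv
import io
import re
from collections import defaultdict
from datetime import datetime

# Column layout of the Exchange 2010 send-connector protocol log.
FIELDS = ["timestamp", "connector", "session", "seq", "local",
          "remote", "event", "data", "context"]
ERROR_CODE = re.compile(r"Error Code:\s*(\d+)")

# Constructed sample: two sessions copied from the thread (timeouts to
# 205.178.189.131:25) plus an invented, successful session to the
# documentation address 192.0.2.25 ('+' = connected, '<' = line received).
SAMPLE_LOG = """\
2013-12-13T19:15:21.714Z,Outbound Email,08D05B0BC3DEC948,0,,205.178.189.131:25,*,,attempting to connect
2013-12-13T19:15:42.723Z,Outbound Email,08D05B0BC3DEC948,1,,205.178.189.131:25,*,,"Failed to connect. Error Code: 10060, Error Message: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 205.178.189.131:25"
2013-12-13T19:16:34.042Z,Outbound Email,08D0C64EF869F803,0,,205.178.189.131:25,*,,attempting to connect
2013-12-13T19:16:55.049Z,Outbound Email,08D0C64EF869F803,1,,205.178.189.131:25,*,,"Failed to connect. Error Code: 10060, Error Message: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 205.178.189.131:25"
2013-12-13T19:17:00.000Z,Outbound Email,08D0C64EF869F900,0,,192.0.2.25:25,*,,attempting to connect
2013-12-13T19:17:00.120Z,Outbound Email,08D0C64EF869F900,1,,192.0.2.25:25,+,,
2013-12-13T19:17:00.131Z,Outbound Email,08D0C64EF869F900,2,,192.0.2.25:25,<,220 mail.example.net ESMTP ready,
"""


def parse_log(text):
    """Parse protocol-log CSV text into dicts, skipping '#' comment lines."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) != len(FIELDS) or rec[0].startswith("#"):
            continue
        row = dict(zip(FIELDS, rec))
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")
        row["seq"] = int(row["seq"])
        rows.append(row)
    return rows


def summarize_connections(text):
    """Per remote endpoint: connection attempts, failures keyed by Winsock
    error code, and mean seconds from the attempt to the failure."""
    by_session = defaultdict(list)
    for row in parse_log(text):
        by_session[row["session"]].append(row)

    stats = defaultdict(lambda: {"attempts": 0, "failures": {}, "waits": []})
    for rows in by_session.values():
        rows.sort(key=lambda r: r["seq"])
        start = next((r for r in rows if r["context"] == "attempting to connect"), None)
        if start is None:
            continue
        entry = stats[start["remote"]]
        entry["attempts"] += 1
        for r in rows:
            m = ERROR_CODE.search(r["context"])
            if m:
                code = m.group(1)
                entry["failures"][code] = entry["failures"].get(code, 0) + 1
                entry["waits"].append((r["timestamp"] - start["timestamp"]).total_seconds())

    summary = {}
    for remote, e in stats.items():
        waits = e["waits"]
        summary[remote] = {
            "attempts": e["attempts"],
            "failures": e["failures"],
            "mean_wait_s": round(sum(waits) / len(waits), 3) if waits else None,
        }
    return summary


if __name__ == "__main__":
    for remote, s in summarize_connections(SAMPLE_LOG).items():
        print(remote, s)
```

Point it at the real SmtpSend log files instead of SAMPLE_LOG to see whether the timeouts cluster on one destination netblock (as here) or are spread across all outbound mail, which is the quickest way to separate a per-destination problem from a general egress problem.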
 
Expert Comment

by:rauenpc
ID: 39717829
Two things. One, it is probably a good idea to run the "no fixup protocol smtp 25" command on your PIXes. Microsoft uses ESMTP, which has a few things about it that don't conform purely to the standard, and the PIX/ASA attempts to "correct" the packets. I have yet to see this correction... well... correct anything. Normally it causes issues. The other great thing about that command is that, depending on code version, it doesn't show up in the configuration. You have to blindly run the command and remember to reapply it to any PIX/ASA that has had its configuration erased. Before running this command, go to mxtoolbox.com and enter your domain. It will come back with a bit of info. From there, run the "SMTP test". In the session transcript window, if you see "200***************************" then you are experiencing the fixup protocol issue. Run the command, and then rerun the SMTP test and you will get a response relative to your server's information. This might not fix your issue, but it certainly shouldn't hurt.

Second, on the traceroute topic, the PIX/ASA by default does not allow any type of ICMP through the firewall. You will need to permit that traffic inbound on the outside interface, and possibly add "inspect icmp" to the global service policy (or whichever policy is applied to your interfaces). If the rule doesn't exist yet, you shouldn't be able to get a traceroute response from any website.
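The asterisk-filled greeting rauenpc describes can be checked without a third-party site. The Python below is an added example (not code from the thread): `fetch_banner` opens a TCP connection to an MTA and returns its first reply line, and `banner_looks_masked` reports whether the text after the reply code is mostly asterisks, which is how a PIX/ASA SMTP fixup rewrites the banner. Run `check_smtp_banner` against your own public MX from a host outside the firewall; the test banners embedded below are constructed.

```python
import re
import socket
import sys

# A normal greeting is "220 hostname ESMTP ..."; a PIX/ASA SMTP fixup
# (Mailguard) replaces everything after the reply code with asterisks.
REPLY_LINE = re.compile(r"^(\d{3})(?:[ -](.*))?$")


def banner_looks_masked(banner, threshold=0.8):
    """Return True when the greeting text is at least `threshold` asterisks."""
    m = REPLY_LINE.match(banner.strip())
    if not m or not m.group(2):
        return False
    text = m.group(2).strip()
    return bool(text) and text.count("*") / len(text) >= threshold


def fetch_banner(host, port=25, timeout=10.0):
    """Connect to the MTA and return its first greeting line (network call)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        data = b""
        while b"\n" not in data:
            chunk = sock.recv(1024)
            if not chunk:
                break
            data += chunk
    return data.decode("ascii", "replace").splitlines()[0] if data else ""


def check_smtp_banner(host, port=25):
    """Fetch the greeting from `host` and classify it."""
    banner = fetch_banner(host, port)
    return {"host": host, "banner": banner, "masked": banner_looks_masked(banner)}


if __name__ == "__main__" and len(sys.argv) > 1:
    # usage: python banner_check.py mail.example.com
    print(check_smtp_banner(sys.argv[1]))
```

A masked banner means the firewall is still rewriting the SMTP stream; after disabling the fixup (on ASA code the equivalent setting is `inspect esmtp` under the service policy) the check should return the server's real greeting.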
 

Author Comment

by:TJacoberger1
ID: 39717857
Ok, so I was able to determine that the issue has nothing to do with the router. It's related to my Exchange server and DNS: when I create a new send connector, include each specific domain, and then route it through a smart host, the emails go through. So when I use my DNS MX records to route mail I cannot send to MSN, Outlook, Live or Hotmail. Any ideas why?
 
Expert Comment

by:rauenpc
ID: 39717935
Do you have reverse DNS configured correctly?
 

Author Comment

by:TJacoberger1
ID: 39718006
On the domain controller?
 
Expert Comment

by:rauenpc
ID: 39719560
When you send an email, it arrives at a destination server. As part of an integrity/spam check, two things are usually required to pass. One is that the sending domain (your domain.com) has not been blacklisted, and also that the source IP the email was received from resolves to a matching domain. The email server does a reverse DNS lookup for 1.2.3.4 (your public IP) and expects that the response matches your domain.com. If it does not match, your email can be rejected on the basis that it could be a spoofed message. The reverse DNS entry is controlled by whomever truly owns the public IP address. Commonly, this is your ISP, but if you have public DNS servers then you would have control over the entries. To check reverse DNS, run the command "nslookup [your public ip] 8.8.8.8". If it does not have a response of your domain.com then reverse DNS is not set up.
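The nslookup check above is the reverse step only. The Python below is an added example (not from the thread) that scripts the full test many receiving MTAs apply: look up the PTR for the sending IP, check that it falls under the mail domain, and then resolve that PTR name forward again to confirm it points back at the same IP (forward-confirmed reverse DNS). The resolver functions are injectable so the logic can be exercised offline; the IPs and hostnames in the test data are constructed documentation values.

```python
import socket


def reverse_lookup(ip):
    """PTR name for `ip`, or None when no reverse record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def forward_lookup(name):
    """Set of IPv4 addresses `name` resolves to (empty if it does not resolve)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return set()


def check_sender_rdns(public_ip, mail_domain, rdns=reverse_lookup, fwd=forward_lookup):
    """Reverse-DNS sanity check for an outbound mail server.

    domain_match     : PTR name is the mail domain or a host under it
    forward_confirmed: the PTR name resolves back to public_ip (FCrDNS)
    """
    ptr = rdns(public_ip)
    result = {"ip": public_ip, "ptr": ptr,
              "domain_match": False, "forward_confirmed": False}
    if ptr is None:
        return result
    ptr_name = ptr.rstrip(".").lower()
    domain = mail_domain.rstrip(".").lower()
    result["domain_match"] = ptr_name == domain or ptr_name.endswith("." + domain)
    result["forward_confirmed"] = public_ip in fwd(ptr_name)
    return result


if __name__ == "__main__":
    # Live check; replace with your own public IP and mail domain.
    print(check_sender_rdns("203.0.113.10", "example.com"))
```

A PTR that exists but points at a generic ISP name (the second constructed case in the test) is the situation rauenpc describes: reverse DNS technically answers, yet large receivers may still defer or reject because it neither matches the sending domain nor forward-confirms.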
 

Accepted Solution

by:TJacoberger1 (earned 0 total points)
ID: 39830894
I ended up creating a separate send connector on my Exchange server, adding the problem domains and relaying through a smart host. Still unclear why my Exchange server is not able to reach these domains; it must be DNS, but this is a good workaround until I get it figured out.
 

Author Closing Comment

by:TJacoberger1
ID: 39843920
Resolved by Me.