Solved

Unable to tracert behind Cisco PIX

Posted on 2013-12-13
Last Modified: 2014-02-08
So I have a client that uses MS Exchange 2010 and the network sits behind a Cisco PIX. This server is unable to email anyone with an MSN account. At first I thought it was a blacklist issue, but confirmed it was not. Then I checked my queue and realized that all messages get stuck when addressed to msn.com. Then I did a telnet to mx1.hotmail.com 25 and was able to connect, but when I tracert 216.32.183.201 I get nothing but timeouts. I went to another mail server also behind a PIX and I have the same issue. Is this just a coincidence? I have multiple mail servers behind ASAs and don't have this issue; is there something on the PIX causing this?
Question by:TJacoberger1

8 Comments

Author Comment

by:TJacoberger1
ID: 39717736
Update: I am able to send email to Hotmail from the second server, so I am no longer convinced it's a PIX issue, even though I cannot tracert.

The problem remains, however: whenever I try to send an email to MSN, Hotmail, Live or Outlook, the email sits in my queue and is eventually delayed, then fails. I do not have issues with any other domains.


2013-12-13T19:15:21.714Z,Outbound Email,08D05B0BC3DEC948,0,,205.178.189.131:25,*,,attempting to connect
2013-12-13T19:15:42.723Z,Outbound Email,08D05B0BC3DEC948,1,,205.178.189.131:25,*,,"Failed to connect. Error Code: 10060, Error Message: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 205.178.189.131:25"
2013-12-13T19:16:34.042Z,Outbound Email,08D0C64EF869F803,0,,205.178.189.131:25,*,,attempting to connect
2013-12-13T19:16:55.049Z,Outbound Email,08D0C64EF869F803,1,,205.178.189.131:25,*,,"Failed to connect. Error Code: 10060, Error Message: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 205.178.189.131:25"
2013-12-13T19:17:55.074Z,Outbound Email,08D0C64EF869F808,0,,205.178.189.131:25,*,,attempting to connect
2013-12-13T19:18:16.073Z,Outbound Email,08D0C64EF869F808,1,,205.178.189.131:25,*,,"Failed to connect. Error Code: 10060, Error Message: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 205.178.189.131:25"
2013-12-13T19:19:16.075Z,Outbound Email,08D0C64EF869F80B,0,,205.178.189.131:25,*,,attempting to connect
2013-12-13T19:19:37.056Z,Outbound Email,08D0C64EF869F80B,1,,205.178.189.131:25,*,,"Failed to connect. Error Code: 10060, Error Message: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 205.178.189.131:25"
2013-12-13T19:20:37.098Z,Outbound Email,08D0C64EF869F80E,0,,205.178.189.131:25,*,,attempting to connect
2013-12-13T19:20:58.084Z,Outbound Email,08D0C64EF869F80E,1,,205.178.189.131:25,*,,"Failed to connect. Error Code: 10060, Error Message: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 205.178.189.131:25"
2013-12-13T19:21:04.871Z,Outbound Email,08D0C64F99FC7570,0,,205.178.189.131:25,*,,attempting to connect
2013-12-13T19:21:25.880Z,Outbound Email,08D0C64F99FC7570,1,,205.178.189.131:25,*,,"Failed to connect. Error Code: 10060, Error Message: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 205.178.189.131:25"
2013-12-13T19:22:25.910Z,Outbound Email,08D0C64F99FC7576,0,,205.178.189.131:25,*,,attempting to connect
2013-12-13T19:22:46.913Z,Outbound Email,08D0C64F99FC7576,1,,205.178.189.131:25,*,,"Failed to connect. Error Code: 10060, Error Message: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 205.178.189.131:25"
2013-12-13T19:23:46.909Z,Outbound Email,08D0C64F99FC7579,0,,205.178.189.131:25,*,,attempting to connect
2013-12-13T19:24:07.927Z,Outbound Email,08D0C64F99FC7579,1,,205.178.189.131:25,*,,"Failed to connect. Error Code: 10060, Error Message: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 205.178.189.131:25"
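The rows above are Exchange 2010 send-connector protocol-log lines, and the thing worth noticing in them is the error code: Winsock 10060 (WSAETIMEDOUT) means the TCP connect itself never got an answer, which is a path or firewall symptom, not a mail-policy rejection (a 5xx could only arrive after a connect succeeded). The following is an added example, not code from the post: it parses log rows in that layout and flags endpoints to which every connect attempt timed out. The sample rows are constructed for the example; the two failing sessions copy the shape of the rows in the post, and the third session, to the documentation address 198.51.100.25, is made up to show a healthy connect for contrast.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample in the Exchange 2010 send-connector protocol-log layout
# (date-time,connector-id,session-id,sequence-number,local-endpoint,
#  remote-endpoint,event,data,context). The 198.51.100.25 session is made up.
SAMPLE_LOG = """\
2013-12-13T19:15:21.714Z,Outbound Email,08D05B0BC3DEC948,0,,205.178.189.131:25,*,,attempting to connect
2013-12-13T19:15:42.723Z,Outbound Email,08D05B0BC3DEC948,1,,205.178.189.131:25,*,,"Failed to connect. Error Code: 10060, Error Message: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 205.178.189.131:25"
2013-12-13T19:16:34.042Z,Outbound Email,08D0C64EF869F803,0,,205.178.189.131:25,*,,attempting to connect
2013-12-13T19:16:55.049Z,Outbound Email,08D0C64EF869F803,1,,205.178.189.131:25,*,,"Failed to connect. Error Code: 10060, Error Message: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 205.178.189.131:25"
2013-12-13T19:17:01.000Z,Outbound Email,08D0C64EF869F900,0,,198.51.100.25:25,*,,attempting to connect
2013-12-13T19:17:01.120Z,Outbound Email,08D0C64EF869F900,1,,198.51.100.25:25,+,,
2013-12-13T19:17:01.250Z,Outbound Email,08D0C64EF869F900,2,,198.51.100.25:25,<,,220 mx.example.net ESMTP
"""

# Winsock error codes that appear in the context field of a failed connect.
WINSOCK = {
    10060: "WSAETIMEDOUT: no SYN/ACK came back (dropped somewhere on the path?)",
    10061: "WSAECONNREFUSED: host answered with RST, nothing listening on the port",
    10065: "WSAEHOSTUNREACH: no route to host",
}
FAIL_RE = re.compile(r"Failed to connect\. Error Code: (\d+)")


def parse_log(text):
    """Split protocol-log rows into dicts; csv copes with the quoted, comma-laden context field."""
    rows = []
    for fields in csv.reader(io.StringIO(text)):
        if len(fields) < 9:
            continue  # blank or truncated row
        ts, connector, session, seq, local, remote, event, data, context = fields[:9]
        rows.append({"ts": ts, "session": session, "remote": remote,
                     "event": event, "context": context})
    return rows


def summarize_connects(rows):
    """Per remote endpoint: connect attempts, successes, failures and the error codes seen."""
    stats = defaultdict(lambda: {"attempts": 0, "connected": 0, "failures": 0, "codes": set()})
    for r in rows:
        s = stats[r["remote"]]
        if r["event"] == "*" and r["context"] == "attempting to connect":
            s["attempts"] += 1
        elif r["event"] == "+":            # '+' is the connect event in this log format
            s["connected"] += 1
        elif r["event"] == "*":
            m = FAIL_RE.search(r["context"])
            if m:
                s["failures"] += 1
                s["codes"].add(int(m.group(1)))
    return dict(stats)


def unreachable_endpoints(stats, min_attempts=2):
    """Endpoints where every attempt failed at the TCP layer (no connect ever succeeded)."""
    return sorted(ep for ep, s in stats.items()
                  if s["attempts"] >= min_attempts
                  and s["connected"] == 0
                  and s["failures"] == s["attempts"])


def explain(stats, endpoint):
    """One-line summary of what the log says about an endpoint."""
    s = stats[endpoint]
    codes = ", ".join(f"{c} ({WINSOCK.get(c, 'unknown')})" for c in sorted(s["codes"]))
    return (f"{endpoint}: {s['attempts']} attempts, {s['connected']} connected, "
            f"{s['failures']} failed; codes: {codes or 'none'}")


if __name__ == "__main__":
    st = summarize_connects(parse_log(SAMPLE_LOG))
    for ep in unreachable_endpoints(st):
        print(explain(st, ep))
```

Point it at a real SmtpSend log directory by reading each file into `parse_log`; an endpoint that shows up only with 10060 and never with a `+` event is worth testing with a plain TCP connect from the Exchange server and then from a host outside the firewall, since the two results differing is what separates a local firewall or routing problem from a remote one.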
LVL 20

Expert Comment

by:rauenpc
ID: 39717829
Two things. One, it is probably a good idea to run the "no fixup protocol smtp 25" command on your PIXes. Microsoft uses ESMTP, which has a few things about it that don't conform purely to the standard, and the PIX/ASA attempts to "correct" the packets. I have yet to see this correction... well... correct anything. Normally it causes issues. The other great thing about that command is that, depending on code version, it doesn't show up in the configuration. You have to blindly run the command and remember to reapply it to any PIX/ASA that has had its configuration erased. Before running this command, go to mxtoolbox.com and enter your domain. It will come back with a bit of info. From there, run the "SMTP test". In the session transcript window, if you see "200***************************" then you are experiencing the fixup protocol issue. Run the command, then rerun the SMTP test and you will get a response relative to your server's information. This might not fix your issue, but it certainly shouldn't hurt.

Second, on the traceroute topic: PIX/ASA by default does not allow any type of ICMP through the firewall. You will need to permit that traffic inbound on the outside interface, and possibly add "inspect icmp" to the global service policy (or whichever policy is applied to your interfaces). If the rule doesn't exist yet, you shouldn't be able to get a traceroute response from any website.
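The banner test described in the comment above can be scripted instead of run through mxtoolbox. The following is an added example and not code from the post or from Cisco: it connects to an MX on port 25, reads the greeting, and classifies it. A greeting whose text after the reply code is nothing but asterisks is what an SMTP fixup (Mailguard) on a PIX/ASA hands back, so the check is most useful when run from a host outside the firewall against your own public MX, because that is the view the fixup rewrites. The regex accepts any three-digit code before the asterisks, so it matches whether the masked line reads `220 ***` or the `200***` quoted above. `fetch_banner` needs network access; `classify_banner` works on any string and is what the offline checks below exercise.

```python
import re
import socket

# A greeting that is a reply code followed only by asterisks is the signature of a
# PIX/ASA SMTP fixup rewriting the server's banner on the way out.
MASKED_RE = re.compile(r"^(\d{3})[ -]\*{3,}\s*$")


def classify_banner(banner):
    """Sort an SMTP greeting line into one of five buckets."""
    line = banner.strip()
    if not line:
        return "no-banner"          # connect worked but nothing arrived before timeout
    if MASKED_RE.match(line):
        return "masked"             # fixup / Mailguard is rewriting the banner
    if line[:3].isdigit() and line[0] == "2":
        return "greeting"           # normal 220 banner
    if line[:3].isdigit() and line[0] in "45":
        return "rejected"           # greylisting, rate limiting or a policy refusal at connect
    return "unexpected"


def fetch_banner(host, port=25, timeout=10):
    """Open a TCP session and return the server's first greeting line (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        buf = b""
        while b"\n" not in buf:
            chunk = sock.recv(1024)
            if not chunk:
                break
            buf += chunk
        try:
            sock.sendall(b"QUIT\r\n")   # close the session politely; the reply is not needed
        except OSError:
            pass
    return buf.decode("ascii", errors="replace").splitlines()[0] if buf else ""


def check_host(host, port=25):
    """Return (banner, classification) for one host; connect errors become a classification too."""
    try:
        banner = fetch_banner(host, port)
    except OSError as exc:
        return "", f"connect-failed: {exc}"
    return banner, classify_banner(banner)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    banner, verdict = check_host(target)
    print(f"{target}: {verdict}\n  {banner!r}")
```

Run it once before and once after `no fixup protocol smtp 25`: a result that moves from `masked` to `greeting` confirms the fixup was the thing rewriting the banner, and a `connect-failed` result is the same class of problem the send-connector log shows with error 10060.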
Author Comment

by:TJacoberger1
ID: 39717857
OK, so I was able to determine that the issue has nothing to do with the router. It's related to my Exchange server and DNS: when I create a new send connector, include each specific domain and route it through a smart host, the emails go through. So when I use my DNS MX records to route mail I cannot send to MSN, Outlook, Live or Hotmail. Any ideas why?
LVL 20

Expert Comment

by:rauenpc
ID: 39717935
Do you have reverse DNS configured correctly?
Author Comment

by:TJacoberger1
ID: 39718006
On the domain controller?
LVL 20

Expert Comment

by:rauenpc
ID: 39719560
When you send an email, it arrives at a destination server. As part of an integrity/spam check, two things are usually required to pass. One is that the sending domain (your domain.com) has not been blacklisted, and the other is that the source IP the email was received from resolves to a matching domain. The email server does a reverse DNS lookup for 1.2.3.4 (your public IP) and expects that the response matches your domain.com. If it does not match, your email can be rejected on the basis that it could be a spoofed message. The reverse DNS entry is controlled by whoever truly owns the public IP address. Commonly this is your ISP, but if you have public DNS servers then you would have control over the entries. To check reverse DNS, run the command "nslookup [your public ip] 8.8.8.8". If it does not have a response of your domain.com then reverse DNS is not set up.
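The check described above goes one step further than the nslookup command in practice: most large receivers do not only look at the PTR name, they also resolve that name forward and require it to contain the connecting IP (forward-confirmed reverse DNS), which is what catches a PTR that points at your domain while the A record points somewhere else. The following is an added example, not code from the post: it models both checks. Lookups go through the OS resolver by default, but the resolver functions are injectable so the check can be exercised offline with constructed answers, which is what the sample below does; the names and addresses in it are made up.

```python
import socket


def system_ptr(ip):
    """PTR lookup through the OS resolver; None when no PTR exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def system_forward(hostname):
    """Addresses (A and AAAA) a name resolves to via the OS resolver; empty set on NXDOMAIN."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(hostname, None)}
    except OSError:
        return set()


def check_sender_rdns(ip, domain, ptr_lookup=system_ptr, forward_lookup=system_forward):
    """Model the reverse-DNS checks a receiving MTA applies to the connecting IP.

    Returns the PTR name, whether it lies under `domain`, whether it forward-confirms
    (the PTR name resolves back to `ip`), and a one-line verdict.
    """
    ptr = ptr_lookup(ip)
    if not ptr:
        return {"ptr": None, "in_domain": False, "fcrdns": False,
                "verdict": "no PTR record: ask whoever owns the IP block to add one"}
    name = ptr.rstrip(".").lower()
    dom = domain.strip(".").lower()
    in_domain = name == dom or name.endswith("." + dom)
    fcrdns = ip in forward_lookup(name)
    if fcrdns and in_domain:
        verdict = "ok"
    elif fcrdns:
        verdict = f"PTR forward-confirms but names {name}, not {dom} (generic ISP name?)"
    else:
        verdict = f"PTR {name} does not resolve back to {ip}: receivers treat this as unverified"
    return {"ptr": name, "in_domain": in_domain, "fcrdns": fcrdns, "verdict": verdict}


# Constructed resolver answers used when the module is run directly (made up, documentation ranges).
FAKE_PTR = {
    "203.0.113.10": "mail.example.com.",
    "203.0.113.11": "203-0-113-11.dsl.isp.example.net",
    "203.0.113.12": "mail.example.com",          # PTR points at us, but A record does not point back
}
FAKE_FWD = {
    "mail.example.com": {"203.0.113.10"},
    "203-0-113-11.dsl.isp.example.net": {"203.0.113.11"},
}


def demo():
    """Run the check over the constructed answers; returns {ip: verdict}."""
    return {ip: check_sender_rdns(ip, "example.com", FAKE_PTR.get,
                                  lambda h: FAKE_FWD.get(h, set()))["verdict"]
            for ip in ("203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13")}


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        print(check_sender_rdns(sys.argv[1], sys.argv[2]))   # live lookup: <public-ip> <domain>
    else:
        for ip, verdict in demo().items():
            print(f"{ip}: {verdict}")
```

For the live form, pass the Exchange server's public (NATed) address and the sending domain; if the verdict is anything but `ok`, the fix is a PTR change at whoever owns the address block, plus a matching A record in your own zone.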
Accepted Solution

by:TJacoberger1 (earned 0 total points)
ID: 39830894
I ended up creating a separate send connector on my Exchange server, adding the problem domains and relaying through a smart host. It is still unclear why my Exchange server is not able to reach these domains; it must be DNS, but this is a good workaround until I get it figured out.
Author Closing Comment

by:TJacoberger1
ID: 39843920
Resolved by me.