w6hr asked:
Mail sent from Mirapoint Mail Server is not allowed through my Cisco PIX firewall.

I had this question after viewing "PIX blocking SMTP request from the inside to the outside".

I have a PIX 515e with two networks (INSIDE at 192.168.128.0 and DMZ at 192.168.1.0).  I have a Mirapoint Mail Server on the DMZ network at 192.168.1.200.  Inbound mail (from the Internet) works perfectly.

Outbound mail is another issue.  I have isolated my problem(s) to the Mirapoint, and more specifically the Mirapoint routing configuration.  I also have some issues with the configuration of the LDAP server built into the Mirapoint.  

The question is whether there are any Mirapoint experts available on Experts-Exchange?
ArneLovius (United Kingdom):

I would suggest that you post (as a text file attachment) a suitably sanitised copy of your PIX config.
w6hr (asker):

Here it is . . .

# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password xxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxx encrypted
hostname PIX-1
domain-name my_domain.com
clock timezone Pacific -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.101 ns1
name 192.168.1.102 ns2
name 192.168.1.111 www
name 192.168.1.112 www2
name 192.168.1.100 ns0
name 192.168.1.200 mail
object-group network WEBSERVERS
  network-object 100.100.100.243 255.255.255.255
  network-object 100.100.100.244 255.255.255.255
  network-object 100.100.100.245 255.255.255.255
  network-object 100.100.100.246 255.255.255.255
object-group network NAMESERVERS
  network-object 100.100.100.243 255.255.255.255
  network-object 100.100.100.244 255.255.255.255
object-group network WEBSERVERS_real1
  network-object ns1 255.255.255.255
  network-object ns2 255.255.255.255
  network-object www 255.255.255.255
  network-object www2 255.255.255.255
object-group network NAMESERVERS_real1
  network-object ns1 255.255.255.255
  network-object ns2 255.255.255.255
object-group network MAILSERVERS
  network-object 100.100.100.247 255.255.255.255
object-group network MAILSERVERS_real1
  network-object mail 255.255.255.255
access-list PERMIT-INBOUND permit tcp any object-group WEBSERVERS eq www
access-list PERMIT-INBOUND permit tcp any object-group NAMESERVERS eq domain
access-list PERMIT-INBOUND permit udp any object-group NAMESERVERS eq domain
access-list PERMIT-INBOUND permit tcp any object-group MAILSERVERS eq smtp
access-list PERMIT-INBOUND permit icmp any any echo-reply
access-list PERMIT-INBOUND deny ip any any
access-list NO-NAT permit ip 192.168.128.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list DMZ permit icmp any any echo-reply
access-list DMZ deny ip any 192.168.128.0 255.255.255.0
access-list DMZ permit ip 192.168.1.0 255.255.255.0 any
access-list DMZ deny ip any any
pager lines 24
logging on
logging trap alerts
logging host inside 192.168.128.160
icmp permit any inside
icmp permit any dmz
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 100.100.100.242 255.255.255.240
ip address inside 192.168.128.1 255.255.255.0
ip address dmz 192.168.1.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface dmz
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 100.100.100.248-100.100.100.252 netmask 255.255.255.0
global (outside) 1 100.100.100.253 netmask 255.255.255.255
nat (inside) 0 access-list NO-NAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) 100.100.100.243 ns1 netmask 255.255.255.255 0 0
static (dmz,outside) 100.100.100.244 ns2 netmask 255.255.255.255 0 0
static (dmz,outside) 100.100.100.245 www netmask 255.255.255.255 0 0
static (dmz,outside) 100.100.100.246 www2 netmask 255.255.255.255 0 0
static (dmz,outside) 100.100.100.247 mail netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
access-group PERMIT-INBOUND in interface outside
access-group DMZ in interface dmz
route outside 0.0.0.0 0.0.0.0 100.100.100.241 1
route inside 0.0.0.0 0.0.0.0 192.168.128.1 255
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp authenticate
ntp server 164.67.62.194 source outside prefer
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.128.160 pixconfig
floodguard enable
sysopt noproxyarp inside
sysopt noproxyarp dmz
telnet 192.168.128.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.128.200-192.168.128.249 inside
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd lease 7200
dhcpd ping_timeout 750
dhcpd domain my_domain.com
dhcpd enable inside
terminal width 80
Cryptochecksum:fd091f33131d3401a6dbd3156cbed5da
: end

Rather than "a PIX 515e with two networks" you would appear to have three connected networks, an "inside", an "outside", and a "dmz".

Based on most of the config that you posted directly inline instead of attaching as a text file, there are some areas that need looking at:

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0 


??

route outside 0.0.0.0 0.0.0.0 100.100.100.241 1
route inside 0.0.0.0 0.0.0.0 192.168.128.1 255


Rather than "playing with metrics", use appropriate routes and masks.

telnet 192.168.128.0 255.255.255.0 inside


Still allowing telnet for management? Use SSH and only allow SSH.

ntp server 164.67.62.194 source outside prefer


Relying on a single external IPv4 address for NTP is a recipe for time being incorrect.
ASKER CERTIFIED SOLUTION (posted by w6hr)


You have two routes to 0.0.0.0 0.0.0.0 with different gateways and different metrics, one gateway appears to be external, and the other internal, if you need to reach other internal networks, create static routes for those networks.
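As an added illustration, not part of the thread or written by either participant, here is a small Python audit that reads a PIX 6.3 running config and flags the points ArneLovius raised: the questionable identity static, two default routes, telnet management access, and a single NTP source. It runs over an excerpt of the config posted above; the finding codes are my own naming.

```python
import re

# Excerpt of the PIX 6.3(5) running config posted in the thread (already sanitised by the asker).
PIX_CONFIG = """\
telnet 192.168.128.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
ntp server 164.67.62.194 source outside prefer
route outside 0.0.0.0 0.0.0.0 100.100.100.241 1
route inside 0.0.0.0 0.0.0.0 192.168.128.1 255
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
"""

DEFAULT_ROUTE = re.compile(r"route \S+ 0\.0\.0\.0 0\.0\.0\.0 \S+")
STATIC_LINE = re.compile(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask")


def audit_pix(config: str) -> list[tuple[str, str]]:
    """Return (code, message) findings for the review points discussed in the thread."""
    lines = [l.strip() for l in config.splitlines() if l.strip() and not l.startswith(":")]
    findings = []

    # Two default routes with different gateways: the PIX installs one by metric, the other
    # is dead weight; internal networks should get specific static routes instead.
    defaults = [l for l in lines if DEFAULT_ROUTE.match(l)]
    if len(defaults) > 1:
        findings.append(("multiple-default-routes",
                         f"{len(defaults)} default routes; keep one to the outside gateway "
                         "and add specific static routes for internal networks"))

    # Cleartext telnet management enabled; 'telnet timeout' is a timer, not an access line.
    if any(l.startswith("telnet ") and not l.startswith("telnet timeout") for l in lines):
        findings.append(("telnet-enabled", "telnet management access enabled; allow SSH only"))
    if not any(l.startswith("ssh ") and not l.startswith("ssh timeout") for l in lines):
        findings.append(("no-ssh-access", "no 'ssh <net> <mask> <if>' access line configured"))

    # A single NTP source leaves the clock (and therefore log timestamps) with no fallback.
    ntp = [l for l in lines if l.startswith("ntp server ")]
    if len(ntp) < 2:
        findings.append(("single-ntp", f"only {len(ntp)} NTP server(s); configure at least two"))

    # Identity static (real == mapped) between two internal interfaces: flagged '??' in the thread.
    for l in lines:
        m = STATIC_LINE.match(l)
        if m and m.group(3) == m.group(4):
            findings.append(("identity-static",
                             f"static ({m.group(1)},{m.group(2)}) maps {m.group(3)} to itself"))
    return findings


if __name__ == "__main__":
    for code, msg in audit_pix(PIX_CONFIG):
        print(f"[{code}] {msg}")
```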