topic Re: Pix 501 problem, I cant receive smtp mail in Network Security

Pix 501 problem, I cant receive smtp mail

firebird9 — Fri, 21 Feb 2020 07:58:36 GMT

Currently I can send mail but cannot receive mail from the Internet, if I remove the Pix and connect directly to the Modem/Router then I can SMTP in on port 25 and SMTP mail works fine both in & out.

All we want this Pix to allow at present is:

a) Internet access to all internal network clients

b) Allow clients to pop mail from web mail accounts

c) We wish to use Exchange & Outlook and host our own e-mail using SMTP

Please find attached two documents: -

1. A current edited running config of my 501 Pix

2. A PowerPoint diagram of my network.

I very much appreciate any help.

Vinny.

Re: Pix 501 problem, I cant receive smtp mail

nefkensp — Mon, 21 Feb 2005 17:59:58 GMT

Hello Vinny,

I've looked at your network setup, but it states that the NetGear modem is forwarding port 25 to 192.168.1.1. It should actually forward to either the interface or a static ip-address in the 192.168.0.x range.

Is there a reason why you want to have your clients go through the server, then through the pix and then through the netgear on the Internet?

Below is an example how it could work:

Internet <--> 80.x.x.225 Netgear 192.168.1.1 <-> 192.168.1.2 (outside) PIX (inside) 192.168.0.1

The PIX would become the default gateway for the clients and the server. A static translation can be set for 192.168.1.3 to the internal ipaddress of the server:

static (inside,outside) 192.168.1.3 192.168.0.y

access-list acl_out permit tcp any host 192.168.1.3 eq smtp

and configure the netgear router to forward smtp to 192.168.1.3

then the network configuration is much easier and the clients will connect through the PIX.

Look at the following url for more information:

http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094466.shtml

Hope this helps,

Pieter-Jan

Re: Pix 501 problem, I cant receive smtp mail

Patrick Iseli — Tue, 22 Feb 2005 01:46:31 GMT

You mixed some IPs the smtp, www and pop3 traffic should go 192.168.1.2 which is your internal IP address and not the inside IP of your PIX !!!

ip address inside 192.168.1.1 255.255.255.0

static (inside,outside) tcp interface www 192.168.1.2 www netmask 255.255.255.25

5 0 0

static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.

255 0 0

static (inside,outside) tcp interface pop3 192.168.1.2 pop3 netmask 255.255.255.

255 0 0

sincerely

Patrick

Re: Pix 501 problem, I cant receive smtp mail

firebird9 — Tue, 22 Feb 2005 14:50:38 GMT

Hi Patrick,

Thanks for you input.

If I understand you correctly I should use 192.168.1.2 which is the external interface of my mail server, for the static commands that relate to (www, smtp & pop3).

What about my last static command? do I leave this as 192.168.1.1?

static (inside,outside) 80.x.x.168.1.1 netmask 255.x.x.255 0 0

I currently have the Router/modem port forwarding to 192.168.0.2 which is the External interface of the Pix, is this still OK?

I have made the changes as I understood them and I still do not get mail back in, please let me know if I have done something wrong.

Thanks again, Vinny.

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxx

passwd xxxx

hostname pixfirewall

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

no fixup protocol smtp 25

names

access-list acl_out permit tcp any host 80.xxx.xxx.225 eq smtp

access-list acl_out permit tcp any host 80.xxx.xxx.225 eq pop3

access-list acl_out permit tcp any host 80.xxx.xxx.225 eq www

pager lines 24

interface ethernet0 10baset

interface ethernet1 10full

mtu outside 1500

mtu inside 1500

ip address outside dhcp setroute

ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.x.x.x.0.0 0 0

static (inside,outside) tcp interface www 192.168.1.2 www netmask 255.255.255.25

5 0 0

static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.

255 0 0

static (inside,outside) tcp interface pop3 192.168.1.2 pop3 netmask 255.255.255.

255 0 0

static (inside,outside) 80.xxx.xxx.225 192.168.1.1 netmask 255.255.255.255 0 0

access-group acl_out in interface outside

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si

p 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

no sysopt route dnat

telnet timeout 5

ssh timeout 5

dhcpd address 192.168.1.2-192.168.1.2 inside

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

dhcpd enable inside

terminal width 80

Cryptochecksum:xxxx

: end

[OK]

pixfirewall(config)#

Re: Pix 501 problem, I cant receive smtp mail

Patrick Iseli — Tue, 22 Feb 2005 15:18:45 GMT

Yes this should be fine.

Have you done a:

"clear xlate" on the PIX Firewall after you have changed the static configuration?

Basicly all smtp, pop and www should be forwarded on the public IP that you defined, which is your router outside IP. Then you forward this trafic to the PIX outside IP and finaly you Port forwarding this three protocols on the Mail Servers internal IP.

This is the way how it works.

To test that traffic:

On an externel connection on the internet do a

telnet YourMailServerPublicIP 25

You should get a mail server banner !

You can also use the capture command (PIX sniffer) to check if you see the packets comming on the outside PIX interface.

example:

access-list smtp permit tcp any any eq 25

capture smtpcap access-list smtp interface outside

show capture smtpcap access-list smtp detail

to remove the capture:

no capture smtpcap

#Do this twice to remove the data from the capture on the PIX

no capture smtpcap

no access-list smtp

sincerely

Patrick

Re: Pix 501 problem, I cant receive smtp mail

firebird9 — Tue, 22 Feb 2005 16:27:57 GMT

Hi Patrick,

I have done a clear xlate but still no joy getting mail back.

mail bounces with the following message: -

Sorry, I wasn't able to establish an SMTP connection. (#4.4.1)

I'm not going to try again; this message has been in the queue too long.

can't telnet in as connection is refused.

But if I remove Pix both the above work fine!

Any help would much appreciated

Regards

Vinny.

Re: Pix 501 problem, I cant receive smtp mail

jmia — Tue, 22 Feb 2005 16:39:07 GMT

Vinny,

Can you enable logging on the pix, this way we should be able to see what the pix is doing when trying to send/receive SMTP mail.

(in config mode)

logging on

logging buffer debug

sho log

[to disable logging do: no logging on]

post the results here, taking out any sensitive info.

Jay

Re: Pix 501 problem, I cant receive smtp mail

Patrick Iseli — Tue, 22 Feb 2005 16:50:05 GMT

I have seen that your outside interface has a Dynamic IP. How did you setup the network between the router and PIX. It is better to use a static IP on the PIX outside interface !!!

What is the outside IP ?

You configured that access-list:

access-list acl_out permit tcp any host 80.xxx.xxx.225 eq smtp

access-list acl_out permit tcp any host 80.xxx.xxx.225 eq pop3

access-list acl_out permit tcp any host 80.xxx.xxx.225 eq www

The 80.xxx.xxx.225 should be the IP address of the PIX outside interface !!

You also coould configure that the access-list use the DHCP outside IP with:

access-list acl_out permit tcp any interface outside eq smtp

access-list acl_out permit tcp any interface outside eq pop3

access-list acl_out permit tcp any interface outside eq www

sincerely

Patrick

Re: Pix 501 problem, I cant receive smtp mail

firebird9 — Tue, 22 Feb 2005 17:22:05 GMT

Hi Jay,

Thanks for you help.

Please find attached the sho log you requested.

Rgds

Vinny.

Re: Pix 501 problem, I cant receive smtp mail

firebird9 — Wed, 23 Feb 2005 01:50:46 GMT

Patrick,

My outside interface receives DHCP from the Router/Modem but I have limited the range of IP addresses to only one, so the outside interface of the Pix can only ever be 192.168.0.2.

The Router is 192.168.0.1.

You said: -

'The 80.xxx.xxx.225 should be the IP address of the PIX outside interface'

I'm sorry but I don't understand, I only have one static IP address from my ISP, you suggest this static IP address should be assigned to the outside interface of the Pix, so what IP address would the Router be?

I am sorry if these questions sound dumb but I am a little confused.

Thanks once again for your help.

Vinny.

Re: Pix 501 problem, I cant receive smtp mail

Patrick Iseli — Wed, 23 Feb 2005 13:57:46 GMT

I finaly found the problem.

On the ADSL Router you have configured the same Network 192.168.0.0/24 as you use behind the Mail

Server. This setup will not work because this leads into a duplicated IP range and you will have routing

problems.

Change the setup for another IP range between the ADSL router and the PIX Firewall and everthing will

work.

Note the only Public IP that is configured, received is on the Netgear ADSL router all other interfaces uses

public IPs.

Resume of the networks and IPs:

80.x.y.z/255.255.255.x = Netgear outside IP

192.168.2.0/255.255.255.0 = Network between the Netgear internal and the PIX outside interface

192.168.1.0/255.255.255.0 = Network between the PIX inside and the Mail Server external interface

192.168.0.0/255.255.255.0 = Network between the Mail server internal interface and the Mail clients.

Use 192.168.2.0 255.255.255.0 for this network, then configure 192.168.2.1 for your ADSL Router inside

interface, use a static IP 192.168.2.2 255.255.255.0 on the PIX Firewall outside interface.

ADSL Setup:

You can choose on the Netgear between forwarding all traffic from the public IP 80.x.y.z to 192.168.2.2 which is NAT or

you can port forward the http, pop3 and smtp, it does not really matter, it is just important that you NAT or PAT it

to the PIX Firewall.

PIX setup example:

All traffic received on the PIX outside interface for http, pop3 and smtp is then forwarded from 192.168.2.2 to the mail

server 192.168.1.2 external IP.

ip address outside 192.168.2.2 255.255.255.0

ip address inside 192.168.1.1 255.255.255.0

access-list acl_out permit tcp any host 192.168.2.2 eq http

access-list acl_out permit tcp any host 192.168.2.2 eq pop

access-list acl_out permit tcp any host 192.168.2.2 eq smtp

access-group acl_out in interface outside

static (inside,outside) tcp 192.168.2.2 80 192.168.1.2 80 netmask 255.255.255.255 0 0

static (inside,outside) tcp 192.168.2.2 110 192.168.1.2 110 netmask 255.255.255.255 0 0

static (inside,outside) tcp 192.168.2.2 25 192.168.1.2 25 netmask 255.255.255.255 0 0

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 192.168.2.1

Mail Server setup:

The mail server has a default route to the PIX Firewall.

Default gateway on Mail server = 192.168.1.1

Do you NAt or PAT the internal clients on the Mail server to go to the Internet in direction of the PIX? If no then you have to add another route on the PIX, so that the PIX know that the network 192.168.0.0/24 is behind the Mail Server as this device is doing the routing for this network.

Add a route on the PIX inside interface:

route inside 192.168.0.0 255.255.255.0 192.168.1.2

Mail clients:

All mail clients have the Mail Server internal IP as default gateway.

Default gateway = 192.168.0.3

This setup will work at 100%

Sorry if I confused you.

sincerely

Patrick

Re: Pix 501 problem, I cant receive smtp mail

Patrick Iseli — Wed, 23 Feb 2005 14:13:22 GMT

Another way could be to NAT on the PIX so that all traffic from 192.168.1.0 is forwarded one to one to 192.168.2.0 instead of NATing, port forwarding the traffic. This would increase the performance but I don't think that performance is an issue on the PIX.

Please let me know if this setup is more interesting for you.

Good luck

Patrick

Re: Pix 501 problem, I cant receive smtp mail

firebird9 — Wed, 23 Feb 2005 14:46:05 GMT

Hi Patrick,

Thanks very much I understand this much better now.

I would still be very interested to learn the NAT method with the Router port forwarding all traffic to the extrenal interface of the Pix.

Thanks

Vinny

Re: Pix 501 problem, I cant receive smtp mail

firebird9 — Wed, 23 Feb 2005 19:34:20 GMT

Hi Patrick,

I have implemented your suggestion but still no cigar!

I unfortunately have another problem, since trying this our clients no longer get out on the Internet, but dns is working.

The server on the other hand still has Internet access as per usual.

Mail still gets out but mail can’t get back in.

Please have a look at the latest attached config & sho log.

Thank you for your patients & hanging in there with me.

Rgds

Vinny

Re: Pix 501 problem, I cant receive smtp mail

Patrick Iseli — Wed, 23 Feb 2005 21:34:24 GMT

If you connect a Notebook directly on the PIX network 192.168.1.0 and you connect to the internet then it works ?

Have you done a clear xlate on the PIX ?

Re: Pix 501 problem, I cant receive smtp mail

firebird9 — Wed, 23 Feb 2005 23:20:44 GMT

Yes, the mail server is on 192.168.1.2 and it works fine on the internet, but mail still does not get in.

Plus, clients are not getting internet, it’s weird because if I ping www.yahoo.com it resolves the address & requests times out (which is what I would expect).

All clients lost internet when I changed the router internal address to 192.168.2.1 & Pix External address to be 192.168.2.2

Patrick, you did not suggest a line of code to assign my public fixed IP address (80.xxx.xxx.225) to a specific interface, I put in the following line of code but I am not sure if this is correct: -

static (inside,outside) 80.177.115.225 192.168.1.1 netmask 255.255.255.255 0 0

After changing the code, I performed a write m and then a clear xlate, in that order.

I will perform a test using a laptop to be certain.

Thanks again

Vinny

Re: Pix 501 problem, I cant receive smtp mail

Patrick Iseli — Wed, 23 Feb 2005 23:34:00 GMT

No this line should not be there

no static (inside,outside) 80.177.115.225 192.168.1.1 netmask 255.255.255.255 0 0

and

clear xlate.

Have you tryed if the connection to the internet from the 192.168.1.x network works ?

sincerely

Patrick

Re: Pix 501 problem, I cant receive smtp mail

Patrick Iseli — Thu, 24 Feb 2005 00:49:09 GMT

Have you changed the PAT and NAT settings on your ADSL Router ?

Other question what is the idea to connect your Mail clients behind another ethernet interface on the Mail server. This might be the problem. Connect them instead to the same network as the PIX inside interface.

sincerely

Patrick

Re: Pix 501 problem, I cant receive smtp mail

Patrick Iseli — Thu, 24 Feb 2005 01:45:45 GMT

Lets change the config completly and disable NAT !

Note the only Public IP that is configured, received is on the Netgear ADSL router all other interfaces uses private IPs.

Resume of the networks and IPs:

80.x.y.z/255.255.255.x = Netgear outside IP

192.168.2.0/255.255.255.0 = Network between the Netgear internal and the PIX outside interface

192.168.1.0/255.255.255.0 = Network between the PIX inside and the Mail Server external interface

192.168.0.0/255.255.255.0 = Network between the Mail server internal interface and the Mail clients.

The netgear ADSL Router forwards all smtp, pop3 and http traffic to 192.168.1.2. Configure Port Address translation (masquerading) for 192.168.0.0 255.255.0.0 to your public IP 80.x.y.225 on the netgear Router.

example PIX without NAT:

access-list NONAT permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list NONAT permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list acl_out permit tcp any host 192.168.1.2 eq smtp

access-list acl_out permit tcp any host 192.168.1.2 eq www

access-list acl_out permit tcp any host 192.168.1.2 eq pop3

ip address outside 192.168.2.2 255.255.255.0

ip address inside 192.168.1.1 255.255.255.0

nat (inside) 0 access-list NONAT

route outside 0.0.0.0 0.0.0.0 192.168.2.1 1

route inside 192.168.0.0 255.255.255.0 192.168.1.2 1

dhcpd address 192.168.1.2-192.168.1.2 inside

dhcpd dns YourDNSIP-1 YourDNSIP-2

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

dhcpd enable inside

Mail Server setup:

The mail server has a default route to the PIX Firewall = 192.168.1.1. The Mail server should not do any NAT just forwarding the traffic. But I think the setup would be much easyer if you would remove that internal interface on the mail server an instead connect all clients on the PIX inside interface 192.168.1.0 and not 192.168.0.0.

good luck.

Might be also a good idea to sniff to anlyse that traffic is correctly forwarded. You could use Ethereal to check that or the PIX capture command.

sincerely

Patrick

Re: Pix 501 problem, I cant receive smtp mail

firebird9 — Fri, 25 Feb 2005 21:34:05 GMT

Hi Patrick,

I have tried the above but still no joy with mail coming back in.

On the plus side we do have Internet back on all clients.

I have attached the latest config, if you could please have a look, in case I have done something wrong.

I am prepared to do away with 192.168.0.0 subnet and go with your suggestion of connecting all clients to the 192.168.1.0 subnet.

Is there anything I need to be careful of before I do this?

Kind Regards

Vinny.