topic Re: AJ: PIX with mail server problem in Network Security

AJ: PIX with mail server problem

ajarina — Fri, 21 Feb 2020 06:16:09 GMT

I have a PIX 501 running V6.1(2). Im using a DSL line connected to the PIX, then from the PIX i connect 2 servers with 2 LAN cards. The other cards are connected to the inner LAN (172.16.0.0). The first server runs proxy to allow the inner network to surf the internet and the second server is a mail server. Heres a trascript of my configuration:

DSL

202.2.2.240

PIX

192.168.0.0

Mail(192.168.0.3) / Proxy(192.168.0.2)

LAN(172.16.0.0)

access-list 100 permit icmp any any echo-reply

access-list 100 permit icmp any any time-exceeded

access-list 100 permit icmp any any unreachable

access-list 100 permit tcp any host 202.2.2.242 eq smtp

ip address outside 202.2.2.246 255.255.255.248

ip address inside 192.168.0.1 255.255.255.0

global (outside) 1 202.2.2.244

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside, outside) 202.2.2.242 192.168.0.3

route outside 0.0.0.0 0.0.0.0 202.2.2.241

access-group 100 in interface outside

The problem is when I inject static, access-list, access-group then clear xlate, the mail server will not be able to surf, send and accept email (Proxy still works fine). The email server works fine when given with a public IP and connected directly to the DSL line. Anyone got an explanation to this?

Re: AJ: PIX with mail server problem

josh-perkins — Wed, 25 Sep 2002 17:01:56 GMT

Hey,

What's the default gateway on the mail server?

Re: AJ: PIX with mail server problem

ajarina — Tue, 01 Oct 2002 03:54:04 GMT

default gateway is the inside address of the PIX which is 192.168.0.1

Re: AJ: PIX with mail server problem

bdube — Tue, 01 Oct 2002 12:01:06 GMT

Hi Allan,

1- Check if you have a static translation (show xlate) for your mail server

2- If not, try the more generic command format for your static entry.

static (inside, outside) 202.2.2.242 192.168.0.3 netmask 255.255.255.255 0 0

3- If it's not working yet, use debug in combination with Syslog to see what's going through the PIX and what's rejected.

4- Another test, are you able to surf (Web) from your mail server, it should be?

Another comment, your inside network is largely open, you should restrict it by applying access-list to inside interface.

Regards,

Ben

Re: AJ: PIX with mail server problem

m.mohamedmohideen — Sun, 03 Nov 2002 07:03:50 GMT

When you make changes did you check whether the access group command is still there. when you remove the access-list and put it back you have to put back the access-group command as well.

Re: AJ: PIX with mail server problem

ajarina — Tue, 05 Nov 2002 02:47:51 GMT

Thanks all for your response. I got it working now. The problem there was that my mail server uses ESMTP (Microsoft Excahange) . I just turn off the Mail Guard (no fixup protocol smtp) since PIX doesnt support the non-standard ESMTP commands while allowing static entry for mail protocol. Now its working. Thats one good lesson ive learned.