
AJ: PIX with mail server problem

ajarina
Level 1

I have a PIX 501 running V6.1(2). I'm using a DSL line connected to the PIX, then from the PIX I connect 2 servers with 2 LAN cards. The other cards are connected to the inner LAN (172.16.0.0). The first server runs a proxy to allow the inner network to surf the internet and the second server is a mail server. Here's a transcript of my configuration:

DSL
|
202.2.2.240
|
PIX
|
192.168.0.0
|
Mail(192.168.0.3) / Proxy(192.168.0.2)
|
LAN(172.16.0.0)

access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host 202.2.2.242 eq smtp
ip address outside 202.2.2.246 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
global (outside) 1 202.2.2.244
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside, outside) 202.2.2.242 192.168.0.3
route outside 0.0.0.0 0.0.0.0 202.2.2.241
access-group 100 in interface outside

The problem is that when I inject the static, access-list and access-group and then clear xlate, the mail server is no longer able to surf, send or accept email (the proxy still works fine). The email server works fine when given a public IP and connected directly to the DSL line. Anyone got an explanation for this?

5 Replies

josh-perkins
Level 1

Hey,

What's the default gateway on the mail server?

default gateway is the inside address of the PIX which is 192.168.0.1

bdube
Level 2

Hi Allan,

1- Check if you have a static translation (show xlate) for your mail server.

2- If not, try the more generic command format for your static entry.

static (inside, outside) 202.2.2.242 192.168.0.3 netmask 255.255.255.255 0 0

3- If it's still not working, use debug in combination with syslog to see what's going through the PIX and what's rejected.

4- Another test: are you able to surf (Web) from your mail server? You should be.

Another comment: your inside network is largely open; you should restrict it by applying an access-list to the inside interface.

Regards,

Ben

When you make changes, did you check whether the access-group command is still there? When you remove the access-list and put it back, you have to put back the access-group command as well.

Thanks all for your response. I got it working now. The problem there was that my mail server uses ESMTP (Microsoft Exchange). I just turned off the Mail Guard (no fixup protocol smtp), since the PIX doesn't support the non-standard ESMTP commands, while allowing the static entry for the mail protocol. Now it's working. That's one good lesson I've learned.
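As an added example (not code from this thread or from Cisco), the script below walks the same checklist the replies above go through against the posted configuration excerpt: is there a static for the mail server, does an access-list permit SMTP to the static's global address, is that access-list actually bound with access-group on the outside interface, and is Mail Guard still on. It also models which SMTP verbs Mail Guard forwards (the seven RFC 821 minimum commands that `fixup protocol smtp` passes on PIX 6.x; anything else, including the EHLO that an Exchange ESMTP session opens with, is not forwarded as sent), which is why the final fix was `no fixup protocol smtp`. The configuration text and the SMTP session are constructed samples; the regexes cover only the command forms shown in the thread.

```python
"""Audit a PIX 6.x config excerpt for a published mail server, and model
what Mail Guard (fixup protocol smtp) does to an ESMTP command stream."""
import re

# Constructed sample: the configuration excerpt from the original post.
SAMPLE_CONFIG = """\
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host 202.2.2.242 eq smtp
ip address outside 202.2.2.246 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
global (outside) 1 202.2.2.244
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside, outside) 202.2.2.242 192.168.0.3
route outside 0.0.0.0 0.0.0.0 202.2.2.241
access-group 100 in interface outside
"""

# The seven SMTP commands Mail Guard lets through; other verbs are not
# forwarded as sent, so an ESMTP greeting (EHLO) never reaches the server intact.
MAIL_GUARD_COMMANDS = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}

STATIC_RE = re.compile(
    r"^static\s*\(\s*(?P<inside>\w+)\s*,\s*(?P<outside>\w+)\s*\)\s+"
    r"(?P<global>\d+\.\d+\.\d+\.\d+)\s+(?P<local>\d+\.\d+\.\d+\.\d+)")
ACL_SMTP_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+permit\s+tcp\s+"
    r"(?:any|host\s+\S+|\S+\s+\S+)\s+host\s+(?P<dst>\S+)\s+eq\s+(?:smtp|25)\b")
ACCESS_GROUP_RE = re.compile(
    r"^access-group\s+(?P<acl>\S+)\s+in\s+interface\s+(?P<iface>\S+)")


def audit_mail_static(config_text, mail_local_ip):
    """Return findings for the static that publishes mail_local_ip."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    findings = {
        "global_ip": None,           # outside address the static publishes
        "acl_permits_smtp": None,    # name of the ACL permitting tcp/25 to it
        "acl_bound_outside": False,  # that ACL applied inbound on 'outside'
        # PIX 6.x enables fixup protocol smtp by default; the excerpt shows no fixup line.
        "mail_guard": "on (PIX default; no fixup line in excerpt)",
    }
    for ln in lines:
        m = STATIC_RE.match(ln)
        if m and m.group("local") == mail_local_ip:
            findings["global_ip"] = m.group("global")
    if findings["global_ip"] is None:
        return findings  # nothing published, the remaining checks are moot
    for ln in lines:
        m = ACL_SMTP_RE.match(ln)
        if m and m.group("dst") == findings["global_ip"]:
            findings["acl_permits_smtp"] = m.group("acl")
    for ln in lines:
        m = ACCESS_GROUP_RE.match(ln)
        if (m and m.group("acl") == findings["acl_permits_smtp"]
                and m.group("iface") == "outside"):
            findings["acl_bound_outside"] = True
        if ln.startswith("no fixup protocol smtp"):
            findings["mail_guard"] = "off"
        elif ln.startswith("fixup protocol smtp"):
            findings["mail_guard"] = "on"
    return findings


def mail_guard_passes(command_line):
    """True if Mail Guard would forward this SMTP command verb unchanged."""
    parts = command_line.split(None, 1)
    return bool(parts) and parts[0].upper() in MAIL_GUARD_COMMANDS


def filter_session(commands):
    """Annotate each command of a session with whether Mail Guard passes it."""
    return [(c, mail_guard_passes(c)) for c in commands]


if __name__ == "__main__":
    for key, value in audit_mail_static(SAMPLE_CONFIG, "192.168.0.3").items():
        print(f"{key}: {value}")
    # Constructed sample of an Exchange-style session opening with EHLO.
    session = ["EHLO exchange.example.com", "MAIL FROM:<user@example.com>",
               "RCPT TO:<user@example.net>", "DATA", "QUIT"]
    for cmd, ok in filter_session(session):
        print(f"{'pass' if ok else 'BLOCKED':8} {cmd}")
```

Run against the posted excerpt, the audit shows the static, ACL and access-group are all consistent, leaving Mail Guard as the remaining difference between the PIX path and the direct-DSL path; re-running it with a `no fixup protocol smtp 25` line appended reports Mail Guard off.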
