Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
647
Views
4
Helpful
5
Replies

Help allowing smtp through a PIX

gda
Level 1
Level 1

‎09-12-2006 12:26 PM - edited ‎02-21-2020 01:10 AM

I am "simply" trying to allow smtp traffic from the internet through a PIX to my Exchange Server. I could not get this to work, so I have set up a test bed with the following configuration:

PIXFirewall# show run

: Saved

:

PIX Version 6.3(4)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxx

passwd xxxx

hostname PIXFirewall

domain-name Workgroup

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

no fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list outside_access_in permit tcp any host 172.17.2.61 eq smtp

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside 172.17.2.60 255.255.255.0

ip address inside 172.20.1.88 255.255.0.0

ip audit info action alarm

ip audit attack action alarm

pdm location 172.20.1.202 255.255.255.255 inside

pdm history enable

arp timeout 14400

global (outside) 10 172.17.2.62-172.17.2.66 netmask 255.255.255.0

nat (inside) 10 0.0.0.0 0.0.0.0 0 0

static (inside,outside) 172.17.2.61 172.20.1.202 netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 172.17.2.220 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 172.20.1.202 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

Cryptochecksum:xxxx

: end

I realize that the inside and outside IP's are both private IP's, but this is just for testing my configuration. I still cannot Telnet to the smtp port of the outside interface and get a response. Please help as I thought it should be a very simple process.

Thanks,

smtp lost

0 Helpful
5 Replies 5

a.kiprawih
Level 7
Level 7

‎09-12-2006 09:25 PM

Hi,

The config looks ok. I wonder why the fixup for SMTP is disabled. You should have it run or leave it turn-on by default (fixup protocol smtp 25). In production network, fixup protects your SMTP server from unnecessary SMTP command/access violation.

To eliminate SMTP issue, try to isolate it by runnin gother services like FTP or WWW on the same SMTP server. Open access to it by adding FTP or WWW in your existing ACL, and perhaps add/allow ICMP (ping) as well. It might be not firewall, but the SMTP server/services. If these services are through/successful, you may need to look at the SMTP services. But pls try to isolate it with the test (and enable the fixup protocol smtp).

access-list outside_access_in permit tcp any host 172.17.2.61 eq ftp

access-list outside_access_in permit tcp any host 172.17.2.61 eq www

access-list outside_access_in permit icmp any any ---------> just allow ICMP to pass from any to any in your test environment

Rgds,

AK

gda
Level 1
Level 1
In response to a.kiprawih

‎09-13-2006 07:13 AM

Thanks for the reply AK.

I tried what you suggested and I am able to telnet to port ftp and www. I still cannot telnet to smtp. Here is the new config:

PIXFirewall(config)# show run

: Saved

:

PIX Version 6.3(4)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname PIXFirewall

domain-name Workgroup

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list outside_access_in permit tcp any host 172.17.2.61 eq smtp

access-list outside_access_in permit tcp any host 172.17.2.61 eq ftp

access-list outside_access_in permit tcp any host 172.17.2.61 eq www

access-list outside_access_in permit icmp any any

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside 172.17.2.60 255.255.255.0

ip address inside 172.20.1.88 255.255.0.0

ip audit info action alarm

ip audit attack action alarm

pdm location 172.20.1.202 255.255.255.255 inside

pdm history enable

arp timeout 14400

global (outside) 10 172.17.2.62-172.17.2.66 netmask 255.255.255.0

nat (inside) 10 0.0.0.0 0.0.0.0 0 0

static (inside,outside) 172.17.2.61 172.20.1.202 netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 172.17.2.220 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 172.20.1.202 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

Cryptochecksum:492748be5c6aa1f7b991628ab718cab4

: end

Thanks again,

smtp lost

0 Helpful

gda
Level 1
Level 1
In response to gda

‎09-13-2006 07:22 AM

One other mention, I CAN Telnet to 172.20.1.202 25 from the inside network (LAN) from another workstation. Also, I have tried this config on two different PIX firewalls to eliminate a possible firmware issue.

smtp lost

0 Helpful

gda
Level 1
Level 1
In response to gda

‎09-13-2006 08:59 AM

Well, I tried the telnet to smtp from 2 different pc's on the Outside network and viola, It works! It appears that there is an issue with the workstation that I was testing from that will not allow it to telnet to any smtp server. Imagine that. I guess that is a Windows forum question. :)

Thanks all for the help!

SMTP FOUND

0 Helpful

a.kiprawih
Level 7
Level 7
In response to gda

‎09-13-2006 02:08 PM

As mentioned earlier, it might be not the firewall issue but other factor(s).

Pls rate all useful post(s).

Rgds,

AK

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card