07-28-2008 10:58 AM - edited 03-11-2019 06:21 AM
Hi,
Using ASDM, I have created an access rule for a pix 525 that allows as follows:
Interface: inside
Direction: incoming
Source IP address: internal IP of inside server, e.g. 192.168.1.10
Destination IP address: external IP of an external mail server. I have tried several and it doesn't work for any - for instance, one example is the MX for Gmail, gmail-smtp-in.l.google.com which resolves to 66.249.91.27
Protocol: tcp
Source port: any
Destination port: smtp
This is what happens:
Before the policy is added, attempting to telnet to the mail server IP on port 25 times out, as you might expect.
When the policy is added, the outbound connection starts, because when testing from the inside server I get this:
220 **************************************
However nothing else happens, no ehlo commands can be entered or anything like that. Eventually the external mail server just sends back a 421 SMTP timeout error.
It is not a problem with the destination server because they work from anywhere else - I have tried several 3rd party external servers as examples, such as Gmail. Connecting to the Gmail server works fine from elsewhere:
$ t 66.249.91.27 25
Trying 66.249.91.27...
Connected to 66.249.91.27.
Escape character is '^]'.
220 mx.google.com ESMTP c24si20282948ika.4
ehlo test
250-mx.google.com at your service, [217.154.131.202]
250-SIZE 28311552
250-8BITMIME
250 ENHANCEDSTATUSCODES
quit
221 2.0.0 mx.google.com closing connection c24si20282948ika.4
Connection closed by foreign host.
When I test the access rule with a packet trace it all passes - but strangely, the server never gets to communicate any further than the initial 220.
Has anyone else experienced this with a pix access rule to an external mail server?
Labels: NGFW Firewalls
Accepted Solutions
08-01-2008 06:46 AM
You probably want to get the SMTP application inspection (formerly called fixup) out of your way, since it is rather conservative in what kind of conversation it allows.
Try "no fixup smtp" for versions < 7.0.
In later versions you might be happy with ESMTP instead of SMTP inspection.
It can be changed in ASDM under "Configuration > Security Policy > Service Policy Rules".
Edit the inspection_default class and go to the "Rule Actions > Protocol Inspection" tab.
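The same change expressed on the command line, as an added example that is not part of the original thread. It assumes PIX/ASA 7.2 Modular Policy Framework syntax and the default class and policy names (inspection_default, global_policy); the map name ESMTP-RELAXED is an invented placeholder. The legacy "no fixup protocol smtp 25" form (the one the original poster later confirmed) removes SMTP/ESMTP inspection from the global policy entirely on 7.x; the MPF form below keeps inspection but attaches a custom ESMTP map that does not mask the server banner, which is what produces the "220 ****" line in the question instead of a readable greeting.

```text
! --- PIX 6.x (pre-7.0): turn Mail Guard off; port 25 is then governed by the ACL alone
no fixup protocol smtp 25

! --- PIX/ASA 7.x: custom ESMTP inspection map (name is an assumption).
!     mask-banner is deliberately omitted from "parameters" so the 220 greeting
!     reaches the client unaltered; command/recipient limits are kept.
policy-map type inspect esmtp ESMTP-RELAXED
 parameters
 match cmd line length gt 512
  drop-connection log
 match cmd RCPT count gt 100
  drop-connection log
 match sender-address length gt 320
  drop-connection log

! --- Swap the built-in ESMTP inspection for the custom map on the default class
policy-map global_policy
 class inspection_default
  no inspect esmtp
  inspect esmtp ESMTP-RELAXED

! --- Verify: the esmtp inspect line should show packet counts climbing during a test
show service-policy inspect esmtp
```

To check the result, repeat the telnet test from the inside host to port 25: a readable "220 mx.example ESMTP ..." banner means inspection is no longer masking the session, while a row of asterisks means the old map is still attached to inspection_default.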
07-28-2008 10:00 PM
Hi,
Do "clear arp" and "clear xlate" and then try to connect.
Also please post the config (sanitized).
07-29-2008 04:02 AM
Hi James,
I see you have a mail server in your network and need to allow it to access external mail servers. You can't specify the destination as Gmail, Yahoo or Hotmail, as these servers have many IP addresses.
Try making the destination IP address any and the port number 25.
Secondly: many mail servers like Yahoo and Hotmail don't allow any further communication such as the hello message; you can only telnet and see the start, nothing more. So try to send an e-mail and see if it's received.
Please update me with what happens.
Best regards,
M.Moustafa.
08-01-2008 06:01 AM
Hi all,
How much downtime does clear xlate cause?
Anyway - I know that Hotmail etc. have lots of IPs, that was just an example as the same issue happened with all mail servers, even if the destination was any.
The weirdest thing is - I set up a POP mailbox in OE on the server and it was able to successfully send mail, even though telnet to the mail server on port 25 came up with the error.
Since telnet to the mail server on port 25 works perfectly from anything that isn't behind this pix, I find that to be a bit odd.
08-01-2008 09:18 AM
Thanks very much!
It is version 7.2, I went with no fixup protocol smtp 25 to test first of all, and was able to telnet to a mail server and get normal responses straight away.
I then switched it back on again, and will check out the inspection rules in ASDM as well.
Thanks again!
