02-21-2005 07:46 AM - edited 02-20-2020 11:58 PM
Currently I can send mail but cannot receive mail from the Internet, if I remove the Pix and connect directly to the Modem/Router then I can SMTP in on port 25 and SMTP mail works fine both in & out.
All we want this Pix to allow at present is:
a) Internet access to all internal network clients
b) Allow clients to pop mail from web mail accounts
c) We wish to use Exchange & Outlook and host our own e-mail using SMTP
Please find attached two documents: -
1. A current edited running config of my 501 Pix
2. A PowerPoint diagram of my network.
I very much appreciate any help.
Vinny.
02-23-2005 05:57 AM
I finally found the problem.
On the ADSL Router you have configured the same Network 192.168.0.0/24 as you use behind the Mail Server. This setup will not work because this leads into a duplicated IP range and you will have routing problems.
Change the setup for another IP range between the ADSL router and the PIX Firewall and everything will work.
Note the only Public IP that is configured/received is on the Netgear ADSL router; all other interfaces use public IPs.
Summary of the networks and IPs:
80.x.y.z/255.255.255.x = Netgear outside IP
192.168.2.0/255.255.255.0 = Network between the Netgear internal and the PIX outside interface
192.168.1.0/255.255.255.0 = Network between the PIX inside and the Mail Server external interface
192.168.0.0/255.255.255.0 = Network between the Mail server internal interface and the Mail clients.
Use 192.168.2.0 255.255.255.0 for this network, then configure 192.168.2.1 for your ADSL Router inside interface, and use a static IP 192.168.2.2 255.255.255.0 on the PIX Firewall outside interface.
ADSL Setup:
You can choose on the Netgear between forwarding all traffic from the public IP 80.x.y.z to 192.168.2.2, which is NAT, or you can port forward the http, pop3 and smtp; it does not really matter, it is just important that you NAT or PAT it to the PIX Firewall.
PIX setup example:
All traffic received on the PIX outside interface for http, pop3 and smtp is then forwarded from 192.168.2.2 to the mail server 192.168.1.2 external IP.
ip address outside 192.168.2.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
access-list acl_out permit tcp any host 192.168.2.2 eq http
access-list acl_out permit tcp any host 192.168.2.2 eq pop3
access-list acl_out permit tcp any host 192.168.2.2 eq smtp
access-group acl_out in interface outside
static (inside,outside) tcp 192.168.2.2 80 192.168.1.2 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.2.2 110 192.168.1.2 110 netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.2.2 25 192.168.1.2 25 netmask 255.255.255.255 0 0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.2.1
Mail Server setup:
The mail server has a default route to the PIX Firewall.
Default gateway on Mail server = 192.168.1.1
Do you NAT or PAT the internal clients on the Mail server to go to the Internet in the direction of the PIX? If not, then you have to add another route on the PIX, so that the PIX knows that the network 192.168.0.0/24 is behind the Mail Server, as this device is doing the routing for this network.
Add a route on the PIX inside interface:
route inside 192.168.0.0 255.255.255.0 192.168.1.2
Mail clients:
All mail clients have the Mail Server internal IP as default gateway.
Default gateway = 192.168.0.3
This setup will work at 100%
Sorry if I confused you.
sincerely
Patrick
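The two faults Patrick describes in the solution above (one subnet used on two links, and a route on the PIX whose destination collides with a subnet the PIX is directly connected to) can be caught before touching any device. The script below is an added example, not code from the thread; it uses the addresses Patrick lists, and the function names and the "broken" versus "fixed" plans are my own construction.

```python
"""Check an addressing plan for the two faults described above: the same
subnet used on two links, and a static route whose destination collides with
a subnet the PIX is directly connected to. Added example, not code from the
thread; function names are my own."""
from ipaddress import ip_address, ip_interface, ip_network


def find_overlaps(links):
    """links maps a link name to its subnet; returns pairs of links that overlap."""
    nets = {name: ip_network(net, strict=False) for name, net in links.items()}
    names = list(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def check_routes(interfaces, routes):
    """interfaces maps a PIX interface name to 'addr/prefix';
    routes is a list of (destination, next_hop, interface), one per 'route' line.
    Returns human-readable problems (empty list means the plan is consistent)."""
    connected = {name: ip_interface(addr).network for name, addr in interfaces.items()}
    problems = []
    for dest, next_hop, ifname in routes:
        dest_net = ip_network(dest)
        # the next hop must sit on the subnet of the interface the route points out of
        if ip_address(next_hop) not in connected[ifname]:
            problems.append(f"route {dest} via {next_hop}: next hop not on {ifname} "
                            f"subnet {connected[ifname]}")
        # a non-default route must not point at a subnet that is already
        # directly connected on a different interface
        if dest_net.prefixlen == 0:
            continue
        for other, net in connected.items():
            if other != ifname and dest_net.overlaps(net):
                problems.append(f"route {dest} via {ifname} collides with connected "
                                f"subnet {net} on {other}")
    return problems


# Constructed from the thread: the broken plan reuses 192.168.0.0/24 on the
# ADSL-to-PIX link and again behind the mail server.
BROKEN_LINKS = {"adsl-pix": "192.168.0.0/24", "pix-mail": "192.168.1.0/24",
                "mail-clients": "192.168.0.0/24"}
BROKEN_PIX = {"outside": "192.168.0.2/24", "inside": "192.168.1.1/24"}
BROKEN_ROUTES = [("0.0.0.0/0", "192.168.0.1", "outside"),
                 ("192.168.0.0/24", "192.168.1.2", "inside")]

# The fix: a fresh 192.168.2.0/24 between the Netgear and the PIX.
FIXED_LINKS = {"adsl-pix": "192.168.2.0/24", "pix-mail": "192.168.1.0/24",
               "mail-clients": "192.168.0.0/24"}
FIXED_PIX = {"outside": "192.168.2.2/24", "inside": "192.168.1.1/24"}
FIXED_ROUTES = [("0.0.0.0/0", "192.168.2.1", "outside"),
                ("192.168.0.0/24", "192.168.1.2", "inside")]

if __name__ == "__main__":
    for label, links, pix, routes in (("broken", BROKEN_LINKS, BROKEN_PIX, BROKEN_ROUTES),
                                      ("fixed", FIXED_LINKS, FIXED_PIX, FIXED_ROUTES)):
        print(label, "overlaps:", find_overlaps(links))
        for p in check_routes(pix, routes):
            print(label, "problem:", p)
```

Run as-is it reports the overlap and the colliding "route inside 192.168.0.0/24" for the broken plan and nothing for the fixed one. The route check is the part that explains the symptom: with 192.168.0.0/24 on the outside link, the PIX can never send replies for the mail clients to 192.168.1.2, because it believes that subnet is directly connected on the outside.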
02-21-2005 09:59 AM
Hello Vinny,
I've looked at your network setup, but it states that the NetGear modem is forwarding port 25 to 192.168.1.1. It should actually forward to either the interface or a static ip-address in the 192.168.0.x range.
Is there a reason why you want to have your clients go through the server, then through the pix and then through the netgear on the Internet?
Below is an example how it could work:
Internet <--> 80.x.x.225 Netgear 192.168.1.1 <-> 192.168.1.2 (outside) PIX (inside) 192.168.0.1
The PIX would become the default gateway for the clients and the server. A static translation can be set for 192.168.1.3 to the internal IP address of the server:
static (inside,outside) 192.168.1.3 192.168.0.y
access-list acl_out permit tcp any host 192.168.1.3 eq smtp
and configure the Netgear router to forward smtp to 192.168.1.3.
Then the network configuration is much easier and the clients will connect through the PIX.
Look at the following url for more information:
Hope this helps,
Pieter-Jan
02-21-2005 05:46 PM
You mixed some IPs: the smtp, www and pop3 traffic should go to 192.168.1.2, which is your internal IP address, and not to the inside IP of your PIX!!!
ip address inside 192.168.1.1 255.255.255.0
static (inside,outside) tcp interface www 192.168.1.2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 192.168.1.2 pop3 netmask 255.255.255.255 0 0
sincerely
Patrick
02-22-2005 06:50 AM
Hi Patrick,
Thanks for your input.
If I understand you correctly, I should use 192.168.1.2, which is the external interface of my mail server, for the static commands that relate to www, smtp and pop3.
What about my last static command? Do I leave this as 192.168.1.1?
static (inside,outside) 80.x.x.168.1.1 netmask 255.x.x.255 0 0
I currently have the Router/modem port forwarding to 192.168.0.2 which is the External interface of the Pix, is this still OK?
I have made the changes as I understood them and I still do not get mail back in, please let me know if I have done something wrong.
Thanks again, Vinny.
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx
passwd xxxx
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list acl_out permit tcp any host 80.xxx.xxx.225 eq smtp
access-list acl_out permit tcp any host 80.xxx.xxx.225 eq pop3
access-list acl_out permit tcp any host 80.xxx.xxx.225 eq www
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.x.x.x.0.0 0 0
static (inside,outside) tcp interface www 192.168.1.2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 192.168.1.2 pop3 netmask 255.255.255.255 0 0
static (inside,outside) 80.xxx.xxx.225 192.168.1.1 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.1.2-192.168.1.2 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:xxxx
: end
[OK]
pixfirewall(config)#
02-22-2005 07:18 AM
Yes, this should be fine.
Have you done a "clear xlate" on the PIX Firewall after you changed the static configuration?
Basically all smtp, pop and www should be forwarded on the public IP that you defined, which is your router outside IP. Then you forward this traffic to the PIX outside IP, and finally you port forward these three protocols to the Mail Server's internal IP.
This is the way it works.
To test that traffic:
On an external connection on the Internet do a
telnet YourMailServerPublicIP 25
You should get a mail server banner!
You can also use the capture command (PIX sniffer) to check if you see the packets coming in on the outside PIX interface.
example:
access-list smtp permit tcp any any eq 25
capture smtpcap access-list smtp interface outside
show capture smtpcap access-list smtp detail
to remove the capture:
no capture smtpcap
#Do this twice to remove the data from the capture on the PIX
no capture smtpcap
no access-list smtp
sincerely
Patrick
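Patrick's telnet test distinguishes the three outcomes that matter here: a 220 banner (the path through the router and PIX works), a refused connection (something in the path answers with a reset, which is what Vinny reports below), or silence until the timeout (the packet is dropped somewhere). The script below is an added example, not from the thread: it runs the same check from Python and, so it can be tried offline, starts a tiny fake SMTP greeter on localhost as a constructed stand-in for the real mail server.

```python
"""Reproduce the 'telnet YourMailServerPublicIP 25' test in code: open a TCP
connection, read the greeting and classify the result. Added example, not
from the thread. The fake greeter on localhost is a constructed stand-in for
the mail server; hostnames and ports are constructed."""
import socket
import threading


def read_smtp_banner(host, port, timeout=5.0):
    """Return ('banner', greeting) if the server greets us, ('refused', None)
    if the TCP connection is refused, or ('timeout', None) if nothing answers.
    A refusal or timeout with the firewall in the path, but a banner without
    it, points at the NAT/ACL configuration rather than at the mail server."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = b""
            # SMTP greetings end with CRLF; cap the read so a chatty peer cannot stall us
            while not data.endswith(b"\r\n") and len(data) < 512:
                chunk = s.recv(256)
                if not chunk:
                    break
                data += chunk
            return "banner", data.decode("ascii", "replace").strip()
    except ConnectionRefusedError:
        return "refused", None
    except socket.timeout:
        return "timeout", None


def banner_is_smtp(greeting):
    """An SMTP server opens with reply code 220 (RFC 5321)."""
    return greeting is not None and greeting[:3] == "220"


def start_fake_smtp(greeting=b"220 mail.example.test ESMTP ready\r\n"):
    """Constructed stand-in for the mail server: accepts one connection on an
    ephemeral localhost port, sends the greeting and closes. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve_once():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(greeting)
        srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return srv.getsockname()[1]


def closed_port():
    """Constructed: a localhost port nothing is listening on (bind, read, release)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    status, greeting = read_smtp_banner("127.0.0.1", start_fake_smtp())
    print(status, greeting, "looks like SMTP:", banner_is_smtp(greeting))
    print(read_smtp_banner("127.0.0.1", closed_port()))
```

Against a real host you would call read_smtp_banner with the public address and port 25 from a machine outside the network; the "refused" result is the interesting one in this thread, because a refused connection means something answered the SYN, so the packet did reach a device that had no listener or translation for it.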
02-22-2005 08:27 AM
Hi Patrick,
I have done a clear xlate but still no joy getting mail back.
Mail bounces with the following message:
Sorry, I wasn't able to establish an SMTP connection. (#4.4.1)
I'm not going to try again; this message has been in the queue too long.
I can't telnet in, as the connection is refused.
But if I remove the Pix, both of the above work fine!
Any help would be much appreciated.
Regards
Vinny.
02-22-2005 08:39 AM
Vinny,
Can you enable logging on the pix? This way we should be able to see what the pix is doing when trying to send/receive SMTP mail.
(in config mode)
logging on
logging buffer debug
sho log
[to disable logging do: no logging on]
post the results here, taking out any sensitive info.
Jay
02-22-2005 08:50 AM
I have seen that your outside interface has a dynamic IP. How did you set up the network between the router and the PIX? It is better to use a static IP on the PIX outside interface!!!
What is the outside IP ?
You configured that access-list:
access-list acl_out permit tcp any host 80.xxx.xxx.225 eq smtp
access-list acl_out permit tcp any host 80.xxx.xxx.225 eq pop3
access-list acl_out permit tcp any host 80.xxx.xxx.225 eq www
The 80.xxx.xxx.225 should be the IP address of the PIX outside interface !!
You could also configure the access-list to use the DHCP outside IP with:
access-list acl_out permit tcp any interface outside eq smtp
access-list acl_out permit tcp any interface outside eq pop3
access-list acl_out permit tcp any interface outside eq www
sincerely
Patrick
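Patrick's two corrections in this thread (the statics must translate to the mail server, not to the PIX's own inside address, and the outside access-list must permit traffic to the PIX outside address, or to "interface outside" when that address comes from DHCP) are mechanical enough to lint. The script below is an added example, not code from the thread: it parses only the command forms quoted in the posts above, and the "broken" config is a constructed reconstruction of the mistakes described (with the outside address set to the 192.168.0.2 Vinny says it always gets), not Vinny's actual running config.

```python
"""Lint a PIX 6.x style config for the two mistakes pointed out in this thread:
an outside access-list that permits traffic to an address that is not the PIX
outside interface, and a static that hands port-forwarded traffic to the PIX's
own inside address instead of the host behind it. Added example, not code from
the thread; the parser only understands the command forms quoted in the posts."""

PORT_NAMES = {"www": 80, "http": 80, "smtp": 25, "pop3": 110}


def port_number(token):
    """Map a PIX port keyword or number to an integer (None if unknown)."""
    return int(token) if token.isdigit() else PORT_NAMES.get(token)


def parse_config(text):
    cfg = {"ip": {}, "acl": [], "static": [], "access_group": {}}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:2] == ["ip", "address"]:
            # 'ip address outside dhcp setroute' -> None (address unknown at lint time)
            cfg["ip"][t[2]] = None if t[3] == "dhcp" else t[3]
        elif t[0] == "access-list" and len(t) >= 9 and t[2] == "permit":
            # access-list NAME permit tcp any host IP eq PORT
            # access-list NAME permit tcp any interface outside eq PORT
            if t[5] == "host":
                dst = t[6]
            elif t[5] == "interface":
                dst = ("interface", t[6])
            else:
                continue
            cfg["acl"].append((t[1], dst, port_number(t[8])))
        elif t[0] == "static" and t[2] == "tcp":
            # static (inside,outside) tcp GLOBAL GPORT LOCAL LPORT netmask ...
            cfg["static"].append((t[3], port_number(t[4]), t[5], port_number(t[6])))
        elif t[0] == "access-group":
            cfg["access_group"][t[4]] = t[1]  # interface -> acl bound to it
    return cfg


def lint(cfg):
    findings = []
    outside, inside = cfg["ip"].get("outside"), cfg["ip"].get("inside")
    acl_name = cfg["access_group"].get("outside")
    permitted_ports = set()
    for name, dst, port in cfg["acl"]:
        if name != acl_name:
            continue
        permitted_ports.add(port)
        if dst == ("interface", "outside"):
            continue  # always matches the real outside address, DHCP or not
        if outside is None:
            findings.append(f"{name}: outside is DHCP, host {dst} cannot be checked; use 'interface outside'")
        elif dst != outside:
            findings.append(f"{name}: permits to {dst} but the PIX outside address is {outside}")
    for gaddr, gport, laddr, lport in cfg["static"]:
        if laddr == inside:
            findings.append(f"static {gaddr}:{gport}: translates to the PIX inside address, not a host behind it")
        if gaddr != "interface" and outside is not None and gaddr != outside:
            findings.append(f"static {gaddr}:{gport}: global address is not the PIX outside address")
        if gport not in permitted_ports:
            findings.append(f"static {gaddr}:{gport}: no entry in {acl_name} permits port {gport}")
    return findings


# Constructed reconstruction of the mistakes discussed, not the real running config.
BROKEN_CONFIG = """
ip address outside 192.168.0.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
access-list acl_out permit tcp any host 80.xxx.xxx.225 eq smtp
access-list acl_out permit tcp any host 80.xxx.xxx.225 eq pop3
access-list acl_out permit tcp any host 80.xxx.xxx.225 eq www
access-group acl_out in interface outside
static (inside,outside) tcp interface smtp 192.168.1.1 smtp netmask 255.255.255.255 0 0
"""

# Patrick's corrected example from the accepted solution.
FIXED_CONFIG = """
ip address outside 192.168.2.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
access-list acl_out permit tcp any host 192.168.2.2 eq http
access-list acl_out permit tcp any host 192.168.2.2 eq pop3
access-list acl_out permit tcp any host 192.168.2.2 eq smtp
access-group acl_out in interface outside
static (inside,outside) tcp 192.168.2.2 80 192.168.1.2 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.2.2 110 192.168.1.2 110 netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.2.2 25 192.168.1.2 25 netmask 255.255.255.255 0 0
"""

if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint(parse_config(text)) or "no findings")
```

The broken config yields four findings (three access-list entries pointing at the public address the PIX never holds, and one static aimed at the PIX itself); the fixed one yields none. Feeding it a config with "ip address outside dhcp" and a host-based access-list produces the "use 'interface outside'" hint that Patrick gives above.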
02-22-2005 05:50 PM
Patrick,
My outside interface receives DHCP from the Router/Modem but I have limited the range of IP addresses to only one, so the outside interface of the Pix can only ever be 192.168.0.2.
The Router is 192.168.0.1.
You said: -
'The 80.xxx.xxx.225 should be the IP address of the PIX outside interface'
I'm sorry but I don't understand, I only have one static IP address from my ISP, you suggest this static IP address should be assigned to the outside interface of the Pix, so what IP address would the Router be?
I am sorry if these questions sound dumb but I am a little confused.
Thanks once again for your help.
Vinny.
02-23-2005 06:13 AM
Another way could be to NAT on the PIX so that all traffic from 192.168.1.0 is forwarded one to one to 192.168.2.0 instead of NATing/port forwarding the traffic. This would increase the performance, but I don't think that performance is an issue on the PIX.
Please let me know if this setup is more interesting for you.
Good luck
Patrick
02-23-2005 06:46 AM
Hi Patrick,
Thanks very much I understand this much better now.
I would still be very interested to learn the NAT method with the Router port forwarding all traffic to the external interface of the Pix.
Thanks
Vinny
02-23-2005 11:34 AM
Hi Patrick,
I have implemented your suggestion but still no cigar!
Unfortunately I have another problem: since trying this our clients no longer get out on the Internet, but DNS is working.
The server, on the other hand, still has Internet access as usual.
Mail still gets out but mail can't get back in.
Please have a look at the latest attached config & sho log.
Thank you for your patience & hanging in there with me.
Rgds
Vinny
02-23-2005 01:34 PM
If you connect a notebook directly to the PIX network 192.168.1.0 and connect to the Internet, does it work?
Have you done a clear xlate on the PIX?