PIX 515 E WebServer in DMZ can't send email

Hi all, I have a problem with my mail server in the DMZ. After the help provided by this forum, I was able to receive mail on my mail server located in the DMZ, but I can't send any email. Also, when I tried to use the dig utility to look up an external domain, I got the message that it can't locate the external domain.

How do I allow all hosts located in the dmz to access internet ?

What I did so far:

Access-list outsidein permit tcp any host 209.160.170.220 eq smtp

Access-list outsidein permit tcp any host 209.160.170.220 eq imap

Access-list outsidein permit tcp any host 209.160.170.220 eq pop3

Access-group outsidein in interface outside

Then I created the static address translation to the outside users:

Static (dmz,outside) tcp 209.160.170.220 smtp 192.180.1.20 smtp netmask 255.255.255.255

Static (dmz,outside) tcp 209.160.170.220 imap 192.180.1.20 imap netmask 255.255.255.255

Static (dmz,outside) tcp 209.160.170.220 pop3 192.180.1.20 pop3 netmask 255.255.255.255


12 Replies

Hi,

If you have these commands:

Static (dmz,outside) tcp 209.160.170.220 smtp 192.180.1.20 smtp netmask 255.255.255.255

Static (dmz,outside) tcp 209.160.170.220 imap 192.180.1.20 imap netmask 255.255.255.255

Static (dmz,outside) tcp 209.160.170.220 pop3 192.180.1.20 pop3 netmask 255.255.255.255

It means that inbound traffic destined to 209.160.170.220 that is SMTP, IMAP and POP3 will be redirected to 192.180.1.20 on the same ports.

But if 192.180.1.20 wants to get out to the Internet (on any other port), it is not going to be able to use the above commands.

Try this:

nat (dmz) 1 192.180.1.0 255.255.255.0

global (outside) 1 interface

In this way, any host residing on the DMZ (assuming you have a mask of /24), will be able to initiate an outgoing connection to the Internet.

Also check with ''sh access-group'' whether there's an ACL applied to the DMZ, and that it allows the outbound traffic.

Hope it helps.

Federico.

Hello,

While what Federico provided will allow all dmz hosts to access the internet,

209.160.170.22 - I believe is the MX record.

In which case, most of the time the requirement is for the mail server, whether on the inside or on the DMZ, to send e-mail out looking like 209.160.170.22.

If this is the case, then if the mail server that will send out e-mail is in the DMZ they would need:

nat (dmz) 100 192.180.1.20 255.255.255.255

global (outside) 100 209.160.170.22

or if the mail server is on the inside they would need:

nat (inside) 110 x.x.x.x 255.255.255.255

global (outside) 110 209.160.170.22

I have addressed this in my webcast that you can watch here: http://www.youtube.com/watch?v=kRY8DuaRp5U

-KS

Hi, thank you both for answering my post. I just applied the following instructions to the PIX, but I still can't access the outside from the DMZ interface. I can ping the inside interface from the DMZ but can't ping the outside interface; it's strange.

nat (dmz) 100 192.180.1.20 255.255.255.255

global (outside) 100 interface

We need to look at the logs.

conf t

logging on

logging buffered 7

exit

sh logg | i 192.180.1.20

and see what the syslogs say.

-KS

Hi  Poonguzhali Sankar,

First, thank you for the help you are providing. I just checked the log file and am sending you the result.

3 Jan 25 2011 11:14:47 305006 193.126.240.131   portmap translation creation failed for icmp src DMZ:192.180.1.20 dst outside:193.126.240.131 (type 8, code 0)
3 Jan 25 2011 11:14:50 305006 193.126.240.131   portmap translation creation failed for icmp src DMZ:192.180.1.20 dst outside:193.126.240.131 (type 8, code 0)
3 Jan 25 2011 11:14:50 305006 192.228.79.201   portmap translation creation failed for udp src DMZ:192.180.1.20/53 dst outside:192.228.79.201/53
3 Jan 25 2011 11:21:34 305006 192.33.4.12   portmap translation creation failed for udp src DMZ:192.180.1.20/53 dst outside:192.33.4.12/53
3 Jan 25 2011 11:21:34 305006 192.33.4.12   portmap translation creation failed for udp src DMZ:192.180.1.20/53 dst outside:192.33.4.12/53
3 Jan 25 2011 11:25:06 305006 198.6.1.181   portmap translation creation failed for udp src DMZ:192.180.1.20/53 dst outside:198.6.1.181/53
3 Jan 25 2011 11:25:06 305006 198.6.1.181   portmap translation creation failed for udp src DMZ:192.180.1.20/53 dst outside:198.6.1.181/53

Regards

Nuno Martins

Are you sure you have these two lines? The one in red in particular. The logs say that line is missing.

nat (dmz) 100 192.180.1.20 255.255.255.255

global (outside) 100 interface

If you want all the dmz hosts to go out then you need to change the nat line to this

nat (dmz) 100 192.180.1.0 255.255.255.0

Pls post the output of

sh run nat

sh run global

Also clear xlate for 192.180.1.20 the command is "clear local 192.180.1.20"

-KS

Yes, I do have the two lines. Also, I already cleared the xlate for the server (clear local 192.180.1.20).

pixfirewall(config)# sh run nat

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 101  0.0.0.0 0.0.0.0

nat (DMZ) 101 192.80.1.20 255.255.255.255

pixfirewall(config)# sh run global

global (outside) 101 interface

Hmm...I am really surprised.

This should work and not give you those syslogs about translation creation failed messages.

Have you tried to change the /32 address to a subnet address and try from a different pc or laptop on the DMZ?

conf t

no nat (DMZ) 101 192.80.1.20 255.255.255.255

nat (DMZ) 101 192.180.1.20 255.255.255.255

I think you typed the second octet incorrectly.

-KS

Hello Sankar and Federico,

Static (dmz,outside) tcp 209.160.170.220 smtp 192.180.1.20 smtp netmask 255.255.255.255

The above statement is bidirectional, if I'm not wrong. When the server transmits, it will be translated to the public IP 209.160.170.220, and when it receives, it will receive on the same public IP.

Why did you all suggest such a configuration in your first mail? Please clarify.

Please correct me if I'm wrong; up until now I was thinking it is bidirectional.

Thanks

Pls. read my very first response.

How can this static PAT be bi-directional for outbound connections sourced from a high port (>1024) by this e-mail server? If it sources all connections from port 25 or port 110, then yes. If you have a 1-1 static "static (dmz,outside) 209.160.170.220 192.180.1.20 netmask 255.255.255.255" then what you say is correct. Not when you have static PAT for certain ports.

So, you need the nat/global that I provided in my very first response. Pls. refer to that.

Hope you fixed the typo and the dmz host is able to go out to the internet?

Pls. mark this thread resolved if it is.

-KS
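To make the difference between a static PAT entry and a nat/global pair concrete, here is an added illustration (not code from this thread or from Cisco): a small Python model of how a PIX chooses an outbound translation, replayed against the 305006 syslog lines posted above. It assumes the documented PIX order of checking static entries before nat/global pairs, compares interface names case-insensitively, uses longest-prefix match between overlapping nat statements, and carries a small port-keyword table; all of those are simplifications of this model. The config and log lines embedded below are taken from the thread (including the 192.80.1.20 typo), and the function names are my own.

```python
"""Simplified model of PIX outbound translation selection (added illustration,
not Cisco code): static entries are checked first, then nat/global pairs.
Flows that match nothing are what the %PIX-3-305006 syslog reports."""
import ipaddress
import re

# Port keywords the PIX accepts in static PAT lines (assumed subset).
PORT_NAMES = {"smtp": 25, "pop3": 110, "imap": 143, "domain": 53, "www": 80}


def _port(tok):
    """Resolve a PIX port keyword or a numeric port."""
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_config(text):
    """Parse static / nat / global lines into three rule lists.
    Everything is lower-cased, so interface names compare case-insensitively
    (a simplification; a real PIX takes the name exactly as given by nameif)."""
    statics, nats, globals_ = [], [], []
    for raw in text.splitlines():
        toks = raw.strip().lower().split()
        if not toks:
            continue
        if toks[0] == "static":
            real_if, mapped_if = toks[1].strip("()").split(",")
            args = toks[2:toks.index("netmask")]
            rule = {"real_if": real_if, "mapped_if": mapped_if, "proto": None, "real_port": None}
            if args[0] in ("tcp", "udp"):          # static PAT: one protocol/port only
                rule.update(proto=args[0], mapped_ip=args[1], mapped_port=_port(args[2]),
                            real_ip=args[3], real_port=_port(args[4]))
            else:                                  # 1-1 static: every port
                rule.update(mapped_ip=args[0], real_ip=args[1])
            statics.append(rule)
        elif toks[0] == "nat" and toks[3] != "access-list":   # nat 0 ACL not modelled
            nats.append({"if": toks[1].strip("()"), "id": int(toks[2]),
                         "net": ipaddress.ip_network(f"{toks[3]}/{toks[4]}", strict=False)})
        elif toks[0] == "global":
            globals_.append({"if": toks[1].strip("()"), "id": int(toks[2]), "pool": toks[3]})
    # Longest-prefix match between overlapping nat statements (an assumption of this model).
    nats.sort(key=lambda n: n["net"].prefixlen, reverse=True)
    return statics, nats, globals_


def find_translation(rules, src_if, dst_if, proto, src_ip, src_port):
    """Describe the translation an outbound flow gets, or None if it would fail."""
    statics, nats, globals_ = rules
    src_if, dst_if = src_if.lower(), dst_if.lower()
    for s in statics:
        if (s["real_if"], s["mapped_if"], s["real_ip"]) != (src_if, dst_if, src_ip):
            continue
        if s["proto"] is None:
            return f"static 1-1 -> {s['mapped_ip']}"
        if s["proto"] == proto and s["real_port"] == src_port:   # only that one port
            return f"static PAT -> {s['mapped_ip']}:{s['mapped_port']}"
    addr = ipaddress.ip_address(src_ip)
    for n in nats:
        if n["if"] == src_if and addr in n["net"]:
            for g in globals_:
                if g["if"] == dst_if and g["id"] == n["id"]:
                    return f"nat {n['id']} -> global {g['pool']}"
    return None


LOG_305006 = re.compile(r"305006 .*?translation creation failed for (\w+) "
                        r"src (\w+):([\d.]+)(?:/(\d+))? dst (\w+):([\d.]+)")


def failed_flows(log_text):
    """Pull (proto, src_if, src_ip, src_port, dst_if) out of 305006 syslog lines."""
    flows = []
    for line in log_text.splitlines():
        m = LOG_305006.search(line)
        if m:
            proto, src_if, src_ip, src_port, dst_if, _dst_ip = m.groups()
            flows.append((proto, src_if, src_ip, int(src_port) if src_port else None, dst_if))
    return flows


def still_failing(config_text, log_text):
    """Replay the logged failures against a (proposed) config; an empty list means
    every logged flow would now get a translation."""
    rules = parse_config(config_text)
    return [f for f in failed_flows(log_text)
            if find_translation(rules, f[1], f[4], f[0], f[2], f[3]) is None]


# Lines taken from the thread: the static PATs, the mistyped nat statement, two syslogs.
BROKEN_CONFIG = """\
static (dmz,outside) tcp 209.160.170.220 smtp 192.180.1.20 smtp netmask 255.255.255.255
static (dmz,outside) tcp 209.160.170.220 imap 192.180.1.20 imap netmask 255.255.255.255
static (dmz,outside) tcp 209.160.170.220 pop3 192.180.1.20 pop3 netmask 255.255.255.255
nat (inside) 101 0.0.0.0 0.0.0.0
nat (DMZ) 101 192.80.1.20 255.255.255.255
global (outside) 101 interface
"""
FIXED_CONFIG = BROKEN_CONFIG.replace("192.80.1.20", "192.180.1.20")
SYSLOG = """\
3 Jan 25 2011 11:14:47 305006 193.126.240.131   portmap translation creation failed for icmp src DMZ:192.180.1.20 dst outside:193.126.240.131 (type 8, code 0)
3 Jan 25 2011 11:21:34 305006 192.33.4.12   portmap translation creation failed for udp src DMZ:192.180.1.20/53 dst outside:192.33.4.12/53
"""

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, "still failing:", still_failing(cfg, SYSLOG))
```

With the mistyped nat line, only a flow sourced from port 25/110/143 finds a translation (through the static PAT), so the DNS lookups and pings from the mail server fail exactly as the syslog shows; once the nat statement names 192.180.1.20, or a 1-1 static replaces the static PATs, every logged flow translates.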

Hi  Poonguzhali Sankar,

I just found out that the problem wasn't related to the PIX. I did what you suggested in the previous post: I tested another machine in the DMZ and I was able to dig an outside domain. I also sent an email and received a response from " @msn.com>: host  mx4.hotmail.com[65.55.92.184] said: 550 DY-001  Unfortunately, messages  from x.x.x.x weren't sent. Please contact your Internet service  provider. You can tell them that Hotmail does notcrelay  dynamically-assigned IP ranges. You can also refer your provider to http://mail.live.com/mail/troubleshooting.aspx#errors.", so I presume the PIX is working fine; I just have to check the mail server configuration.

Just one more question, if you please: I can access the IP address of the mail server in the DMZ from the inside, but I can't access the URL of the server, zimbra.mydomain.com. If I try to access it from another network, I can access the URL without any problem.

Thank you very much for your help

Nuno Martins


Glad to hear. This thread is resolved.

Would you mind spinning up a new thread for this new question and provide additional details?

zimbra.mydomain.com resolves to (216.34.94.184):

Who is unable to access this IP address? The mail server can't or the inside users can't?

Need more detail. Who owns this IP address? What logs do you see on the firewall when you try to access this ip address?

-KS
