02-22-2006 02:22 AM - edited 02-21-2020 12:43 AM
Hi All,
I need some help to resolve the problem I am facing on the configuration.
config: PIX515E Ver 6.3(1), with 6 interfaces. The Outside interface is connected to the Internet router and assigned a public IP. Internet access is configured for users connected to the Inside interface only, using the Nat & Global commands (Global Outside 1 Interface). I want to enable e-mail (SMTP & POP3) access from a couple of hosts in one of the DMZs.
I configured NAT 1 on the interface and applied an access list. If I permit SMTP & POP only, I am not even getting any hits on the access list. If I permit IP any from those hosts, I am able to browse the net, use e-mail, etc. After that, when I restrict to SMTP & POP only, it works for some time; after a while I can see no hits coming to the access list.
What could be the cause of such behaviour? Have I missed anything? I am a bit confused.
Thanks in advance.
Best regards,
02-22-2006 02:40 AM
Make sure you allow DNS from these hosts too (UDP/53), as they'll be doing DNS queries first for the remote host IP address and MX record of the domain before they can make a connection to the relevant external mail host.
If you allow all IP then they'll be able to do the DNS query, then make the SMTP/POP connection, and they'll cache those DNS queries for a while, which is why it works for a while after removing the ACL. Once the DNS cache times out in those hosts they have to do another DNS query, which then fails because you haven't allowed it through the ACL.
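A PIX 6.3 rule set for the scenario in this thread, added here as an illustration and not taken from the original posts; the interface name (dmz), the mail host and resolver addresses and the list name are assumed values:

```cisco
! Added example, not from the thread. Assumed: DMZ interface "dmz",
! mail hosts 10.10.10.10 and 10.10.10.11, resolvers 198.51.100.1 and
! 198.51.100.2 (constructed addresses), access list "dmz_in".

! Object groups (PIX 6.2+) keep the host lists in one place.
object-group network dmz_mail_hosts
  network-object host 10.10.10.10
  network-object host 10.10.10.11
object-group network dns_resolvers
  network-object host 198.51.100.1
  network-object host 198.51.100.2

! The original list had only the two mail lines. They match as long as the
! hosts' DNS caches are warm; once an entry expires, the lookup is dropped
! and no SMTP/POP session is ever attempted, so the counters stop moving.
access-list dmz_in permit tcp object-group dmz_mail_hosts any eq smtp
access-list dmz_in permit tcp object-group dmz_mail_hosts any eq pop3

! The missing rule: DNS, but only to the configured resolvers (UDP/53).
access-list dmz_in permit udp object-group dmz_mail_hosts object-group dns_resolvers eq domain

! Everything else from the DMZ is denied anyway; a logged explicit deny
! shows what is still being dropped (syslog 106100) and keeps a hit count.
access-list dmz_in deny ip any any log

! Apply inbound on the DMZ interface and give the DMZ the same NAT pool
! the thread already uses for the inside users.
access-group dmz_in in interface dmz
nat (dmz) 1 10.10.10.0 255.255.255.0
global (outside) 1 interface
```

After the hosts' caches expire, `show access-list dmz_in` should show hits on the udp line before each new mail session; anything still failing shows up on the logged deny.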
02-22-2006 04:55 AM
Hi,
Thank you for your Input.
I tried telnetting from these hosts to the SMTP port of the server as well, but there again I used the name of the SMTP server. Your input has been really helpful.
Best regards,