03-07-2004 12:42 AM - edited 02-20-2020 11:16 PM
Hi
Have a 515E PIX with an "Internet" IP range for both the outside and DMZ interface.
I'm having a problem when I specify an access list to allow the mail relay to forward mail to the internal mail server.
This is my config
fixup protocol smtp 25
access-list Sydney2match permit ip 192.168.107.0 255.255.255.0 192.168.33.0 255.255.255.0
access-list Sydney2match permit ip 192.168.107.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list Sydney2match permit ip 192.168.184.0 255.255.248.0 192.168.33.0 255.255.255.0
access-list Sydney2match permit ip 192.168.184.0 255.255.248.0 192.168.100.0 255.255.255.0
access-list SMTP permit tcp any host x.y.163.178 eq smtp
access-list NONAT permit ip 192.168.184.0 255.255.248.0 192.168.100.0 255.255.255.0
access-list NONAT permit ip 192.168.184.0 255.255.248.0 192.168.33.0 255.255.255.0
access-list NONAT permit ip 192.168.107.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list NONAT permit ip 192.168.107.0 255.255.255.0 192.168.33.0 255.255.255.0
access-list dmz_outbound_nat0_acl permit ip x.y.163.176 255.255.255.240 any
access-list SMTPINSIDE permit tcp host x.y.163.178 host 192.168.185.50 eq smtp
access-list SMTPINSIDE permit tcp host x.y.163.178 any eq smtp
ip address outside x.y.165.22 255.255.255.248
ip address inside 192.168.185.1 255.255.255.0
ip address dmz x.y.163.177 255.255.255.240
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 192.168.185.0 255.255.255.0 0 0
nat (dmz) 0 access-list dmz_outbound_nat0_acl
static (inside,dmz) 192.168.185.0 192.168.185.0 netmask 255.255.255.0 0 0
access-group SMTP in interface outside
access-group SMTPINSIDE in interface dmz
route outside 0.0.0.0 0.0.0.0 x.y.165.21 1
route inside 192.168.107.0 255.255.255.0 192.168.185.253 1
crypto map SYDIMC 100 match address Sydney2match
PS. If I remove "access-group SMTPINSIDE " I can telnet to the relay server, but not the inside mail server.
Thanks
03-15-2004 11:27 AM
I'm a little confused as to what you're trying to do here. You mention you can telnet to the relay server, from where? To get to the relay server from the outside you need:
static (dmz,outside) x.y.163.178 x.y.163.178 netmask 255.255.255.255
along with your SMTP access-list. From there, if the DMZ server is supposed to send mail to the inside server, then your SMTPINSIDE and static that you have shown should be enough. What do you get if, from the DMZ server, type:
> telnet 192.168.185.50 25
If you get connected then the static/ACL is working as it should. If this is an Exchange server you may need to turn off the SMTP fixup with:
> no fixup protocol smtp 25
Other than that, whenever you have connectivity problems, always enable syslogging with:
logging on
logging cons debug
and try a connection, the PIX will then tell you exactly what it's allowing and/or denying.
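Added example, not code from either post: a small Python evaluator for PIX-style access-list lines that applies first-match semantics with the implicit deny at the end. It uses 198.51.100.x as a constructed stand-in for the anonymised x.y.163.x DMZ range, and checks the DMZ-to-inside flows discussed above (port 25 to the inside mail server, and a telnet attempt from the relay) against the SMTPINSIDE list.

```python
import ipaddress

PORT_NAMES = {"smtp": 25, "telnet": 23, "www": 80, "https": 443}

# Constructed stand-in for the post's anonymised x.y.163.x addresses (198.51.100.0/24 is a documentation prefix).
ACL_TEXT = """
access-list SMTP permit tcp any host 198.51.100.178 eq smtp
access-list SMTPINSIDE permit tcp host 198.51.100.178 host 192.168.185.50 eq smtp
access-list SMTPINSIDE permit tcp host 198.51.100.178 any eq smtp
"""

def _addr(tokens):
    """Consume one PIX address spec (any | host A | A MASK); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def _port(tokens):
    """Consume an optional 'eq PORT' clause; None means any port."""
    if tokens and tokens[0] == "eq":
        p = tokens[1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), tokens[2:]
    return None, tokens

def parse_acl(text):
    """Parse 'access-list NAME permit|deny PROTO SRC [eq P] DST [eq P]' lines, grouped by ACL name."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        name, action, proto = t[1], t[2], t[3]
        src, rest = _addr(t[4:])
        sport, rest = _port(rest)
        dst, rest = _addr(rest)
        dport, rest = _port(rest)
        acls.setdefault(name, []).append(
            dict(action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport))
    return acls

def evaluate(acl, proto, src, dst, dport):
    """First-match evaluation; returns (action, index) or ('deny', None) for the PIX implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, ace in enumerate(acl):
        if ace["proto"] in (proto, "ip") and s in ace["src"] and d in ace["dst"] \
                and ace["dport"] in (None, dport):
            return ace["action"], i
    return "deny", None

if __name__ == "__main__":
    acls = parse_acl(ACL_TEXT)
    print(evaluate(acls["SMTPINSIDE"], "tcp", "198.51.100.178", "192.168.185.50", 25))  # relay -> inside, port 25
    print(evaluate(acls["SMTPINSIDE"], "tcp", "198.51.100.178", "192.168.185.50", 23))  # telnet: implicit deny
```

The second call shows why only port 25 from the relay reaches the inside server once SMTPINSIDE is applied to the dmz interface; any other port or source falls through to the implicit deny, which is what `logging cons debug` would report.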