09-08-2009 10:37 AM - edited 03-11-2019 09:13 AM
I have a mail server behind a firewall. With an IPCop firewall connected and port 25 forwarded to the mail server IP, the Exchange server works perfectly.
Now I have a combination of a Cisco router and a PIX. I cannot seem to configure the PIX and router to allow SMTP traffic to the mail server. HELP!
Internet --> Cisco 3700 --> PIX 515E --> Mail Server
What do I do to get the router and the PIX to forward port 25 to the mail server?
Detail - http://pivweb.net/fun/Network.jpg
Thanks
09-08-2009 10:46 AM
Check the ACL on your PIX that is applied to the outside interface.
access-list OUT-IN permit tcp any host 10.10.11.80 eq smtp
It should be:
access-list OUT-IN permit tcp any host 201.13.12.102 eq smtp
You need to set the destination IP to the IPs located on the outside interface, not the private IPs.
Hope that helps.
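Added example, not from this thread or from Cisco: a small Python lint that applies the check in the reply above to a pasted PIX config. It reads the outside-interface ACL and the static translations, flags any permit entry whose destination is a private (RFC 1918) address, and, where a matching static exists, prints the entry rewritten with the global address. The sample ACL and static lines are constructed to mirror the thread; the ACL name OUT-IN and the addresses are taken from the reply, the static statement and the https entry are assumptions.

```python
import ipaddress
import re

# Constructed sample input modelled on the thread: one ACE that wrongly uses the
# private address and one that already uses the outside (global) address.
SAMPLE_ACL = """\
access-list OUT-IN permit tcp any host 10.10.11.80 eq smtp
access-list OUT-IN permit tcp any host 201.13.12.102 eq https
"""
# Constructed static translation (assumed, not from the thread) mapping the
# global address on the outside interface to the mail server's real address.
SAMPLE_STATIC = """\
static (inside,outside) 201.13.12.102 10.10.11.80 netmask 255.255.255.255
"""

# Only the simple "permit <proto> <src> host <dst> eq <port>" shape is handled.
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+permit\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host\s+\S+)\s+host\s+(?P<dst>\d+\.\d+\.\d+\.\d+)\s+eq\s+(?P<port>\S+)\s*$"
)
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>\w+),(?P<mapped_if>\w+)\)\s+"
    r"(?P<mapped>\d+\.\d+\.\d+\.\d+)\s+(?P<real>\d+\.\d+\.\d+\.\d+)"
)


def parse_statics(text):
    """Return {real_ip: mapped_ip} for one-to-one static translations."""
    mapping = {}
    for line in text.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            mapping[m.group("real")] = m.group("mapped")
    return mapping


def lint_outside_acl(acl_text, static_text):
    """Flag ACEs whose destination is a private address.

    Returns a list of (original_line, suggested_line_or_None); the suggestion
    swaps in the global address from the static translation when one exists.
    """
    statics = parse_statics(static_text)
    findings = []
    for line in acl_text.splitlines():
        line = line.strip()
        m = ACE_RE.match(line)
        if not m:
            continue
        dst = ipaddress.ip_address(m.group("dst"))
        if not dst.is_private:
            continue
        mapped = statics.get(str(dst))
        suggested = line.replace(f"host {dst}", f"host {mapped}") if mapped else None
        findings.append((line, suggested))
    return findings


if __name__ == "__main__":
    for original, fix in lint_outside_acl(SAMPLE_ACL, SAMPLE_STATIC):
        print("private destination in outside ACL:", original)
        print("  suggested:", fix or "no static translation found for this host")
```

The check is deliberately narrow: it only reports entries that name a private host and leaves everything else alone, so it is safe to run over a full config dump before pasting changes back into the PIX.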
09-08-2009 11:53 AM
Thanks. I have modified my config on both router & pix. And I see some improvement. I did a portqry on the mail server and I no longer get the NOT LISTENING message. I now get:-
TCP port 25 (smtp service): FILTERED.
I even turned fixup off on smtp 25. Still I can't get through. What else should I do?
09-08-2009 11:55 AM
Where are you seeing the message "TCP port 25 (smtp service): FILTERED."? In the port scanner? What does the log in the PIX say?
09-08-2009 12:16 PM
The message is the response to my portqry on the mail server:-
portqry -n mail.gymnconference.org -e 25
The log does not show anything on port 25 or the mail server.
XXXXXX# sh log
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Standby logging: disabled
Console logging: disabled
Monitor logging: level debugging, 0 messages logged
Buffer logging: level notifications, 1326593 messages logged
Trap logging: disabled
History logging: disabled
Device ID: disabled
401004: Shunned packet: 100.100.101.98 ==> 109.9.248.67 on interface inside
09-08-2009 12:18 PM
Please change your buffer logging to debug:
logging buffer debug
Then try portqry again and post the log results.
09-08-2009 12:37 PM
I just copied some of the log (100.100.101.80 is the mail server):-
401004: Shunned packet: 100.100.101.98 ==> 59.47.169.9 on interface inside
710005: UDP request discarded from 100.100.101.80/137 to inside:100.255.255.255/netbios-ns
302014: Teardown TCP connection 1820309 for outside:217.14.83.102/25 to inside:100.100.101.80/1216 duration 0:02:01 bytes 0 SYN Timeout
connection 1820358 for outside:67.195.168.31/25 (67.195.168.31/25) to inside:100.100.101.80/1407 (192.168.8.253/1407)
09-08-2009 12:41 PM
Message 302014 shows that a connection is being built, so that's good. It does show 0 bytes though. Everything is working on the mail server right? Can you telnet to port 25 from the local LAN?
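Added example, not from this thread or from Cisco: a Python parser for the PIX syslog lines posted above, written to pick out exactly what the reply points at, TCP teardowns (message 302014) involving port 25 that closed with 0 bytes, and to tally the teardown reasons and the sources being shunned (message 401004). The log text is constructed from the lines in the thread plus one assumed normal teardown with a non-zero byte count so the filter has something to leave alone.

```python
import re
from collections import Counter

# Constructed sample modelled on the log lines posted in the thread, plus one
# assumed normal teardown (non-zero bytes, remote host 198.51.100.7) for contrast.
SAMPLE_LOG = """\
401004: Shunned packet: 100.100.101.98 ==> 59.47.169.9 on interface inside
710005: UDP request discarded from 100.100.101.80/137 to inside:100.255.255.255/netbios-ns
302014: Teardown TCP connection 1820309 for outside:217.14.83.102/25 to inside:100.100.101.80/1216 duration 0:02:01 bytes 0 SYN Timeout
302014: Teardown TCP connection 1820400 for outside:198.51.100.7/25 to inside:100.100.101.80/1500 duration 0:00:05 bytes 2310 TCP FINs
"""

# 302014: Teardown TCP connection <id> for <if>:<ip>/<port> to <if>:<ip>/<port>
#         duration <h:mm:ss> bytes <n> <reason>
TEARDOWN_RE = re.compile(
    r"302014: Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<a_if>\w+):(?P<a_ip>[\d.]+)/(?P<a_port>\d+) to "
    r"(?P<b_if>\w+):(?P<b_ip>[\d.]+)/(?P<b_port>\d+) "
    r"duration (?P<duration>[\d:]+) bytes (?P<bytes>\d+)\s*(?P<reason>.*)$"
)
# 401004: Shunned packet: <src> ==> <dst> on interface <if>
SHUN_RE = re.compile(r"401004: Shunned packet: (?P<src>[\d.]+) ==> (?P<dst>[\d.]+)")


def parse_teardowns(log_text):
    """Return one dict per 302014 line, with the byte count as an int."""
    out = []
    for line in log_text.splitlines():
        m = TEARDOWN_RE.search(line)
        if m:
            d = m.groupdict()
            d["bytes"] = int(d["bytes"])
            out.append(d)
    return out


def zero_byte_teardowns(log_text, port="25"):
    """Teardowns touching `port` on either side that carried no data at all."""
    return [t for t in parse_teardowns(log_text)
            if port in (t["a_port"], t["b_port"]) and t["bytes"] == 0]


def teardown_reasons(log_text, port="25"):
    """How the connections on `port` ended (SYN Timeout, TCP FINs, ...)."""
    return Counter(t["reason"] for t in parse_teardowns(log_text)
                   if port in (t["a_port"], t["b_port"]))


def shunned_sources(log_text):
    """Count of 401004 shun hits per source address."""
    return Counter(m.group("src")
                   for m in map(SHUN_RE.search, log_text.splitlines()) if m)


if __name__ == "__main__":
    for t in zero_byte_teardowns(SAMPLE_LOG):
        print(f"conn {t['conn']}: {t['a_if']}:{t['a_ip']}/{t['a_port']} <-> "
              f"{t['b_if']}:{t['b_ip']}/{t['b_port']} {t['duration']} {t['reason']}")
    print("reasons:", dict(teardown_reasons(SAMPLE_LOG)))
    print("shunned:", dict(shunned_sources(SAMPLE_LOG)))
```

Feed it the buffer from `sh log` after raising buffer logging to debug; a run of zero-byte SYN Timeout teardowns on port 25 with no matching non-zero ones is the pattern to take to the packet capture suggested later in the thread.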
09-08-2009 12:45 PM
telnet 100.100.101.80 25 gives:-
220 mail.gymconference.org Microsoft ESMTP MAIL Service, Version: 6.0.3790.0 ready at Tue, 8 Sep 2009 21:44:03 +0100
helo
250 mail.gymconference.org Hello [100.100.100.11]
ehlo
250-mail.gymconference.org Hello [100.100.100.11]
250-TURN
250-SIZE
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-X-LINK2STATE
250-XEXCH50
250 OK
quit
221 2.0.0 mail.gymconference.org Service closing transmission channel
09-08-2009 12:52 PM
Your mail server goes out this PIX to get to the outside, correct? Typically when you see a connection and 0 bytes, the mail server can't respond. It's usually that a service has stopped, asymmetric routing, etc.
09-08-2009 01:10 PM
So what do I do to solve the problem? I have even turned off fixup on SMTP.
09-08-2009 01:15 PM
You can enable packet capture on the PIX and make sure the packets come back. Do you have other routes out?
09-08-2009 01:22 PM
Nope. The route is just through the Cisco 3700 router out. I need to be sure which device is blocking/dropping the traffic. How can I test if port 25 is allowed on the router?
09-08-2009 01:24 PM
Create an ACL that logs SMTP:
access-list 101 permit tcp any any eq 25 log
access-list 101 permit ip any any
Then apply to your interfaces. Make sure your logging is set appropriately too. Once you test with your port scanner, you should hit counts on the ACL and a message in the log.
09-08-2009 01:48 PM
From the hit counts, there does not seem to be any SMTP activity.
access-list out-in line 1 permit tcp any host 217.14.83.102 eq smtp (hitcnt=0)
access-list 101; 2 elements
access-list 101 line 1 permit tcp any any eq smtp log 6 interval 300 (hitcnt=0)
access-list 101 line 2 permit ip any any (hitcnt=14)
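Added example, not from this thread or from Cisco: a Python parser for `show access-list` output that turns the hit counters above into structured rows and lists the entries that mention SMTP but have never matched a packet. The sample text is constructed from the four lines posted in the thread.

```python
import re

# Constructed sample modelled on the show access-list output posted in the thread.
SAMPLE_SHOW = """\
access-list out-in line 1 permit tcp any host 217.14.83.102 eq smtp (hitcnt=0)
access-list 101; 2 elements
access-list 101 line 1 permit tcp any any eq smtp log 6 interval 300 (hitcnt=0)
access-list 101 line 2 permit ip any any (hitcnt=14)
"""

# access-list <name> line <n> <rule text> (hitcnt=<count>)
LINE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+line\s+(?P<line>\d+)\s+(?P<rule>.*?)\s*\(hitcnt=(?P<hits>\d+)\)"
)


def parse_hit_counts(text):
    """One dict per ACL entry line; summary lines like 'access-list 101; 2 elements' are skipped."""
    rows = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            rows.append({"acl": m["acl"], "line": int(m["line"]),
                         "rule": m["rule"], "hits": int(m["hits"])})
    return rows


def untouched_rules(text, service=("smtp", "25")):
    """Entries that name the service (by keyword or port number) but have a zero hit count."""
    return [r for r in parse_hit_counts(text)
            if r["hits"] == 0 and any(f"eq {s}" in r["rule"] for s in service)]


if __name__ == "__main__":
    for r in untouched_rules(SAMPLE_SHOW):
        print(f"{r['acl']} line {r['line']}: no hits yet -> {r['rule']}")
```

Run the port scan, then `show access-list` again and diff the two parses: the first entry whose counter moves tells you how far the SYN actually gets before it is dropped.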