Problem forwarding port 25 to Mail server (through router & pix)

prince.ibe
Level 1

I have a Mail Server behind Firewall. With an ipcop firewall connected and port 25 forwarded to the mail server ip, the exchange server works perfectly.

Now I have a combination of Cisco router and PIX. I cannot seem to be able to configure the pix and router to allow smtp traffic to the mail server. HELP!

Internet -->Cisco 3700 --> Pix 515E --> Mail Server

What do I do to get the router and the pix to forward port 25 to the Mail Server?

Detail - http://pivweb.net/fun/Network.jpg

Thanks


Collin Clark
VIP Alumni

Check the ACL on your PIX that is applied to the outside interface.

access-list OUT-IN permit tcp any host 10.10.11.80 eq smtp

It should be:

access-list OUT-IN permit tcp any host 201.13.12.102 eq smtp

You need to set the destination IP to the IP's located on the outside interface, not the private IPs.

Hope that helps.

Thanks. I have modified my config on both router & pix. And I see some improvement. I did a portqry on the mail server and I no longer get the NOT LISTENING message. I now get:-

TCP port 25 (smtp service): FILTERED.

I even turned fixup off on smtp 25. Still I can't get through. What else should I do?

Where are you seeing the message "TCP port 25 (smtp service): FILTERED"? The port scanner? What does the log in the PIX say?

The message is the response to my portqry on the mail server:-

portqry -n mail.gymnconference.org -e 25

The log does not show anything on port 25 or the mail server.

XXXXXX# sh log

Syslog logging: enabled

Facility: 20

Timestamp logging: enabled

Standby logging: disabled

Console logging: disabled

Monitor logging: level debugging, 0 messages logged

Buffer logging: level notifications, 1326593 messages logged

Trap logging: disabled

History logging: disabled

Device ID: disabled

401004: Shunned packet: 100.100.101.98 ==> 109.9.248.67 on interface inside

Please change your buffer logging to debug-

logging buffer debug

Then try portqry again and post the log results.

I just copied some of the log:- 100.100.101.80 is the mail server

401004: Shunned packet: 100.100.101.98 ==> 59.47.169.9 on interface inside

710005: UDP request discarded from 100.100.101.80/137 to inside:100.255.255.255/netbios-ns

302014: Teardown TCP connection 1820309 for outside:217.14.83.102/25 to inside:100.100.101.80/1216 duration 0:02:01 bytes 0 SYN Timeout

connection 1820358 for outside:67.195.168.31/25 (67.195.168.31/25) to inside:100.100.101.80/1407 (192.168.8.253/1407)

Message 302014 shows that a connection is being built, so that's good. It does show 0 bytes though. Everything is working on the mail server right? Can you telnet to port 25 from the local LAN?

telnet 100.100.101.80 25 gives:-

220 mail.gymconference.org Microsoft ESMTP MAIL Service, Version: 6.0.3790.0 ready at Tue, 8 Sep 2009 21:44:03 +0100

helo

250 mail.gymconference.org Hello [100.100.100.11]

ehlo

250-mail.gymconference.org Hello [100.100.100.11]

250-TURN

250-SIZE

250-ETRN

250-PIPELINING

250-DSN

250-ENHANCEDSTATUSCODES

250-8bitmime

250-BINARYMIME

250-CHUNKING

250-VRFY

250-X-LINK2STATE

250-XEXCH50

250 OK

quit

221 2.0.0 mail.gymconference.org Service closing transmission channel

Your mail server goes out this PIX to get to the outside, correct? Typically when you see a connection and 0 bytes, the mail server can't respond. It's usually a service that has stopped, asymmetric routing, etc.
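In the 302014 lines quoted above, whichever endpoint holds port 25 is the SMTP server, so in both lines the mail server (ephemeral ports 1216 and 1407) was the client connecting outbound, and in the first it was connecting to 217.14.83.102, the same address the outside ACL permits, i.e. its own public address. As an added example that is not code from the thread, this Python classifier parses such lines and flags that pattern; the sample lines are constructed after the thread's log (the inbound one is invented) and the public address is taken from the thread.

```python
import re

# Added example, not from the thread: classify PIX syslog 302014 (Teardown TCP connection)
# lines by SMTP direction. Layout follows the quoted lines; "(mapped/port)" groups are optional.
TEARDOWN_RE = re.compile(
    r"302014: Teardown TCP connection (?P<cid>\d+) for "
    r"(?P<if_a>\w+):(?P<ip_a>[\d.]+)/(?P<port_a>\d+)(?: \([\d.]+/\d+\))? to "
    r"(?P<if_b>\w+):(?P<ip_b>[\d.]+)/(?P<port_b>\d+)(?: \([\d.]+/\d+\))? "
    r"duration (?P<dur>[\d:]+) bytes (?P<bytes>\d+)(?: (?P<reason>.*))?$"
)

def parse_smtp_teardown(line, smtp_port=25):
    """Return {cid, client_if, server_ip, nbytes, reason} for a port-25 teardown, else None."""
    m = TEARDOWN_RE.search(line)
    if not m:
        return None
    a = (m["if_a"], m["ip_a"], int(m["port_a"]))
    b = (m["if_b"], m["ip_b"], int(m["port_b"]))
    # Whichever endpoint holds port 25 is the SMTP server and the other is the client,
    # regardless of the order in which the PIX prints the two endpoints.
    if a[2] == smtp_port:
        server, client = a, b
    elif b[2] == smtp_port:
        server, client = b, a
    else:
        return None
    return {"cid": m["cid"], "client_if": client[0], "server_ip": server[1],
            "nbytes": int(m["bytes"]), "reason": (m["reason"] or "").strip()}

def diagnose(line, mail_server_public_ip):
    """Say what a 302014 line tells you about port-25 forwarding to the mail server."""
    f = parse_smtp_teardown(line)
    if f is None:
        return "not an SMTP teardown"
    if f["client_if"] == "inside" and f["server_ip"] == mail_server_public_ip:
        # The inside host dialled its own public address: a same-interface U-turn the PIX does
        # not perform unless configured for it, so this never exercises the inbound forward.
        return "hairpin from inside to own public address; not an inbound test"
    if f["client_if"] == "inside":
        syn_lost = f["nbytes"] == 0 and "SYN Timeout" in f["reason"]
        return "outbound SMTP from inside" + (" (SYN unanswered)" if syn_lost else "")
    return "inbound SMTP reached the inside server" + (" but carried 0 bytes" if f["nbytes"] == 0 else "")

# Constructed sample lines modelled on the thread's log; the third is invented to show
# what a genuine inbound delivery looks like (every line in the thread has the client inside).
SAMPLE_LINES = [
    "302014: Teardown TCP connection 1820309 for outside:217.14.83.102/25 to inside:100.100.101.80/1216 duration 0:02:01 bytes 0 SYN Timeout",
    "302014: Teardown TCP connection 1820358 for outside:67.195.168.31/25 (67.195.168.31/25) to inside:100.100.101.80/1407 (192.168.8.253/1407) duration 0:00:03 bytes 1570 TCP FINs",
    "302014: Teardown TCP connection 1820400 for outside:198.51.100.7/4021 (198.51.100.7/4021) to inside:100.100.101.80/25 (192.168.8.253/25) duration 0:00:05 bytes 2310 TCP FINs",
]
```

Note also the mapped address 192.168.8.253 in the second quoted line: the PIX presents the mail server to the router under a private address, which suggests the public 217.14.83.102 is translated on the router rather than on the PIX.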

So what do I do to solve the problem? I have even turned off fixup on smtp

You can enable packet capture on the PIX and make sure the packets come back. Do you have other routes out?

Nope. The route is just through the Cisco 3700 router out. I need to be sure which device is blocking/dropping the traffic. How can I test if port 25 is allowed on the router?

Create an ACL logging SMTP-

access-list 101 permit tcp any any eq 25 log

access-list 101 permit ip any any

Then apply to your interfaces. Make sure your logging is set appropriately too. Once you test with your port scanner, you should hit counts on the ACL and a message in the log.

From the hit count, there does not seem to be any activity through the smtp.

access-list out-in line 1 permit tcp any host 217.14.83.102 eq smtp (hitcnt=0)

access-list 101; 2 elements

access-list 101 line 1 permit tcp any any eq smtp log 6 interval 300 (hitcnt=0)

access-list 101 line 2 permit ip any any (hitcnt=14)
