Problem with emails through PIX

techtips03
Level 1

I had a Linksys router and replaced it with a PIX unit. Since I replaced it I have had some problems with emails through Outlook. We use MDaemon for emails and it is configured on the server 10.1.1.10. Here is what I observed with emails, and the problem:

10.1.1.10 - Mdaemon software is installed on this mail server

11.12.13.14 is pointed to mail.testclient.com

Can see incoming/outgoing emails on mdaemon server in user queues

Webmail works internally http://10.1.1.10:3000 and externally http://11.12.13.14:3000 and emails are successful

Webmail externally http://mail.testclient.com:3000 - accessible

Problem

Outlook internally when configured to mail.testclient.com - mails don't work. When configured to 10.1.1.10, mails work.

Outlook externally when configured to mail.testclient.com or 11.12.13.14 - mails don't work.

So for some reason I cannot access mail.testclient.com internally. Telnet to mail.testclient.com on port 25 and 110 are unsuccessful. However telnet to mail.testclient.com and 11.12.13.14 on port 25 and 110 are successful.

I ran some debugs and the output is below. 10.1.1.80 is one of the systems on the network.

debug packet outside src 11.12.13.14 dst 10.1.1.10 proto tcp both

debug packet inside src 10.1.1.80 dst 11.12.13.14 proto tcp both

-- IP --

10.1.1.80 ==> 11.12.13.14

ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x30

id = 0xb8bd flags = 0x40 frag off=0x0

ttl = 0x80 proto=0x6 chksum = 0x1d16

-- TCP --

source port = 0xe95 dest port = 0x19syn

seq = 0x5709743a

ack = 0x0

hlen = 0x7 window = 0x7fff

checksum = 0x43a urg = 0x0

tcp options:

0x2 0x4 0x5 0xb4 0x1 0x1 0x4

0x2

--------- END OF PACKET ---------

I ran a packet capture but nothing was captured.

capture TEST access-list tac

access-list tac extended permit ip any host 10.1.1.10

access-list tac extended permit ip host 10.1.1.10 any

access-list tac extended permit ip any host 10.1.1.80

access-list tac extended permit ip host 10.1.1.80 any

But I can see the translation happening in xlate.

PAT Global 74.94.207.69(25) Local 10.1.1.10(25)

Can someone please suggest on this?

Thanks
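Decoding the debug packet output above, as an added example that is not part of the original post: this Python code parses the PIX text, converts the hex fields, and walks the TCP options as kind/length/value records. The function names `decode_options` and `parse_debug_packet` are hypothetical.

```python
import re
# Debug output copied from the post above, blank lines dropped.
DEBUG_TEXT = """\
-- IP --
10.1.1.80 ==> 11.12.13.14
ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x30
id = 0xb8bd flags = 0x40 frag off=0x0
ttl = 0x80 proto=0x6 chksum = 0x1d16
-- TCP --
source port = 0xe95 dest port = 0x19syn
seq = 0x5709743a
ack = 0x0
hlen = 0x7 window = 0x7fff
checksum = 0x43a urg = 0x0
tcp options:
0x2 0x4 0x5 0xb4 0x1 0x1 0x4
0x2
--------- END OF PACKET ---------
"""
FLAG_RE = re.compile(r"syn|ack|fin|rst|psh|urg")

def decode_options(raw):
    out, i = [], 0
    while i < len(raw) and raw[i] != 0:          # kind 0 ends the option list
        kind = raw[i]                            # NOP (kind 1) has no length byte
        length = 1 if kind == 1 else (raw[i + 1] if i + 1 < len(raw) else 0)
        if (kind != 1 and length < 2) or i + length > len(raw):
            out.append("truncated")              # length byte missing or too large
            break
        if kind == 1:
            out.append("NOP")
        elif kind == 2 and length == 4:          # maximum segment size, 16-bit value
            out.append("MSS=%d" % (raw[i + 2] << 8 | raw[i + 3]))
        elif kind == 4 and length == 2:          # SACK permitted (RFC 2018)
            out.append("SACK-permitted")
        else:
            out.append("kind=%d len=%d" % (kind, length))
        i += length
    return out

def parse_debug_packet(text):
    head, _, tail = text.partition("tcp options:")
    src, dst = re.search(r"(\S+) ==> (\S+)", head).groups()
    port_line = next(l for l in head.splitlines() if "dest port" in l)
    flags = FLAG_RE.findall(port_line)           # flag names are glued to the port value
    sport, dport = (int(h, 16) for h in re.findall(r"0x[0-9a-f]+", FLAG_RE.sub("", port_line)))
    raw = [int(h, 16) for h in re.findall(r"0x[0-9a-f]+", tail)]
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "flags": flags, "options": decode_options(raw)}
```

For the packet in the post, `parse_debug_packet(DEBUG_TEXT)` yields a bare SYN from 10.1.1.80 port 3733 to 11.12.13.14 port 25 with MSS 1460 and SACK permitted, which is the first packet of an SMTP connection attempt from the inside host to the outside address.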

11 Replies

r.sneekes
Level 1

So mail.testclient.com is pointing to 11.12.13.14, which is the external (NAT) address on the PIX firewall.

I assume that when you say internal you mean behind the inside of the PIX firewall; the problem is that inside users can't connect to 11.12.13.14. That's the IP they are connecting to when connecting to http://mail.testclient.com.

Since this is a (NAT) IP address on the outside interface of the PIX, it's only accessible when the traffic is coming from the outside.

A solution is to use a different URL for internal users and point that to the internal address.

What kind of NAT configuration are you using?

Btw, I don't follow you here:

So for some reason I cannot access mail.testclient.com internally. Telnet to mail.testclient.com on port 25 and 110 are unsuccessful. However telnet to mail.testclient.com and 11.12.13.14 on port 25 and 110 are successful.

Do you mean it's not working internally but it is when you're connecting from the outside?

nigelb
Level 1