03-05-2005 12:34 PM - edited 02-20-2020 11:59 PM
I am firewall challenged and am hopeful someone can help with my issue.
I have a PIX 501 firewall configured and am trying to send email through SMTP from an application sitting on a server behind my firewall. I have opened port 25 for TCP traffic (don't know if that is necessary for outgoing mail) and am using NAT so the internal IP address of my server differs from its external IP address.
I am able to send email from my application inside my firewall through a machine external to my network by specifying an IP address of an external SMTP server, but I cannot send email from the machine I am running my program on (the one behind my firewall) by specifying its external IP address.
A related issue may be that when trying to ping my server's external IP address from itself (inside my firewall) the ping times out. However, I can ping that same IP address from another machine outside of my network, so I know ping is enabled.
Any thoughts would be GREATLY appreciated!
Regards,
Jeff
03-05-2005 05:25 PM
Jeff,
Typically, PIXs allow all traffic out by default. You might have to do a "no fixup protocol smtp 25". Is it possible you have a DNS problem on your SMTP host?
Can you post the nat/global and ACLs?
--Jon
03-05-2005 07:30 PM
Jon,
Thanks for your help. Is this what you are looking for (I have changed my actual IP address in case I have done something stupid and have opened up something that is a security risk - as mentioned earlier, I'm not really sure of what I am doing with configuring the firewall):
Result of firewall command: "show nat"
nat (inside) 2 192.168.1.0 255.255.255.0 0 0
Result of firewall command: "show global"
global (outside) 2 interface
Result of firewall command: "show access-list"
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
alert-interval 300
access-list inside_access_in; 3 elements
access-list inside_access_in line 1 permit tcp any any (hitcnt=2361)
access-list inside_access_in line 2 permit ip any any (hitcnt=16530)
access-list inside_access_in line 3 permit tcp any host 123.45.678.136 eq 2401 (hitcnt=0)
access-list outside_access_in; 21 elements
access-list outside_access_in line 1 permit icmp any any (hitcnt=20540)
access-list outside_access_in line 2 permit icmp any any echo-reply (hitcnt=0)
access-list outside_access_in line 3 permit tcp any host 123.45.678.134 eq www (hitcnt=5072)
access-list outside_access_in line 4 permit tcp any host 123.45.678.134 eq https (hitcnt=103)
access-list outside_access_in line 5 permit tcp any host 123.45.678.132 eq https (hitcnt=1544)
access-list outside_access_in line 6 permit tcp any host 123.45.678.132 eq www (hitcnt=19881)
access-list outside_access_in line 7 permit icmp any any time-exceeded (hitcnt=0)
access-list outside_access_in line 8 permit gre any host 123.45.678.132 (hitcnt=0)
access-list outside_access_in line 9 permit esp any host 123.45.678.132 (hitcnt=0)
access-list outside_access_in line 10 permit udp any host 123.45.678.132 eq isakmp (hitcnt=0)
access-list outside_access_in line 11 permit tcp any host 123.45.678.132 eq pptp (hitcnt=0)
access-list outside_access_in line 12 permit tcp any host 123.45.678.132 eq 5900 (hitcnt=967)
access-list outside_access_in line 13 permit tcp any host 123.45.678.134 eq 5900 (hitcnt=973)
access-list outside_access_in line 14 permit tcp any host 123.45.678.136 eq 2401 (hitcnt=342)
access-list outside_access_in line 15 permit tcp any host 123.45.678.136 eq 5900 (hitcnt=866)
access-list outside_access_in line 16 permit tcp any host 123.45.678.134 eq pop3 (hitcnt=1)
access-list outside_access_in line 17 remark SMTP on eRecording02
access-list outside_access_in line 18 permit tcp any host 123.45.678.134 eq smtp (hitcnt=5)
access-list outside_access_in line 19 remark SMTP on eRecording02
access-list outside_access_in line 20 permit udp any host 123.45.678.134 eq 25 (hitcnt=0)
access-list outside_access_in line 21 remark Remote desktop access on 02
access-list outside_access_in line 22 permit tcp any host 123.45.678.134 eq 3459 (hitcnt=64)
access-list outside_access_in line 23 remark Remote desktop access on 01
access-list outside_access_in line 24 permit tcp any host 123.45.678.132 eq 3459 (hitcnt=45)
access-list outside_access_in line 25 remark FTP on eRecording03
access-list outside_access_in line 26 permit tcp any host 123.45.678.136 eq ftp (hitcnt=880)
access-list inside_access_out; 3 elements
access-list inside_access_out line 1 permit tcp any any (hitcnt=0)
access-list inside_access_out line 2 permit ip any any (hitcnt=0)
access-list inside_access_out line 3 permit tcp any host 123.45.678.132 eq pptp (hitcnt=0)
Again, thanks for any help you can offer!
Regards,
Jeff
03-05-2005 07:47 PM
Looks good.
I may have missed this before, but you can send from your mail server OK, but you cannot send mail from another internal host by using the public address... right?
The Pix will not reroute on the same interface (take a packet in on the inside and route it back out the inside interface). I would suggest running an internal DNS server to resolve the inside IP.
Also check out the alias command. I have had people tell me it does what you're looking for, but I think your mileage may vary.
Hope that helps.
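Jon's suggestions above, written out as a PIX 6.x configuration fragment. This is an added example, not configuration from the original thread or from Jeff's PIX. It assumes the mail server is 192.168.1.10 on the inside and is published as 123.45.678.134 (the sanitised public address the posted ACL labels "SMTP on eRecording02") by a static, and that the application reaches the server by the hypothetical name mail.example.com, resolved through a DNS server on the outside. The posted inside_access_in already permits ip any any outbound, so the ACLs are not what blocks this; the hairpin is.

```cisco
! Added example, not from the thread. Addresses below follow the poster's
! sanitised numbering; 192.168.1.10 and mail.example.com are assumptions.

! Option A: DNS doctoring on the static (needs PIX 6.2 or later).
! When an inside host resolves mail.example.com via an outside DNS server
! and the reply carries 123.45.678.134, the PIX rewrites the A record to
! 192.168.1.10 before passing it inside. The client then connects to the
! inside address directly and never asks the PIX to send a packet back out
! the interface it arrived on, which a PIX 501 will not do.
static (inside,outside) 123.45.678.134 192.168.1.10 dns netmask 255.255.255.255
access-list outside_access_in permit tcp any host 123.45.678.134 eq smtp
access-group outside_access_in in interface outside

! Option B: the older alias command (pre-6.2). Same idea: DNS replies seen
! on the inside interface that contain 123.45.678.134 are rewritten to
! 192.168.1.10. Use one of A or B, not both, and confirm the argument order
! against the command reference for the running PIX version.
! alias (inside) 192.168.1.10 123.45.678.134 255.255.255.255

! Option C (no PIX change): run an internal DNS server that answers
! mail.example.com with 192.168.1.10 for inside clients, and point the
! application at the name rather than at the public IP.

! Jon's first suggestion, if mail still fails once the hairpin is gone:
! Mailguard restricts which SMTP commands may pass; turning it off lets
! ESMTP extensions through.
! no fixup protocol smtp 25
```

Either DNS-rewrite option only helps if the lookup actually crosses the PIX; an application that is given the public IP literally (as in the original post) still tries to hairpin and times out, exactly like the ping. After applying Option A, `show static` should list the entry with the dns flag, and `show xlate` should show the inside host's connection to 192.168.1.10 without a translation through the outside interface.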