Solved: Enabling access to SMTP server from outside

HilarionLefuneste · ‎08-25-2011

I am having a Cisco Pix 501 and using it for Internet access. It is configured to use PPPoE and is linked to an ADSL line. This is working fine, however I am trying to configure it in order to enable access to my internal mailserver. I read this previous post:

https://supportforums.cisco.com/thread/72060

I did follow all the instructions in it, however it still doesn't work. What am I doing wrong?

Here is my configuration:

PIX Version 6.3(4)

interface ethernet0 10baset

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password ************** encrypted

passwd *************** encrypted

hostname somehost

domain-name abcd.ef

clock timezone EDT 0

clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00

fixup protocol dns maximum-length 1500

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

no fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol tftp 69

names

name 10.1.1.19 mailserver

access-list out2in permit tcp any interface outside eq smtp

pager lines 24

logging buffered debugging

mtu outside 1500

mtu inside 1500

ip address outside pppoe setroute

ip address inside 10.1.1.2 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm history enable

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp interface smtp mailserver smtp netmask 255.255.255.255 0 0

access-group out2in in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet 10.1.1.17 255.255.255.255 inside

telnet timeout 5

ssh 10.1.1.17 255.255.255.255 inside

ssh timeout 5

management-access inside

console timeout 0

vpdn group mgrp request dialout pppoe

vpdn group mgrp localname buser@nopq.rstu.vw

vpdn group mgrp ppp authentication pap

vpdn username auser@fgh.ijk.lm password ********* store-local

dhcpd dns 10.1.1.18 10.1.1.8

dhcpd auto_config outside

username auser password ************ encrypted privilege 2

terminal width 80

Cryptochecksum:*****************************************

: end

Here are the lines of interest:

name 10.1.1.19 mailserver

access-list out2in permit tcp any interface outside eq smtp

static (inside,outside) tcp interface smtp mailserver smtp netmask 255.255.255.255 0 0

access-group out2in in interface outside

What am I doing wrong?

TIA

raga.fusionet · ‎08-25-2011

Daniel,

How are you testing the access to this server?

For example what happens if you just telnet from outside to your public IP on port 25? If you can telnet to it on port 25 then the PIX config is fine and you should start looking at the server config.

Now if that doesnt work what do you see if you do a "show xlate | inc 10.1.1.19"

Also, you can try enabling a capture and see if the packets are making it thru the PIX:

access-list 199 permit tcp any host 10.1.1.19 eq 25

access-list 199 permit tcp host 10.1.1.19 eq 25 any

capture emailserver access-list 199 interface inside packet-length 1300

Then try the connection again and check what the capture says:

show capture emailserver

Give it a try and let us know how it goes.

Raga

View solution in original post

raga.fusionet · ‎08-25-2011

Daniel,

How are you testing the access to this server?

For example what happens if you just telnet from outside to your public IP on port 25? If you can telnet to it on port 25 then the PIX config is fine and you should start looking at the server config.

Now if that doesnt work what do you see if you do a "show xlate | inc 10.1.1.19"

Also, you can try enabling a capture and see if the packets are making it thru the PIX:

access-list 199 permit tcp any host 10.1.1.19 eq 25

access-list 199 permit tcp host 10.1.1.19 eq 25 any

capture emailserver access-list 199 interface inside packet-length 1300

Then try the connection again and check what the capture says:

show capture emailserver

Give it a try and let us know how it goes.

Raga

raga.fusionet · ‎08-25-2011

Here is the syntax of the capture command in case you want to play around with it:

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/c.html#wp1053548

HilarionLefuneste · ‎08-26-2011

Luis,

seems my configuration was right, the problem is my ISP is blocking port 25 which I discovered after trying to capture incoming connections at the PIX. Thanks for your help debugging this problem. I was trying to install my own email server just to move away from this ISP and remove dependencies on its mailserver before moving.

Regards,

Daniel

raga.fusionet · ‎08-26-2011

Hey Daniel. Good to hear that you got it working .

Have fun!