09-21-2006 02:20 PM - edited 03-09-2019 04:16 PM
Here is my previous topology which worked good. Mail was coming in good.
CableModem -> PIX -> Switch
Had to switch to this because of VOIP box.
CableModem -> ATA (phone adapter) -> PIX -> Switch
ATA has the public address on the outside and inside = 192.168.0.1
PIX E0 = 192.168.0.2
PIX E1 = 10.10.1.1
Exchange Server is : 10.10.1.10
I can't seem to get mail in now even though the new public address is replicated in the public domain. Any help is appreciated. Here's my config.
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
passwd xxx
hostname
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list out_in permit tcp any host 192.168.0.2 eq smtp
pager lines 24
logging on
logging buffered errors
logging history errors
interface ethernet0 10full
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.2 255.255.255.0
ip address inside 10.10.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp 10.10.1.10 smtp netmask 255.255.255.255 0 0
access-group out_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 10.10.1.150 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80
09-22-2006 05:31 AM
Looks good to me. I assume that the 192.168.0.x addresses are placeholders for real internet addresses?
09-22-2006 07:05 AM
The only public address is on the internet port of the ATA (phone adapter); the 192.168.0.x addresses are private addresses. The 10.10.1.x addresses are on E1 of the PIX and back into the hosts on the network. HTTP traffic is coming and going fine. The only issue is with SMTP. I can send (of course) but not receive. When I do a "sh xlate" I see the 10.10.1.x traffic being translated to the 192.168.0.x range.
09-23-2006 01:04 AM
Franco,
Looking at your configuration, I presume that the IP address 192.168.0.0 /24 you have posted is there to hide your real internet routable IP address, as you are posting on an open forum?
You need to use an internet routable IP address on your PIX outside interface i.e.
As an example:
ip address outside 212.205.xxx.101 255.255.255.248
ip address inside 10.10.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 212.205.111.102
The 212.205.xxx.102 is the internet facing router Ethernet address.
Now if you only have one public IP address available to you (212.205.111.101) and this address is being also used on the outside interface - as above, then yes you can use the keyword 'interface' on your static statement i.e.
access-list smtp_in permit tcp any host 212.205.xxx.101 eq 25
access-group smtp_in in interface outside
static (inside,outside) tcp interface smtp 10.10.1.10 smtp netmask 255.255.255.255 0 0
You need to make sure that your MX record for smtp is also pointing to IP 212.205.111.101, i.e.
xyz.com MX preference = 5, mail exchanger = smtp.xyz.com
smtp.xyz.com internet address = 212.205.111.101
Of course when you have made the appropriate changes on your PIX and saved with: write mem - you need also to issue - clear xlate
Now if you telnet to IP 212.205.xxx.101 on port 25 from an external network you should get a response from your internal smtp exchange server.
If you have a spare public IP address available on the same IP range then use the spare IP for your smtp service and make the appropriate changes to your outside ACL and static statement, also to hide your PIX from any internet based scanners you can apply on your PIX:
In config mode
icmp deny any outside
Only issue deny icmp after you're satisfied that all your internet-based services are working correctly.
You can test your PIX for any open 'holes' by going to http://www.grc.com and use the 'shields up' application to scan your network. One thing to take note here, is that if you are using the outside interface IP address for your smtp service then when you scan your network using the 'shields up' application it will show up as open for port 25 and hence may give any internet scanners information that your smtp port is open for abuse!
This is why I suggest that you use a different IP address for your smtp service and apply on the outside interface: icmp deny any outside, so that the PIX does not respond to any internet scanners.
You could also use the mail guard feature of the PIX but as you probably know, MS ESMTP servers have difficulty communicating if you use the mail guard feature!
I hope the above helps and let me know if you need any further help/assistance. Please rate posts - rating posts will give an indication to the responder to your question that the information provided is correct and may help others who may be looking for similar answers!
Jay
09-26-2006 09:54 AM
Jay,
What I'm saying is that the "Linksys" phone adapter is working as the perimeter router. It has the ONLY public IP address on its internet port, and that is 68.36.x.x. Its ethernet port is PRIVATE and is 192.168.0.1.
The PIX E0 is PRIVATE and is 192.168.0.2, and the PIX E1 is also PRIVATE, 10.10.1.x. I was wanting to get SMTP through the "Linksys" and the PIX and to the SMTP server on the 10.10.1.0 network. Since other services, i.e. HTTP, are coming through, I'm looking for the right config to get the SMTP to pass the PIX.
Thanks
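The following is an added check, not code from the thread or from Cisco, that reads the three PIX statements Jay's checklist turns on (outside interface address, inbound ACL, port static using the interface keyword) and reports what is still missing for inbound SMTP. The last finding is my own inference from Franco's topology: with a private address on the PIX outside interface, the device holding the public address in front of the PIX (the ATA here) must also forward tcp/25 to the PIX, which no PIX statement can arrange. The config text is a constructed excerpt of the one posted above.

```python
import ipaddress
import re

# Constructed sample: the inbound-SMTP related lines from the PIX 6.2 config in the thread
PIX_CONFIG = """
ip address outside 192.168.0.2 255.255.255.0
ip address inside 10.10.1.1 255.255.255.0
access-list out_in permit tcp any host 192.168.0.2 eq smtp
static (inside,outside) tcp interface smtp 10.10.1.10 smtp netmask 255.255.255.255 0 0
access-group out_in in interface outside
"""

PORT_NAMES = {"smtp": "25"}  # PIX accepts either the service name or the number


def check_inbound_smtp(config):
    """Return a list of findings; an empty list means the PIX side looks complete."""
    outside_ip, acls, bound, static_ok = None, {}, {}, False
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"ip address outside (\S+) \S+$", line)
        if m:
            outside_ip = ipaddress.ip_address(m.group(1))
        m = re.match(r"access-list (\S+) permit tcp any host (\S+) eq (\S+)$", line)
        if m:
            port = PORT_NAMES.get(m.group(3), m.group(3))
            acls.setdefault(m.group(1), set()).add((m.group(2), port))
        m = re.match(r"access-group (\S+) in interface (\S+)$", line)
        if m:
            bound[m.group(2)] = m.group(1)
        if re.match(r"static \(inside,outside\) tcp interface smtp \S+ smtp "
                    r"netmask 255\.255\.255\.255", line, re.IGNORECASE):
            static_ok = True  # port static on the outside interface address
    if outside_ip is None:
        return ["no 'ip address outside' statement found"]
    findings = []
    if not static_ok:
        findings.append("no 'static (inside,outside) tcp interface smtp ...' for the mail server")
    acl = bound.get("outside")
    if acl is None or (str(outside_ip), "25") not in acls.get(acl, set()):
        findings.append("no ACL applied inbound on outside permitting tcp/25 to %s" % outside_ip)
    if outside_ip.is_private:
        # Inference, not stated in the thread: the public address sits on the device in
        # front of the PIX (the ATA), so that device must itself forward tcp/25 to the PIX.
        findings.append("outside address %s is private; the upstream NAT device must "
                        "forward tcp/25 to it" % outside_ip)
    return findings


if __name__ == "__main__":
    for finding in check_inbound_smtp(PIX_CONFIG):
        print("FINDING:", finding)
```

Swapping the outside and ACL address for a routable one, as in Jay's example, makes the check pass, which is exactly the difference between the two topologies in the thread.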