Lotus Notes sends but can't receive internet mail

pschneider
Level 1

I have a Lotus Notes server that can send internet mail but cannot receive it. I have the correct ports open: 25, 80, 443, and 1352. My access list was reviewed by two Cisco engineers via TAC cases and they said they are correct:

access-list outin permit tcp any host xx.xx.xx.xx eq smtp where xx is the public address of our mail server. A static statement takes care of the NAT: static (inside,outside) privateip publicip (etc). When I had publicip privateip, the Notes server could not get out of the pix.

I have a "no fixup smtp" statement in there but it does not help. Any ideas?

14 Replies

james-nguyen
Level 1

Your static statement looks incorrect, it should be:

static (inside, outside) publicIP privateIP

Not sure why your Notes server would not get out. In theory, if you've configured the PIX with a global statement, all hosts on the inside interface should be able to initiate connections out, either by a PAT or a NAT pool.

Your access-list looks correct. Ensure that you have in fact applied the access-list on the outside interface.

Yes, I have the global statement. Clients get outside the PIX but not the static-defined servers. The non-static servers get out also. So, when I reverse the static to privateip publicip, these static servers get out but still can't receive. I corrected the static statements and reduced the MTU size to 1400. I also added 3 more static statements for the same 3 servers, but this time outside,inside. None of the above worked. I tried some test access lists to capture traffic inside and outside and those ACLs got hits, but my normal ACLs which limit the ports to 25, 80, etc. got no hits. Yes, Cisco says my ACLs are correct.

t-mcintyre
Level 1

I don't know if this will help or not, but I have run across a similar situation. It was a DSL connection and I needed to set the MTU size from 1500 to as low as 1400, and that solved the issue.

Thanks for the tip. I did change it to 1400 with no success. I may try 1200.

Are the MX records pointing to a host record with the right IP address? Can you telnet from outside the firewall to the SMTP port?

Yes, MX records are correct. I can telnet from outside the PIX to the SMTP port of the public address of the server. None of my 3 statics can access the lower-security interface, which I thought was implicitly possible with a global statement and no nat on inside. Non-static servers have no problem accessing the lower-security interface. I'll post the config tomorrow AM when I get back to the office.

a.alekseev
Level 7

It would be better if you post the pix config.

Here is my pix config. Any assistance would be greatly appreciated.

> static (inside,outside) private_ip public_ip_Notes netmask 255.255.255.255 0 0

It must be quite the contrary:

static (inside,outside) public_ip_Notes private_ip netmask 255.255.255.255 0 0

It is contrary, but it is the only way I can get my static servers out of the PIX. Entering the static correctly, I cannot get out or in on the static servers.

I think you have not done a "clear xlate" after changing the access-list and the static. That's why you did not have any connectivity. As all others mentioned before, your static is not correct!

The static below is bi-directional and it should be possible to connect to the Internet.

Example config for the mail server:

access-list outin permit tcp any host public_ip_Notes eq smtp

access-group outin in interface outside

static (inside,outside) public_ip_Notes Private_ip_Notes netmask 255.255.255.255 0 0

# This will reset all connections, translation table. Do not do this in business hours !

clear xlate

References:

Configuring the PIX Firewall with Mail Server Access on Inside Network:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094466.shtml

Have you tried without the "fixup protocol smtp 25"?

no fixup protocol smtp 25

sincerely

Patrick
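To make the operand rule in Patrick's example mechanical, here is an added Python example (not Patrick's code, not Cisco's, and not part of the original thread) that lints `static` and `access-list` statements the way the thread reasons about them: it flags a static whose mapped (first) address is RFC 1918 while the real (second) address is public, flags the extra `(outside,inside)` statics, and, assuming PIX 6.x semantics where an ACL applied inbound on the outside interface is matched against the mapped address, reports an outside ACL entry that permits a host no correct static publishes (which is exactly an entry that will never get hits). The configuration text is constructed for the demonstration with documentation and RFC 1918 addresses.

```python
import ipaddress
import re

# Constructed PIX 6.x-style config for this demonstration (not the poster's
# real config). 203.0.113.0/24 stands in for public space, 192.168.10.0/24
# for the inside network. Line 5 has the operands reversed, line 7 is an
# extra (outside,inside) static, line 8 is the SMTP ACL for the mail server.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 192.168.10.25 203.0.113.25 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.80 192.168.10.80 netmask 255.255.255.255 0 0
static (outside,inside) 192.168.10.25 203.0.113.25 netmask 255.255.255.255 0 0
access-list outin permit tcp any host 203.0.113.25 eq smtp
access-list outin permit tcp any host 203.0.113.80 eq www
access-group outin in interface outside
"""

# PIX syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask ...]
STATIC_RE = re.compile(
    r"^static\s*\(\s*(?P<real_if>\w+)\s*,\s*(?P<mapped_if>\w+)\s*\)\s+"
    r"(?P<mapped>\d+(?:\.\d+){3})\s+(?P<real>\d+(?:\.\d+){3})\b"
)
ACL_HOST_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+permit\s+\S+\s+any\s+host\s+"
    r"(?P<host>\d+(?:\.\d+){3})\b"
)
APPLIED_RE = re.compile(r"^access-group\s+(?P<name>\S+)\s+in\s+interface\s+(?P<ifc>\w+)")

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def lint_config(config: str) -> list:
    """Return sorted (line_number, finding) pairs for the mistakes discussed in the thread.

    1. A static whose mapped (first) address is RFC 1918 while the real (second)
       address is public has its operands reversed.
    2. An (outside,inside) static does not publish an inside server.
    3. Assumption (PIX 6.x): an ACL applied inbound on outside is matched against
       the mapped address, so a permit for a host no correct static publishes never hits.
    """
    findings = []
    published = set()        # mapped addresses of correct (inside,outside) statics
    acl_hosts = []           # (line, acl name, host address)
    applied_outside = set()  # ACL names applied inbound on the outside interface

    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if m := STATIC_RE.match(line):
            mapped, real = m["mapped"], m["real"]
            if m["real_if"] == "outside" and m["mapped_if"] == "inside":
                findings.append((lineno, "static (outside,inside) maps an outside host "
                                         "toward inside; it does not publish an inside server"))
            elif is_rfc1918(mapped) and not is_rfc1918(real):
                findings.append((lineno, f"operands reversed: mapped address {mapped} is "
                                         f"RFC 1918, real address {real} is public; use "
                                         f"'static ({m['real_if']},{m['mapped_if']}) {real} {mapped}'"))
            else:
                published.add(mapped)
        elif m := ACL_HOST_RE.match(line):
            acl_hosts.append((lineno, m["name"], m["host"]))
        elif (m := APPLIED_RE.match(line)) and m["ifc"] == "outside":
            applied_outside.add(m["name"])

    for lineno, name, host in acl_hosts:
        if name in applied_outside and host not in published:
            findings.append((lineno, f"access-list {name} permits host {host}, but no correct "
                                     "(inside,outside) static publishes it; this entry gets no hits"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, msg in lint_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {msg}")
```

Running it against the constructed config reports line 5 (reversed operands), line 7 (the outside,inside static) and line 8 (the SMTP ACL entry that references an address no correct static publishes); after fixing line 5 and deleting line 7 it reports nothing, which is the state the example config above describes.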

I make it a habit to clear xlate all the time when testing the PIX. The PIX is on my test network until I test it on our real network. When I move it to our real network, I do a clear xlate. I have also tried fixup and no fixup on SMTP with no success either way. Protocol analysis from captures shows resets and no ACKs from the inside and outside addresses.

What does a capture on the PIX show ?

example:

access-list smtp permit tcp any any eq 25

capture smtp access-list smtp interface outside

show capture smtp de

# Then, after verifying the ACL on the outside, change it to the inside interface.

no capture smtp access-list smtp interface outside

no capture smtp

# same thing on the inside interface

capture smtp access-list smtp interface inside

This way you can follow the stream and see if the packets come from the outside in to the server and the way back to the source.

Are you sure that your ISP permits SMTP traffic into your network? Because of spamming, it is often blocked these days.

sincerely

Patrick

Here is a capture of traffic against the outside:

17:41:16.491536 67.38.103.136.2962 > 64.233.167.147.80: S 850178520:850178520(0) win 16384

17:41:19.501362 67.38.103.136.2962 > 64.233.167.147.80: S 850178520:850178520(0) win 16384

Here is a capture of traffic against the inside (one of many, but they are all the same, ack 0):

No. Time Source Destination Protocol Info

1 0.000000 xx.xxx.xx.36 206.165.246.47 SMTP Response: 22

Frame 1 (178 bytes on wire, 68 bytes captured)

Ethernet II, Src: 00:08:02:8a:8e:3e, Dst: 00:13:60:5a:c8:23

Internet Protocol, Src Addr: xx.xxx.xx.36 (xx.xxx.xx.36), Dst Addr: 206.165.246.47 (206.165.246.47)

Transmission Control Protocol, Src Port: smtp (25), Dst Port: 35872 (35872), Seq: 0, Ack: 0, Len: 112

Simple Mail Transfer Protocol
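The two outbound SYNs in the outside capture above, retransmitted three seconds apart with no SYN/ACK, are exactly what Patrick's "follow the stream" advice is meant to surface. As an added example (not posted by anyone in the thread), here is a small Python parser for the tcpdump-style lines that the PIX `show capture` command prints: it groups packets into flows keyed by client and server, counts SYNs, SYN/ACKs, resets and payload bytes per flow, and gives each flow a verdict so that "unanswered" (the SYN never came back), "refused" (the server answered with a reset) and "established" are told apart at a glance. The capture text is constructed for the demonstration with documentation addresses and the flag syntax tcpdump used at the time (`S`, `.`, `P`, `R`, with `ack N` for the acknowledgement); the timestamp and port layout matches the lines shown above.

```python
import re

# Constructed capture text in the format PIX 'show capture' prints (addresses
# are documentation ranges, not the poster's). Flow 1 is an outbound web
# connection that gets two SYN retransmits and no answer; flow 2 an inbound
# SMTP session that completes its handshake and receives a 112-byte banner;
# flow 3 an inbound SMTP attempt refused with a reset.
SAMPLE_CAPTURE = """\
17:41:16.491536 203.0.113.25.2962 > 198.51.100.10.80: S 850178520:850178520(0) win 16384
17:41:19.501362 203.0.113.25.2962 > 198.51.100.10.80: S 850178520:850178520(0) win 16384
17:41:20.100000 198.51.100.20.35872 > 203.0.113.25.25: S 1000:1000(0) win 65535
17:41:20.100500 203.0.113.25.25 > 198.51.100.20.35872: S 2000:2000(0) ack 1001 win 16384
17:41:20.101000 198.51.100.20.35872 > 203.0.113.25.25: . ack 2001 win 65535
17:41:20.120000 203.0.113.25.25 > 198.51.100.20.35872: P 2001:2113(112) ack 1001 win 16384
17:41:21.000000 198.51.100.30.4000 > 203.0.113.25.25: S 3000:3000(0) win 8192
17:41:21.000300 203.0.113.25.25 > 198.51.100.30.4000: R 0:0(0) ack 3001 win 0
"""

# timestamp src.sport > dst.dport: FLAGS [seq:end(len)] [ack N] win W
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+(?P<flags>[SPFR.]+)"
    r"(?:\s+\d+:\d+\((?P<len>\d+)\))?(?:\s+ack\s+(?P<ack>\d+))?"
)


def summarize_capture(text: str) -> dict:
    """Group capture lines into flows keyed by (client_ip, client_port,
    server_ip, server_port) and count, per flow, bare SYNs from the client,
    SYN/ACKs from the server, resets in either direction and payload bytes."""
    flows = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a TCP summary line (e.g. the 'show capture' header)
        src, sport = m["src"], int(m["sport"])
        dst, dport = m["dst"], int(m["dport"])
        flags, has_ack = m["flags"], m["ack"] is not None
        forward = (src, sport, dst, dport)
        reverse = (dst, dport, src, sport)
        # A bare SYN opens a flow in the client->server direction; any other
        # packet is attributed to a known flow, whichever direction it travels.
        if "S" in flags and not has_ack:
            key = forward
        elif reverse in flows:
            key = reverse
        else:
            key = forward
        f = flows.setdefault(key, {"syn": 0, "synack": 0, "rst": 0, "data_bytes": 0})
        if "S" in flags and not has_ack:
            f["syn"] += 1
        elif "S" in flags and has_ack:
            f["synack"] += 1
        if "R" in flags:
            f["rst"] += 1
        if m["len"]:
            f["data_bytes"] += int(m["len"])
    return flows


def diagnose(flows: dict) -> dict:
    """Verdict per flow: 'no handshake seen' (only mid-stream packets captured),
    'unanswered' (SYNs but nothing back), 'refused' (RST instead of SYN/ACK),
    'reset' (handshake completed, then RST) or 'established'."""
    verdicts = {}
    for key, f in flows.items():
        if f["syn"] == 0 and f["synack"] == 0:
            verdicts[key] = "no handshake seen"
        elif f["synack"] == 0 and f["rst"] == 0:
            verdicts[key] = "unanswered"
        elif f["synack"] == 0:
            verdicts[key] = "refused"
        elif f["rst"]:
            verdicts[key] = "reset"
        else:
            verdicts[key] = "established"
    return verdicts


if __name__ == "__main__":
    flows = summarize_capture(SAMPLE_CAPTURE)
    for key, verdict in diagnose(flows).items():
        c_ip, c_port, s_ip, s_port = key
        print(f"{c_ip}:{c_port} -> {s_ip}:{s_port}: {verdict} {flows[key]}")
```

Run the same parser over the outside capture and then over the inside capture, as Patrick suggests: a flow that is "unanswered" on the outside interface but never appears on the inside points at the translation or the ACL, while one that is "established" on the inside but "unanswered" on the outside means the reply is being lost on the way back out.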