Solved: Pix 501 problem, I cant receive smtp mail

firebird9 · ‎02-21-2005

Currently I can send mail but cannot receive mail from the Internet, if I remove the Pix and connect directly to the Modem/Router then I can SMTP in on port 25 and SMTP mail works fine both in & out.

All we want this Pix to allow at present is:

a) Internet access to all internal network clients

b) Allow clients to pop mail from web mail accounts

c) We wish to use Exchange & Outlook and host our own e-mail using SMTP

Please find attached two documents: -

1. A current edited running config of my 501 Pix

2. A PowerPoint diagram of my network.

I very much appreciate any help.

Vinny.

Patrick Iseli · ‎02-23-2005

I finaly found the problem.

On the ADSL Router you have configured the same Network 192.168.0.0/24 as you use behind the Mail

Server. This setup will not work because this leads into a duplicated IP range and you will have routing

problems.

Change the setup for another IP range between the ADSL router and the PIX Firewall and everthing will

work.

Note the only Public IP that is configured, received is on the Netgear ADSL router all other interfaces uses

public IPs.

Resume of the networks and IPs:

80.x.y.z/255.255.255.x = Netgear outside IP

192.168.2.0/255.255.255.0 = Network between the Netgear internal and the PIX outside interface

192.168.1.0/255.255.255.0 = Network between the PIX inside and the Mail Server external interface

192.168.0.0/255.255.255.0 = Network between the Mail server internal interface and the Mail clients.

Use 192.168.2.0 255.255.255.0 for this network, then configure 192.168.2.1 for your ADSL Router inside

interface, use a static IP 192.168.2.2 255.255.255.0 on the PIX Firewall outside interface.

ADSL Setup:

You can choose on the Netgear between forwarding all traffic from the public IP 80.x.y.z to 192.168.2.2 which is NAT or

you can port forward the http, pop3 and smtp, it does not really matter, it is just important that you NAT or PAT it

to the PIX Firewall.

PIX setup example:

All traffic received on the PIX outside interface for http, pop3 and smtp is then forwarded from 192.168.2.2 to the mail

server 192.168.1.2 external IP.

ip address outside 192.168.2.2 255.255.255.0

ip address inside 192.168.1.1 255.255.255.0

access-list acl_out permit tcp any host 192.168.2.2 eq http

access-list acl_out permit tcp any host 192.168.2.2 eq pop

access-list acl_out permit tcp any host 192.168.2.2 eq smtp

access-group acl_out in interface outside

static (inside,outside) tcp 192.168.2.2 80 192.168.1.2 80 netmask 255.255.255.255 0 0

static (inside,outside) tcp 192.168.2.2 110 192.168.1.2 110 netmask 255.255.255.255 0 0

static (inside,outside) tcp 192.168.2.2 25 192.168.1.2 25 netmask 255.255.255.255 0 0

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 192.168.2.1

Mail Server setup:

The mail server has a default route to the PIX Firewall.

Default gateway on Mail server = 192.168.1.1

Do you NAt or PAT the internal clients on the Mail server to go to the Internet in direction of the PIX? If no then you have to add another route on the PIX, so that the PIX know that the network 192.168.0.0/24 is behind the Mail Server as this device is doing the routing for this network.

Add a route on the PIX inside interface:

route inside 192.168.0.0 255.255.255.0 192.168.1.2

Mail clients:

All mail clients have the Mail Server internal IP as default gateway.

Default gateway = 192.168.0.3

This setup will work at 100%

Sorry if I confused you.

sincerely

Patrick

View solution in original post

nefkensp · ‎02-21-2005

Hello Vinny,

I've looked at your network setup, but it states that the NetGear modem is forwarding port 25 to 192.168.1.1. It should actually forward to either the interface or a static ip-address in the 192.168.0.x range.

Is there a reason why you want to have your clients go through the server, then through the pix and then through the netgear on the Internet?

Below is an example how it could work:

Internet <--> 80.x.x.225 Netgear 192.168.1.1 <-> 192.168.1.2 (outside) PIX (inside) 192.168.0.1

The PIX would become the default gateway for the clients and the server. A static translation can be set for 192.168.1.3 to the internal ipaddress of the server:

static (inside,outside) 192.168.1.3 192.168.0.y

access-list acl_out permit tcp any host 192.168.1.3 eq smtp

and configure the netgear router to forward smtp to 192.168.1.3

then the network configuration is much easier and the clients will connect through the PIX.

Look at the following url for more information:

http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094466.shtml

Hope this helps,

Pieter-Jan

Patrick Iseli · ‎02-21-2005

You mixed some IPs the smtp, www and pop3 traffic should go 192.168.1.2 which is your internal IP address and not the inside IP of your PIX !!!

ip address inside 192.168.1.1 255.255.255.0

static (inside,outside) tcp interface www 192.168.1.2 www netmask 255.255.255.25

5 0 0

static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.

255 0 0

static (inside,outside) tcp interface pop3 192.168.1.2 pop3 netmask 255.255.255.

255 0 0

sincerely

Patrick

firebird9 · ‎02-22-2005

Hi Patrick,

Thanks for you input.

If I understand you correctly I should use 192.168.1.2 which is the external interface of my mail server, for the static commands that relate to (www, smtp & pop3).

What about my last static command? do I leave this as 192.168.1.1?

static (inside,outside) 80.x.x.168.1.1 netmask 255.x.x.255 0 0

I currently have the Router/modem port forwarding to 192.168.0.2 which is the External interface of the Pix, is this still OK?

I have made the changes as I understood them and I still do not get mail back in, please let me know if I have done something wrong.

Thanks again, Vinny.

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxx

passwd xxxx

hostname pixfirewall

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

no fixup protocol smtp 25

names

access-list acl_out permit tcp any host 80.xxx.xxx.225 eq smtp

access-list acl_out permit tcp any host 80.xxx.xxx.225 eq pop3

access-list acl_out permit tcp any host 80.xxx.xxx.225 eq www

pager lines 24

interface ethernet0 10baset

interface ethernet1 10full

mtu outside 1500

mtu inside 1500

ip address outside dhcp setroute

ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.x.x.x.0.0 0 0

static (inside,outside) tcp interface www 192.168.1.2 www netmask 255.255.255.25

5 0 0

static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.

255 0 0

static (inside,outside) tcp interface pop3 192.168.1.2 pop3 netmask 255.255.255.

255 0 0

static (inside,outside) 80.xxx.xxx.225 192.168.1.1 netmask 255.255.255.255 0 0

access-group acl_out in interface outside

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si

p 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

no sysopt route dnat

telnet timeout 5

ssh timeout 5

dhcpd address 192.168.1.2-192.168.1.2 inside

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

dhcpd enable inside

terminal width 80

Cryptochecksum:xxxx

: end

[OK]

pixfirewall(config)#

Patrick Iseli · ‎02-22-2005

Yes this should be fine.

Have you done a:

"clear xlate" on the PIX Firewall after you have changed the static configuration?

Basicly all smtp, pop and www should be forwarded on the public IP that you defined, which is your router outside IP. Then you forward this trafic to the PIX outside IP and finaly you Port forwarding this three protocols on the Mail Servers internal IP.

This is the way how it works.

To test that traffic:

On an externel connection on the internet do a

telnet YourMailServerPublicIP 25

You should get a mail server banner !

You can also use the capture command (PIX sniffer) to check if you see the packets comming on the outside PIX interface.

example:

access-list smtp permit tcp any any eq 25

capture smtpcap access-list smtp interface outside

show capture smtpcap access-list smtp detail

to remove the capture:

no capture smtpcap

#Do this twice to remove the data from the capture on the PIX

no capture smtpcap

no access-list smtp

sincerely

Patrick

firebird9 · ‎02-22-2005

Hi Patrick,

I have done a clear xlate but still no joy getting mail back.

mail bounces with the following message: -

Sorry, I wasn't able to establish an SMTP connection. (#4.4.1)

I'm not going to try again; this message has been in the queue too long.

can't telnet in as connection is refused.

But if I remove Pix both the above work fine!

Any help would much appreciated

Regards

Vinny.

jmia · ‎02-22-2005

Vinny,

Can you enable logging on the pix, this way we should be able to see what the pix is doing when trying to send/receive SMTP mail.

(in config mode)

logging on

logging buffer debug

sho log

[to disable logging do: no logging on]

post the results here, taking out any sensitive info.

Jay

firebird9 · ‎02-22-2005

Hi Jay,

Thanks for you help.

Please find attached the sho log you requested.

Rgds

Vinny.

Patrick Iseli · ‎02-22-2005

I have seen that your outside interface has a Dynamic IP. How did you setup the network between the router and PIX. It is better to use a static IP on the PIX outside interface !!!

What is the outside IP ?

You configured that access-list:

access-list acl_out permit tcp any host 80.xxx.xxx.225 eq smtp

access-list acl_out permit tcp any host 80.xxx.xxx.225 eq pop3

access-list acl_out permit tcp any host 80.xxx.xxx.225 eq www

The 80.xxx.xxx.225 should be the IP address of the PIX outside interface !!

You also coould configure that the access-list use the DHCP outside IP with:

access-list acl_out permit tcp any interface outside eq smtp

access-list acl_out permit tcp any interface outside eq pop3

access-list acl_out permit tcp any interface outside eq www

sincerely

Patrick

firebird9 · ‎02-22-2005

Patrick,

My outside interface receives DHCP from the Router/Modem but I have limited the range of IP addresses to only one, so the outside interface of the Pix can only ever be 192.168.0.2.

The Router is 192.168.0.1.

You said: -

'The 80.xxx.xxx.225 should be the IP address of the PIX outside interface'

I'm sorry but I don't understand, I only have one static IP address from my ISP, you suggest this static IP address should be assigned to the outside interface of the Pix, so what IP address would the Router be?

I am sorry if these questions sound dumb but I am a little confused.

Thanks once again for your help.

Vinny.

Patrick Iseli · ‎02-23-2005

I finaly found the problem.

On the ADSL Router you have configured the same Network 192.168.0.0/24 as you use behind the Mail

Server. This setup will not work because this leads into a duplicated IP range and you will have routing

problems.

Change the setup for another IP range between the ADSL router and the PIX Firewall and everthing will

work.

Note the only Public IP that is configured, received is on the Netgear ADSL router all other interfaces uses

public IPs.

Resume of the networks and IPs:

80.x.y.z/255.255.255.x = Netgear outside IP

192.168.2.0/255.255.255.0 = Network between the Netgear internal and the PIX outside interface

192.168.1.0/255.255.255.0 = Network between the PIX inside and the Mail Server external interface

192.168.0.0/255.255.255.0 = Network between the Mail server internal interface and the Mail clients.

Use 192.168.2.0 255.255.255.0 for this network, then configure 192.168.2.1 for your ADSL Router inside

interface, use a static IP 192.168.2.2 255.255.255.0 on the PIX Firewall outside interface.

ADSL Setup:

You can choose on the Netgear between forwarding all traffic from the public IP 80.x.y.z to 192.168.2.2 which is NAT or

you can port forward the http, pop3 and smtp, it does not really matter, it is just important that you NAT or PAT it

to the PIX Firewall.

PIX setup example:

All traffic received on the PIX outside interface for http, pop3 and smtp is then forwarded from 192.168.2.2 to the mail

server 192.168.1.2 external IP.

ip address outside 192.168.2.2 255.255.255.0

ip address inside 192.168.1.1 255.255.255.0

access-list acl_out permit tcp any host 192.168.2.2 eq http

access-list acl_out permit tcp any host 192.168.2.2 eq pop

access-list acl_out permit tcp any host 192.168.2.2 eq smtp

access-group acl_out in interface outside

static (inside,outside) tcp 192.168.2.2 80 192.168.1.2 80 netmask 255.255.255.255 0 0

static (inside,outside) tcp 192.168.2.2 110 192.168.1.2 110 netmask 255.255.255.255 0 0

static (inside,outside) tcp 192.168.2.2 25 192.168.1.2 25 netmask 255.255.255.255 0 0

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 192.168.2.1

Mail Server setup:

The mail server has a default route to the PIX Firewall.

Default gateway on Mail server = 192.168.1.1

Do you NAt or PAT the internal clients on the Mail server to go to the Internet in direction of the PIX? If no then you have to add another route on the PIX, so that the PIX know that the network 192.168.0.0/24 is behind the Mail Server as this device is doing the routing for this network.

Add a route on the PIX inside interface:

route inside 192.168.0.0 255.255.255.0 192.168.1.2

Mail clients:

All mail clients have the Mail Server internal IP as default gateway.

Default gateway = 192.168.0.3

This setup will work at 100%

Sorry if I confused you.

sincerely

Patrick

Patrick Iseli · ‎02-23-2005

Another way could be to NAT on the PIX so that all traffic from 192.168.1.0 is forwarded one to one to 192.168.2.0 instead of NATing, port forwarding the traffic. This would increase the performance but I don't think that performance is an issue on the PIX.

Please let me know if this setup is more interesting for you.

Good luck

Patrick

firebird9 · ‎02-23-2005

Hi Patrick,

Thanks very much I understand this much better now.

I would still be very interested to learn the NAT method with the Router port forwarding all traffic to the extrenal interface of the Pix.

Thanks

Vinny

firebird9 · ‎02-23-2005

Hi Patrick,

I have implemented your suggestion but still no cigar!

I unfortunately have another problem, since trying this our clients no longer get out on the Internet, but dns is working.

The server on the other hand still has Internet access as per usual.

Mail still gets out but mail can’t get back in.

Please have a look at the latest attached config & sho log.

Thank you for your patients & hanging in there with me.

Rgds

Vinny

Patrick Iseli · ‎02-23-2005

If you connect a Notebook directly on the PIX network 192.168.1.0 and you connect to the internet then it works ?

Have you done a clear xlate on the PIX ?