Pix 501 problem, I cant receive smtp mail

firebird9
Level 1

Currently I can send mail but cannot receive mail from the Internet, if I remove the Pix and connect directly to the Modem/Router then I can SMTP in on port 25 and SMTP mail works fine both in & out.

All we want this Pix to allow at present is:

a) Internet access to all internal network clients

b) Allow clients to pop mail from web mail accounts

c) We wish to use Exchange & Outlook and host our own e-mail using SMTP

Please find attached two documents: -

1. A current edited running config of my 501 Pix

2. A PowerPoint diagram of my network.

I very much appreciate any help.

Vinny.

48 Replies

Yes, the mail server is on 192.168.1.2 and it works fine on the internet, but mail still does not get in.

Plus, clients are not getting Internet; it’s weird because if I ping www.yahoo.com it resolves the address and the requests time out (which is what I would expect).

All clients lost Internet when I changed the router internal address to 192.168.2.1 and the Pix external address to 192.168.2.2.

Patrick, you did not suggest a line of code to assign my public fixed IP address (80.xxx.xxx.225) to a specific interface. I put in the following line of code but I am not sure if this is correct:

static (inside,outside) 80.177.115.225 192.168.1.1 netmask 255.255.255.255 0 0

After changing the code, I performed a write m and then a clear xlate, in that order.

I will perform a test using a laptop to be certain.

Thanks again

Vinny

No, this line should not be there:

no static (inside,outside) 80.177.115.225 192.168.1.1 netmask 255.255.255.255 0 0

and

clear xlate.

Have you tried whether the connection to the Internet from the 192.168.1.x network works?

sincerely

Patrick

Have you changed the PAT and NAT settings on your ADSL router?

Another question: what is the idea of connecting your mail clients behind another Ethernet interface on the mail server? This might be the problem. Connect them instead to the same network as the PIX inside interface.

sincerely

Patrick

Let's change the config completely and disable NAT!

Note the only public IP that is configured/received is on the Netgear ADSL router; all other interfaces use private IPs.

Summary of the networks and IPs:

80.x.y.z/255.255.255.x = Netgear outside IP

192.168.2.0/255.255.255.0 = Network between the Netgear internal and the PIX outside interface

192.168.1.0/255.255.255.0 = Network between the PIX inside and the Mail Server external interface

192.168.0.0/255.255.255.0 = Network between the Mail server internal interface and the Mail clients.

The netgear ADSL Router forwards all smtp, pop3 and http traffic to 192.168.1.2. Configure Port Address translation (masquerading) for 192.168.0.0 255.255.0.0 to your public IP 80.x.y.225 on the netgear Router.

example PIX without NAT:

access-list NONAT permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list NONAT permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list acl_out permit tcp any host 192.168.1.2 eq smtp

access-list acl_out permit tcp any host 192.168.1.2 eq www

access-list acl_out permit tcp any host 192.168.1.2 eq pop3

ip address outside 192.168.2.2 255.255.255.0

ip address inside 192.168.1.1 255.255.255.0

nat (inside) 0 access-list NONAT

route outside 0.0.0.0 0.0.0.0 192.168.2.1 1

route inside 192.168.0.0 255.255.255.0 192.168.1.2 1

dhcpd address 192.168.1.2-192.168.1.2 inside

dhcpd dns YourDNSIP-1 YourDNSIP-2

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

dhcpd enable inside

Mail Server setup:

The mail server has a default route to the PIX firewall = 192.168.1.1. The mail server should not do any NAT, just forward the traffic. But I think the setup would be much easier if you would remove that internal interface on the mail server and instead connect all clients on the PIX inside interface, 192.168.1.0, and not 192.168.0.0.

good luck.

It might also be a good idea to sniff, to analyse whether traffic is correctly forwarded. You could use Ethereal to check that, or the PIX capture command.

sincerely

Patrick

Hi Patrick,

I have tried the above but still no joy with mail coming back in.

On the plus side we do have Internet back on all clients.

I have attached the latest config, if you could please have a look, in case I have done something wrong.

I am prepared to do away with 192.168.0.0 subnet and go with your suggestion of connecting all clients to the 192.168.1.0 subnet.

Is there anything I need to be careful of before I do this?

Kind Regards

Vinny.

How do you NAT on the ADSL Router ?

Do you forward the smtp, pop3 and http traffic to 192.168.1.2 or to 192.168.2.2?

If you forward it to 192.168.1.2 then you no longer need the STATICS! You have disabled NAT on the PIX.

Remove them:

no static (inside,outside) tcp 192.168.2.2 www 192.168.1.2 www netmask 255.255.255.255 0 0

no static (inside,outside) tcp 192.168.2.2 pop3 192.168.1.2 pop3 netmask 255.255.255.255 0 0

no static (inside,outside) tcp 192.168.2.2 smtp 192.168.1.2 smtp netmask 255.255.255.255 0 0

clear xlate

If you still forward that traffic to 192.168.2.2 then leave them as they are!

Before you move the clients to 192.168.1.0, configure your DHCP pool and test it from a test PC. Check Internet connectivity. Reconfigure the mail clients to use 192.168.1.2 as e-mail server...

Add also a Route on the ADSL to the PIX:

route add 192.168.0.0 255.255.255.0 192.168.2.2

route add 192.168.1.0 255.255.255.0 192.168.2.2

Hi Patrick,

1. Pix

I have removed the statics,

write m & a clear xlate.

2. Router/Modem

I am port forwarding all smtp, pop3 & http traffic to 192.168.1.2.

I have setup the two static routes as follows: -

Destination Subnet Gateway

(a) 192.168.0.0 255.255.255.0 192.168.2.2

(b) 192.168.1.0 255.255.255.0 192.168.2.2

Unfortunately mail still does not come in!

Rgds Vinny.

Have you checked with the CAPTURE FEATURE or a packet sniffer whether the ADSL router is really forwarding traffic to the PIX?

I think it is time to start sniffing and try to understand the traffic flow then configure the device to get it working.

You can also use Ethereal to sniff from the laptop but remember you need a Hub port to sniff not a switch port. See: http://www.ethereal.com/

capture example:

access-list smtpcap permit tcp any any eq smtp

capture cap1 access-list smtpcap interface outside

show capture cap1 access-list smtpcap detail

sincerely

Patrick

Hi Patrick,

I get the following message when I enter the line of code: -

pixfirewall(config)# show cap1 access-list smtpcap details

Type help or '?' for a list of available commands.

pixfirewall(config)#

I have connected a laptop via a hub to the Pix and will use ethereal to analyse packet flow.

I just want to confirm: if I install Ethereal on the laptop, will I still be able to see what’s going on between the router and the Pix?

I was going to try and telnet in from outside the network to simulate mail coming in to the laptop, as my laptop does not have Exchange. Is this OK?

Thanks

Vinny

Yes, Ethereal is an open source (free) packet sniffer and you will see the traffic flow between the router and the PIX firewall.

Yes you should be able to:

telnet 192.168.1.2 25

If you get a connection then everything is fine; otherwise there is a problem.

Check the PIX log: show logg

sincerely

Patrick
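The "telnet 192.168.1.2 25" check above, as a small added script that is not part of the thread: it connects to an SMTP port, confirms the 220 greeting, sends EHLO and QUIT, and reports what it saw. Run it against the mail server from a host on the PIX inside network and from a host outside the ADSL router to see where the path breaks. The fake listener, the host name test.example and the demo() helper are constructed here for offline testing.

```python
# Added example (not from the thread): scripted version of "telnet 192.168.1.2 25".
# check_smtp() is the check; start_fake_smtp_server() is a constructed stand-in
# for the mail server so the script can be exercised offline.
import socket
import threading


def _recv_reply(sock):
    """Read one complete SMTP reply; multi-line replies use 'NNN-' until a final 'NNN '."""
    data = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            break
        data += chunk
        complete = data.split(b"\r\n")[:-1]  # drop the unfinished tail fragment
        if complete and (len(complete[-1]) < 4 or complete[-1][3:4] == b" "):
            break
    return data.decode("ascii", "replace")


def check_smtp(host, port=25, timeout=5.0, helo_name="test.example"):
    """Connect to host:port, expect a 220 greeting, then EHLO and QUIT.

    Returns a dict: reachable (TCP connect worked), banner (greeting text),
    ehlo_ok (EHLO answered with 250), error (why the check stopped, if it did).
    """
    result = {"reachable": False, "banner": "", "ehlo_ok": False, "error": ""}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["reachable"] = True
            banner = _recv_reply(sock).strip()
            result["banner"] = banner
            if not banner.startswith("220"):
                result["error"] = "no 220 greeting (something answered, but not SMTP)"
                return result
            sock.sendall(f"EHLO {helo_name}\r\n".encode("ascii"))
            result["ehlo_ok"] = _recv_reply(sock).startswith("250")
            sock.sendall(b"QUIT\r\n")
            _recv_reply(sock)
    except OSError as exc:  # connection refused, timed out, no route, reset
        result["error"] = str(exc) or exc.__class__.__name__
    return result


def start_fake_smtp_server(greeting="220 fake.example ESMTP constructed test listener"):
    """Minimal SMTP responder on 127.0.0.1 (constructed for offline tests); returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def handle(conn):
        with conn:
            conn.sendall((greeting + "\r\n").encode("ascii"))
            buf = b""
            while True:
                chunk = conn.recv(1024)
                if not chunk:
                    return
                buf += chunk
                while b"\r\n" in buf:
                    line, buf = buf.split(b"\r\n", 1)
                    verb = line.split(b" ", 1)[0].upper()
                    if verb in (b"EHLO", b"HELO"):
                        conn.sendall(b"250-fake.example\r\n250 HELP\r\n")
                    elif verb == b"QUIT":
                        conn.sendall(b"221 fake.example closing\r\n")
                        return
                    else:
                        conn.sendall(b"502 command not implemented\r\n")

    def serve():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Run the check against the fake listener and against a port nothing listens on."""
    good_port = start_fake_smtp_server()
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()  # the port is free again, so a connect to it is refused
    return {
        "open": check_smtp("127.0.0.1", good_port, timeout=3),
        "closed": check_smtp("127.0.0.1", closed_port, timeout=3),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

A refused connection points at the server or at something between it and you; a connect that times out with no banner at all is the usual symptom of a firewall dropping the SYN or a missing return route, which is the case this thread is chasing.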

Hi Patrick,

I found the following when looking at unparsed commands on the PDM:

The Cisco PDM did not understand the following commands while parsing the running configuration of your firewall. PDM does not support the complete firewall command set. PDM will ignore the command(s) which appear below. They will not be removed from or changed in the running firewall configuration.

access-list NONAT permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list NONAT permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list acl_out permit tcp any host 192.168.1.2 eq smtp

access-list acl_out permit tcp any host 192.168.1.2 eq www

access-list acl_out permit tcp any host 192.168.1.2 eq pop3

access-list smtpcap permit tcp any any eq smtp

P.S. With the laptop connected via a hub to the Pix I can only see 192.168.1.2 (inside Pix) or 192.168.1.3 (laptop).

Any suggestions

Rgds Vinny.

Hi Patrick,

I have the following packet capture, taken by connecting the laptop to the router whilst the router was still connected to the rest of the network in the same way.

1. I first sent mail out to the internet

2 & 3. I sent mail back from the internet to the mail server.

Although I think we have captured packets coming in, no mail actually arrived!

Thanks

Vinny

Sorry!

1. Sent e-mail out to internet here

No. Time Source Destination Protocol Info

1 0.000000 192.168.2.1 192.168.2.255 RIPv1 Response

Frame 1 (86 bytes on wire, 86 bytes captured)

Ethernet II, Src: 00:09:5b:3b:02:da, Dst: ff:ff:ff:ff:ff:ff

Internet Protocol, Src Addr: 192.168.2.1 (192.168.2.1), Dst Addr: 192.168.2.255 (192.168.2.255)

User Datagram Protocol, Src Port: router (520), Dst Port: router (520)

Routing Information Protocol

No. Time Source Destination Protocol Info

2 31.405111 192.168.2.1 192.168.2.255 RIPv1 Response

Frame 2 (86 bytes on wire, 86 bytes captured)

Ethernet II, Src: 00:09:5b:3b:02:da, Dst: ff:ff:ff:ff:ff:ff

Internet Protocol, Src Addr: 192.168.2.1 (192.168.2.1), Dst Addr: 192.168.2.255 (192.168.2.255)

User Datagram Protocol, Src Port: router (520), Dst Port: router (520)

Routing Information Protocol

2. Received e-mail back from internet here

No. Time Source Destination Protocol Info

3 62.910635 192.168.2.1 192.168.2.255 RIPv1 Response

Frame 3 (86 bytes on wire, 86 bytes captured)

Ethernet II, Src: 00:09:5b:3b:02:da, Dst: ff:ff:ff:ff:ff:ff

Internet Protocol, Src Addr: 192.168.2.1 (192.168.2.1), Dst Addr: 192.168.2.255 (192.168.2.255)

User Datagram Protocol, Src Port: router (520), Dst Port: router (520)

Routing Information Protocol

No. Time Source Destination Protocol Info

4 94.516015 192.168.2.1 192.168.2.255 RIPv1 Response

Frame 4 (86 bytes on wire, 86 bytes captured)

Ethernet II, Src: 00:09:5b:3b:02:da, Dst: ff:ff:ff:ff:ff:ff

Internet Protocol, Src Addr: 192.168.2.1 (192.168.2.1), Dst Addr: 192.168.2.255 (192.168.2.255)

User Datagram Protocol, Src Port: router (520), Dst Port: router (520)

Routing Information Protocol

3. Received e-mail back from internet here

No. Time Source Destination Protocol Info

5 126.221199 192.168.2.1 192.168.2.255 RIPv1 Response

Frame 5 (86 bytes on wire, 86 bytes captured)

Ethernet II, Src: 00:09:5b:3b:02:da, Dst: ff:ff:ff:ff:ff:ff

Internet Protocol, Src Addr: 192.168.2.1 (192.168.2.1), Dst Addr: 192.168.2.255 (192.168.2.255)

User Datagram Protocol, Src Port: router (520), Dst Port: router (520)

Routing Information Protocol

No. Time Source Destination Protocol Info

6 158.026310 192.168.2.1 192.168.2.255 RIPv1 Response

Frame 6 (86 bytes on wire, 86 bytes captured)

Ethernet II, Src: 00:09:5b:3b:02:da, Dst: ff:ff:ff:ff:ff:ff

Internet Protocol, Src Addr: 192.168.2.1 (192.168.2.1), Dst Addr: 192.168.2.255 (192.168.2.255)

User Datagram Protocol, Src Port: router (520), Dst Port: router (520)

Routing Information Protocol

Thanks

1.) Please could you post your config again.

2.) The sniffer trace contains RIP traffic that has nothing to do with SMTP.

3.) Configure your PIX with the console instead of the PDM. Connect with HyperTerminal, 9600 8N1.

4.) Can you explain to me how you have configured the NAT on the ADSL router, and have you added the routes that I posted?

sincerely

Patrick
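Point 2 above is the key observation in the trace: every frame is RIP, and not one of them is TCP port 25. As an added example that is not part of the thread, the script below does that triage mechanically on an Ethereal or tshark summary export: it parses the "No. Time Source Destination Protocol Info" lines, picks out port-25 frames, and classifies the trace relative to the mail server's address. The sample traces are constructed (the RIP lines mirror the ones pasted above; the outside address 203.0.113.10 and the SMTP lines are invented for illustration).

```python
# Added example (not from the thread): triage an Ethereal/tshark summary export.
# Answers three questions: is there any port-25 traffic at all, does it head for
# the mail server, and does the server ever answer. Sample traces are constructed.
import re
from collections import Counter

# "No. Time Source Destination Protocol Info"; tshark puts "->" between the addresses.
SUMMARY_RE = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<time>\d+\.\d+)\s+(?P<src>\S+)\s+(?:->\s+)?(?P<dst>\S+)"
    r"\s+(?P<proto>\S+)\s+(?P<info>.*)$"
)
PORTS_RE = re.compile(r"^(\S+)\s*>\s*(\S+)")  # TCP info begins "srcport > dstport"
SMTP_PORTS = {"smtp", "25"}


def parse_summary(text):
    """Yield one dict per frame line; column headers and detail lines are skipped."""
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            yield m.groupdict()


def is_smtp(frame):
    """True for dissected SMTP frames or TCP frames with port 25 on either side."""
    if frame["proto"] == "SMTP":
        return True
    if frame["proto"] != "TCP":
        return False
    m = PORTS_RE.match(frame["info"])
    return bool(m) and bool(SMTP_PORTS & {m.group(1), m.group(2)})


def triage(text, mail_server):
    """Classify a trace relative to the mail server's address.

    verdict is one of:
      no_smtp              only other protocols seen: the upstream device is not
                           forwarding port 25 onto the segment being sniffed
      syn_unanswered       SYNs reach the server address but no SYN/ACK returns:
                           look at the firewall ACL, the routes, or the server
      handshake_ok         the server answered; the problem is above TCP
      smtp_seen_elsewhere  port-25 traffic exists but not to/from this server
    """
    frames = list(parse_summary(text))
    smtp = [f for f in frames if is_smtp(f)]
    syn_in = [f for f in smtp if f["dst"] == mail_server and "[SYN]" in f["info"]]
    synack_out = [f for f in smtp if f["src"] == mail_server and "[SYN, ACK]" in f["info"]]
    if not smtp:
        verdict = "no_smtp"
    elif synack_out:
        verdict = "handshake_ok"
    elif syn_in:
        verdict = "syn_unanswered"
    else:
        verdict = "smtp_seen_elsewhere"
    return {
        "frames": len(frames),
        "protocols": dict(Counter(f["proto"] for f in frames)),
        "smtp_frames": len(smtp),
        "syn_to_server": len(syn_in),
        "synack_from_server": len(synack_out),
        "verdict": verdict,
    }


# Constructed sample 1: a trace like the one posted above, RIP only.
RIP_ONLY = """\
No.     Time        Source          Destination     Protocol Info
1 0.000000 192.168.2.1 192.168.2.255 RIPv1 Response
2 31.405111 192.168.2.1 192.168.2.255 RIPv1 Response
"""

# Constructed sample 2: SYNs from a made-up outside host reach the mail server, nothing returns.
SYN_ONLY = RIP_ONLY + """\
3 40.100000 203.0.113.10 -> 192.168.1.2 TCP 40123 > smtp [SYN] Seq=0 Win=65535 Len=0
4 43.100000 203.0.113.10 -> 192.168.1.2 TCP 40123 > smtp [SYN] Seq=0 Win=65535 Len=0
"""

# Constructed sample 3: the handshake completes and a 220 banner is seen.
HANDSHAKE = SYN_ONLY + """\
5 43.100500 192.168.1.2 -> 203.0.113.10 TCP smtp > 40123 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0
6 43.101000 203.0.113.10 -> 192.168.1.2 TCP 40123 > smtp [ACK] Seq=1 Ack=1 Win=65535 Len=0
7 43.150000 192.168.1.2 -> 203.0.113.10 SMTP Response: 220 mail.example ESMTP
"""

if __name__ == "__main__":
    for name, trace in (("rip_only", RIP_ONLY), ("syn_only", SYN_ONLY), ("handshake", HANDSHAKE)):
        print(name, triage(trace, "192.168.1.2"))
```

Capture on the segment between the ADSL router and the PIX outside interface first: a no_smtp verdict there means the router is not forwarding port 25 at all, while syn_unanswered on the PIX inside segment points at the firewall's ACL or routing rather than at the router.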
