Trouble with incoming PAT

OverSeer
Level 1

We have recently started using a 3rd-Party mail filter service that requires us to isolate incoming SMTP to only them. I believe I've done that but when I turn on logging on the PIX I get errors like this:

%PIX-4-106023: Deny tcp src outside:XXX.XXX.XXX.XXX/43249 dst inside:XXX.XXX.XXX.XXX/25 by access-group "102"

This is SMTP traffic trying to come in but as you can see, it's coming in at a port not related to SMTP. Here's the portion of my ACL that deals with this:

access-list 102 permit tcp host XXX.XXX.XXX.XXX host XXX.XXX.XXX.XXX eq smtp

access-list 102 permit tcp host XXX.XXX.XXX.XXX host XXX.XXX.XXX.XXX eq smtp

If I lock it down to eq SMTP from the host, that's when I start getting the Deny errors. It's only when I have it as this that I'm able to receive the mail. Any ideas?

2 Replies

jmia
Level 7

You have your ACL but what about the static translation rule for your outside host i.e.

static (inside,outside) tcp smtp smtp netmask 255.255.255.255 0 0

When changing either statics or ACLs, remember to issue clear xlate and save with write mem.

Jay

Oh yeah. I forgot to put that in my original text. I have that line as well but not locked down to smtp as we also have web access to this server. Can I put that line in without hosing the www access?
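
An added example, not part of the thread: a small Python parser for the `%PIX-4-106023` deny message quoted above, which counts denied port 25 connections per source and separates the hosts that were supposed to be permitted from everyone else. The sample log lines, the documentation-range addresses and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the %PIX-4-106023 format quoted in the thread;
# all addresses are documentation-range placeholders.
SAMPLE_LOG = """\
%PIX-4-106023: Deny tcp src outside:198.51.100.7/43249 dst inside:192.0.2.10/25 by access-group "102"
%PIX-4-106023: Deny tcp src outside:198.51.100.7/43250 dst inside:192.0.2.10/25 by access-group "102"
%PIX-4-106023: Deny tcp src outside:203.0.113.44/51812 dst inside:192.0.2.10/25 by access-group "102"
%PIX-4-106023: Deny tcp src outside:203.0.113.44/51900 dst inside:192.0.2.10/80 by access-group "102"
some other syslog line (constructed, ignored by the parser)
"""

# Field order in the message: src interface:address/source-port,
# then dst interface:address/destination-port, then the ACL name.
DENY_RE = re.compile(
    r'%PIX-4-106023: Deny (?P<proto>\S+) '
    r'src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) '
    r'dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)

def parse_denies(text):
    """Return one dict per 106023 deny line; other lines are skipped."""
    denies = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            d = m.groupdict()
            d["src_port"] = int(d["src_port"])
            d["dst_port"] = int(d["dst_port"])
            denies.append(d)
    return denies

def denied_by_source(denies, dst_port, allowed_sources):
    """Count denies to dst_port per source IP, split into sources that
    should have been permitted (expected) and all others (unexpected)."""
    expected, unexpected = Counter(), Counter()
    for d in denies:
        if d["dst_port"] == dst_port:
            bucket = expected if d["src_ip"] in allowed_sources else unexpected
            bucket[d["src_ip"]] += 1
    return expected, unexpected

if __name__ == "__main__":
    denies = parse_denies(SAMPLE_LOG)
    expected, unexpected = denied_by_source(denies, 25, {"198.51.100.7"})
    print("denied but should be permitted:", dict(expected))
    print("denied as intended:", dict(unexpected))
```

Any address that shows up in the first counter is a permitted sender whose traffic the ACL entry is still not matching.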