09-09-2004 07:37 AM - edited 03-09-2019 08:44 AM
We have recently started using a 3rd-Party mail filter service that requires us to isolate incoming SMTP to only them. I believe I've done that but when I turn on logging on the PIX I get errors like this:
%PIX-4-106023: Deny tcp src outside:XXX.XXX.XXX.XXX/43249 dst inside:XXX.XXX.XXX.XXX/25 by access-group "102"
This is SMTP traffic trying to come in but as you can see, it's coming in at a port not related to SMTP. Here's the portion of my ACL that deals with this:
access-list 102 permit tcp host XXX.XXX.XXX.XXX host XXX.XXX.XXX.XXX eq smtp
access-list 102 permit tcp host XXX.XXX.XXX.XXX host XXX.XXX.XXX.XXX eq smtp
If I lock it down to eq SMTP from the host, that's when I start getting the Deny errors. It's only when I have it as this that I'm able to receive the mail. Any ideas?
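An added example, not part of the original thread: a small parser for the %PIX-4-106023 message quoted above that splits the source side (address/source port) from the destination side (address/destination port) and counts denied connections to TCP/25 per source. The names `FILTER_HOSTS` and `SAMPLE_LOG`, and the documentation-range addresses in them, are constructed for illustration.

```python
import re
from collections import Counter

# 106023 layout: Deny <proto> src <if>:<ip>/<sport> dst <if>:<ip>/<dport> by access-group "<acl>"
DENY_RE = re.compile(
    r'%PIX-4-106023: Deny (?P<proto>\S+) '
    r'src (?P<src_if>[^:\s]+):(?P<src_ip>[^/\s]+)/(?P<src_port>\d+) '
    r'dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[^/\s]+)/(?P<dst_port>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)

def parse_deny(line):
    """Return the fields of one 106023 deny message, or None for any other line."""
    m = DENY_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    return rec

def summarize_smtp_denies(lines, filter_hosts):
    """Count denied connections to TCP/25 per source; mark sources that should be permitted."""
    counts = Counter()
    for line in lines:
        rec = parse_deny(line)
        if rec and rec["proto"] == "tcp" and rec["dst_port"] == 25:
            counts[rec["src_ip"]] += 1
    return {ip: {"denied": n, "is_filter_host": ip in filter_hosts}
            for ip, n in counts.items()}

# Constructed values: documentation-range addresses, not taken from the thread.
FILTER_HOSTS = {"192.0.2.10"}
SAMPLE_LOG = [
    '%PIX-4-106023: Deny tcp src outside:198.51.100.7/43249 dst inside:203.0.113.25/25 by access-group "102"',
    '%PIX-4-106023: Deny tcp src outside:198.51.100.7/43250 dst inside:203.0.113.25/25 by access-group "102"',
    '%PIX-4-106023: Deny tcp src outside:192.0.2.10/51514 dst inside:203.0.113.25/25 by access-group "102"',
    '%PIX-4-106023: Deny tcp src outside:198.51.100.9/40000 dst inside:203.0.113.25/80 by access-group "102"',
    'unrelated line (constructed)',
]

if __name__ == "__main__":
    for ip, info in summarize_smtp_denies(SAMPLE_LOG, FILTER_HOSTS).items():
        note = "filter host, check its permit entry" if info["is_filter_host"] else "not a filter host"
        print(f"{ip}: {info['denied']} denied to tcp/25 ({note})")
```

A deny from a host in `FILTER_HOSTS` points at a permit entry that does not match it; denies from other sources are what an ACL restricted to the filter service produces.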
09-09-2004 07:49 AM
You have your ACL but what about the static translation rule for your outside host i.e.
static (inside,outside) tcp
When changing either statics or ACLs, remember to issue clear xlate and save with write mem.
Jay
09-09-2004 07:53 AM
Oh yeah. I forgot to put that in my original text. I have that line as well but not locked down to smtp as we also have web access to this server. Can I put that line in without hosing the www access?