not able to send mail through pix 506e firewall

  • not able to send mail through pix 506e firewall

    Hi
    I am Hemant. We have a PIX 506e firewall, a D-Link ADSL DSL-502T and my IBM xSeries 236 server.
    I have a fixed static live IP, 59.181.103.220, which I got from the ISP.
    loyalindia.co.in is my domain; the MX record for it is mail.loyalindia.co.in, which points to 59.181.103.220.

    My network design is as follows:
    ADSL (WAN)59.181.103.220
    ADSL (LAN)59.181.103.221
    Pix 506e (out) 59.181.103.222
    Pix 506e (in) 192.168.1.1
    My domain mail server loyalindia.co.in (Exchange server) ip 192.168.1.2

    My problem is that I am not able to send mail (with the Exchange server, loyalindia.co.in) through the PIX 506e firewall, but I am receiving mail from any server.

    I have tried with (ADSL) NATting and without NATting, but the problem is the same.
    If I remove the PIX 506e and connect the server directly to the ADSL, I am able to receive and send mail properly.

    My config is as follows:
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password oH2xz4N6pxtBHe8N encrypted
    passwd 2KFQnbNIdI encrypted
    hostname loyal
    domain-name loyalfire.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 59.181.103.221 adsl
    name 192.168.1.2 mail
    access-list smtp_in permit tcp any interface outside eq smtp
    access-list smtp_in permit tcp any host 59.181.103.222 eq smtp
    access-list out_in permit tcp any interface outside eq smtp
    pager lines 24
    logging on
    logging timestamp
    logging monitor warnings
    logging buffered warnings
    logging trap warnings
    mtu outside 1500
    mtu inside 1500
    ip address outside 59.181.103.222 255.255.255.0
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location mail 255.255.255.255 inside
    pdm location adsl 255.255.255.255 outside
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface smtp mail smtp netmask 255.255.255.255 0 0
    access-group out_in in interface outside
    route outside 0.0.0.0 0.0.0.0 adsl 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http mail 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80
    Cryptochecksum:496f7c38801fe5cffecbc0ba6381a49d
    : end

    Support me?
    Last edited by hemanttandel; 13th March 2007, 14:16.

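Before the replies, a worked model of what the posted config actually does to the two flows in question. This is example code added for this page, not anything from the original post or from Cisco; it implements only the PIX 6.3 rules I am confident of: an ACL bound with access-group is authoritative and ends in an implicit deny; with no ACL bound, traffic from a higher security level to a lower one passes and the reverse direction is dropped; an inbound flow needs a static for its destination; an outbound flow uses a port static only when its source port matches, and otherwise the nat/global PAT. The config lines are copied verbatim from the post. The remote address 203.0.113.10, the source ports, and the in_out ACL in the third case are constructed for the example, and the model covers the PIX only, not the D-Link ADSL router in front of it.

```python
import ipaddress

# Constructed input: the policy-relevant lines of the running-config posted above, copied
# verbatim. Nothing else in that config changes the decision for the flows modelled here.
PIX_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
name 59.181.103.221 adsl
name 192.168.1.2 mail
access-list out_in permit tcp any interface outside eq smtp
ip address outside 59.181.103.222 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp mail smtp netmask 255.255.255.255 0 0
access-group out_in in interface outside
"""
PORTS = {"smtp": 25, "http": 80}   # the only service names this model needs to know
port_number = lambda tok: PORTS[tok] if tok in PORTS else int(tok)

def parse_pix(text):
    """Collect the parts of a PIX 6.3 config that decide whether a TCP flow passes."""
    cfg = {"sec": {}, "addr": {}, "names": {}, "acl": {}, "group": {},
           "global": {}, "nat": [], "static": []}
    for t in (line.split() for line in text.splitlines() if line.strip()):
        if t[0] == "nameif":                       # nameif <hw> <name> security<N>
            cfg["sec"][t[2]] = int(t[3][len("security"):])
        elif t[0] == "name":                       # name <ip> <alias>
            cfg["names"][t[2]] = t[1]
        elif t[:2] == ["ip", "address"]:           # ip address <if> <ip> <mask>
            cfg["addr"][t[2]] = t[3]
        elif t[0] == "access-list":                # access-list <name> <entry...>
            cfg["acl"].setdefault(t[1], []).append(t[2:])
        elif t[0] == "access-group":               # access-group <acl> in interface <if>
            cfg["group"][t[4]] = t[1]
        elif t[0] == "global":                     # global (<if>) <id> interface|<ip>
            cfg["global"][(t[1].strip("()"), t[2])] = t[3]
        elif t[0] == "nat":                        # nat (<if>) <id> <ip> <mask> ...
            cfg["nat"].append((t[1].strip("()"), t[2], t[3], t[4]))
        elif t[0] == "static" and t[2] == "tcp":   # static (real,mapped) tcp <mip> <mport> <rip> <rport>
            real_if, map_if = t[1].strip("()").split(",")
            cfg["static"].append((real_if, map_if, t[3], t[4], t[5], t[6]))
    return cfg

def resolve(cfg, tok, iface=None):
    """Literal IP for an address token; 'interface' means that interface's own address."""
    return cfg["addr"][iface] if tok == "interface" else cfg["names"].get(tok, tok)

def _addr_spec(cfg, e, i):
    """Consume one ACL address spec starting at e[i]; return (matcher, next index)."""
    if e[i] == "any":
        return (lambda ip: True), i + 1
    if e[i] in ("host", "interface"):
        target = cfg["addr"][e[i + 1]] if e[i] == "interface" else resolve(cfg, e[i + 1])
        return (lambda ip: ip == target), i + 2
    net = ipaddress.ip_network(f"{resolve(cfg, e[i])}/{e[i + 1]}", strict=False)
    return (lambda ip: ipaddress.ip_address(ip) in net), i + 2

def acl_permits(cfg, name, src, dst, dport):
    for e in cfg["acl"][name]:                     # e = [permit|deny, tcp, <src>, <dst>, eq <port>]
        m_src, i = _addr_spec(cfg, e, 2)
        m_dst, i = _addr_spec(cfg, e, i)
        port_ok = not (i < len(e) and e[i] == "eq") or dport == port_number(e[i + 1])
        if m_src(src) and m_dst(dst) and port_ok:
            return e[0] == "permit"                # first match wins
    return False                                   # implicit deny at the end of every ACL

def evaluate(cfg, in_if, out_if, src, sport, dst, dport):
    """Decide a TCP flow arriving on in_if; return (allowed, reason, translated 4-tuple)."""
    # Access control: a bound ACL is authoritative; with none, higher-to-lower security passes.
    acl = cfg["group"].get(in_if)
    if acl is not None:
        if not acl_permits(cfg, acl, src, dst, dport):
            return False, f"denied by access-list {acl} on {in_if}", None
        why = f"permitted by access-list {acl}"
    elif cfg["sec"][in_if] > cfg["sec"][out_if]:
        why = f"no ACL on {in_if}; higher to lower security passes by default"
    else:
        return False, f"no ACL on {in_if} and it is the lower-security side", None
    # Translation: a port static applies only when the real host's port matches; else nat/global.
    for real_if, map_if, m_ip, m_port, r_ip, r_port in cfg["static"]:
        m = (resolve(cfg, m_ip, map_if), port_number(m_port))
        r = (resolve(cfg, r_ip, real_if), port_number(r_port))
        if (in_if, out_if) == (map_if, real_if) and (dst, dport) == m:
            return True, why + "; static maps destination to real host", (src, sport) + r
        if (in_if, out_if) == (real_if, map_if) and (src, sport) == r:
            return True, why + "; static maps source", m + (dst, dport)
    for nat_if, pool, ip, mask in cfg["nat"]:
        if nat_if == in_if and (out_if, pool) in cfg["global"] and \
                ipaddress.ip_address(src) in ipaddress.ip_network(f"{ip}/{mask}", strict=False):
            g = resolve(cfg, cfg["global"][(out_if, pool)], out_if)
            return True, why + f"; PAT to global pool {pool}", (g, "ephemeral", dst, dport)
    return False, why + "; but no translation covers this flow", None

def check_posted_config():
    """The two flows from the post, plus the same outbound flow once an ACL is bound to inside."""
    cfg = parse_pix(PIX_CONFIG)
    # Hypothetical addition: an inside ACL that only permits HTTP silently kills outbound SMTP.
    with_inside_acl = parse_pix(PIX_CONFIG + "access-list in_out permit tcp any any eq http\n"
                                             "access-group in_out in interface inside\n")
    return {   # 203.0.113.10 is a constructed remote mail server
        "inbound": evaluate(cfg, "outside", "inside", "203.0.113.10", 40000, "59.181.103.222", 25),
        "outbound": evaluate(cfg, "inside", "outside", "192.168.1.2", 40001, "203.0.113.10", 25),
        "outbound_with_inside_acl": evaluate(with_inside_acl, "inside", "outside", "192.168.1.2", 40001, "203.0.113.10", 25),
    }
```

Calling check_posted_config() gives PASS for the first two flows: inbound SMTP to 59.181.103.222:25 is permitted by out_in and untranslated to mail, and Exchange's outbound connections leave with no ACL in the way, PATed to 59.181.103.222 via global pool 1 (the port static does not apply to them because their source port is ephemeral, not 25). The third case is the caveat worth knowing before touching ACLs: the moment any access-group is bound to inside, outbound SMTP must be explicitly permitted in that list or it is dropped. If the PIX is passing the SYN as this model says, the next things to check are `show xlate` and `show conn` on the PIX (is a connection from mail to the remote port 25 being built?) and how the ADSL router forwards traffic sourced from 59.181.103.222.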
  • #2
    Re: not able to send mail through pix 506e firewall

    Hi hemanttandel,

    Thanks for your question.

    I moved it to its own topic because it was posted on another thread that was unrelated.

    So you have a single ACL in the INbound direction:
    access-list out_in permit tcp any interface outside eq smtp

    This allows your mail to come in.

    What about an OUTbound ACL? It isn't enough to have a NAT only. You also need an ACL outbound.

    Perhaps something like this would do it:

    access-list OUTBOUND permit tcp any any eq smtp
    access-group OUTBOUND out interface outside

    Let me know if that helps. Do you use this connection for other types of traffic besides email? Was that traffic working?

    Thanks,
    David Davis - Petri Forums Moderator & Video Training Author
    Train Signal - The Global Leader in IT Video Training
    TrainSignalTraining.com - Free IT Training Products
    Personal Websites: HappyRouter.com & VMwareVideos.com
