I've just switched from a normal router (with port forwarding) to the Cisco PIX 506E. Everything is configured and working, except sending emails with IMAP. I'm able to receive emails via IMAP, but if I want to send an email to an external address (not within our domain; we are using Exchange Server 2003) I get the error message "550 5.7.1 Unable to relay for snipped-for-privacy@bbbb.cc". If I then disconnect the PIX and connect the router to our LAN, everything works perfectly again and I'm able to send emails to external addresses again. So it doesn't seem to be a problem with Exchange Server (permissions or any other configuration), because it was working for the last year with our old router. I configured the same ports to the same computers in the PIX firewall as I did with the router, but something must be wrong or missing so that it doesn't work completely. Does anyone have any suggestion? I'm new to Cisco and PIX, so maybe I've just done something wrong or missed something.
It's an SMTP problem, not IMAP. Do you use the Exchange SMTP to send mail? I think not, because you have a response from a server (unable to relay), and Exchange must accept sending mail from the LAN (to anywhere).
You just need to configure NAT on the router and a static on the PIX.
Otherwise, what is your configuration? (NAT & static?)
I forgot to mention that it only happens if I try to send from outside. Sure, while I'm within the LAN it works fine via IMAP. But the problem is from outside... and it worked with the normal router. Therefore it has something to do with the PIX.
I did configure NAT and static routes.
Configuration as below.
Peter
CONFIG:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxx encrypted
passwd xxxxxxxxxx encrypted
hostname pix
domain-name lan.xxxxxxxx.xxx
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name x.x.x.106 COMPUTER06
name x.x.x.111 COMPUTER11
name x.x.x.112 COMPUTER12
name x.x.x.101 COMPUTER01
name x.x.x.107 COMPUTER07
name x.x.x.103 COMPUTER03
object-group service SMTP tcp
  port-object eq smtp
object-group network SMTPMAIL
  network-object host COMPUTER12
  network-object host COMPUTER11
  network-object host COMPUTER01
  network-object host COMPUTER06
object-group service CITRIX tcp
  port-object eq citrix-ica
  port-object eq 2598
object-group service CITRIX-UDP udp
  port-object eq 1604
object-group service EXCHANGE tcp
  port-object eq imap4
  port-object eq pop3
  port-object eq www
  port-object eq ident
access-list inside_out permit ip any any
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit tcp any any object-group SMTP
access-list outside_in permit tcp any any object-group CITRIX
access-list outside_in permit udp any any object-group CITRIX-UDP
access-list outside_in permit tcp any any object-group EXCHANGE
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside AAA.BBB.CCC.DDD 255.255.255.248
ip address inside x.x.x.222 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm location COMPUTER11 255.255.255.255 inside
pdm location COMPUTER06 255.255.255.255 inside
pdm location COMPUTER12 255.255.255.255 inside
pdm location COMPUTER01 255.255.255.255 inside
pdm location COMPUTER03 255.255.255.255 inside
pdm location COMPUTER07 255.255.255.255 inside
pdm location x.x.x.0 255.255.255.255 inside
pdm location AAA.BBB.CCC.DDD 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface pop3 COMPUTER01 pop3 netmask
If I have understood, from outside (from your home, for example) you can connect to your IMAP server, so you can read your mail (NAT on the router & static on the PIX seem good), but when you want to send a mail, it refuses (unable to relay).
If that is correct, it's normal, because your Exchange server refuses to send mail from outside (anti-relay).
From outside, you MUST use your ISP's (FAI's) SMTP to send mail. Otherwise you can set up a VPN to use Exchange's SMTP.
I don't understand why it worked with the router... if everybody can connect to your Exchange to send mail, it's a relay :/
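Added example (editor's note, not from any post in this thread): the posted config keeps the PIX 6.3 default "fixup protocol smtp 25", the Mailguard feature, which passes only the seven RFC 821 commands (HELO, MAIL, RCPT, DATA, RSET, NOOP, QUIT) and overwrites any other verb with X characters before it reaches the server. An ESMTP client therefore gets a 500 reply to EHLO, falls back to HELO, never sees the server's AUTH offer and submits unauthenticated. An Exchange 2003 SMTP virtual server with the default relay policy (relay only for authenticated sessions) then answers RCPT TO for a foreign domain with exactly "550 5.7.1 Unable to relay for ...", while mail to the local domain is still accepted, which is consistent with what Peter describes. The Python below models that three-party dialogue with both sides' messages; the Mailguard model follows Cisco's documented behaviour rather than real PIX code, and the server replies, the account peter/s3cret and the domains lan.example and bbbb.cc are constructed for the example.

```python
import base64

# --- the PIX in the middle -------------------------------------------------
MAILGUARD_VERBS = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}

def mailguard(line):
    """Model of PIX 6.x 'fixup protocol smtp 25' (Mailguard): only the seven
    RFC 821 commands pass untouched; any other verb is overwritten with X
    characters, so the server sees an unknown command and answers 500."""
    verb, sep, rest = line.partition(" ")
    if verb.upper() in MAILGUARD_VERBS:
        return line
    return "X" * len(verb) + sep + rest

def no_fixup(line):
    """'no fixup protocol smtp 25': the PIX forwards the stream unchanged."""
    return line

# --- an Exchange-style SMTP server (constructed for the example) ----------
class RelayServer:
    """Accepts mail for its own domain from anyone; relays to other domains
    only after a successful AUTH (the Exchange 2003 default relay policy)."""
    def __init__(self, local_domain, users):
        self.local_domain = local_domain
        self.users = users            # {username: password}, constructed
        self.authenticated = False

    def handle(self, line):
        """Return the reply lines for one client command."""
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":            # ESMTP greeting: advertise AUTH
            return ["250-mail.%s Hello" % self.local_domain,
                    "250 AUTH PLAIN LOGIN"]
        if verb == "HELO":            # plain RFC 821: no extensions offered
            return ["250 mail.%s Hello" % self.local_domain]
        if verb == "AUTH":
            mech, _, blob = arg.partition(" ")
            try:
                parts = base64.b64decode(blob).decode(errors="replace").split("\0")
            except ValueError:        # binascii.Error is a ValueError
                parts = []
            if (mech.upper() == "PLAIN" and len(parts) == 3
                    and self.users.get(parts[1]) == parts[2]):
                self.authenticated = True
                return ["235 2.7.0 Authentication successful"]
            return ["535 5.7.3 Authentication unsuccessful"]
        if verb == "MAIL":
            return ["250 2.1.0 Sender OK"]
        if verb == "RCPT":
            addr = arg.partition(":")[2].strip().strip("<>")
            if self.authenticated or addr.lower().endswith("@" + self.local_domain):
                return ["250 2.1.5 %s" % addr]
            return ["550 5.7.1 Unable to relay for %s" % addr]
        if verb == "QUIT":
            return ["221 2.0.0 Closing connection"]
        return ["500 5.3.3 Unrecognized command"]

# --- an outside ESMTP client (phone, Outlook) -----------------------------
def submit(server, pix, user, password, sender, rcpt):
    """Run one submission through the PIX filter 'pix'. Returns the server's
    final RCPT TO reply (where the relay decision shows) and the transcript."""
    transcript = []

    def send(cmd):
        reply = server.handle(pix(cmd))   # every command crosses the PIX
        transcript.append((cmd, reply))
        return reply

    ehlo = send("EHLO phone.example")
    if not ehlo[-1].startswith("250"):
        send("HELO phone.example")        # ESMTP refused: fall back to RFC 821
    offers_auth = any(ln.startswith("250") and "AUTH" in ln for ln in ehlo)
    if offers_auth:                       # only possible if EHLO got through
        blob = base64.b64encode(("\0%s\0%s" % (user, password)).encode()).decode()
        send("AUTH PLAIN " + blob)        # a real client would stop on 535
    send("MAIL FROM:<%s>" % sender)
    rcpt_reply = send("RCPT TO:<%s>" % rcpt)
    send("QUIT")
    return rcpt_reply[0], transcript

if __name__ == "__main__":
    users = {"peter": "s3cret"}           # constructed account
    for label, pix in (("fixup protocol smtp 25", mailguard),
                       ("no fixup protocol smtp 25", no_fixup)):
        srv = RelayServer("lan.example", users)
        code, log = submit(srv, pix, "peter", "s3cret",
                           "peter@lan.example", "someone@bbbb.cc")
        print("== %s ==" % label)
        for cmd, reply in log:
            print("C: " + cmd)
            for ln in reply:
                print("S: " + ln)
        print("-> %s\n" % code)
```

Run stand-alone it prints both transcripts: with the Mailguard model the EHLO becomes "XXXX phone.example", the client falls back to HELO, no AUTH happens and the foreign RCPT TO ends in the 550; with the pass-through model the AUTH succeeds and the same RCPT TO is accepted. On the PIX the pass-through path corresponds to "no fixup protocol smtp 25"; a static for TCP 25 to the Exchange host, like the pop3 static in the posted config, is needed as well, and the posted config is cut off before any such line, so whether one exists cannot be seen. Turning Mailguard off removes the command filter entirely, so the Exchange server's own "relay only for authenticated clients" setting is then the only thing standing between port 25 and an open relay, and it is worth confirming that setting before opening the port.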
We definitely don't have an open relay. I myself connected via my mobile phone, which doesn't support VPN, but it has a built-in email client which uses IMAP. I had to configure the login information for our network so that I'm able to connect to it, to identify myself and to read my mail. Maybe once I should try to open all ports to the Exchange Server (inside and outside) and see if that works, because I don't want to give up this feature (sending mail).
No problem. The reason why I won't use it is that I have a flat rate (without any extra costs) for mail (receiving and sending) while connected to our LAN. If I sent an email through the FAI/ISP I would have to pay for everything. Since I'm already connected to our Exchange Server while I'm reading my mail, it would be perfect also to send emails through it.
....which is already configured, because otherwise I wouldn't have had the possibility to send in the period our old router was installed. Maybe I'm misunderstanding something.
Okay. I'll leave it this way.
Just another short question: how can I update the PIX from 6.3.1 to the latest version? Do I need to pay for it since I don't have a Cisco account?
Thank you for your suggestions and the time you spent helping me!
You must have a Cisco account... If you have a SmartNet contract, I think you can contact Cisco to download the latest IOS. Be careful, the latest IOS is v7; I'm not sure that the PIX 506 supports version 7...
In article , Peter Schulz wrote:
:Just another short question: how can I update the PIX from 6.3.1 to the
:latest version? Do I need to pay for it since I don't have any Cisco
:account?
You would have to pay if you wanted the absolute latest version that runs on your 506E, namely 6.3(5), which was released 2 weeks ago. However, if 6.3(4) is good enough for your purposes, then search Cisco's site for "pix security advisories", and you will find one that says there are security bugs in previous versions and offers free upgrades.
The quick summary of the free upgrade procedure is: if you bought through a VAR, then ask them for the binary; if they cannot or will not provide it, or if you bought directly from Cisco, then you can contact Cisco and they will make it available to you (you'll need a free CCO login to retrieve it.)
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here.