PIX firewall 6.3 and SMTP

Hi all,

We just switched to a Cisco PIX firewall 6.3(5), and we cannot receive/send email through our ISP mail server. I have already added this:

access-list acl_grp permit tcp any any
access-group acl_grp in interface outside

to the configuration. In addition, I opened 113 and did "no fixup protocol smtp 25" as well. However, it does not work. We still cannot check mail with a mail client. The ftp and http are working. Any suggestions would be greatly appreciated.

cheers, RL

Reply to
Egghead

Mail clients don't use 113 (ident) or 25 (smtp) to check mail. They use things like 110 (pop3) or 143 (imap4).

But if you are permitting in all tcp and you still cannot get through with a client, then that sounds like a problem with the static translations. Try pushing your logging level up to 6 and seeing exactly what the log messages say.

If the problem were with receiving mail from outside systems, then according to Cisco, that can be caused by not having a working reverse DNS record for the IP. That explanation has never made sense to me -- the PIX doesn't do reverse DNS.

Reply to
Walter Roberson
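Walter's advice is to raise the logging level and read the deny messages. The following is an added example, not code from any poster in this thread, that pulls the two common PIX "Deny" message types out of a syslog capture and keeps only the ones touching mail ports, so that the pattern (ACL deny versus "no connection" deny on the PAT address) is visible without reading every line. The sample log lines are constructed, and the 106023/106015 field layouts are written from memory and should be checked against your own log before you rely on the parser.

```python
import re

# Constructed sample syslog lines (not taken from the thread). The two "Deny"
# message layouts follow the PIX 106023 and 106015 formats as I know them; treat
# the exact field order as an assumption and check it against your own log.
SAMPLE_LOG = """\
%PIX-4-106023: Deny tcp src outside:192.0.2.25/110 dst inside:10.0.0.17/1043 by access-group "acl_grp"
%PIX-6-106015: Deny TCP (no connection) from 192.0.2.25/25 to 203.0.113.2/1044 flags SYN ACK on interface outside
%PIX-6-302013: Built outbound TCP connection 42 for outside:198.51.100.7/80 (198.51.100.7/80) to inside:10.0.0.17/1045 (203.0.113.2/1045)
%PIX-4-106023: Deny tcp src outside:198.51.100.9/443 dst inside:10.0.0.18/1046 by access-group "acl_grp"
"""

# Server-side ports of the protocols a mail client or MTA actually uses.
MAIL_PORTS = {25: "smtp", 110: "pop3", 143: "imap4"}

# 106023: packet denied by an access-list.
ACL_DENY = re.compile(
    r"%PIX-\d-106023: Deny (?P<proto>\w+) src (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group \"(?P<acl>[^\"]+)\""
)
# 106015: TCP packet dropped because no connection entry matches it; this is
# what return traffic to a PAT address looks like when the outbound side never
# built a connection.
NO_CONN_DENY = re.compile(
    r"%PIX-\d-106015: Deny (?P<proto>\w+) \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\w+)"
)


def parse_deny(line):
    """Return a dict describing a denied packet, or None for other messages."""
    m = ACL_DENY.search(line)
    if m:
        d = m.groupdict()
        d["reason"] = "acl:" + d.pop("acl")
    else:
        m = NO_CONN_DENY.search(line)
        if not m:
            return None
        d = m.groupdict()
        d["reason"] = "no-connection"
    d["sport"] = int(d["sport"])
    d["dport"] = int(d["dport"])
    # Whichever end sits on a well-known mail port names the service.
    for port in (d["sport"], d["dport"]):
        if port in MAIL_PORTS:
            d["service"] = MAIL_PORTS[port]
            break
    else:
        d["service"] = None
    return d


def mail_denials(log_text):
    """All denied packets in the log that belong to SMTP, POP3 or IMAP."""
    out = []
    for line in log_text.splitlines():
        d = parse_deny(line)
        if d and d["service"]:
            out.append(d)
    return out


def summarize(log_text):
    """Count mail denials per (service, reason) so the pattern shows at a glance."""
    counts = {}
    for d in mail_denials(log_text):
        key = (d["service"], d["reason"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for d in mail_denials(SAMPLE_LOG):
        print(f'{d["service"]:5} {d["src"]}/{d["sport"]} -> {d["dst"]}/{d["dport"]}  {d["reason"]}')
    print(summarize(SAMPLE_LOG))
```

Run it against a file captured from the syslog host (logging level 6 or higher) instead of SAMPLE_LOG; a run of "no-connection" denies with the ISP server as source and your outside address as destination points at the PAT/connection side, while "acl:" denies point at the access-list.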

Hi here,

You are right; it is the pop3 for checking. Sorry, I mean we cannot check or send email from within the inside. hmmmm, we are using dynamic translation for normal users. Does it mean that we need to have static translations for all of them? That is weird.

Reply to
Egghead

No.

What I believe that Walter means here is that to receive mail from an untrusted source (i.e. outside interface) to a trusted source (e.g. inside interface) you will need to have a static translation and a relevant access-list entry.

For example, something akin to:

static (inside, outside) mapped_address real_address netmask 255.255.255.255

mapped_address = public IP of your e-mail box
real_address = the private IP of the same box

The access-list entry you have is generic. You should be much more specific when allowing access to your e-mail server.

access-list acl_grp permit tcp any host mapped_address eq 25

and so on allowing only the relevant protocols in to the box concerned from the hosts that you want.

Also DNS still could be an issue - NB I am not an expert here. For outbound access, does your e-mail box have valid DNS servers? Can you do an nslookup from this machine? If you can't work out the destination IP, the e-mail won't go out onto the Internet.

Inbound access - does your machine do reverse DNS? You can set this option, I believe, on a number of mail servers and mail filters. If you are receiving e-mail but your machine is trying to validate the sender, it may not accept the e-mail if it can't resolve in the other direction, thus dropping inbound e-mail.

Regards

Darren

Reply to
Darren Green
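Darren's static-plus-specific-ACL advice, written out as a complete PIX 6.3 fragment. This is an added example, not Darren's or Cisco's configuration; the addresses are placeholders (203.0.113.10 stands for the public, mapped address of the mail server and 10.0.0.10 for its private address), and the existing nat/global statements that give ordinary users their PAT are assumed to stay as they are.

```cisco
! Added example with placeholder addresses, not a configuration from the thread.
! 203.0.113.10 = public (mapped) address of the mail server
! 10.0.0.10    = private (real) address of the mail server
! Normal users keep their dynamic PAT via the existing nat/global pair.

! One-to-one static translation for the mail server only
static (inside,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255

! Permit only the mail protocols the server really offers to the Internet.
! Remove the 110/143 lines if clients only read mail from the inside.
access-list acl_grp permit tcp any host 203.0.113.10 eq 25
access-list acl_grp permit tcp any host 203.0.113.10 eq 110
access-list acl_grp permit tcp any host 203.0.113.10 eq 143

! Everything else arriving on the outside interface is implicitly denied
access-group acl_grp in interface outside
```

Compared with the original "permit tcp any any", this lets only the three mail ports reach the one mapped address, and nothing at all reach the PAT address used by ordinary users; return traffic for their outbound sessions is still allowed because it matches an existing connection rather than the access-list.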

Does your normal internet access work okay from the LAN? If so can you connect to the ISP's mail servers from a machine that has working internet access?

telnet pop.server.isp 110

telnet smtp.server.isp 25

Chris

Reply to
chris

Hi all,

Thanks for all the replies.

After checking the monitor log, we found out that the pix denies the traffic from the ISP server to the dynamic translation IP (PAT). We still cannot fix this one yet. However, we found out there is another weird BIG problem with the pix. Will try to fix this one later.

Reply to
Egghead
