PIX / SMTP question - Help?

I recently installed a PIX 506 on our network. Previously had a 3620 + FW IOS doing the firewalling.

Network: Two companies share the same internet conn., but with two different domains - two DC's and multiple clients on each domain. Both servers are SBS and act as mail servers (Exchange) for their respective domains.

I am currently sending and receiving email on both domains from all outside domains, and each sends inside emails fine (client to client within the domain). The problem I have is that I routinely need to forward mail from one of our domains to the other. Since the addition of the PIX I can't do this.

So to beat this dead horse: Company A and Company B use the same firewall. Company A and Company B can both send and receive email from every domain except Company B (for A) and Company A (for B), and it all started with the addition of the PIX.

Any ideas?

Thanks,

Danny

Dblood

Originally intended to put this in comp.dcom.sys.cisco, so I did. Please forgive the cross-post.

Dblood

Dblood wrote on 5 Jan 2006 07:00:32 -0800:

Are both DCs on the same interface on the 506, or separate? I'm a 515 admin myself, I'm not familiar with the 506 variances, but I'll take a stab at this. It sounds like the firewall is blocking connections from one interface to the other. Look at the ACLs and see if you've missed something.

Also check into the "alias" command, in case the issue is to do with IP address resolution - for instance, mail server at A sends to B, which resolves to mail.b.com and is an IP on the outside interface of the PIX (as you're listing the public IP for the mail server in your DNS for lookups). The PIX sees the IP on the outside interface, and drops the packets as this would mean routing back into the PIX - it's a security feature to prevent spoofing. Using the "alias" command you can get the PIX to send the packets to the correct interface and internal IP without having to mess with your DNS server. Alternatively, you could set up DNS records to point to the appropriate internal IPs for each mail host if the DNS servers are being used internally only.

Dan

Spack
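Dan's explanation above, turned into an added check that is not part of the thread: given what nslookup returns to an inside host and to an Internet host, it flags a peer mail host that resolves internally to the PIX outside address (the path the PIX drops) or externally to a private address (which would break inbound mail). All IP addresses, the subnet layout and the hostname mx.example.net are constructed assumptions; only mail.a.com and mail.b.com come from the thread.

```python
import ipaddress

# Constructed sample addresses (RFC 5737 / RFC 1918), not from the thread.
PIX_OUTSIDE_IPS = {ipaddress.ip_address("203.0.113.10"),
                   ipaddress.ip_address("203.0.113.11")}
INSIDE_NETS = [ipaddress.ip_network("192.168.10.0/24"),   # Company A LAN
               ipaddress.ip_network("192.168.20.0/24")]   # Company B LAN
OUR_MAIL_HOSTS = {"mail.a.com", "mail.b.com"}

def is_inside(ip): return any(ip in net for net in INSIDE_NETS)

def check_inside_view(host, answer):
    """Verdict for a DNS answer seen by an inside host. 'hairpin' means the
    answer is the PIX outside address: SMTP from A to B would have to re-enter
    the firewall it just left, which the PIX drops."""
    ip = ipaddress.ip_address(answer)
    if host not in OUR_MAIL_HOSTS:
        return "external"          # someone else's domain, any public IP is fine
    if ip in PIX_OUTSIDE_IPS:
        return "hairpin"
    return "ok" if is_inside(ip) else "unexpected"

def check_outside_view(host, answer):
    """Verdict for a DNS answer seen by an Internet host. Outside senders must
    get the PIX outside address; 'leak' means an inside address is published
    externally, which would break inbound mail from every other domain."""
    ip = ipaddress.ip_address(answer)
    if host not in OUR_MAIL_HOSTS:
        return "external"
    if ip in PIX_OUTSIDE_IPS:
        return "ok"
    return "leak" if is_inside(ip) else "unexpected"

def audit(inside_answers, outside_answers):
    """Run both views and return only the problems as (view, host, verdict)."""
    checks = (("inside", inside_answers, check_inside_view),
              ("outside", outside_answers, check_outside_view))
    return [(view, host, fn(host, ans))
            for view, answers, fn in checks
            for host, ans in answers.items()
            if fn(host, ans) not in ("ok", "external")]

# Constructed snapshots of what nslookup returned before and after the fix.
BEFORE_FIX_INSIDE = {"mail.a.com": "203.0.113.10", "mail.b.com": "203.0.113.11",
                     "mx.example.net": "198.51.100.25"}
AFTER_FIX_INSIDE = {"mail.a.com": "192.168.10.5", "mail.b.com": "192.168.20.5",
                    "mx.example.net": "198.51.100.25"}
OUTSIDE_VIEW = {"mail.a.com": "203.0.113.10", "mail.b.com": "203.0.113.11"}
```

Running `audit(BEFORE_FIX_INSIDE, OUTSIDE_VIEW)` reports both peer mail hosts as hairpins, and the same call with `AFTER_FIX_INSIDE` returns an empty list, which is the state Danny confirmed with nslookup later in the thread.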

Dan,

First, the DC's are on the same interface. Second, I'll take a look at the alias command. I'm not familiar with it at this point. The explanation you gave is what I suspected, but wasn't sure how to fix it within the PIX. I had thought of creating entries in DNS to route the traffic internally to the mail.b.com domains and vice versa for the mail.a.com domain.

Thanks for taking the time to respond. I'll post back the results when I have done my due diligence with the alias command.

Danny

Dblood

OK, so I added the alias commands to the PIX.

Here's the results: When I do an nslookup from either server (or any device on my network) I get the proper inside IP's for mail.a.com and mail.b.com. When I do an nslookup from an outside machine (not on my network) I get the proper outside IP's for mail.a.com and mail.b.com.

Sounds great, but I still am not getting the email to go through as mentioned in my original post. Still get everything but A to B and B to A.

What'd I miss?

Thanks in advance for any help.

Danny

Dblood

Never mind. A little patience was all it took. They flooded in soon after the previous post.

Thanks, Dan, for your help.

Danny

Dblood
Dblood wrote on 5 Jan 2006 09:54:19 -0800:

Glad to hear you got it working.

Dan

Spack

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.