
Boarderware Mail Firewall and PIX configuration


We have got two Cisco PIX 525s (PIXA, PIXB (failover)) connected to another two PIXes (PIX1 and PIX2). We have got no administrative control over the other two PIXes (i.e. PIX1, PIX2).

The outside address for us (our company) is an IP address between (PIXA, PIXB) and (PIX1, PIX2), which is 10.1.1.0/24, and in turn PIX1 and PIX2 connect to the outside world (public IP addresses).

I have got two mail firewall devices within our DMZ area (PIXA, PIXB).

First mail firewall (mfa): 192.168.101.3, and second mail firewall (mfb): 192.168.101.5

Our two clustered Exchange mail servers are in the inside area (not DMZ), with clustered IP address 192.168.2.23.

The function of the mail firewall (Boarderware MX200) is: it receives emails from outside and delivers them to Exchange, and the other way around, it receives emails from Exchange and delivers them to outside.

Note: We use the format 192.168.101.x for any IP addresses within the DMZ region.

The configuration on our firewall (PIXA, PIXB) is:

static (inside,dmz) 192.168.101.253 192.168.2.23 255.255.255.255 0 0
static (dmz,outside) 10.1.1.132 192.168.101.3 netmask 255.255.255.255 0 0
access-list dmz permit tcp host 192.168.101.3 host 192.168.101.253 eq smtp
access-list outside permit tcp any host 10.1.1.132 eq smtp
access-list outside permit tcp host 10.1.1.132 host 192.168.2.23 eq smtp    (I do not know why this was there, I guess it is wrong!!!!)

access-group outside in interface outside
access-group dmz in interface dmz

We added a second mail firewall (mfb); we have created a cluster for load balancing with the first mail firewall.

We have created the same rules as for the first mail firewall (mfa), i.e. like below:
static (inside,dmz) 192.168.101.253 192.168.2.23 255.255.255.255 0 0    (this is already there)
static (dmz,outside) 10.1.1.202 192.168.101.5 netmask 255.255.255.255 0 0
access-list dmz permit tcp host 192.168.101.5 host 192.168.101.253 eq smtp
access-list outside permit tcp any host 10.1.1.202 eq smtp

In order to eliminate the sources of the problem, what test should I do?


From outside (through the net), I did this test to the first mail firewall (mfa), which is on the production line:

telnet 213.178.101.3 25    (fake public IP address, which is NATed to the first mail firewall)
220 mfa.exfw.in ESMTP
helo mfa
250 mfa.exfw.in
mail from: nicename@us.com
250 Ok
rcpt to: a.peter@exfw.in
250 Ok
data
354 End data with <CR><LF>.<CR><LF>
test message
.
Quit
.
Quit
250 Ok: queued as 86946A7AMD

But I failed when I tried to do the same test on the second mail firewall (mfb).

Reply to zillah
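As an added example (not from the thread, not BoarderWare's or Cisco's code), here is a small Python checker for the PIX 6.x lines quoted above. It parses the static and access-list entries, and for each DMZ relay published on the outside interface verifies that both permits the mail path needs exist (outside -> global address eq smtp, and DMZ relay -> the Exchange cluster's DMZ-side static address eq smtp); it also flags outside ACL entries that name an address never translated on the outside interface, which is the case for the entry the poster suspects. The config text is constructed from the thread; the netmask keyword on the inside->dmz static is assumed.

```python
import re
from collections import defaultdict

# Constructed sample: the PIX 6.x lines quoted in the thread (netmask keyword assumed on
# the inside->dmz static), including the outside ACL that names the inside Exchange address.
PIX_CONFIG = """
static (inside,dmz) 192.168.101.253 192.168.2.23 netmask 255.255.255.255 0 0
static (dmz,outside) 10.1.1.132 192.168.101.3 netmask 255.255.255.255 0 0
static (dmz,outside) 10.1.1.202 192.168.101.5 netmask 255.255.255.255 0 0
access-list dmz permit tcp host 192.168.101.3 host 192.168.101.253 eq smtp
access-list dmz permit tcp host 192.168.101.5 host 192.168.101.253 eq smtp
access-list outside permit tcp any host 10.1.1.132 eq smtp
access-list outside permit tcp any host 10.1.1.202 eq smtp
access-list outside permit tcp host 10.1.1.132 host 192.168.2.23 eq smtp
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\w+) permit tcp (any|host \S+) host (\S+) eq smtp$")

def parse(config):
    """Collect static translations and the SMTP permit entries of each named ACL."""
    statics = []              # (inner_if, outer_if, global_ip, local_ip)
    acls = defaultdict(list)  # acl name -> [(src, dst)], src is 'any' or a host IP
    for line in (l.strip() for l in config.splitlines()):
        if m := STATIC_RE.match(line):
            statics.append(m.groups())
        elif m := ACL_RE.match(line):
            acls[m.group(1)].append((m.group(2).replace("host ", ""), m.group(3)))
    return statics, acls

def audit_smtp_path(config, exchange_inside_ip):
    """Findings for every DMZ relay published on 'outside'; an empty list means consistent."""
    statics, acls = parse(config)
    findings = []
    # The Exchange cluster as the DMZ sees it: the global side of the inside->dmz static.
    exchange_dmz = next((g for i, o, g, l in statics
                         if (i, o) == ("inside", "dmz") and l == exchange_inside_ip), None)
    for i, o, glb, loc in statics:
        if (i, o) != ("dmz", "outside"):
            continue
        if not any(s == "any" and d == glb for s, d in acls["outside"]):
            findings.append(f"{loc}: no outside ACL permitting smtp to its global {glb}")
        if not any(s == loc and d == exchange_dmz for s, d in acls["dmz"]):
            findings.append(f"{loc}: no dmz ACL permitting smtp to Exchange at {exchange_dmz}")
    # An ACL applied on outside can only match addresses that exist on the outside side.
    outside_visible = {g for _, o, g, _ in statics if o == "outside"}
    for _, d in acls["outside"]:
        if d not in outside_visible:
            findings.append(f"outside ACL to {d} can never match: not translated on outside")
    return findings
```

Run it against the live configuration (pasted from show running-config) after adding the second relay's static and permits; the relay-level findings correspond to the hit counters Zakkas suggests checking with "show access-list outside".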

For more clarification, please see this diagram from the BoarderWare Mail Firewall documentation:
http://img402.imageshack.us/img402 [...] reazm7.jpg

Reply to zillah

Does your MXtreme mail firewall have a static NAT in your PIX firewall? And if so does the PIX allow SMTP traffic to the MXtreme Mail Firewall?


To me it sounds like an access-list issue or NAT issue. If only one of your servers works when testing smtp via telnet then most likely you have something blocking it (probably access-list related).

Reply to Zakkas

Quote :

Does your MXtreme mail firewall have a static NAT in your PIX firewall?


Yes, as it can be seen in the configuration that I have posted:
static (dmz,outside) 10.1.1.132 192.168.101.3 netmask 255.255.255.255 0 0

Quote :

And if so does the PIX allow SMTP traffic to the MXtreme Mail Firewall?


Yes, as it can be seen in the configuration that I have posted:
access-list outside permit tcp any host 10.1.1.132 eq smtp

Quote :

To me it sounds like an access-list issue or NAT issue.


As you can see, both of them are there.

Quote :

If only one of your servers works


You meant to say MXtreme Mail Firewall instead of servers, didn't you?

Reply to zillah

If you issue "show access-list outside" after trying to telnet to the second mail firewall (to the public IP) do you see any hits taken on the statement permitting anything to 10.1.1.202 for smtp traffic?

Also you need to permit the smtp traffic on the PIX to the public IP address of the second mail firewall.

Reply to Zakkas