PIX 6.3, SMTP issue. Please help, emergency

armegeden

Distinguished
Apr 17, 2006
7
0
18,510
Was just thrown a new client with a weird setup:

Verizon DSL
|
Westell Router/Switch (set to "bridge" mode), 192.168.1.2
|
PIX (inside: 192.168.1.1 --- outside: pppoe setroute)
|
Switch
|
Windows2k3 Server / Exchange 2003 & Client computers

Clients can browse web fine. Server can browse fine.
Server (Exchange) is receiving email, but unable to send (SMTP queues building up)
They are convinced it's the PIX. The big reason they think it's the PIX is that you can't "telnet mail.testserver.com 25".
You also can't "ping www.google.com" from the inside.

My experience with PIX devices is that they block inbound ICMP unless specifically permitted.
I have the "no fixup protocol smtp 25" configured, so I would think I *should* be able to do the telnet test to other SMTP servers.
I've tried telnetting to numerous mail servers that I know work (it works from other sites). They appear to connect, but I just get a blank CMD box, no welcome text or anything. This makes me think it could be something with the PIX.

The PIX has only 1 ACL and it's very basic. SMTP, RDP, POP, etc. Only applied outbound. NO inbound ACL.

Anyone have any ideas? Please help me out if you have any ideas. In a crunch here.

Thanks!

armegeden
Update:

Just added the following and am now able to PING from the server to internet and get replies.

Also, I *cannot* "telnet mail.testserver.com 25".. just says timed out.
And I am able to telnet to this server from any other computer.


access-list inbound permit icmp any interface outside echo-reply
access-list inbound permit icmp any interface outside source-quench
access-list inbound permit icmp any interface outside unreachable
access-list inbound permit icmp any interface outside time-exceeded

armegeden
I've been at this forever now. This is what I see:

PIX/SITE THAT DOESN'T WORK:
pixfirewall# sh log | grep 1.X.X.X
302013: Built outbound TCP connection 41755 for outside:1.X.X.X/25 (X.X.X.X/25) to inside:192.168.1.20/22241 (162.83.131.158/29705)
302014: Teardown TCP connection 41724 for outside:1.X.X.X/25 to inside:192.168.1.20/22217 duration 0:02:01 bytes 0 SYN Timeout

PIX/SITE THAT DOES WORK:
PFW(config)# sh logg | grep 1.X.X.X
302013: Built outbound TCP connection 46835 for outside:1.X.X.X/25 (X.X.X.X/25) to inside:192.168.1.11/64494 (12.135.43.83/64494)
302014: Teardown TCP connection 46835 for outside:1.X.X.X/25 to inside:192.168.1.11/64494 duration 0:00:03 bytes 126 TCP FINs


So the "302014" entry is my problem. SYN Timeout. Looks like something is preventing the handshake from happening, yet there is nothing in my PIX config that would do that. It's a very basic config. I even have "permit tcp any any eq smtp" in there.

Again, ACL for inbound, no ACL for outbound on the PIX
Please help!
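The two log excerpts in the post above are the decisive evidence, and the thing to pull out of a PIX syslog in this situation is the difference between a 302014 teardown that says "SYN Timeout" with "bytes 0" and one that says "TCP FINs" with a non-zero byte count. The script below is an added example, written for this page and not taken from the poster or from Cisco; it parses 302013/302014 lines, classifies each teardown, and summarises the result per destination port so that "port 25 never completes a handshake while port 80 does" is visible at a glance. The sample lines are constructed, modelled on the ones posted (addresses replaced with RFC 5737 documentation ranges), and the interface names "outside" and "inside" are assumed from the thread.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: PIX 6.3 302013/302014 syslog lines modelled on the ones quoted
# in the thread, addresses replaced with RFC 5737 ranges. Two SMTP attempts to
# different mail hosts time out; an ordinary HTTP session from the same host works.
FAILING_SITE_LOG = """\
302013: Built outbound TCP connection 41755 for outside:198.51.100.25/25 (198.51.100.25/25) to inside:192.168.1.20/22241 (203.0.113.10/29705)
302014: Teardown TCP connection 41755 for outside:198.51.100.25/25 to inside:192.168.1.20/22241 duration 0:02:01 bytes 0 SYN Timeout
302013: Built outbound TCP connection 41760 for outside:198.51.100.26/25 (198.51.100.26/25) to inside:192.168.1.20/22250 (203.0.113.10/29710)
302014: Teardown TCP connection 41760 for outside:198.51.100.26/25 to inside:192.168.1.20/22250 duration 0:02:01 bytes 0 SYN Timeout
302013: Built outbound TCP connection 41790 for outside:198.51.100.80/80 (198.51.100.80/80) to inside:192.168.1.20/3301 (203.0.113.10/3301)
302014: Teardown TCP connection 41790 for outside:198.51.100.80/80 to inside:192.168.1.20/3301 duration 0:00:12 bytes 8410 TCP FINs
"""

# Constructed sample for the site that works: one SMTP session that completes.
WORKING_SITE_LOG = """\
302013: Built outbound TCP connection 46835 for outside:198.51.100.25/25 (198.51.100.25/25) to inside:192.168.1.11/64494 (203.0.113.11/64494)
302014: Teardown TCP connection 46835 for outside:198.51.100.25/25 to inside:192.168.1.11/64494 duration 0:00:03 bytes 126 TCP FINs
"""

# Assumed interface names "outside"/"inside" as in the thread; change for other nameifs.
TEARDOWN_RE = re.compile(
    r"302014: Teardown TCP connection (?P<conn>\d+) for "
    r"outside:(?P<dst>[\d.]+)/(?P<dport>\d+) to inside:(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"duration (?P<dur>\d+:\d{2}:\d{2}) bytes (?P<nbytes>\d+) (?P<reason>.+?)\s*$"
)


@dataclass
class Teardown:
    conn: int
    src: str
    sport: int
    dst: str
    dport: int
    seconds: int
    nbytes: int
    reason: str


def parse_duration(hms):
    """'0:02:01' -> 121 seconds."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_teardowns(text):
    """Extract every 302014 teardown line; 302013 'Built' lines are skipped."""
    out = []
    for line in text.splitlines():
        m = TEARDOWN_RE.search(line)
        if not m:
            continue
        out.append(Teardown(int(m["conn"]), m["src"], int(m["sport"]), m["dst"],
                            int(m["dport"]), parse_duration(m["dur"]),
                            int(m["nbytes"]), m["reason"]))
    return out


def classify(t):
    """One verdict per teardown.

    A 302013 'Built outbound TCP connection' means the outbound SYN passed the
    ACL and the PIX created the connection. A teardown with 'SYN Timeout' and
    0 bytes then means no SYN/ACK ever came back through the PIX before the
    embryonic timer expired (about two minutes in the posted lines): the PIX
    ACL did not drop the SYN, so the loss is on the return path or upstream.
    'TCP FINs' with bytes > 0 is a session that completed normally.
    """
    if t.reason == "SYN Timeout" and t.nbytes == 0:
        return "no-handshake"
    if t.reason == "TCP FINs" and t.nbytes > 0:
        return "completed"
    return "other"


def summarize(teardowns):
    """Map destination port -> Counter of verdicts."""
    out = {}
    for t in teardowns:
        out.setdefault(t.dport, Counter())[classify(t)] += 1
    return out


def suspect_ports(summary):
    """Ports that only ever time out on the handshake and never complete."""
    return sorted(p for p, c in summary.items()
                  if c["no-handshake"] > 0 and c["completed"] == 0)


if __name__ == "__main__":
    for name, log in (("failing site", FAILING_SITE_LOG), ("working site", WORKING_SITE_LOG)):
        s = summarize(parse_teardowns(log))
        print(name, {p: dict(c) for p, c in s.items()}, "suspect ports:", suspect_ports(s))
```

Run against a real `show logging` capture, the per-port summary separates "the PIX is blocking it" (no 302013 line at all, or an ACL deny message) from "the PIX let it out and nothing answered" (302013 followed by a 0-byte SYN Timeout teardown), which is the case the posted lines show.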