Problem with Exchange server behind PIX firewall

Discussion in 'Cisco' started by Exclusive, Apr 7, 2006.

  1. Exclusive

    Exclusive Guest

    Can anyone help me with my PiX firewall. There is an Exchange server
    192.168.2.11 inside. The outbound emails are blocked and can not reach
    outside! Can anyone figure out where is my mistake in the configuration
    file. I will appreciate any help!

    There is the configuration:
    PIX Version 6.1(1)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password /JFKHFKFK encrypted
    passwd GLggGLGLlkJHG encrypted
    hostname NRP-PIX
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 1720
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    names
    access-list inside_access_out permit tcp any any eq smtp
    access-list inside_access_out permit tcp any any eq www
    access-list inside_access_out permit tcp any any eq 443
    access-list inside_access_out permit tcp any any eq 3389
    access-list inside_access_out permit tcp any any eq domain
    access-list inside_access_out permit udp any any eq domain
    access-list inside_access_out permit tcp any any eq 1776
    access-list inside_access_out permit tcp any any eq ftp
    access-list inside_access_out permit icmp any any echo
    access-list inside_access_out permit tcp any any eq 8080
    access-list inside_access_out permit tcp any any eq 2443
    access-list vpnacl permit ip 192.168.2.0 255.255.255.0 10.1.1.0 255.255.255.0
    pager lines 24
    logging on
    logging trap notifications
    logging history notifications
    logging facility 0
    logging host inside 192.168.2.12
    interface ethernet0 auto
    interface ethernet1 auto
    mtu outside 1500
    mtu inside 1500
    ip address outside 206.158.XYZ.69 255.255.252.0
    ip address inside 192.168.2.2 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool clientpool 10.1.1.10-10.1.1.36
    pdm history enable
    arp timeout 14400
    global (outside) 1 206.158.XYZ.105 netmask 255.255.252.0
    global (outside) 1 206.158.XYZ.104 netmask 255.255.252.0
    nat (inside) 0 access-list vpnacl
    nat (inside) 1 192.168.2.0 255.255.255.0 0 0
    static (inside,outside) 206.158.XYZ.99 192.168.2.11 netmask 255.255.255.255 0 0
    access-group inside_access_out in interface inside
    conduit deny ip any host 81.48.75.223
    conduit permit ip any 141.152.97.32 255.255.255.224
    conduit permit tcp host 206.158.107.99 eq smtp any
    conduit permit tcp host 206.158.107.99 eq www any
    conduit permit tcp host 206.158.107.99 eq domain any
    conduit permit ip host 206.158.107.99 host 141.152.97.35
    route outside 0.0.0.0 0.0.0.0 206.158.XYZ.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ (inside) host 192.168.2.10 secretkey timeout 5
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol tacacs+
    aaa-server mytacacs protocol radius
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    tftp-server inside 192.168.2.10 tftp
    floodguard enable
    sysopt connection permit-ipsec
    no sysopt route dnat
    crypto ipsec transform-set myset esp-des esp-md5-hmac
    crypto dynamic-map dynmap 20 set transform-set myset
    crypto map newmap 20 ipsec-isakmp dynamic dynmap
    crypto map newmap interface outside
    crypto map vpngroup client authentication TACACS+
    isakmp enable outside
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup Isis address-pool clientpool
    vpngroup Isis dns-server 192.168.2.10
    vpngroup Isis wins-server 192.168.2.10
    vpngroup Isis default-domain nrpharma.com
    vpngroup Isis split-tunnel vpnacl
    vpngroup Isis idle-time 1800
    vpngroup Isis password ********
    vpngroup svinzant address-pool clientpool
    vpngroup svinzant dns-server 192.168.2.10
    vpngroup svinzant wins-server 192.168.2.10
    vpngroup svinzant default-domain nrpharma.com
    vpngroup svinzant split-tunnel vpnacl
    vpngroup svinzant idle-time 1800
    vpngroup svinzant password ********
    telnet 192.168.2.0 255.255.255.0 inside
    telnet timeout 10
    ssh timeout 5
     
    Exclusive, Apr 7, 2006
    #1
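    The question above is a policy-evaluation problem: which access-list entry (if any) matches an outbound TCP/25 flow from 192.168.2.11, which translation applies, and whether the SMTP fixup is still in play. The script below is an added example, not the poster's configuration or any Cisco tool; it parses the handful of PIX 6.x statement types that decide that (access-list, access-group, static, fixup) and performs first-match evaluation the way the PIX does. SAMPLE_CONFIG is a constructed excerpt modelled on the thread, with documentation addresses (203.0.113.x, 198.51.100.x) in place of the masked 206.158.XYZ.x ones; the nat/global lines are parsed only far enough to report "global PAT pool" when no static exists.

```python
import ipaddress

# Port keywords the PIX accepts in access-list lines (the subset used in the thread)
PORT_NAMES = {"smtp": 25, "www": 80, "domain": 53, "ftp": 21}

# Constructed excerpt modelled on the poster's config (assumption: not the real
# file).  Documentation addresses stand in for the masked 206.158.XYZ.x ones, and
# only the lines that decide the fate of an outbound flow are kept.
SAMPLE_CONFIG = """\
fixup protocol smtp 25
access-list inside_access_out permit tcp any any eq smtp
access-list inside_access_out permit tcp any any eq www
access-list inside_access_out permit udp any any eq domain
global (outside) 1 203.0.113.105 netmask 255.255.252.0
nat (inside) 1 192.168.2.0 255.255.255.0 0 0
static (inside,outside) 203.0.113.99 192.168.2.11 netmask 255.255.255.255 0 0
access-group inside_access_out in interface inside
"""


def parse_addr(tokens):
    """Consume one address spec (any | host A | A MASK) from tokens, return a network."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)


def parse_config(text):
    """Pull the ACL, access-group, static and fixup state out of a PIX 6.x config."""
    cfg = {"acls": {}, "groups": {}, "statics": {}, "fixups": set()}
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "access-list":
            name, action, proto, rest = tok[1], tok[2], tok[3], tok[4:]
            src = parse_addr(rest)
            dst = parse_addr(rest)
            port = None
            if rest and rest[0] == "eq":
                port = int(rest[1]) if rest[1].isdigit() else PORT_NAMES[rest[1]]
            cfg["acls"].setdefault(name, []).append((action, proto, src, dst, port))
        elif tok[0] == "access-group":
            # access-group NAME in interface IFACE -> bind ACL to interface
            cfg["groups"][tok[4]] = tok[1]
        elif tok[0] == "static":
            # static (in,out) GLOBAL LOCAL ... -> one-to-one translation
            cfg["statics"][tok[3]] = tok[2]
        elif tok[0] == "fixup":
            cfg["fixups"].add(tok[2])
        elif tok[:2] == ["no", "fixup"]:
            cfg["fixups"].discard(tok[3])
    return cfg


def evaluate_outbound(cfg, src_ip, dst_ip, proto, dport, iface="inside"):
    """First-match evaluation of a flow arriving on iface, as the PIX would do it.

    Returns the verdict, the index of the matching ACL entry (None for the
    implicit deny), the translated source address and whether the SMTP fixup
    (which inspects and rewrites the session) is still active.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    acl = cfg["groups"].get(iface)
    verdict, matched = "permit", None   # no ACL bound: high->low security flows pass
    if acl:
        verdict = "deny"                # a bound ACL ends in an implicit deny
        for i, (action, p, s, d, port) in enumerate(cfg["acls"].get(acl, [])):
            if p not in (proto, "ip") or src not in s or dst not in d:
                continue
            if port is not None and port != dport:
                continue
            verdict, matched = action, i
            break
    return {
        "verdict": verdict,
        "rule_index": matched,
        "translated_src": cfg["statics"].get(src_ip, "global PAT pool"),
        "smtp_fixup": "smtp" in cfg["fixups"],
    }


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print(evaluate_outbound(cfg, "192.168.2.11", "198.51.100.25", "tcp", 25))
    print(evaluate_outbound(cfg, "192.168.2.11", "198.51.100.25", "tcp", 3389))
```

    Running it against the constructed excerpt shows the outbound SMTP flow matching entry 0 and leaving with the static's global address, while a port the ACL never names falls to the implicit deny; the same checker run over the real file would tell you whether the ACL, the translation or the fixup is the place to look next.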

  2. Exclusive

    Guest

    in my experience, "fixup protocol 25" is really buggy & tends to screw
    up email.

    try:

    no fixup protocol smtp 25

    and see how exchange behaves.
     
    , Apr 7, 2006
    #2

  3. Exclusive

    chris Guest

    "Exclusive" <> wrote in message
    news:...
    > Can anyone help me with my PiX firewall. There is an Exchange server
    > 192.168.2.11 inside. The outbound emails are blocked and can not reach
    > outside! Can anyone figure out where is my mistake in the configuration
    > file. I will appreciate any help!
    >


    Are you seeing this dropped in the Pix logs? Are there any hits against the
    outbound acl? Is the server trying to use a smart host to relay through or
    is it resolving via DNS?

    Chris.
     
    chris, Apr 7, 2006
    #3
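    Chris's questions (is the PIX logging a drop, and is anything hitting the outbound ACL) are answered from the syslog stream the config already sends to 192.168.2.12. The script below is an added example, not part of the thread or of any Cisco tool: it matches the PIX 6.x access-group deny message (106023) and the TCP connection-built message (302013), formats assumed from the PIX system log message reference, and summarises what happened to traffic from one host to one port. SAMPLE_LOGS is constructed with documentation addresses and illustrates both outcomes; it is not the poster's log.

```python
import re
from collections import Counter

# Constructed sample lines in the PIX 6.x syslog format (assumption: message IDs
# 106023 for ACL denies, 302013/302014 for connection build and teardown).
# Addresses are documentation ranges, not the poster's.
SAMPLE_LOGS = """\
Apr  7 10:01:02 pix %PIX-6-302013: Built outbound TCP connection 1201 for outside:198.51.100.25/25 (198.51.100.25/25) to inside:192.168.2.11/1034 (203.0.113.99/1034)
Apr  7 10:01:09 pix %PIX-4-106023: Deny tcp src inside:192.168.2.11/1035 dst outside:198.51.100.26/25 by access-group "inside_access_out"
Apr  7 10:01:15 pix %PIX-4-106023: Deny tcp src inside:192.168.2.40/2002 dst outside:198.51.100.30/3389 by access-group "inside_access_out"
Apr  7 10:02:20 pix %PIX-6-302014: Teardown TCP connection 1201 for outside:198.51.100.25/25 to inside:192.168.2.11/1034 duration 0:01:18 bytes 4213 TCP FINs
"""

# 106023: a packet dropped by an interface ACL, with the ACL name
DENY_RE = re.compile(
    r'%PIX-\d-106023: Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)
# 302013: a TCP connection was built; the second parenthesised address is the
# translated (NAT) address the outside world sees
BUILT_RE = re.compile(
    r'%PIX-\d-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) '
    r'for (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) \([\d.]+/\d+\) '
    r'to (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) \((?P<xlate>[\d.]+)/\d+\)'
)


def triage(log_text, host, dport):
    """Summarise what the PIX did with traffic from host to destination port dport."""
    denies, built = [], []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m and m["src"] == host and int(m["dport"]) == dport:
            denies.append(m.groupdict())
            continue
        m = BUILT_RE.search(line)
        if m and m["src"] == host and int(m["dport"]) == dport:
            built.append(m.groupdict())
    return {
        "denied": len(denies),
        "built": len(built),
        "deny_by_acl": dict(Counter(d["acl"] for d in denies)),
        "translated_src": sorted({b["xlate"] for b in built}),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOGS, "192.168.2.11", 25))
```

    If the summary shows zero builds and zero denies for the Exchange host on port 25, the PIX never saw the traffic and the problem is upstream of it (the smart-host or DNS question Chris raises); a deny count with an ACL name points at the access-list, and builds with no replies point past the firewall.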
