Two email servers cannot communicate inside a PIX

Discussion in 'Cisco' started by bensonlei@yahoo.com.hk, Dec 14, 2011.

  1. Guest

    Hi,
    I am still using a PIX firewall; please help me fix the following
    scenario:

    1. Two domains with two public IP addresses.
    2. Two mail servers (separate hardware), each holding its own public domain
    and public DNS records, so they can communicate with each other easily if
    nothing special is in the way.
    3. But in my case, these two mail servers are behind a PIX 506E, and I
    have to NAT them for protection and for internal users.
    4. They cannot communicate with each other.

    From the log, I found that from each server, my telnet session just goes
    out and nothing returns. How can I configure the PIX 506E so that it
    lets them communicate with each other?

    Thanks a lot
    Dec 14, 2011
    #1

  2. Scott Lowe Guest

    On 2011-12-14 04:20:04 -0700, said:

    > Hi,
    > I am still using a PIX firewall; please help me fix the following
    > scenario:
    >
    > 1. Two domains with two public IP addresses.
    > 2. Two mail servers (separate hardware), each holding its own public domain
    > and public DNS records, so they can communicate with each other easily if
    > nothing special is in the way.
    > 3. But in my case, these two mail servers are behind a PIX 506E, and I
    > have to NAT them for protection and for internal users.
    > 4. They cannot communicate with each other.
    >
    > From the log, I found that from each server, my telnet session just goes
    > out and nothing returns. How can I configure the PIX 506E so that it
    > lets them communicate with each other?
    >
    > Thanks a lot

    Just a guess here, but have you tried "no fixup smtp"?

    --
    Scott Lowe
    http://blog.scottlowe.org
    Replace fname and lname tokens to create valid e-mail address
    Scott Lowe, Dec 18, 2011
    #2

  3. Guest

    On Dec 19, 4:59 AM, Scott Lowe <> wrote:
    > On 2011-12-14 04:20:04 -0700, said:
    > > Hi,
    > > I am still using a PIX firewall; please help me fix the following
    > > scenario:
    > >
    > > 1. Two domains with two public IP addresses.
    > > 2. Two mail servers (separate hardware), each holding its own public domain
    > > and public DNS records, so they can communicate with each other easily if
    > > nothing special is in the way.
    > > 3. But in my case, these two mail servers are behind a PIX 506E, and I
    > > have to NAT them for protection and for internal users.
    > > 4. They cannot communicate with each other.
    > >
    > > From the log, I found that from each server, my telnet session just goes
    > > out and nothing returns. How can I configure the PIX 506E so that it
    > > lets them communicate with each other?
    > >
    > > Thanks a lot
    >
    > Just a guess here, but have you tried "no fixup smtp"?
    >
    > --
    > Scott Lowe
    > http://blog.scottlowe.org
    > Replace fname and lname tokens to create valid e-mail address

    The "no fixup smtp" was already there before the issue.
    Dec 31, 2011
    #3
  4. Doug McIntyre Guest

    "" <> writes:
    >> > I am still using a PIX firewall; please help me fix the following
    >> > scenario:
    >> >
    >> > 1. Two domains with two public IP addresses.
    >> > 2. Two mail servers (separate hardware), each holding its own public domain
    >> > and public DNS records, so they can communicate with each other easily if
    >> > nothing special is in the way.
    >> > 3. But in my case, these two mail servers are behind a PIX 506E, and I
    >> > have to NAT them for protection and for internal users.
    >> > 4. They cannot communicate with each other.

    You can't really do that with a PIX (one of the things that makes me
    dislike them overall).

    If you have the two SMTP servers on different segments on different
    ports on the PIX (probably doubtful on a 506E?), you may be able to
    'alias' the addressing if your version of code supports it. But the
    traffic has to traverse two ports on the PIX. It can't hairpin back
    out the inside port.

    The suggested solution is to do this with DNS. You'd implement DNS
    views, such that when the query for the DNS hostname comes from an
    internal host on your network, your DNS server returns the internal IP
    address of the SMTP server that you want to communicate with, so that
    the workstation/server then doesn't have to traverse the firewall;
    it talks directly on the inside LAN to the server.

    I suspect nowadays the split view is done more with separate DNS
    servers: the internal one gets configured with local-view addresses
    for your public zones, even if it isn't authoritative for the
    global internet. Then all your local hosts/servers point to the
    internal DNS server, which answers with the local view of the data.

    Then, of course, leave the global view of the DNS to answer with the
    public IP address of the server, so that everybody else communicates
    normally, as they do now.
    Doug McIntyre, Dec 31, 2011
    #4
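The split-view DNS setup Doug describes, written out as a BIND 9 configuration. This is an added example, not configuration from the thread, from Cisco or from anyone on it; the hostnames (mail.example.com, mail.example.net, ns1.example.com), the public addresses (203.0.113.2, 203.0.113.10, 203.0.113.20) and the inside addresses the PIX statically NATs them to (10.0.0.2, 10.0.0.10, 10.0.0.20) are assumed for illustration. Only the example.com zone files are shown; example.net follows the same pattern with its own addresses.

```conf
// named.conf (BIND 9) -- added example, not from the thread.
// Assumed names and addresses:
//   ns1.example.com   public 203.0.113.2   inside 10.0.0.2  (this DNS server)
//   mail.example.com  public 203.0.113.10  inside 10.0.0.10
//   mail.example.net  public 203.0.113.20  inside 10.0.0.20
// The PIX holds the static public<->inside NAT; this configuration makes
// sure inside hosts never need that NAT when talking to each other.

acl "inside-lan" { 10.0.0.0/24; 127.0.0.1; };

// BIND matches views in the order they are written, so the inside view
// must come first: if "external" came first, its "any" would also
// capture inside clients and hand them the public addresses, which
// would send their SMTP sessions back into the PIX (the hairpin case).
view "internal" {
    match-clients { "inside-lan"; };
    recursion yes;            // inside hosts use this server as their resolver
    allow-transfer { none; }; // never let the inside view leave the LAN
    zone "example.com" { type master; file "/etc/bind/internal/db.example.com"; };
    zone "example.net" { type master; file "/etc/bind/internal/db.example.net"; };
};

view "external" {
    match-clients { any; };
    recursion no;             // authoritative only; no open resolver on the public side
    zone "example.com" { type master; file "/etc/bind/external/db.example.com"; };
    zone "example.net" { type master; file "/etc/bind/external/db.example.net"; };
};

; /etc/bind/internal/db.example.com -- the answers inside hosts receive
$TTL 3600
@       IN  SOA   ns1.example.com. hostmaster.example.com. (
                  2011123101 ; serial
                  3600       ; refresh
                  900        ; retry
                  604800     ; expire
                  300 )      ; negative-cache TTL
        IN  NS    ns1.example.com.
        IN  MX    10 mail.example.com.
ns1     IN  A     10.0.0.2
mail    IN  A     10.0.0.10   ; inside address: SMTP stays on the LAN

; /etc/bind/external/db.example.com -- the answers everyone else receives
$TTL 3600
@       IN  SOA   ns1.example.com. hostmaster.example.com. (
                  2011123101 3600 900 604800 300 )
        IN  NS    ns1.example.com.
        IN  MX    10 mail.example.com.
ns1     IN  A     203.0.113.2
mail    IN  A     203.0.113.10 ; public address: the PIX static NAT handles it
```

To check it, resolve the peer from an inside host with `dig @10.0.0.2 mail.example.net A` and confirm the answer is 10.0.0.20; the same query from outside (or `dig @203.0.113.2 ...`) must return 203.0.113.20. Both mail servers themselves have to use 10.0.0.2 as their resolver; a server still pointed at an outside resolver gets the public address and hits the hairpin the PIX cannot do. If, as in the thread, the public zones are already served elsewhere, the second variant Doug mentions applies: run only the internal view on an inside-only DNS server and leave the public servers untouched.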
