We have an IP block of x.x.x.0 - x.x.x.15
PIX is set up with the x.x.x.14 address. Mail server set up as x.x.x.8 address. We have OWA, and the line in the PIX that allows this is
access-list acl_out permit tcp any host x.x.x.8 eq https
This also allows for our PocketPC phones to connect to Exchange ActiveSync.
The globals are set up as
global (outside) 1 x.x.x.9-x.x.x.13
global (outside) 1 x.x.x.14
We get errors when sending emails to servers that do not allow emails to be sent without a reverse DNS entry. When I look up the mail server, I get:
Answer:
x.x.x.8 PTR record: mail.company.com.
However, in the SMTP logs of people we can't send to we see this:
3264 00:03:33.748 Got: <EHLO mail.company.com>
3264 00:03:33.779 Event - No PTR record for <x.x.x.14>, rejecting
3264 00:03:33.779 message <554 No SMTP service here>
Now, my question is, do I need to fix something in our router, PIX, or ISP DNS server?
Here is my config. The reason x.x.x.7 is for SMTP is that we run Mailfrontier on there, and all incoming mail goes to that server for spam/fraud/etc. management before being forwarded to the mail server at x.x.x.8
PIX Version 6.3(1)
interface ethernet0 10baset
interface ethernet1 10baset
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxx encrypted
passwd xxxxx encrypted
hostname xxx-pix
domain-name company.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list acl_out deny ip 0.0.0.0 255.0.0.0 any
access-list acl_out deny ip 10.0.0.0 255.0.0.0 any
access-list acl_out deny ip 127.0.0.0 255.0.0.0 any
access-list acl_out deny ip 169.254.0.0 255.255.0.0 any
access-list acl_out deny ip 172.16.0.0 255.240.0.0 any
access-list acl_out deny ip 192.0.2.0 255.255.255.0 any
access-list acl_out deny ip 224.0.0.0 240.0.0.0 any
access-list acl_out deny ip 240.0.0.0 248.0.0.0 any
access-list acl_out deny ip 248.0.0.0 248.0.0.0 any
access-list acl_out deny ip host 255.255.255.255 any
access-list acl_out permit tcp any host x.x.x.5 eq www
access-list acl_out permit tcp any host x.x.x.5 eq citrix-ica
access-list acl_out deny ip host 207.218.200.172 any
access-list acl_out deny ip host 64.83.112.3 any
access-list acl_out permit tcp host 213.35.101.4 any range ftp-data ftp
access-list acl_out deny udp any any eq netbios-ns
access-list acl_out deny tcp any any eq 137
access-list acl_out deny udp any any eq netbios-dgm
access-list acl_out deny tcp any any eq 138
access-list acl_out deny udp any any eq 139
access-list acl_out deny tcp any any eq netbios-ssn
access-list acl_out permit tcp any host x.x.x.5 eq https
access-list acl_out permit tcp any host x.x.x.7 eq smtp
access-list acl_out permit tcp any host x.x.x.8 eq https
access-list acl_out permit tcp any host x.x.x.4 eq www
access-list acl_in deny tcp any any range 137 netbios-ssn
access-list acl_in deny udp any any range netbios-ns 139
access-list acl_in deny icmp any any
access-list acl_in permit ip any any
access-list acl_vpn-asi permit ip 192.168.1.128 255.255.255.128 192.168.11.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list acl_vpn-client permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list acl_in2 permit ip host 192.168.1.127 any
access-list acl_in2 deny tcp any any range 137 netbios-ssn
access-list acl_in2 deny udp any any range netbios-ns 139
access-list acl_in2 deny icmp any any
access-list acl_in2 permit ip any any
pager lines 24
logging on
logging trap warnings
logging host inside 192.168.1.240
logging host inside 192.168.1.248
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.2 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnclient 192.168.2.1-192.168.2.10
ip local pool fmbclient 192.168.200.1-192.168.200.10
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.9-x.x.x.13
global (outside) 1 x.x.x.14
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.5 192.168.1.237 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.6 192.168.1.127 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.7 192.168.1.20 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.8 192.168.1.35 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.4 192.168.1.21 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
rip inside passive version 1
route outside 0.0.0.0 0.0.0.0 x.x.x.1 1
route inside 192.168.2.0 255.255.255.0 192.168.1.250 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
url-server (inside) vendor websense host 192.168.1.22 timeout 5 protocol TCP version 1
filter url http 192.168.1.0 255.255.255.0 0.0.0.0 0.0.0.0
http server enable
snmp-server host outside 12.154.98.144 poll
snmp-server host inside 12.154.98.144
snmp-server location xxxxxxxx
no snmp-server contact
snmp-server community xxx-300
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
isakmp enable outside
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup VPNDialin address-pool xxxclient
vpngroup VPNDialin dns-server 192.168.1.20
vpngroup VPNDialin wins-server 192.168.1.20
vpngroup VPNDialin default-domain company.com
vpngroup VPNDialin split-tunnel acl_vpn-client
vpngroup VPNDialin idle-time 1800
vpngroup VPNDialin password ********
telnet 192.168.1.224 255.255.255.240 outside
telnet 10.1.120.0 255.255.255.0 outside
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.1.224 255.255.255.240 inside
telnet timeout 5
ssh 12.30.175.0 255.255.255.0 outside
ssh timeout 60
console timeout 0
url-block url-mempool 1500
url-block url-size 4
terminal width 80
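The log line above says the remote server saw the connection arrive from x.x.x.14, the single-address PAT fallback in global pool 1, rather than from x.x.x.8, which is the only address in the block with a PTR record. On PIX 6.3 a one-to-one static takes precedence over the dynamic nat/global pool for the host it covers, so whichever host actually opened that SMTP session is one the statics do not cover, and it can egress from any address in the pool. The script below is an added example (not part of the original post or of the PIX software) that reads the static/global/nat lines from a config, works out every outside address a given inside host can source from, and checks each one for forward-confirmed reverse DNS. The x.x.x. prefix is replaced with the documentation range 198.51.100.0/28 so the addresses parse, and the DNS answers are a constructed table standing in for the ISP zone; in practice a network check is used instead of the lookup table.

```python
import ipaddress
import re

# Constructed excerpt of the poster's NAT lines with x.x.x. replaced by a
# documentation prefix. The "nat (inside) 0 access-list 100" exemption line is
# deliberately not modelled; it only covers VPN traffic.
PIX_NAT_CONFIG = """
global (outside) 1 198.51.100.9-198.51.100.13
global (outside) 1 198.51.100.14
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 198.51.100.7 192.168.1.20 netmask 255.255.255.255 0 0
static (inside,outside) 198.51.100.8 192.168.1.35 netmask 255.255.255.255 0 0
"""

# Constructed DNS data: only .8 has a PTR, and it forward-confirms.
PTR_RECORDS = {"198.51.100.8": "mail.company.com."}
A_RECORDS = {"mail.company.com.": "198.51.100.8"}

QUAD = r"(\d+\.\d+\.\d+\.\d+)"
STATIC_RE = re.compile(rf"static \(inside,outside\) {QUAD} {QUAD} netmask 255\.255\.255\.255")
GLOBAL_RE = re.compile(r"global \(outside\) (\d+) (\S+)")
NAT_RE = re.compile(rf"nat \(inside\) (\d+) {QUAD} {QUAD}")


def expand_range(spec):
    """'a-b' -> every address from a to b inclusive; a single address -> [a]."""
    if "-" not in spec:
        return [spec]
    lo, hi = (int(ipaddress.IPv4Address(p)) for p in spec.split("-"))
    return [str(ipaddress.IPv4Address(n)) for n in range(lo, hi + 1)]


def parse_pix_nat(config):
    """Return (statics, pools, nat_rules) from static/global/nat lines.
    statics: inside host -> outside address; pools: pool id -> addresses;
    nat_rules: (pool id, inside network) in the order they appear."""
    statics, pools, nat_rules = {}, {}, []
    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            statics[m.group(2)] = m.group(1)
        elif m := GLOBAL_RE.match(line):
            pools.setdefault(int(m.group(1)), []).extend(expand_range(m.group(2)))
        elif m := NAT_RE.match(line):
            net = ipaddress.IPv4Network(f"{m.group(2)}/{m.group(3)}", strict=False)
            nat_rules.append((int(m.group(1)), net))
    return statics, pools, nat_rules


def egress_addresses(inside_ip, statics, pools, nat_rules):
    """Outside source addresses an inside host can appear from.
    A one-to-one static wins; otherwise the first matching nat rule selects a
    global pool, and the host may use any address in that pool (the last single
    address being the PAT fallback)."""
    if inside_ip in statics:
        return [statics[inside_ip]]
    addr = ipaddress.IPv4Address(inside_ip)
    for pool_id, net in nat_rules:
        if addr in net:
            return list(pools.get(pool_id, []))
    return []


def fcrdns_ok(addr, ptr=PTR_RECORDS, a=A_RECORDS):
    """Forward-confirmed reverse DNS: a PTR exists and its name maps back to addr."""
    name = ptr.get(addr)
    return name is not None and a.get(name) == addr


def audit_mail_sources(inside_hosts, config=PIX_NAT_CONFIG):
    """For each host that may send mail, map every possible egress address to
    whether a receiving server doing a PTR check would accept it."""
    statics, pools, nat_rules = parse_pix_nat(config)
    return {
        host: {out: fcrdns_ok(out) for out in egress_addresses(host, statics, pools, nat_rules)}
        for host in inside_hosts
    }


if __name__ == "__main__":
    # 192.168.1.35 is the Exchange server behind the static; 192.168.1.50 is a
    # constructed example of a host with no static of its own.
    for host, result in audit_mail_sources(["192.168.1.35", "192.168.1.50"]).items():
        bad = [out for out, ok in result.items() if not ok]
        print(f"{host}: egress {sorted(result)}; missing/mismatched PTR on {bad}")
```

Any host that shows up with a non-empty "missing PTR" list is one that will be rejected by receivers that insist on reverse DNS; the fix is either a static (or a dedicated global) that pins the mail-sending host to x.x.x.8, or PTR records from the ISP for every pool address it can use, with the forward A record matching in each case.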