Tek-Tips is the largest IT community on the Internet today!

Pix won't pass SMTP traffic

Mar 22, 2002
I have a pix firewall which passes all traffic except SMTP. I believe I have it configured correctly.
Below is my config file.

hostname pix
domain-name protectedvehicles.local
enable password SiMRN9isDr6SJA.Y encrypted
names
name 199.72.176.49 Mail description Mail
name 204.116.77.211 Mail_T1 description Mail T1
name 192.168.100.1 SBS1 description Small Bus Server
name 192.168.100.9 SIPX description Inside SIPX
name 204.116.77.212 SIPX_OUTSIDE description Outside SIPX server
name 192.168.100.5 SRV2 description Server 2
name 192.168.100.0 Inside description PVI LAN
name 207.59.183.220 Outside description Outside World
name 204.116.77.208 Bellsouth_Outside description Bellsouth
name 192.168.120.0 WiFi_LAN description Wireless Network
!
interface Ethernet0
nameif outside
security-level 0
ip address 207.59.183.222 255.255.255.252
!
interface Ethernet0.100
description Bellsouth LAN
vlan 100
nameif Outside_Mail
security-level 0
ip address Mail 255.255.255.240
!
interface Ethernet0.200
vlan 200
nameif Outside204
security-level 0
ip address 204.116.77.210 255.255.255.248
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.100.254 255.255.252.0
!
interface Ethernet1.1
description Wireless Lan gateway
vlan 20
nameif Wifi_LAN
security-level 100
ip address 192.168.120.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name protectedvehicles.local
same-security-traffic permit inter-interface
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any host SRV2 eq smtp
access-list inside_access_in extended permit tcp any host Mail eq smtp
access-list Outside_Mail_access_in extended permit tcp any host Mail eq smtp
pager lines 24
mtu outside 1500
mtu Outside_Mail 1500
mtu inside 1500
mtu Wifi_LAN 1500
mtu Outside204 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp Mail smtp SRV2 smtp netmask 255.255.255.255
static (inside,Outside_Mail) tcp Mail smtp SRV2 smtp netmask 255.255.255.255
static (inside,outside) tcp SRV2 smtp Mail smtp netmask 255.255.255.255
static (outside,inside) tcp SRV2 smtp Mail smtp netmask 255.255.255.255
access-group Outside_Mail_access_in in interface Outside_Mail
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 207.59.183.221 1
route outside 64.104.200.112 255.255.255.255 207.59.183.221 1
route outside 192.168.116.0 255.255.255.128 207.59.183.221 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:fcf4d666ca826e2021c64330bc03c4b4
: end
asdm image flash:/asdm-603.bin
asdm location SBS1 255.255.255.255 inside
asdm location SRV2 255.255.255.255 inside
asdm location SIPX 255.255.255.255 inside
asdm location Mail 255.255.255.255 inside
asdm location Mail_T1 255.255.255.255 inside
asdm location SIPX_OUTSIDE 255.255.255.255 inside
no asdm history enable

Thanks in Advance
 
What is the IP address of your mail server? You have these static statements pointing to the host you set up as Mail:

static (inside,outside) tcp Mail smtp SRV2 smtp netmask 255.255.255.255
static (inside,Outside_Mail) tcp Mail smtp SRV2 smtp netmask 255.255.255.255
static (inside,outside) tcp SRV2 smtp Mail smtp netmask 255.255.255.255
static (outside,inside) tcp SRV2 smtp Mail smtp netmask 255.255.255.255


But you also have an interface set up with that IP address:

interface Ethernet0.100
description Bellsouth LAN
vlan 100
nameif Outside_Mail
security-level 0
ip address Mail 255.255.255.240

Can you tell us the IP of the mail server (internal) and what it should be NATed to, if needed?



 
Sorry about the confusion.

The internal mail server is 192.168.100.5

The external address should be 199.72.176.49
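One way to resolve the conflict the first reply points out, given the addresses just stated (192.168.100.5 inside, 199.72.176.49 outside). This is an added example, not configuration from the thread: it keeps 199.72.176.49 on the Outside_Mail sub-interface and redirects port 25 of that interface address to SRV2 with the `interface` keyword (the static-PAT-to-interface form Cisco documents for port redirection on pre-8.3 images), rewrites the inbound ACL to match the mapped address, and removes the three statics that either map Mail onto the `outside` interface (Mail sits in the Outside_Mail /28, not in outside's /30) or swap the real and mapped sides. Interface names and `name` aliases are the ones in the posted config; choosing the `interface` keyword over giving the sub-interface a second address from the /28, and the test source address in the `packet-tracer` line, are assumptions.

```cisco
! Drop the statics that map Mail on the wrong interface or reverse real/mapped
no static (inside,outside) tcp Mail smtp SRV2 smtp netmask 255.255.255.255
no static (inside,outside) tcp SRV2 smtp Mail smtp netmask 255.255.255.255
no static (outside,inside) tcp SRV2 smtp Mail smtp netmask 255.255.255.255
! Mail is the Outside_Mail interface's own address: redirect port 25 of the
! interface address instead of naming that address as a static global
no static (inside,Outside_Mail) tcp Mail smtp SRV2 smtp netmask 255.255.255.255
static (inside,Outside_Mail) tcp interface smtp SRV2 smtp netmask 255.255.255.255
! On a pre-8.3 image the inbound ACL matches the mapped (global) address,
! which is now the interface address
no access-list Outside_Mail_access_in extended permit tcp any host Mail eq smtp
access-list Outside_Mail_access_in extended permit tcp any interface Outside_Mail eq smtp
access-group Outside_Mail_access_in in interface Outside_Mail
! Check the translation and the policy decision before blaming the mail server
! (198.51.100.10 is an arbitrary test source, assumed here)
show xlate | include 192.168.100.5
packet-tracer input Outside_Mail tcp 198.51.100.10 1025 199.72.176.49 25
```

Two things the posted config already determines, independent of the fix above: the `outside` interface has no access-group, so inbound SMTP is only accepted on Outside_Mail and the MX record must resolve to 199.72.176.49; and outbound mail from SRV2 follows the default route out `outside`, where `nat (inside) 101` and `global (outside) 101 interface` rewrite its source to 207.59.183.222, so the server sends from a different address than it receives on. `inspect esmtp` in global_policy is applied to this traffic as well; if SMTP still stalls once the translation is in place, it is the next thing to test by temporarily removing it from the policy.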
 
Hi guys, didn't want to start a new thread as I have a similar issue with SMTP traffic. Currently I'm working on SMTP flow from DMZ to inside. My shortened config is below. With this config it flows fine from 10.10.10.58 (Edge) to 192.168.1.130 (Hubmail). As soon as I enable nat-control it stops. nat-control is a requirement; it must be enabled. So far I can't figure out how I'm supposed to set up the NAT section to allow SMTP flow again between these 2 hosts.
Thanks in advance.

: Saved
:
PIX Version 8.0(3)
!
hostname FIRE2
names
name 10.10.10.1 fire2-dmz
name 192.168.1.1 fire2-in
name 99.99.99.99 fire2-out
name 10.10.10.58 Edge
name 192.168.1.130 HubMailbox
dns-guard
!
interface Ethernet0
nameif outside
security-level 0
ip address fire2-out 255.255.255.224
!
interface Ethernet1
nameif inside
security-level 100
ip address fire2-in 255.255.255.0
!
interface Ethernet2
nameif DMZ
security-level 50
ip address fire2-dmz 255.255.255.0


!
access-list dmz-in extended permit icmp any any
access-list dmz-in extended permit tcp host Edge host HubMailbox eq smtp
access-list inside_access_in extended permit ip any any


access-group inside_access_in in interface inside control-plane
access-group dmz-in in interface DMZ


timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
console timeout 10
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
i
!
service-policy global_policy global
prompt hostname context
 
Do you currently have any nat statements that you didn't include?

I suggest you take a look at this example for NAT/PAT



If nat-control is enabled and you want traffic to flow from a lower-security interface (DMZ) to a higher-security interface (inside), then you would want to use either policy NAT with nat 0 or a static. The static is much easier to implement.


static (inside,DMZ) 192.168.1.130 192.168.1.130 netmask 255.255.255.255


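The rule behind that reply, as an added model that is not code from the thread or from Cisco: under nat-control the PIX refuses a flow that has no translation, and for a lower-to-higher flow the only translation that can cover the destination is a static (or NAT exemption, `nat 0` with an access-list, which the script below does not parse). The script loads a constructed excerpt of the second poster's config, appends `nat-control` and the suggested identity static, and reports whether the Edge-to-HubMailbox flow has the translation it needs; the `OUTBOUND_PAT` pair used for the reverse direction is an assumption, not something from the thread. ACLs, inspection and routing are outside the model. Note also that `access-group inside_access_in in interface inside control-plane` in the posted config binds the ACL to traffic addressed to the firewall itself, not to through traffic, so it is not involved in this flow either way.

```python
"""Toy model of the PIX 7.x/8.0 (pre-8.3) translation rule behind nat-control.

Added for this thread; not code from the thread or from Cisco.  With
nat-control, a higher-to-lower flow needs a translation for the source
(nat/global pair, nat 0 or static) and a lower-to-higher flow needs a static
whose mapped address covers the destination.  NAT exemption (nat 0 with an
access-list), ACLs, inspection and routing are deliberately left out.
"""
import ipaddress


class PixNatModel:
    def __init__(self):
        self.nat_control = False
        self.names = {}       # 'name' command: symbolic name -> IP string
        self.seclevel = {}    # nameif -> security-level
        self.statics = []     # (real_if, mapped_if, mapped_net, real_net)
        self.nats = []        # (ifname, nat_id, network)
        self.globals = set()  # (ifname, nat_id)

    def _net(self, addr, mask="255.255.255.255"):
        return ipaddress.ip_network(f"{self.names.get(addr, addr)}/{mask}", strict=False)

    def load(self, config):
        cur = None
        for raw in config.splitlines():
            t = raw.split()
            if not t or t[0] in ("!", ":"):
                continue
            if t[0] == "name":
                self.names[t[2]] = t[1]
            elif t[0] == "nameif":
                cur = t[1]
            elif t[0] == "security-level":
                self.seclevel[cur] = int(t[1])
            elif t[0] == "nat-control":
                self.nat_control = True
            elif t[0] == "static":
                real_if, mapped_if = t[1].strip("()").split(",")
                r = t[2:]   # 'tcp mapped port real port' (port static) or 'mapped real'
                mapped, real = (r[1], r[3]) if r[0] in ("tcp", "udp") else (r[0], r[1])
                mask = r[r.index("netmask") + 1] if "netmask" in r else "255.255.255.255"
                self.statics.append((real_if, mapped_if, self._net(mapped, mask), self._net(real, mask)))
            elif t[0] == "nat" and t[3] != "access-list":   # policy NAT not modelled
                self.nats.append((t[1].strip("()"), int(t[2]), self._net(t[3], t[4])))
            elif t[0] == "global":
                self.globals.add((t[1].strip("()"), int(t[2])))

    def translation_ok(self, src_if, src_ip, dst_if, dst_ip):
        """(ok, reason): does the config satisfy nat-control for this flow?"""
        src_ip, dst_ip = self._net(src_ip).network_address, self._net(dst_ip).network_address
        if not self.nat_control:
            return True, "nat-control off: no translation required"
        if self.seclevel[src_if] > self.seclevel[dst_if]:   # outbound (high -> low)
            for real_if, mapped_if, _, rnet in self.statics:
                if (real_if, mapped_if) == (src_if, dst_if) and src_ip in rnet:
                    return True, "source covered by static"
            for ifname, nat_id, net in self.nats:
                if ifname == src_if and src_ip in net and (
                        nat_id == 0 or (dst_if, nat_id) in self.globals):
                    return True, f"source covered by nat ({ifname}) {nat_id}"
            return False, "no nat/global, nat 0 or static for the source"
        for real_if, mapped_if, mnet, _ in self.statics:   # inbound (low -> high)
            if (real_if, mapped_if) == (dst_if, src_if) and dst_ip in mnet:
                return True, "destination covered by static"
        return False, f"no static for the destination on {dst_if}"


# Constructed from the second post's shortened config (outside interface omitted).
DMZ_CONFIG = """\
name 10.10.10.58 Edge
name 192.168.1.130 HubMailbox
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Ethernet2
 nameif DMZ
 security-level 50
 ip address 10.10.10.1 255.255.255.0
"""
# The identity static from the reply, written without the space after the comma.
IDENTITY_STATIC = "static (inside,DMZ) 192.168.1.130 192.168.1.130 netmask 255.255.255.255\n"
# Assumed nat/global pair for the reverse direction (inside -> DMZ); not from the thread.
OUTBOUND_PAT = "nat (inside) 1 192.168.1.0 255.255.255.0\nglobal (DMZ) 1 interface\n"


def check(extra, src_if="DMZ", src="Edge", dst_if="inside", dst="HubMailbox"):
    """Evaluate one flow against DMZ_CONFIG plus extra config lines."""
    pix = PixNatModel()
    pix.load(DMZ_CONFIG + extra)
    return pix.translation_ok(src_if, src, dst_if, dst)


if __name__ == "__main__":
    for extra in ("", "nat-control\n", "nat-control\n" + IDENTITY_STATIC):
        print(f"Edge -> HubMailbox with {extra!r}: {check(extra)}")
    rev = ("inside", "HubMailbox", "DMZ", "Edge")
    print("reverse with static:", check("nat-control\n" + IDENTITY_STATIC, *rev))
    print("reverse with nat/global:", check("nat-control\n" + OUTBOUND_PAT, *rev))
```

The identity static satisfies both directions because statics are bidirectional; the `nat`/`global` pair only covers connections the inside host initiates, which is why the reply calls the static the easier fix. On the real firewall, `packet-tracer input DMZ tcp 10.10.10.58 1025 192.168.1.130 25` gives the authoritative answer, including the ACL and inspection phases the model leaves out.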
 