Firewall problem with mail servers, PIX515E

Stinn

Hey everyone, this one is really throwing me for a loop; I can't understand what the problem is. Here are the interfaces on the PIX:
Code:
interface Ethernet0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.0 standby 1.1.1.2
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.10.10.10 255.255.255.0 standby 10.10.10.11
!
interface Ethernet2
 speed 100
 duplex full
 nameif neworg
 security-level 99
 ip address 192.168.0.1 255.255.255.0 standby 192.168.0.2 
!
So the org I work for is in an amalgamation and the new org will be going live on Jan 1. So we are making the new organization network off of another interface on the PIX firewall. This way we can build all the servers in a new network without bumping heads with current servers.
So anyway, we have a mail server on the inside for our current org and a mail server on the neworg interface (eth2). Now the inside mail server can send to the neworg mail server because of lower security levels, and I have NATting set up. You can send mail to the neworg from anywhere actually; I've tested Gmail and other outside sources.
The problem is sending email to the inside mail server from the neworg mail server. It just doesn't work. I have no static routes or access-lists for it to get through the firewall to the inside, but I don't think I should need any, as the DNS resolves the external IP of the mail server (1.1.1.5). So it should send the mail, which will go through the PIX out the external interface and then hit the router; the router should send it right back to the PIX, which should then let it through into the inside interface. When I send mail I don't get anything in the logs about it being denied.
Any help would be greatly appreciated.
 
So the router has a route to send anything destined for 1.1.1.x back to the PIX Ethernet0 interface?
 
It's the telco's router. I suppose it must, as the inside mail server receives mail just fine from every other domain in the world.
 
Can you put a switch between the router and the firewalls and treat them as separate networks? You might have to play with the IP ranges on the "old" firewall so they don't overlap with the "new" one; this assumes you've got multiple outside IPs... I don't know... do you have more information on your config? Can you post the firewall configs?
 
Here's the full config:
Code:
: Saved
: Written by enable_15 at 14:32:22.120 UTC Mon Dec 12 2005
!
PIX Version 7.0(4) 
!
hostname fire1
domain-name mydomain.ca
enable password ################# encrypted
names
name 10.10.10.4 webserver
name 10.10.10.5 news
name 10.10.10.3 asp
name 10.10.10.6 asp1_mail
name 10.10.15.10 location_1
name 10.10.10.30 new_webserver
name 192.168.0.4 new_hr
name 192.168.0.5 new_hr_back
name 192.168.0.50 new_mail
!
interface Ethernet0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 1.1.1.157 255.255.255.224 standby 1.1.1.156
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.10.10.254 255.255.248.0 standby 10.10.10.253
!
interface Ethernet2
 speed 100
 duplex full
 nameif neworg
 security-level 99
 ip address 192.168.3.254 255.255.252.0 standby 192.168.3.253
!
interface Ethernet3
 shutdown
 nameif intf3
 security-level 6
 no ip address
!
interface Ethernet4
 shutdown
 nameif intf4
 security-level 8
 no ip address
!
interface Ethernet5
 description STATE Failover Interface
!
passwd ############## encrypted
boot system flash:/pix704.bin
ftp mode passive

object-group service badtcp tcp
 port-object eq 135
 port-object eq netbios-ssn
 port-object eq 445
 port-object eq 4444
 port-object eq 593
 port-object eq 1214
 port-object eq 1285
 port-object eq 1299
 port-object eq 1331
 port-object eq 1337
 port-object eq 3135
 port-object eq 6346
 port-object eq 6347
 port-object eq 6699
 port-object eq 8875
 port-object eq 8888
 port-object eq 5050
object-group service badudp udp
 port-object eq ntp
 port-object eq 995
 port-object eq 996
 port-object eq 997
 port-object eq 998
 port-object eq 999
 port-object eq 8998
object-group service webserverports_tcp tcp
 port-object eq imap4
 port-object eq pop3
 port-object eq smtp
 port-object eq www
 port-object eq ldap
 port-object eq 800
 port-object eq 9010
 port-object eq https
 port-object eq ftp
object-group service webserverports_udp udp
object-group service aspports_tcp tcp
 port-object eq citrix-ica
 port-object eq 3389
 port-object eq www
 port-object eq 800
 port-object eq pptp
 port-object eq https
object-group service aspports_udp udp
 port-object eq 1604
 port-object eq isakmp
object-group service mailports_tcp tcp
 port-object eq www
 port-object eq imap4
 port-object eq pop3
 port-object eq smtp
 port-object eq https
object-group service mailports_udp udp
 port-object eq 443
object-group service newsports_tcp tcp
 port-object eq www
 port-object eq https
 port-object eq ftp
object-group service asp1ports_tcp tcp
 port-object eq www
 port-object eq pptp
object-group service location_1ports_tcp tcp
 port-object eq www
 port-object eq https
 port-object eq smtp
 port-object eq pop3
 port-object eq imap4
 port-object eq ftp
object-group service new_webserver_ports tcp
 port-object eq www
 port-object eq https
 port-object eq ftp
object-group service hr_ports tcp
 port-object eq 3389
object-group service new_mail_ports tcp
 port-object eq www
 port-object eq https
 port-object eq smtp
access-list exttraffic extended permit tcp any host 1.1.1.129 object-group webserverports_tcp 
access-list exttraffic extended permit tcp any host 1.1.1.130 object-group aspports_tcp 
access-list exttraffic extended permit udp any host 1.1.1.130 object-group aspports_udp 
access-list exttraffic extended permit tcp any host 1.1.1.134 object-group mailports_tcp 
access-list exttraffic extended permit udp any host 1.1.1.134 object-group mailports_udp 
access-list exttraffic extended permit tcp any host 1.1.1.136 object-group newsports_tcp 
access-list exttraffic extended permit tcp any host 1.1.1.131 object-group asp1ports_tcp 
access-list exttraffic extended permit tcp any host 1.1.1.138 object-group location_1ports_tcp 
access-list exttraffic extended permit ip any host 1.1.1.130 
access-list exttraffic extended permit gre any host 1.1.1.130 
access-list exttraffic extended permit gre any host 1.1.1.131 
access-list exttraffic extended permit udp any any eq ntp 
access-list exttraffic extended permit tcp any host 1.1.1.137 object-group new_webserver_ports
access-list exttraffic extended permit tcp any host 1.1.1.142 object-group hr_ports
access-list exttraffic extended permit tcp any host 1.1.1.140 object-group new_mail_ports 
access-list badports extended deny tcp any any object-group badtcp 
access-list badports extended deny udp any any object-group badudp 
access-list badports extended permit tcp any any 
access-list badports extended permit udp any any 
access-list badports extended permit gre any any 
pager lines 24
logging enable
logging timestamp
logging trap informational
logging asdm warnings
logging facility 22
logging host inside news
mtu outside 1500
mtu inside 1500
mtu neworg 1500
mtu intf3 1500
mtu intf4 1500
failover
failover link state Ethernet5
failover interface ip state 192.168.50.1 255.255.255.0 standby 192.168.50.2
asdm image flash:/asdm-504.bin
asdm location 10.10.10.222 255.255.255.255 inside
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (neworg) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (neworg) 1 0.0.0.0 0.0.0.0
static (inside,outside) 1.1.1.129 webserver netmask 255.255.255.255 
static (inside,outside) 1.1.1.130 asp netmask 255.255.255.255 
static (inside,outside) 1.1.1.136 news netmask 255.255.255.255 
static (inside,outside) 1.1.1.138 location_1 netmask 255.255.255.255 
static (inside,outside) 1.1.1.137 new_webserver netmask 255.255.255.255 dns 
static (inside,outside) 1.1.1.134 asp1_mail netmask 255.255.255.255 
static (neworg,outside) 1.1.1.142 new_hr netmask 255.255.255.255 dns 
static (neworg,outside) 1.1.1.140 new_mail netmask 255.255.255.255 dns 
access-group exttraffic in interface outside
access-group badports in interface inside
route outside 0.0.0.0 0.0.0.0 1.1.1.158 1
route inside 10.10.10.0 255.255.248.0 10.10.104.13 1
route inside 10.10.96.0 255.255.248.0 10.10.104.12 1
route inside 10.10.88.0 255.255.248.0 10.10.104.11 1
route inside 10.10.80.0 255.255.248.0 10.10.104.10 1
route inside 10.10.72.0 255.255.248.0 10.10.104.9 1
route inside 10.10.64.0 255.255.248.0 10.10.104.8 1
route inside 10.10.56.0 255.255.248.0 10.10.104.7 1
route inside 10.10.48.0 255.255.248.0 10.10.104.6 1
route inside 10.10.40.0 255.255.248.0 10.10.104.5 1
route inside 10.10.32.0 255.255.248.0 10.10.104.4 1
route inside 10.10.24.0 255.255.248.0 10.10.104.3 1
route inside 10.10.16.0 255.255.248.0 10.10.104.2 1
route inside 10.10.8.0 255.255.248.0 10.10.104.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
group-policy test internal
group-policy test attributes
 dns-server value 10.10.10.6 10.10.80.6
 default-domain value mydomain.ca
http server enable
http 10.10.10.222 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
telnet timeout 5
ssh timeout 5
ssh version 1
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect http 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny 
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip 
  inspect xdmcp 
  inspect pptp 
!
service-policy global_policy global
Cryptochecksum:598bcaf4067a0a46e7a30e020991c4e9
: end

It's pretty long and I pulled a lot of object groups out that just wouldn't matter. I'm sure it's a piss poor config, but I can't really start it over from scratch just yet... soon though. Then I can get rid of all the junk that's been sitting around too long.

Axman: I'm not really sure what you mean by putting a switch between the router and the firewall. We don't have old or new firewalls, just one set of PIXes in failover. We have a lot of outside IPs as well.
 
Code:
fire1# show route

S    0.0.0.0 0.0.0.0 [1/0] via 1.1.1.158, outside
C    1.1.1.128 255.255.255.224 is directly connected, outside
S    10.10.8.0 255.255.248.0 [1/0] via 10.10.104.1, inside
S    10.10.16.0 255.255.248.0 [1/0] via 10.10.104.2, inside
S    10.10.24.0 255.255.248.0 [1/0] via 10.10.104.3, inside
S    10.10.32.0 255.255.248.0 [1/0] via 10.10.104.4, inside
S    10.10.40.0 255.255.248.0 [1/0] via 10.10.104.5, inside
S    10.10.48.0 255.255.248.0 [1/0] via 10.10.104.6, inside
S    10.10.56.0 255.255.248.0 [1/0] via 10.10.104.7, inside
S    10.10.64.0 255.255.248.0 [1/0] via 10.10.104.8, inside
S    10.10.72.0 255.255.248.0 [1/0] via 10.10.104.9, inside
S    10.10.80.0 255.255.248.0 [1/0] via 10.10.104.10, inside
S    10.10.88.0 255.255.248.0 [1/0] via 10.10.104.11, inside
S    10.10.96.0 255.255.248.0 [1/0] via 10.10.104.12, inside
C    10.10.104.0 255.255.248.0 is directly connected, inside
S    10.10.10.0 255.255.248.0 [1/0] via 10.10.104.13, inside
C    192.168.0.0 255.255.252.0 is directly connected, neworg
C    192.168.50.0 255.255.255.0 is directly connected, state
 
So it looks like any packet that is destined for 1.1.1.129-159 is not routed to the default gateway (1.1.1.158), as it is considered directly connected.

So a packet coming from neworg destined for 1.1.1.129-159 isn't getting routed outside of the PIX. It is considered directly connected on the external interface. The source should be coming from the 192.168.0.x (new org subnet) going to the mail server on the inside. I don't think packets going from the neworg to another interface on the PIX are going to be NATed.

Have you tried sending something from the neworg to the inside mail server by using the private IP vs. the public? Set up a basic SMTP transfer from the neworg mail to the inside mail server. Set the SMTP server for the mail client to the private IP address of the inside mail vs. the public IP.
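The route lookup UnrealRage is reasoning about, worked through in code. This is an added example and not part of the thread: it parses a subset of the `show route` table Stinn posted (the constructed sample below) in the format the PIX prints, and does the longest-prefix match the firewall does before deciding where to send a packet. For a connected route the PIX ARPs for the destination itself on that segment instead of handing the packet to the default gateway, which is why a neworg host aiming at 1.1.1.134 never reaches the telco router. The parser and the `Route`/`forwarding_decision` names are this example's own, not a PIX API.

```python
"""Longest-prefix route lookup over a PIX 'show route' table (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Route:
    code: str                       # "S" static, "C" directly connected
    network: ipaddress.IPv4Network
    next_hop: Optional[str]         # None for a directly connected network
    interface: str


# Constructed sample: a subset of the 'show route' output posted in the thread.
SHOW_ROUTE = """\
S    0.0.0.0 0.0.0.0 [1/0] via 1.1.1.158, outside
C    1.1.1.128 255.255.255.224 is directly connected, outside
C    10.10.104.0 255.255.248.0 is directly connected, inside
S    10.10.10.0 255.255.248.0 [1/0] via 10.10.104.13, inside
C    192.168.0.0 255.255.252.0 is directly connected, neworg
C    192.168.50.0 255.255.255.0 is directly connected, state
"""


def parse_show_route(text: str) -> List[Route]:
    """Turn PIX 'show route' lines into Route records."""
    routes: List[Route] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        code, net, mask = parts[0], parts[1], parts[2]
        # The PIX prints dotted masks; IPv4Network accepts "net/mask".
        # strict=False because a printed prefix may carry host bits
        # (10.10.10.0 with a /21 mask is really 10.10.8.0/21).
        network = ipaddress.IPv4Network(f"{net}/{mask}", strict=False)
        interface = parts[-1]
        next_hop = None
        if "via" in parts:
            next_hop = parts[parts.index("via") + 1].rstrip(",")
        routes.append(Route(code, network, next_hop, interface))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific network containing dst wins."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: r.network.prefixlen)


def forwarding_decision(routes: List[Route], dst: str) -> Optional[Tuple[str, str]]:
    """Return (egress interface, address the PIX will ARP for).

    A static route yields its next hop; a connected route yields the
    destination itself, so the default gateway is never consulted for it.
    """
    route = lookup(routes, dst)
    if route is None:
        return None
    return (route.interface, route.next_hop or dst)


ROUTES = parse_show_route(SHOW_ROUTE)

if __name__ == "__main__":
    # 1.1.1.134 is the inside mail server's public address (static NAT on the
    # PIX), yet the lookup lands on the connected outside /27, not 1.1.1.158.
    for dst in ("1.1.1.134", "203.0.113.9", "10.10.10.6", "192.168.0.50"):
        print(dst, "->", forwarding_decision(ROUTES, dst))
```

Running it shows 1.1.1.134 selecting the connected `outside` network with the PIX ARPing for 1.1.1.134 directly, while an arbitrary Internet address (203.0.113.9, a documentation-range placeholder) goes out via 1.1.1.158 as expected.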
 
UnrealRage said:
So it looks like any packet that is destined for 1.1.1.129-159 is not routed to the default gateway (1.1.1.158), as it is considered directly connected.
That does sound logical.
So a packet coming from neworg destined for 1.1.1.129-159 isn't getting routed outside of the PIX. It is considered directly connected on the external interface. The source should be coming from the 192.168.0.x (new org subnet) going to the mail server on the inside. I don't think packets going from the neworg to another interface on the PIX are going to be NATed.
As far as I understand they would be NATted when exiting the outside interface, as that's where they are heading.
Have you tried sending something from the neworg to the inside mail server by using the private IP vs. the public? Set up a basic SMTP transfer from the neworg mail to the inside mail server. Set the SMTP server for the mail client to the private IP address of the inside mail vs. the public IP.
The neworg interface has no access to the inside interface because it is a lower security level. To do this I would need to set up some access-lists and some static routes. I tried that already, where I staticed 192.168.3.6 to 10.10.10.6 and set up an access list to allow SMTP traffic through. At that point I could telnet to port 25 of 192.168.3.6 and get a response; however, I still could not send mail to it. I think I need to explore this path again.
 
Do you have anything configured on your mail server that only accepts SMTP from certain IP addresses?
 
UnrealRage said:
Do you have anything configured on your mail server that only accepts SMTP from certain IP addresses?
Nothing that I know of. I don't administrate the Windows servers, and the guy I talked to who does didn't indicate anything like that.
 