Thread: No incoming email when switching from BorderManager to PIX

  1. #1
    Join Date
    Mar 2008
    Posts
    42

    No incoming email when switching from BorderManager to PIX

    Ok, hope the community can help. Current working setup has 2 NICs and uses BorderManager. Have put a PIX 501 in place. Internet is going out PIX via tracert on client computers. When I go into inetcfg and change next hop to my router which then dumps stuff off to the PIX outgoing email still goes out through the GWIA. I never get incoming. It listens on the public IP. PIX points smtp to both public and private. Any ideas, I can give configs etc if needed. Funny thing is in one location I have an ASA one nic box and it works fine. I don't see any differences.

  2. #2
    Join Date
    Sep 2007
    Posts
    6,103

    Re: No incoming email when switching from BorderManager to PIX

    On Sat, 07 Feb 2009 21:46:01 +0000, BICOAKRON wrote:

    > Ok, hope the community can help. Current working setup has 2 NICs and
    > uses BorderManager. Have put a PIX 501 in place. Internet is going out
    > PIX via tracert on client computers. When I go into inetcfg and change
    > next hop to my router which then dumps stuff off to the PIX outgoing
    > email still goes out through the GWIA. I never get incoming. It
    > listens on the public IP. PIX points smtp to both public and private.
    > Any ideas, I can give configs etc if needed. Funny thing is in one
    > location I have an ASA one nic box and it works fine. I don't see any
    > differences.


    Sounds like a possible ACL issue in the PIX. Can you explain your setup
    with a few more details? I don't quite understand how you have things
    connected. Once you've done that we can give you a better idea as to
    where things might be breaking.



    --
    Joe Marton
    Novell Support Forum SysOp
    See what GroupWise 8 can do for you.
    http://www.novell.com/products/groupwise/

  3. #3
    Join Date
    Mar 2008
    Posts
    42

    Re: No incoming email when switching from BorderManager to P

    Joe on the current setup I have one public NIC and one private. My mail filter company points to my public. Filters on the filtcfg side allow only the filter company IPs to hit port 25. I took those out allowing all IPs to send to port 25. GWIA listens on my private side. Works fine. On the PIX I gave it a new public IP from my pool from AT&T. Send all smtp to the private and public of the current setup. That is how the firm that sold my PIX set it up. Shouldn't it send to my private and the public of the PIX take over the public of the NIC on the public side of BorderManager so I can get rid of Border?

  4. #4
    Join Date
    Sep 2007
    Posts
    6,103

    Re: No incoming email when switching from BorderManager to PIX

    On Sun, 08 Feb 2009 01:16:01 +0000, BICOAKRON wrote:

    > Joe on the current setup I have one public NIC and one private. My mail
    > filter company points to my public. Filters on the filtcfg side allow
    > only the filter company IPs to hit port 25. I took those out allowing
    > all IPs to send to port 25. GWIA listens on my private side. Works
    > fine. On the PIX I gave it a new public IP from my pool from AT&T. Send
    > all smtp to the private and public of the current setup. That is how
    > the firm that sold my PIX set it up. Shouldn't it send to my private
    > and the public of the PIX take over the public of the NIC on the public
    > side of BorderManager so I can get rid of Border?


    Ok let me make sure I understand your setup. You have a BorderManager
    server with two NICs, one public and one private. That same server runs GWIA
    which is configured to bind exclusively to the private NIC. You've now
    disabled all filters on border as you switch to the PIX. Am I correct in
    understanding that the PIX's outside interface is the same external
    network as the public NIC in border while the inside interface is the
    same internal network as the private NIC in border? If that's the case
    then for this to work I'm fairly certain you're going to have to create a
    static NAT mapping on the PIX for GWIA or use port address translation.
    The BorderManager server could also act as a router but the PIX won't do
    this. That's the main difference here.

    If you do a static NAT mapping you'll have to change your MX record
    to be the new external NATted IP address. If you do PAT your MX record
    will simply be the IP address of the external interface of the PIX.



    --
    Joe Marton
    Novell Support Forum SysOp
    See what GroupWise 8 can do for you.
    http://www.novell.com/products/groupwise/

  5. #5
    Join Date
    Mar 2008
    Posts
    42

    Re: No incoming email when switching from BorderManager to P

    Joe this is what I am trying to use. I have the public NIC unplugged, filter support turned off, BorderManager stopped, still no incoming email.
    .73 is what the MX record points to, used to be the IP of the public board on the NetWare box. The .78 is the IP of the DSL modem.

    access-list in permit ip any any
    access-list in permit tcp host 172.16.112.2 any eq smtp
    access-list in permit tcp host xx.xxx.xxx.73 any eq smtp

    ip address outside xx.xxx.xxx.73 xxx.xxx.xxx.248
    ip address inside 172.16.112.3 255.255.252.0

    static (outside,inside) xx.xxx.xxx.73 172.16.112.2 netmask 255.255.255.255 0 0
    access-group in in interface outside
    route outside 0.0.0.0 0.0.0.0 xx.xxx.xxx.78 1

  6. #6
    Join Date
    Sep 2007
    Posts
    6,103

    Re: No incoming email when switching from BorderManager to PIX

    On Sun, 08 Feb 2009 12:36:01 +0000, BICOAKRON wrote:

    > Joe this is what I am trying to use. I have the public NIC unplugged,
    > filter support turned off, BorderManager stopped, still no incoming
    > email.
    > .73 is what the MX record points to, used to be the IP of the public board on
    > the NetWare box. The .78 is the IP of the DSL modem.
    >
    > access-list in permit ip any any


    I hope you don't intend on keeping that line in there. :-) Ok to do while
    troubleshooting, though, as it basically disables the firewall.

    > access-list in permit tcp host 172.16.112.2 any eq smtp
    > access-list in permit tcp host xx.xxx.xxx.73 any eq smtp


    You don't need the first element there since this is the access list
    applied to the outside interface. It would only be needed to allow your
    SMTP server to send mail out if you were locking down outbound traffic,
    and in that case it would need to be applied to the inside interface.
    This is assuming that 172.16.112.2 is the internal IP of the server
    running GWIA.

    The second element is incorrect, though. You have the source/dest IPs
    flip-flopped. To allow inbound SMTP from the Internet, this needs to be
    in the ACL applied to the outside interface.

    access-list in permit tcp any host x.x.x.73 eq smtp

    > ip address outside xx.xxx.xxx.73 xxx.xxx.xxx.248


    Ok so you are using the x.x.x.72 subnet on the outside, broadcast is .79,
    and the PIX is assigned the first available IP in the subnet of .73.

    > ip address inside 172.16.112.3 255.255.252.0


    ok

    > static (outside,inside) xx.xxx.xxx.73 172.16.112.2 netmask 255.255.255.255 0 0


    I always get confused on the syntax for the static, but it looks to me
    like this may be wrong. I *think* it should be

    static (inside,outside) x.x.x.73 172.16.112.2 netmask 255.255.255.255

    > access-group in in interface outside


    Good, you are applying the ACL to the outside interface.

    > route outside 0.0.0.0 0.0.0.0 xx.xxx.xxx.78 1


    IP of the DSL modem, right? Sounds good.

    I think the static mapping may be incorrect and thus causing the
    problem. You'll ultimately need to change the ACL as well but as long as
    you have a permit ip any any that should be fine. Leave that in, change
    the static mapping, and see if that allows you to at least telnet to your
    GWIA on port 25 from the outside. Once that's working, make the changes
    I recommended to the ACL and of course remove the permit ip any any and
    you should be ok.



    --
    Joe Marton
    Novell Support Forum SysOp
    See what GroupWise 8 can do for you.
    http://www.novell.com/products/groupwise/
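As an added example (not code from the thread, from Novell or from Cisco), a small Python lint that parses the PIX lines posted above and flags the three problems Joe points out: the `permit ip any any`, ACEs on the outside ACL whose source is a local address, and a `static` whose interface pair is reversed. It assumes the PIX 6.x form `static (real_ifc,mapped_ifc) mapped_ip real_ip` and replaces the masked `xx.xxx.xxx.*` addresses with constructed 203.0.113.* documentation addresses.

```python
import ipaddress

# Constructed sample mirroring the posted config; masked addresses replaced with 203.0.113.*
SAMPLE_CONFIG = """\
access-list in permit ip any any
access-list in permit tcp host 172.16.112.2 any eq smtp
access-list in permit tcp host 203.0.113.73 any eq smtp
ip address outside 203.0.113.73 255.255.255.248
ip address inside 172.16.112.3 255.255.252.0
static (outside,inside) 203.0.113.73 172.16.112.2 netmask 255.255.255.255 0 0
access-group in in interface outside
"""

def _addr(t, i):
    # ACE address field: 'any' or 'host X'; returns (value, index of next field)
    return ("any", i + 1) if t[i] == "any" else (t[i + 1], i + 2)

def parse_pix(config):
    ifaces, acls, applied, statics = {}, {}, {}, []
    for t in (line.split() for line in config.splitlines() if line.strip()):
        if t[:2] == ["ip", "address"]:          # ip address <ifc> <ip> <mask>
            ifaces[t[2]] = ipaddress.ip_interface(f"{t[3]}/{t[4]}")
        elif t[0] == "access-list" and t[2] == "permit":
            src, i = _addr(t, 4)
            dst, i = _addr(t, i)
            port = t[i + 1] if i < len(t) and t[i] == "eq" else None
            acls.setdefault(t[1], []).append((t[3], src, dst, port))
        elif t[0] == "access-group":           # access-group <acl> in interface <ifc>
            applied[t[1]] = t[4]
        elif t[0] == "static":                 # static (real_ifc,mapped_ifc) mapped real ...
            statics.append(tuple(t[1].strip("()").split(",")) + (t[2], t[3]))
    return ifaces, acls, applied, statics

def lint_pix(config):
    ifaces, acls, applied, statics = parse_pix(config)
    inside, outside = ifaces["inside"].network, ifaces["outside"].network
    findings = []
    for name in [n for n, ifc in applied.items() if ifc == "outside"]:
        for proto, src, dst, port in acls.get(name, []):
            if proto == "ip" and src == dst == "any":
                findings.append("permit ip any any on outside ACL disables the firewall")
            elif src != "any" and ipaddress.ip_address(src) in inside:
                findings.append(f"inside host {src} as source on outside ACL is unneeded")
            elif src != "any" and ipaddress.ip_address(src) in outside:
                findings.append(f"src/dst flipped; expected: access-list {name} permit {proto} any host {src} eq {port}")
    for real_ifc, _mapped_ifc, mapped, real in statics:
        if real_ifc == "outside" and ipaddress.ip_address(mapped) in outside:
            findings.append(f"static reversed; expected: static (inside,outside) {mapped} {real} netmask 255.255.255.255")
    return findings
```

Running `lint_pix(SAMPLE_CONFIG)` yields four findings whose suggested lines match Joe's corrected ACL and static; the corrected config produces none.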
