BICOAKRON
No incoming email when switching from BorderManager to PIX

Ok, hope the community can help. Current working setup has 2 NICs and uses BorderManager. Have put a PIX 501 in place. Internet is going out the PIX via tracert on client computers. When I go into inetcfg and change next hop to my router, which then dumps stuff off to the PIX, outgoing email still goes out through the GWIA. I never get incoming. It listens on the public IP. PIX points SMTP to both public and private. Any ideas? I can give configs etc. if needed. Funny thing is in one location I have an ASA one-NIC box and it works fine. I don't see any differences.
jmarton2

Re: No incoming email when switching from BorderManager to PIX

On Sat, 07 Feb 2009 21:46:01 +0000, BICOAKRON wrote:

> Ok, hope the community can help. Current working setup has 2 NICs and
> uses BorderManager. Have put a PIX 501 in place. Internet is going out
> PIX via tracert on client computers. When I go into inetcfg and change
> next hop to my router which then dumps stuff off to the PIX outgoing
> email still goes out through the GWIA. I never get incoming. It
> listens on the public IP. PIX points SMTP to both public and private.
> Any ideas, I can give configs etc if needed. Funny thing is in one
> location I have an ASA one NIC box and it works fine. I don't see any
> differences.


Sounds like a possible ACL issue in the PIX. Can you explain your setup
with a few more details? I don't quite understand how you have things
connected. Once you've done that we can give you a better idea as to
where things might be breaking.



--
Joe Marton
Novell Support Forum SysOp
See what GroupWise 8 can do for you.
http://www.novell.com/products/groupwise/

BICOAKRON

Re: No incoming email when switching from BorderManager to PIX

Joe, on the current setup I have one public NIC and one private. My mail filter company points to my public. Filters on the filtcfg side allow only the filter company IPs to hit port 25. I took those out, allowing all IPs to send to port 25. GWIA listens on my private side. Works fine. On the PIX I gave it a new public IP from my pool from AT&T. Send all SMTP to the private and public of the current setup. That is how the firm that sold my PIX set it up. Shouldn't it send to my private, and the public of the PIX take over the public of the NIC on the public side of BorderManager, so I can get rid of Border?
jmarton2

Re: No incoming email when switching from BorderManager to PIX

On Sun, 08 Feb 2009 01:16:01 +0000, BICOAKRON wrote:

> Joe on the current setup I have one public NIC and one private, My mail
> filter company points to my public. Filters on the filtcfg side allow
> only the filter company IPs to hit port 25. I took those out allowing
> all IPs to send to port 25. GWIA listens on my private side. Works
> fine. On the PIX I gave it a new public IP from my pool from AT&T. Send
> all SMTP to the private and public of the current setup. That is how
> the firm that sold my PIX set it up. Shouldn't it send to my private
> and the public of the PIX take over the public of the NIC on the public
> side of BorderManager so I can get rid of Border?


Ok, let me make sure I understand your setup. You have a BorderManager
server with two NICs, one public and one private. That same server runs GWIA,
which is configured to bind exclusively to the private NIC. You've now
disabled all filters on Border as you switch to the PIX. Am I correct in
understanding that the PIX's outside interface is on the same external
network as the public NIC in Border, while the inside interface is on the
same internal network as the private NIC in Border? If that's the case,
then for this to work I'm fairly certain you're going to have to create a
static NAT mapping on the PIX for GWIA or use port address translation.
The BorderManager server could also act as a router, but the PIX won't do
this. That's the main difference here.

If you do a static NAT mapping you'll have to change your MX record
to be the new external NATted IP address. If you do PAT, your MX record
will simply be the IP address of the external interface of the PIX.



--
Joe Marton
Novell Support Forum SysOp
See what GroupWise 8 can do for you.
http://www.novell.com/products/groupwise/

BICOAKRON

Re: No incoming email when switching from BorderManager to PIX

Joe, this is what I am trying to use. I have the public NIC unplugged, filter support turned off, BorderManager stopped, and still no incoming email.
.73 is what the MX record points to; it used to be the IP of the public board on the NetWare box. The .78 is the IP of the DSL modem.

access-list in permit ip any any
access-list in permit tcp host 172.16.112.2 any eq smtp
access-list in permit tcp host xx.xxx.xxx.73 any eq smtp

ip address outside xx.xxx.xxx.73 xxx.xxx.xxx.248
ip address inside 172.16.112.3 255.255.252.0

static (outside,inside) xx.xxx.xxx.73 172.16.112.2 netmask 255.255.255.255 0 0
access-group in in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xxx.xxx.78 1
jmarton2

Re: No incoming email when switching from BorderManager to PIX

On Sun, 08 Feb 2009 12:36:01 +0000, BICOAKRON wrote:

> Joe this is what i am trying to use. I have the public nic unplugged,
> filter support turned off, bordermanager stopped still no incoming
> email.
> .73 is what MX record points to, used to be ip of public board on
> netware box. the .78 is the ip of the dsl modem
>
> access-list in permit ip any any


I hope you don't intend on keeping that line in there. 🙂 Ok to do while
troubleshooting, though, as it basically disables the firewall.

> access-list in permit tcp host 172.16.112.2 any eq smtp
> access-list in permit tcp host xx.xxx.xxx.73 any eq smtp


You don't need the first element there since this is the access list
applied to the outside interface. It would only be needed to allow your
SMTP server to send mail out if you were locking down outbound traffic,
and in that case it would need to be applied to the inside interface.
This is assuming that 172.16.112.2 is the internal IP of the server
running GWIA.

The second element is incorrect, though. You have the source/dest IPs
flip-flopped. To allow inbound SMTP from the Internet, this needs to be
in the ACL applied to the outside interface.

access-list in permit tcp any host x.x.x.73 eq smtp

> ip address outside xx.xxx.xxx.73 xxx.xxx.xxx.248


Ok so you are using the x.x.x.72 subnet on the outside, broadcast is .79,
and the PIX is assigned the first available IP in the subnet of .73.

> ip address inside 172.16.112.3 255.255.252.0


OK.

> static (outside,inside) xx.xxx.xxx.73 172.16.112.2 netmask 255.255.255.255 0 0


I always get confused on the syntax for the static, but it looks to me
like this may be wrong. I *think* it should be

static (inside,outside) x.x.x.73 172.16.112.2 netmask 255.255.255.255

> access-group in in interface outside


Good, you are applying the ACL to the outside interface.

> route outside 0.0.0.0 0.0.0.0 xx.xxx.xxx.78 1


IP of the DSL modem, right? Sounds good.

I think the static mapping may be incorrect and thus causing the
problem. You'll ultimately need to change the ACL as well but as long as
you have a permit ip any any that should be fine. Leave that in, change
the static mapping, and see if that allows you to at least telnet to your
GWIA on port 25 from the outside. Once that's working, make the changes
I recommended to the ACL and of course remove the permit ip any any and
you should be ok.



--
Joe Marton
Novell Support Forum SysOp
See what GroupWise 8 can do for you.
http://www.novell.com/products/groupwise/

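As an added check that is not part of the thread, the small Python lint below applies Joe's three corrections to the PIX fragment that was posted: it flags the "permit ip any any", the SMTP rules on the outside ACL whose source and destination are the wrong way round (or that belong on the inside interface), and the reversed "static". The masked public octets are replaced with the placeholder range 203.0.113.0/24, and the corrected fragment is a constructed version of what Joe suggested, not his own post.

```python
import re

# Constructed sample: the PIX 501 fragment posted in the thread, with the masked
# public octets replaced by the documentation range 203.0.113.0/24 (assumed values).
POSTED_CONFIG = """
access-list in permit ip any any
access-list in permit tcp host 172.16.112.2 any eq smtp
access-list in permit tcp host 203.0.113.73 any eq smtp
ip address outside 203.0.113.73 255.255.255.248
ip address inside 172.16.112.3 255.255.252.0
static (outside,inside) 203.0.113.73 172.16.112.2 netmask 255.255.255.255 0 0
access-group in in interface outside
route outside 0.0.0.0 0.0.0.0 203.0.113.78 1
"""
# The same fragment with the corrections from the thread applied (constructed, not from the thread).
FIXED_CONFIG = """
access-list in permit tcp any host 203.0.113.73 eq smtp
access-group in in interface outside
static (inside,outside) 203.0.113.73 172.16.112.2 netmask 255.255.255.255
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) permit (\S+) (.+?)(?: eq (\S+))?$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)$")
PRIVATE_RE = re.compile(r"^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.)")

def lint_pix(config: str) -> list:
    """Flag the mistakes discussed in the thread: wide-open ACL, misplaced or flipped SMTP rules, reversed static."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    applied = {m.group(1): m.group(2) for m in map(GROUP_RE.match, lines) if m}  # ACL name -> interface
    outside_ip = next((ln.split()[3] for ln in lines if ln.startswith("ip address outside ")), None)
    findings = []
    for ln in lines:
        if m := STATIC_RE.match(ln):
            real_if, mapped_if, mapped_ip, real_ip = m.groups()
            # (inside,outside) publishes an inside host on the outside; the posted order maps the wrong way.
            if real_if == "outside" and mapped_if == "inside" and PRIVATE_RE.match(real_ip):
                findings.append(f"static reversed; use: static (inside,outside) {mapped_ip} {real_ip} netmask 255.255.255.255")
        elif m := ACL_RE.match(ln):
            name, proto, addrs, port = m.groups()
            if proto == "ip" and addrs == "any any":
                findings.append(f"ACL {name}: 'permit ip any any' disables the firewall; remove it once SMTP works")
            elif applied.get(name) == "outside" and port == "smtp" and addrs.startswith("host "):
                src = addrs.split()[1]
                if PRIVATE_RE.match(src):  # outbound rule for an inside host; belongs on the inside ACL, if anywhere
                    findings.append(f"ACL {name}: rule for inside host {src} is an outbound rule and is not needed on the outside interface")
                elif src == outside_ip:  # source and destination the wrong way round for inbound SMTP
                    findings.append(f"ACL {name}: source/destination flipped; use: access-list {name} permit tcp any host {outside_ip} eq smtp")
    return findings
```

Running lint_pix(POSTED_CONFIG) reports all four issues in the order they appear in the fragment, and lint_pix(FIXED_CONFIG) reports none.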