06-19-2006 01:33 PM - edited 02-21-2020 12:58 AM
help required
I have set up a test network for practice sending email messages between email servers in different Windows 2000 domains (for the network layout see attachment). What I am trying to achieve is to send messages from a user in the cyote.com domain (fred@cyote.com), who resides behind a PIX 501 firewall, to a user in the acme.com domain (barney@acme.com), who resides behind a PIX 515 firewall. The network has been set up so that Fred's messages to Barney are sent to a DMZ-based front end email server in the acme.com domain and are then proxied to the backend email server where Barney's mailbox is situated, which resides off the inside interface of the 515 firewall. The frontend and backend servers are members of the same Active Directory domain and therefore there should be no problems of messages received at the frontend server being relayed to the backend server.

But the problem I have got is that it does not work. When I send a message from Fred to Barney, Outlook on Fred's computer (xp-1) tells me that the message has been sent but it never arrives at Barney's mailbox. There are no error messages anywhere relating to the sending of messages, so I am not sure whether the problem lies with the 501 firewall not allowing the messages through or with the 515 firewall not allowing the messages through.

Now I have just read that there are issues using Microsoft Exchange (in this case Exchange 2000 with Service Pack 3 applied) in conjunction with Cisco firewalls, but my study guide is not very forthcoming about how to resolve them.

So this is a cry for help. I have been working on this for 2 weeks and have not been able to resolve this problem. Does anybody know what I have to do to the firewalls to get this to work? Any help will be greatly appreciated.

PS: Outlook Web Access through the front end server to Barney's mailbox works fine (if a little slow). The PIX 501 is running IOS 6.3(4) and the 515 is running IOS 7.0(4).

Regards,
Melvyn Brown
06-20-2006 11:39 AM
A simple test to perform would be to telnet from Fred's PC to the IP address of the intermediate box, "telnet x.x.x.x 25". If that allows you through, this portion is good. Move to the next piece of the puzzle.
As previously stated, enter 'no fixup protocol smtp 25' at the PIX.
06-19-2006 03:05 PM
Hello,
I faced this problem a long time ago. It is due to the PIX 515 inspecting the SMTP messages between the Exchange servers. Try disabling the SMTP fixup on the PIX firewall and this should solve the problem.
Let me know if this works,
Regards,
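The two replies above boil down to one check: open TCP 25 to the next hop and see whether a real ESMTP conversation gets through. The script below is an added example for this thread, not something any of the posters wrote. It reproduces the "telnet x.x.x.x 25" test in Python and classifies the result. PIX Mailguard (what "fixup protocol smtp 25" enables) rewrites the server's 220 greeting so that most of it becomes asterisks, and it only passes the seven RFC 821 commands (HELO, MAIL, RCPT, DATA, RSET, NOOP, QUIT), so an EHLO that comes back with a 5xx reply is the other tell-tale that inspection is still on between Exchange's front end and back end. Host names, addresses and the sample banners are constructed placeholders.

```python
"""
Added example (not from the thread): probe an SMTP hop the way the accepted
answer suggests with telnet, then decide whether PIX SMTP fixup (Mailguard)
is still interfering. Pure classification is kept separate from the socket
code so it can be exercised on constructed banners without a network.
"""
import socket
from dataclasses import dataclass


@dataclass
class Verdict:
    reachable: bool   # TCP 25 connection succeeded
    banner: str       # the 220 greeting as received
    masked: bool      # greeting looks rewritten by PIX Mailguard ('*' chars)
    ehlo_ok: bool     # server answered EHLO with 250 (ESMTP, which Exchange needs)
    summary: str


def banner_is_masked(banner: str) -> bool:
    """True when a 220 greeting is mostly asterisks (Mailguard rewriting)."""
    line = banner.strip()
    if not line.startswith("220"):
        return False
    body = line[3:].strip()
    if not body:
        return False
    return body.count("*") / len(body) >= 0.5


def ehlo_accepted(reply: str) -> bool:
    """True when the first EHLO reply line is a 250 (multi-line 250- counts)."""
    return reply.strip().startswith("250")


def interpret(banner: str, ehlo_reply: str) -> Verdict:
    """Combine the two observations into a verdict for this hop."""
    masked = banner_is_masked(banner)
    ehlo_ok = ehlo_accepted(ehlo_reply)
    if masked or not ehlo_ok:
        summary = ("SMTP inspection (fixup protocol smtp / Mailguard) appears "
                   "active on this hop: ESMTP is being blocked")
    else:
        summary = ("ESMTP accepted on this hop: no inspection detected, "
                   "move on to the next hop")
    return Verdict(True, banner.strip(), masked, ehlo_ok, summary)


def _recv_line(sock: socket.socket) -> str:
    """Read one CRLF-terminated reply line (enough for banner and first EHLO line)."""
    data = b""
    while not data.endswith(b"\n"):
        chunk = sock.recv(512)
        if not chunk:
            break
        data += chunk
    return data.decode("ascii", errors="replace")


def probe(host: str, port: int = 25, timeout: float = 5.0) -> Verdict:
    """Live version of the telnet test: connect, read banner, send EHLO, QUIT."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            banner = _recv_line(s)
            s.sendall(b"EHLO probe.example\r\n")   # placeholder client name
            ehlo = _recv_line(s)
            s.sendall(b"QUIT\r\n")
    except OSError as exc:
        return Verdict(False, "", False, False,
                       f"no TCP connection to {host}:{port}: {exc}")
    return interpret(banner, ehlo)


if __name__ == "__main__":
    # Constructed samples standing in for what the two hops might return.
    clean = interpret("220 mail.acme.com Microsoft ESMTP MAIL Service ready",
                      "250-mail.acme.com Hello [192.168.2.2]")
    masked = interpret("220 ****************", "500 Command unrecognized")
    print(clean.summary)
    print(masked.summary)
    # On the lab network you would run, for example:
    # print(probe("192.168.2.2").summary)   # placeholder: DMZ front end server
```

Run it once from Fred's side against the DMZ front end, then from the front end against the back end, as the accepted answer says: the hop that reports inspection is the one whose PIX still needs 'no fixup protocol smtp 25'.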
06-28-2006 01:11 PM
Hi
Yes, it works fine. There were a few problems along the way (faulty network card in one of the computers), and the biggest one was that the 501 firewall will not, for some reason, pass SMTP traffic even when you disable the SMTP fixup protocol, so I had to use a dual Ethernet router in its place. When I did that, everything was fine.
A couple of questions I would like to ask. According to my Exchange course instructor, what he does when installing Exchange in this configuration is to apply two addresses to the network card in the DMZ-based front end server, one of which is dynamically assigned to the DNS server for the domain you wish the front end server to join, and a static entry in a publicly available DNS server with the other one. It did not seem to make any difference if I applied two addresses or just used one. He could not tell me why; he just said that was what his instructor told him to do. Can you think of any reason why I would need to use two addresses?
And the other thing is that I was unsure, when opening ports between the DMZ and inside interfaces, what parts of the access-list should point to what servers, so what I did was to place a domain controller (192.168.1.2) and the backend Exchange server (192.168.1.3) on the same subnet and point the access-list to the subnet instead of the individual servers, i.e.:
access-list 102 permit udp host 192.168.2.2 192.168.1.0 255.255.255.0 eq 53
access-list 102 permit udp host 192.168.2.2 192.168.1.0 255.255.255.0 eq 88
access-list 102 permit udp host 192.168.2.2 192.168.1.0 255.255.255.0 eq 389
access-list 102 permit tcp host 192.168.2.2 192.168.1.0 255.255.255.0 eq 53
access-list 102 permit tcp host 192.168.2.2 192.168.1.0 255.255.255.0 eq 88
access-list 102 permit tcp host 192.168.2.2 192.168.1.0 255.255.255.0 eq 135
access-list 102 permit tcp host 192.168.2.2 192.168.1.0 255.255.255.0 eq 389
access-list 102 permit tcp host 192.168.2.2 192.168.1.0 255.255.255.0 eq 445
access-list 102 permit tcp host 192.168.2.2 192.168.1.0 255.255.255.0 eq 143
access-list 102 permit tcp host 192.168.2.2 192.168.1.0 255.255.255.0 eq 80
access-list 102 permit tcp host 192.168.2.2 192.168.1.0 255.255.255.0 eq 25
access-list 102 permit tcp host 192.168.2.2 192.168.1.0 255.255.255.0 eq 110
access-list 102 permit tcp host 192.168.2.2 192.168.1.0 255.255.255.0 eq 691
access-list 102 permit tcp host 192.168.2.2 192.168.1.0 255.255.255.0 range 1024 65535
access-group 102 in interface dmz
This works, but I am not sure if it is the way it should be done.
Anyway, job done, and thanks for your help.
Regards
Melvyn