Cisco Support Community

New Member

Access Exchange server from Outlook client

I have two LANs on different subnets, corplan( and paylan( in the same building. Corplan is routed through Cisco 3640 and has the Exchange 5.5 server in its domain. The paylan is connected to the corplan via a Cisco PIX 501.

The paylan can successfully connect to the corplan, browse the internet, and connect to network shares. However, the users on the paylan cannot connect to the Exchange server on the corplan using Outlook, although when I set up the mail account in Control Panel it finds the Exchange server and authenticates the user account.

Here is a copy of my config:

PIX Version 6.1(4)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password sX8K6xZ6Rfv3H.1q encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname pixfirewall


fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000


access-list 100 permit icmp any any

access-list acl_in permit icmp any any

access-list acl_out permit icmp any any

pager lines 24

logging on

logging trap warnings

interface ethernet0 10baset

interface ethernet1 10full

mtu outside 1500

mtu inside 1500

ip address outside

ip address inside

ip audit info action alarm

ip audit attack action alarm

pdm location inside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 netmask

global (outside) 1 interface

nat (inside) 1 0 0

route outside 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

http server enable

http inside

http inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

no sysopt route dnat

telnet timeout 5

ssh timeout 5

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

terminal width 80


: end


New Member

Re: Access Exchange server from Outlook client


My knowledge of Exchange is little, but as I understand it, an Outlook client connects using RPC to the Exchange server and negotiates (possibly?) some sort of random port, and I believe that the Exchange server contacts the PC back on this port, i.e. a completely different port to what the traffic went out from - and I think because this port is not established in a prior outbound communication that the PIX won't let it in. I believe there is documentation on about this and I'm sure I read somewhere about a registry hack to fudge the port to a known value so it can be permitted inbound. This 'feature' also makes it difficult to define Outlook-to-Exchange traffic as 'interesting' on dialer-maps because you never know what port it's going to be (unless you hack the registry on all your clients).

I expect it finds it in Control Panel OK because I imagine that would use a more normal TCP port-to-port connection rather than RPC.



New Member

Re: Access Exchange server from Outlook client

What OS are the clients using and what version of Outlook are they using?

New Member

Re: Access Exchange server from Outlook client

The clients are Windows 2000 and Outlook 2000.

New Member

Re: Access Exchange server from Outlook client

Kev is correct in his assessment of how Exchange works. You might want to take a look at;EN-US;155831


They describe how to set the registry setting on your Exchange server. After making the registry settings for the static ports to use, you should then be able to use the established command on your PIX to allow the return connection from the Exchange server to the client. For example:

established tcp 135 0 permitto 1024-65535 permitfrom

Hope that helps

New Member

Re: Access Exchange server from Outlook client

If you follow these documents, it should work. There was also an issue with Windows 9x clients and the PIX proxy ARP feature, but it shouldn't affect Windows 2000 clients.

New Member

Re: Access Exchange server from Outlook client

Do let us know how it goes.

Thanks for finding and posting those links by the way - the person who explained this to me originally inferred that it was the Outlook client side that needed the registry hack, but from reading those articles it appears to be only the Exchange server.