I am new to the PIX and need to allow a satellite office to access an inside exchange server via Outlook. E2k is currently sitting on my DC, which is on the internet. I want to pull the DC off of the internet, firewall it, and still provide email access to the satellite office.
What does the satellite office have for a firewall? Can we set up a vpn tunnel between the two? This would be the most secure solution to the problem at hand. You can also set up the pix as a remote access vpn, and deploy the cisco vpn client software - this would be more work than a point to point vpn tunnel.
Both of the above solutions are much preferable to opening ports to allow anyone on the internet to connect to your exchange server.
The satellite office is also using a PIX 501 for its firewall. I think that the original idea was to set up a vpn tunnel between the two offices. What are the steps involved in setting up the point to point tunnel and allowing the satellite outlook clients to reach their email? Thanks
In a point to point vpn tunnel, *everything* (all ip network protocols) can go back and forth between the two networks, just as if there were a physical data circuit between them. Do you know if you have the 3des license key?
"sh ver" should tell you what license key you have, look for the vpn-3des line. You will need to have at least the des key installed. The des key is free from cisco. The 3des key for a 501 should be about $100US for each unit.
You will need to be able to administrate the remote pix by its outside interface, can you do this? You might need to have ssh setup to do so.
I don't believe that I have the 3des key, but I will get the des key installed. I have the ip address of the remote pix and the enable password. I'm sorry, I'm really new to this, but what is ssh setup?
SSH is an encrypted telnet replacement. You cannot use unencrypted telnet to admin a pix through its outside interface.
After the (3)des key is installed, you will need to login to the pix,
ca generate rsa key 1024
ca save all
(Those commands generate your 1024-bit rsa encryption key pair, and save them)
Add ssh lines for as many netblocks as you need.
ssh 220.127.116.11 255.255.255.255 outside means that the host 18.104.22.168 outside the firewall can admin the pix via ssh.
when you are done, write memory will save the config.
Putty is a free windows ssh/telnet client. Download it, put the ip address in, check ssh, and you should be good to go. You might get a pop up about using only single des, but you should still be able to login. The user name through ssh is "pix".
Thanks for all of the help so far.
Is this procedure just for accessing the PIX from the outside interface, or will it have anything to do with setting up the site to site vpn? Will I need the generated encryption keys from the remote PIX in order to access it via ssh? I am not able to physically access the remote site, so I assume the only way to set up the ssh there is to walk someone on site through the procedure, correct?
Yeah, this is all for remote admin of the remote pix. You only need to generate the RSA keys for SSH, and for IPSec scenarios where you use a certificate authority.
Because of the way ipsec tunnels work, you really want to be able to admin the remote pix from the outside ip address/interface. Any solution of controlling the remote pix by the internal interface will not be reliable during ipsec setup and testing (imagine a windows server with terminal services, at your remote site, from which you could telnet to the pix - setting up/testing the tunnel may break the terminal services session, etc).
Thanks for the info. I will get remote admin setup and get back to you for the next steps. Is there an overview of the steps necessary to implement this available?
One other question. If my exchange server is behind the firewall, will it be able to receive email from the public internet?
You will want to have an access-list attached to the outside interface in the in direction, or use a conduit command to open tcp port 25, smtp, to everyone. This is the only port you need to receive internet email (in the default pix config, all connections outbound are permitted, so your email server originates smtp connections from its high numbered ports to other people's mail servers on port 25).
Is a good link for simple site to site IPSec vpn configuration. I would recommend using ISAKMP with preshared keys.
I've got the remote pix configured so that I can access it via ssh. What are the next steps for setting up the site to site vpn? Thanks
Did you check the link I posted in the post above? That should get you going. Start working with that, and report back if you cannot make it work.
Thanks, I'll try and work with the link and get back if I have problems. I plan on attempting it this Friday night.
I think that I will be able to set up the site to site, but I have 3 more questions for you if you don't mind.
1. After the VPN is set up, how does the remote office configure Eudora to pull email off of the local Exchange server? Is it by IP address of the exchange server or DNS name?
2. The local Exchange server is currently sitting on the internet @ x.x.x.x (mail.domain.com) which is our only registered IP address. After moving x.x.x.x to the outside interface of the PIX 501, how are mail requests from the remote office routed to the exchange server/domain controller. This box has 2 NICs, 1 internal and 1 external that currently has the IP address that will be moved to the outside interface of the PIX.
3. After firewalling the network, including the Exchange server/Domain Controller, how does email cross the PIX to get to the server? I know that I need to open port 25 through the pix, but how do I route it to the server?
Thanks for all of your help!
Be very careful from now, since you are attempting to do two things: set up site-to-site VPN and move the Exchange server.
I suggest de-link the two. First finish your VPN connectivity and test for functionality, since this is the easier of the two tasks.
2 and 3. If you are moving the mail server to the outside of the PIX interface, then that has nothing to do with VPN. Also, there is nothing you need to do on the PIX to allow the requests, again, if the server is going to be on the same subnet as that of the outside interface of the PIX; of course you need to permit 'smtp' on any router that is on the 'outside' interface of the firewall.
If you are moving mail servers, be sure to follow the best-practices methodology in terms of creating one more MX entry with a higher priority, let it propagate, and then remove the old server etc.
Hope this is helpful.
Best rgds / Sampath.
1. It depends. It ultimately needs to talk to the internal (behind the firewall) ip address of the exchange server. If you are running WINS and or DNS *internally*, then the hostname of the machine should work.
2&3. You move the exchange box in, you set up a static statement that forwards port 25 from that old, external ip, to the new internal ip. You allow access from everyone to that ip address via an ACL or conduit list, and you should be all set. All inbound internet email connections should travel via the static, and through the hole from the ACL/conduit, and into the exchange server's smtp service.
Pix outside: 22.214.171.124
Pix inside: 192.168.0.1
Move exchange inside. Make its ip address 192.168.0.254.
On the pix (the static maps the old external address to the new internal one; then either the conduit, or the access-list plus its access-group binding, opens tcp/25 to it):
static (inside,outside) 126.96.36.199 192.168.0.254 netmask 255.255.255.255
conduit permit tcp host 188.8.131.52 eq 25 any
access-list XXX permit tcp any host 184.108.40.206 eq 25
access-group XXX in interface outside
25 is all you need to receive email. All outbound email goes out via PIX's stateful feature set that allows all tcp and udp outbound connections by default.
If you have users outside of the firewall (meaning not at either site connected via the IPSec tunnel) that need to access email, it depends on how they access it. POP3 is tcp port 110. IMAP is tcp 143. If they want to use Outlook in corporate mode, you need to open tons of ports and that is bad - my recommendation is to set them up with the cisco vpn client software and allow them access to outlook that way.
Since I can't see the full thread in this reply window, I am assuming that the exchange and domain controller are the same box, or that you are moving them at the same time.
Yeah, the exchange and domain controller are on the same box as part of SBS2K.
I understand the access-list is preferred over conduit commands these days. Can I number the access-list (xxx) arbitrarily, or should it be a specific number? Also, the access-list you defined is already bound to the outside interface, correct?
Thanks for all of the help, I think I'm about ready to try this.
Now the remote office techs don't want to create a site to site VPN because of the assoc. overhead, speed and complication. They suggest that I just open up ports 25 and 110 and static them to the new address of the exchange server so that they continue to receive their email off of the internet.
DC/Exchange external 220.127.116.11
DC/Exchange internal 10.0.0.1
PIX External 18.104.22.168
PIX Internal 10.0.0.2
DC/Exchange external 10.0.0.3
DC/Exchange internal 10.0.0.1
Would this work? And what are the commands to open ports 25 and 110 and route them to the DC/Exchange box?
Tell them to get lost.
using pop3 means that your nt domain usernames and passwords go across the internet in unencrypted clear text.
using pop3 means that all email is kept locally, and not on the server.
As such, I find pop3 inconsistent with a decently secured setup, especially when the user name/passwords being used are nt credentials being passed in clear text.
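As an added check, not from the thread: a small Python audit of the static / access-list / access-group combination shown earlier in the thread, run against constructed TEST-NET addresses. It reports the exact opening the remote techs asked for (tcp/110, the clear-text POP3 concern raised just above) and an access-list that was never bound with access-group, which answers the earlier "is it already bound?" question. The PIX 6.x syntax is assumed to be exactly as written in the thread's example.

```python
# Constructed config (TEST-NET addresses); the thread's "XXX" ACL name is kept.
GOOD_CONFIG = """\
static (inside,outside) 203.0.113.10 192.168.0.254 netmask 255.255.255.255
access-list XXX permit tcp any host 203.0.113.10 eq 25
access-group XXX in interface outside
"""
# What the remote techs asked for: POP3 opened alongside SMTP.
POP3_CONFIG = GOOD_CONFIG + "access-list XXX permit tcp any host 203.0.113.10 eq 110\n"

def parse_pix(config):
    """Collect statics, access-list entries and access-group bindings."""
    statics, acls, bound = [], {}, {}
    for line in config.splitlines():
        tok = line.split()
        if not tok: continue
        if tok[0] == "static":          # static (in,out) GLOBAL LOCAL [netmask M]
            statics.append((tok[2], tok[3]))
        elif tok[0] == "access-list" and tok[2] == "permit":
            rest = tok[4:]              # SRC DST [eq PORT]; each addr is 'any' or 'host X'
            if rest[0] == "host": rest.pop(0)
            src = rest.pop(0)
            if rest[0] == "host": rest.pop(0)
            dst = rest.pop(0)
            port = rest[1] if len(rest) >= 2 and rest[0] == "eq" else "any"
            acls.setdefault(tok[1], []).append((tok[3], src, dst, port))
        elif tok[0] == "access-group":  # access-group NAME in interface IFACE
            bound[tok[4]] = tok[1]
    return statics, acls, bound

def audit(config, allowed_ports=("25",)):
    """Return findings; an empty list means only the allowed ports reach the static."""
    statics, acls, bound = parse_pix(config)
    findings, acl = [], bound.get("outside")
    if acl is None:
        findings.append("no access-group on outside: inbound mail will be dropped")
    for glob, local in statics:
        hits = [e for e in acls.get(acl, []) if e[2] in (glob, "any")]
        if not hits:
            findings.append(f"static {glob}->{local}: no bound ACL entry reaches it")
        for proto, _src, _dst, port in hits:
            if proto != "tcp" or port not in allowed_ports:
                why = "POP3 carries domain credentials in clear text" if port == "110" else "not in the allowed set"
                findings.append(f"{glob}: ACL {acl} exposes {proto}/{port} ({why})")
    for name in acls:
        if name not in bound.values():
            findings.append(f"access-list {name} is defined but never bound (no access-group)")
    return findings
```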