
MS Exchange access using established command

Hi there,

I am having a problem using the established command on a PIX 525 when trying to authenticate against an Exchange server.

Cisco PIX Firewall Version 6.3(1)

Hardware: PIX-525, 256 MB RAM, CPU Pentium III 600 MHz

Flash E28F128J3 @ 0x300, 16MB

BIOS Flash AM29F400B @ 0xfffd8000, 32KB

I am using a firewall in our test LAN to try this out; the Exchange server sits on our live LAN. From the documentation, it looks like the established command should support the use of MS-RPCs: the Exchange server listens on tcp port 135, and when a client connects to this port, the Exchange server supplies the client with two random high ports, which the client then uses to talk to the information store and the directory.

I can see this happening in my first debug using an access list on the PIX that allows unfiltered access to our Exchange server and Domain Controller. In this setup the client (10.19.99.249) is sitting on the outside network 10.19.99.248/29, and the Exchange server (10.19.25.133) and Domain Controller (10.19.25.1) are sitting on the inside of the firewall.

Unrestricted access list

access-list Wan_in line 1 permit icmp any any (hitcnt=16)

access-list Wan_in line 2 permit ip any object-group mags_dc

access-list Wan_in line 2 permit ip any host 10.19.25.1 (hitcnt=15)

access-list Wan_in line 2 permit ip any host 10.19.25.2 (hitcnt=11)

access-list Wan_in line 3 permit ip any object-group exchange_servers

access-list Wan_in line 3 permit ip any host wwlxu1003 (hitcnt=0)

access-list Wan_in line 3 permit ip any host wwlxu1004 (hitcnt=14)

debug

302013: Built inbound TCP connection 11581 for outside:10.19.99.249/1154 (10.19.99.249/1154) to inside:10.19.25.1/135 (10.19.25.1/135)

302014: Teardown TCP connection 11581 for outside:10.19.99.249/1154 to inside:10.19.25.1/135 duration 0:00:01 bytes 440 TCP FINs

302013: Built inbound TCP connection 11582 for outside:10.19.99.249/1155 (10.19.99.249/1155) to inside:10.19.25.1/1026 (10.19.25.1/1026)

302013: Built inbound TCP connection 11583 for outside:10.19.99.249/1156 (10.19.99.249/1156) to inside:10.19.25.1/1026 (10.19.25.1/1026)

302013: Built inbound TCP connection 11584 for outside:10.19.99.249/1157 (10.19.99.249/1157) to inside:10.19.25.133/135 (10.19.25.133/135)

302014: Teardown TCP connection 11584 for outside:10.19.99.249/1157 to inside:10.19.25.133/135 duration 0:00:01 bytes 704 TCP FINs

302013: Built inbound TCP connection 11585 for outside:10.19.99.249/1158 (10.19.99.249/1158) to inside:10.19.25.133/1360 (10.19.25.133/1360)

302013: Built inbound TCP connection 11586 for outside:10.19.99.249/1159 (10.19.99.249/1159) to inside:10.19.25.1/135 (10.19.25.1/135)

302014: Teardown TCP connection 11586 for outside:10.19.99.249/1159 to inside:10.19.25.1/135 duration 0:00:01 bytes 440 TCP FINs

302013: Built inbound TCP connection 11587 for outside:10.19.99.249/1160 (10.19.99.249/1160) to inside:10.19.25.133/135 (10.19.25.133/135)

302014: Teardown TCP connection 11587 for outside:10.19.99.249/1160 to inside:10.19.25.133/135 duration 0:00:01 bytes 704 TCP FINs

Here I have restricted the access list so that any client on the outside network can talk to our Exchange servers on port 135 only, and I have added the established command, which I think should then allow any client with an established connection on port 135 to talk back to the Exchange server on any port between 1024-65534. I realise there are other services that are required when talking to an Exchange server; however, when I clear the xlate table before connecting, the client always talks to the Active Directory on our DC using tcp port 135 first, then it attempts to talk to the Exchange server, also using tcp 135, so I think this is a valid test.

I can see from the log files that the connections on the high port that has been assigned by the Exchange server are being dropped.

Restricted access list with established command

access-list Mags_out; 1 elements

access-list Mags_out line 1 permit icmp any any (hitcnt=30)

access-list Wan_in; 5 elements

access-list Wan_in line 1 permit icmp any any (hitcnt=29)

access-list Wan_in line 2 permit ip any object-group mags_dc

access-list Wan_in line 2 permit ip any host 10.19.25.1 (hitcnt=25)

access-list Wan_in line 2 permit ip any host 10.19.25.2 (hitcnt=17)

access-list Wan_in line 3 permit tcp any object-group exchange_servers eq 135

access-list Wan_in line 3 permit tcp any host wwlxu1003 eq 135 (hitcnt=0)

access-list Wan_in line 3 permit tcp any host wwlxu1004 eq 135 (hitcnt=2)

established command

established tcp 135 0 permitto tcp 1024-65534 permitfrom tcp 0

debug

302015: Built inbound UDP connection 11603 for outside:10.19.99.249/1179 (10.19.99.249/1179) to inside:10.19.25.1/53 (10.19.25.1/53)

302016: Teardown UDP connection 11603 for outside:10.19.99.249/1179 to inside:10.19.25.1/53 duration 0:00:01 bytes 126

302013: Built inbound TCP connection 11604 for outside:10.19.99.249/1180 (10.19.99.249/1180) to inside:10.19.25.1/135 (10.19.25.1/135)

302014: Teardown TCP connection 11604 for outside:10.19.99.249/1180 to inside:10.19.25.1/135 duration 0:00:01 bytes 440 TCP FINs

302013: Built inbound TCP connection 11605 for outside:10.19.99.249/1181 (10.19.99.249/1181) to inside:10.19.25.1/1026 (10.19.25.1/1026)

302013: Built inbound TCP connection 11606 for outside:10.19.99.249/1182 (10.19.99.249/1182) to inside:10.19.25.1/1026 (10.19.25.1/1026)

302013: Built inbound TCP connection 11607 for outside:10.19.99.249/1183 (10.19.99.249/1183) to inside:10.19.25.133/135 (10.19.25.133/135)

302014: Teardown TCP connection 11607 for outside:10.19.99.249/1183 to inside:10.19.25.133/135 duration 0:00:01 bytes 704 TCP FINs

106023: Deny tcp src outside:10.19.99.249/1184 dst inside:wwlxu1004/1360 by access-group "Wan_in"

106023: Deny tcp src outside:10.19.99.249/1184 dst inside:wwlxu1004/1360 by access-group "Wan_in"

709004: (Primary) End Configuration Replication (ACT)

106023: Deny tcp src outside:10.19.99.249/1184 dst inside:wwlxu1004/1360 by access-group "Wan_in"

Any help would be appreciated.

Thanks, Paddy

3 REPLIES

Re: MS Exchange access using established command

Hi Paddy,

It looks like "established" can be used only when the initial connection is coming from inside to outside. Your case is just the reverse of this.

Here is an extract of "established" usage guideline:

«The established command allows outbound connections return access through the PIX Firewall. This command works with two connections, an original connection outbound from a network protected by the PIX Firewall and a return connection inbound between the same two devices on an external host.

The first protocol, destination port, and optional source port specified are for the initial outbound connection. The permitto and permitfrom options refine the return inbound connection.»

Another way to give complete access for your external users to the inside Exchange server is to use MS-Proxy in reverse proxy manner. Then you only have to open the needed port, which I think is UDP 1745. This also permits authenticating users against proxy->DC. But you have to protect the proxy carefully.

Regards

Ben


Re: MS Exchange access using established command

Paddy,

Ben is right:

'

established tcp 6060 0 permitto tcp 6061 permitfrom tcp 6059

In this case, if a connection is started by an internal host to an external host using TCP source port 6060 and any destination port, the PIX Firewall permits return traffic between the hosts via TCP destination port 6061 and TCP source port 6059.

'

So, the initial connection has to be permitted from the inside.

You will have to look for a proxied method as suggested or use a real mail server :)) Just kidding.

S
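To make the point of the two replies concrete against Paddy's own debug output, here is an added example (not code from the thread, from Cisco or from Microsoft) that replays constructed PIX syslog lines condensed from the second debug above and applies the `established` semantics Ben quotes: the original connection must be outbound from the protected network, and only then is a return inbound connection between the same two hosts let through on the permitto/permitfrom ports. The `NAMES` mapping of wwlxu1004 to 10.19.25.133 is an assumption drawn from the two debugs; the parser covers only the 302013 and 106023 message formats shown in the thread.

```python
"""Model of why `established` cannot open the Exchange RPC high port here.

Added example, not code from the thread, Cisco or Microsoft. It replays
constructed PIX syslog lines condensed from Paddy's second debug and applies
the `established` semantics Ben quotes: the original connection must be
outbound from the protected network; only then is a return inbound connection
between the same two hosts allowed on the permitto/permitfrom ports.
"""
import re
from dataclasses import dataclass

BUILT_RE = re.compile(
    r"302013: Built (?P<dir>inbound|outbound) TCP connection \d+ for "
    r"(?P<src_if>\w+):(?P<src>[\w.-]+)/(?P<sport>\d+) \([^)]*\) to "
    r"(?P<dst_if>\w+):(?P<dst>[\w.-]+)/(?P<dport>\d+)")
DENY_RE = re.compile(
    r"106023: Deny tcp src (?P<src_if>\w+):(?P<src>[\w.-]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst>[\w.-]+)/(?P<dport>\d+)")

# Assumption: the PIX `name` table maps the hostname in the deny line to the
# Exchange server address that appears in the built lines.
NAMES = {"wwlxu1004": "10.19.25.133"}

# Constructed sample, condensed from the debug output posted in the thread.
SAMPLE_LOG = """\
302013: Built inbound TCP connection 11604 for outside:10.19.99.249/1180 (10.19.99.249/1180) to inside:10.19.25.1/135 (10.19.25.1/135)
302014: Teardown TCP connection 11604 for outside:10.19.99.249/1180 to inside:10.19.25.1/135 duration 0:00:01 bytes 440 TCP FINs
302013: Built inbound TCP connection 11605 for outside:10.19.99.249/1181 (10.19.99.249/1181) to inside:10.19.25.1/1026 (10.19.25.1/1026)
302013: Built inbound TCP connection 11607 for outside:10.19.99.249/1183 (10.19.99.249/1183) to inside:10.19.25.133/135 (10.19.25.133/135)
106023: Deny tcp src outside:10.19.99.249/1184 dst inside:wwlxu1004/1360 by access-group "Wan_in"
""".splitlines()
RULE = "established tcp 135 0 permitto tcp 1024-65534 permitfrom tcp 0"


@dataclass(frozen=True)
class Conn:
    direction: str  # "inbound" or "outbound", as the PIX reports it
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Established:
    dport: int         # destination port of the original connection, 0 = any
    sport: int         # source port of the original connection, 0 = any
    permitto: tuple    # (lo, hi) destination ports allowed on the return connection
    permitfrom: tuple  # (lo, hi) source ports allowed on the return connection


def parse_established(cmd: str) -> Established:
    """Parse 'established tcp DPORT SPORT [permitto tcp A[-B]] [permitfrom tcp C[-D]]'."""
    tok = cmd.split()
    if tok[:2] != ["established", "tcp"]:
        raise ValueError("only the tcp form is modelled")
    to = frm = (0, 0)  # (0, 0) means any port
    for i in range(4, len(tok), 3):
        lo, _, hi = tok[i + 2].partition("-")
        rng = (int(lo), int(hi or lo))
        if tok[i] == "permitto":
            to = rng
        elif tok[i] == "permitfrom":
            frm = rng
    return Established(int(tok[2]), int(tok[3]), to, frm)


def _in_range(port: int, rng: tuple) -> bool:
    return rng == (0, 0) or rng[0] <= port <= rng[1]


def parse_log(lines):
    """Yield ('built', Conn) or ('deny', Conn); other message IDs are skipped."""
    for line in lines:
        kind, m = "built", BUILT_RE.search(line)
        if not m:
            kind, m = "deny", DENY_RE.search(line)
        if not m:
            continue
        g = m.groupdict()
        # A deny line carries no direction word; 'src outside' means inbound.
        direction = g.get("dir") or ("inbound" if g["src_if"] == "outside" else "outbound")
        yield kind, Conn(direction, NAMES.get(g["src"], g["src"]), int(g["sport"]),
                         NAMES.get(g["dst"], g["dst"]), int(g["dport"]))


def return_permitted(cand: Conn, originals, rule: Established):
    """Decide whether `rule` would let `cand` through as a return connection."""
    if cand.direction != "inbound":
        return False, "candidate is not inbound; established only describes return inbound access"
    for o in originals:
        if {o.src, o.dst} != {cand.src, cand.dst}:
            continue
        if not (_in_range(o.dport, (rule.dport, rule.dport)) and rule.sport in (0, o.sport)):
            continue
        if o.direction != "outbound":
            return False, (f"original connection to port {o.dport} was inbound; "
                           "established requires it to be outbound")
        if _in_range(cand.dport, rule.permitto) and _in_range(cand.sport, rule.permitfrom):
            return True, f"return of outbound {o.src}/{o.sport} -> {o.dst}/{o.dport}"
        return False, "return ports fall outside permitto/permitfrom"
    return False, "no matching original connection between these hosts"


def analyse(lines, cmd: str):
    """For every denied connection, report whether `cmd` would have opened it."""
    rule, originals, findings = parse_established(cmd), [], []
    for kind, conn in parse_log(lines):
        if kind == "built":
            originals.append(conn)
        else:
            ok, why = return_permitted(conn, originals, rule)
            findings.append((conn.src, conn.sport, conn.dst, conn.dport, ok, why))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG, RULE):
        print(finding)
```

Run against the sample, the single 106023 deny to wwlxu1004/1360 is reported as not permitted because the matching port-135 connection between the same two hosts was itself inbound, which is exactly the mismatch Ben and S describe. Swapping in an outbound original (an inside host connecting out to port 135) and an inbound return on a port inside 1024-65534 makes the same function return True, which is the only case the command covers.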


Re: MS Exchange access using established command

Thanks for all your replies
