07-02-2003 07:52 AM - edited 03-09-2019 03:54 AM
Hi,
I want to connect a private network to the Internet with a PIX 515E.
I will use 2 interfaces, outside and inside. I will use NAT.
On the inside interface I have an MS Exchange server.
What do I need to configure on the PIX to get working mail services without problems?
Can you show me an example PIX configuration?
Thanks
Peter
07-02-2003 09:27 AM
Hi Peter,
Sure, this has the answer for you -
http://www.cisco.com/warp/public/110/mailserver.html
Thanks,
Mynul
07-02-2003 09:30 AM
Also, please be aware of the ESMTP feature and the problem it creates through the PIX -
Work-around:
on the PIX - no fixup protocol smtp 25, or
on the Exchange server turn off ESMTP -
Regards,
Mynul
07-04-2003 12:04 AM
Thanks,
but I have one question.
I want to permit from inside to outside only the HTTP, HTTPS and FTP ports (FTP for a few people), not all traffic. And I want to run mail services. I do not use the "conduit" command, but access lists. What do I need to write in the access list?
Ports 80, 443, 20, 21 and 25?
Do I apply the access list on the inside interface?
Regards,
Peter
07-04-2003 12:14 AM
Hi Peter --
As you say you have access-lists, so
Do the following: open a text editor (Notepad) and write your ACLs, i.e.
>no access-list inside
>access-list inside permit tcp host
>access-list inside permit tcp host
>access-list inside permit tcp host
..and so on...
Now don't forget to apply this to the inside interface with an access-group command.
>access-group inside in interface inside
As soon as you are happy with your ACLs, paste them back onto the PIX and make sure you save it, i.e. pix# wr m (write memory).
And that should do it.
Hope this helps --
07-04-2003 12:23 AM
Peter --
Forgot to add - make sure you use static IP addresses for your internal clients rather than dynamic.
Jay.
07-04-2003 12:28 AM
Thanks,
but I read somewhere that for mail services to work well, some special ports must be in the access list.
Peter
07-04-2003 01:24 AM
Hi Peter -
For mail (SMTP) THE port is 25. A question to you, Peter: I presume that you've got your mail servers on the inside, therefore you'll require a 'static translation' and an ACL to allow bi-directional communication for your SMTP mail.
Let me know how you get on...
Jay.
07-04-2003 01:28 AM
I think ports 135, 137, etc.
Peter
07-04-2003 01:36 AM
Peter --
Port 137 is used by the NETBIOS Datagram service (TCP and UDP) and port 135 is used by DCE endpoint resolution (TCP and UDP).
Hope this helps --
07-11-2003 12:00 AM
and also for exchange protocol, see http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/config/msexchng.htm
and
http://www.brienposey.com/kb/connecting_to_Exchange_through_a_firewall.asp
and Microsoft says:
08-06-2003 03:56 PM
You only need those ports if you want Outlook to work through the firewall, and that is a terrible idea. To use Outlook remotely, a VPN should be in place.
08-06-2003 02:00 PM
First you need to create a static mapping to your Exchange Server.
static (inside,outside)
Next you will need to create an access-list to allow SMTP traffic and possibly POP3 traffic if you are using it.
access-list 100 permit tcp any
access-list 100 permit tcp any
If you run into problems with ESMTP (which the PIX does not support), you can disable it by using the following command:
no fixup protocol smtp 25
I have not run into many problems where I had to disable the SMTP Fixup, but I know there are issues where that is the fix.
Hope that helps.