MS Exchange Server on inside interface

pslavkovsky
Level 1

Hi,

I want to connect private network to Internet by PIX 515E.

I will use 2 interfaces, outside and inside. I will use NAT.

On Inside interface a have MS Exchange server.

What I need to configure on PIX to achieve working mail services without problems?

Can You show me example of configuration PIX?

Thanks

Peter

12 Replies

mhoda
Level 5

Hi Peter,

Sure, this has the answer for you -

http://www.cisco.com/warp/public/110/mailserver.html

Thanks,

Mynul

Also, please be aware of the ESMTP feature and the problem it creates thru the PIX -

Work-around

on the pix - no fixup protocol smtp 25 or

on the exchange server turn off ESMTP -

http://www.microsoft.com/exchange/en/55/help/default.asp?url=/exchange/en/55/help/documents/server/xog05031.htm

Regards,

Mynul

Thanks,

but I have one question.

I want to permit from inside to outside only ports HTTP, HTTPS, FTP (FTP for a few people), not all traffic. And I want to run mail services. I do not use the command "conduit", but Access-List. What do I need to write in the Access-List?

Ports 80, 443, 20, 21 and 25?

Do I apply the access-list on the inside interface?

Regards,

Peter

Hi Peter --

As you say you have access-lists, so

Do the following: open a text editor (Notepad) and write your ACLs, i.e.

>no access-list inside

>access-list inside permit tcp host <client_ip> any eq 80

>access-list inside permit tcp host <client_ip> any eq 443

>access-list inside permit tcp host <mail_server_ip> any eq 25

..and so on...

Now don't forget to apply this to the inside interface with an access-group command.

>access-group inside in interface inside

As soon as you are happy with your ACLs, paste them back onto the PIX and make sure you save, i.e. pix# wr m (write memory)

And that should do it.

Hope this helps --

Peter --

Forgot to add - make sure you use static IP addresses for your internal clients rather than dynamic.

Jay.

Thanks,

but I read somewhere that for mail services to work well, some special ports must be in the access-list.

Peter

Hi Peter -

For mail (SMTP) THE port is 25. Question to you, Peter: I presume that you've got your mail servers on the inside, therefore you'll require a 'static translation' and an ACL to allow bi-directional communication for your SMTP mail.

Let me know how you get on...

Jay.

I think ports 135, 137, etc.

Peter

Peter --

Port 137 is used by the NETBIOS Datagram service (TCP and UDP) and port 135 is used by DCE endpoint resolution (TCP and UDP).

Hope this helps --

You only need those ports if you want Outlook to work through the firewall, and that is a terrible idea. To use Outlook remotely, a VPN should be in place.

wolfrikk
Level 3

First you need to create a static mapping to your Exchange Server.

static (inside,outside) <exchange_public_ip> <exchange_inside_ip> netmask 255.255.255.255

Next you will need to create an access-list to allow SMTP traffic and possibly POP3 traffic if you are using it.

access-list 100 permit tcp any host <exchange_public_ip> eq 25

access-list 100 permit tcp any host <exchange_public_ip> eq 110

If you run into problems with ESMTP (which the PIX does not support), you can disable it by using the following command

no fixup protocol smtp 25

I have not run into many problems where I had to disable the SMTP Fixup, but I know there are issues where that is the fix.

Hope that helps.
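Putting Jay's outbound ACL and wolfrikk's static/inbound ACL together, here is an added PIX 6.x configuration fragment that is not from this thread or from Cisco. All addresses are constructed (outside 203.0.113.2/29, inside 192.168.1.0/24, Exchange 192.168.1.10 published as 203.0.113.3, an internal DNS forwarder at 192.168.1.5 and one FTP user at 192.168.1.20 are assumptions); lines starting with ':' are PIX comments.

```cisco
: Added example, not from the thread. Constructed addresses:
: outside 203.0.113.2/29, inside 192.168.1.0/24,
: Exchange 192.168.1.10 published as 203.0.113.3.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
:
: PAT for the LAN behind the outside interface address.
: The static below takes precedence for the Exchange server, so its
: outbound SMTP leaves from 203.0.113.3 (keeps reverse DNS consistent).
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
global (outside) 1 interface
:
: One-to-one static for the Exchange server (Jay's 'static translation');
: an inbound ACL cannot reach the server without it.
static (inside,outside) 203.0.113.3 192.168.1.10 netmask 255.255.255.255 0 0
:
: Inbound from the Internet: SMTP to the Exchange server only.
: No 135/137 rules; remote Outlook belongs on a VPN, as said above.
: Everything else from outside hits the implicit deny.
access-list outside_in permit tcp any host 203.0.113.3 eq 25
access-group outside_in in interface outside
:
: Outbound from the LAN, applied 'in' on the inside interface.
: Once applied, anything not listed (ICMP included) is dropped.
: Web for everyone, FTP for one host, SMTP for the Exchange server,
: and DNS for the internal forwarder, which Exchange needs for MX lookups.
: FTP needs only port 21: 'fixup protocol ftp 21' (on by default)
: opens the data channel dynamically, so port 20 is not listed.
access-list inside_out permit tcp 192.168.1.0 255.255.255.0 any eq 80
access-list inside_out permit tcp 192.168.1.0 255.255.255.0 any eq 443
access-list inside_out permit tcp host 192.168.1.20 any eq 21
access-list inside_out permit tcp host 192.168.1.10 any eq 25
access-list inside_out permit udp host 192.168.1.5 any eq 53
access-group inside_out in interface inside
:
: Mail Guard ('fixup protocol smtp 25', on by default) only passes the
: basic RFC 821 verbs and rejects EHLO, so Exchange's ESMTP sessions can
: fail. If that happens, the thread's workaround is:
: no fixup protocol smtp 25
```

After pasting, check the result with show static, show access-list (hit counts per line) and show xlate, then save with write memory.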