New Member

MS Exchange Server on inside interface

Hi,

I want to connect private network to Internet by PIX 515E.

I will use 2 interfaces, outside and inside. I will use NAT.

On Inside interface a have MS Exchange server.

What I need to configure on PIX to achieve working mail services without problems?

Can You show me example of configuration PIX?

Thanks

Peter

12 REPLIES
Silver

Re: MS Exchange Server on inside interface

Hi Peter,

Sure, this has the answer for you -

http://www.cisco.com/warp/public/110/mailserver.html

Thanks,

Mynul

Silver

Re: MS Exchange Server on inside interface

Also, please be aware of the ESMTP feature and the problem it creates through the PIX -

Work-around:

on the PIX - no fixup protocol smtp 25, or

on the Exchange server, turn off ESMTP -

http://www.microsoft.com/exchange/en/55/help/default.asp?url=/exchange/en/55/help/documents/server/xog05031.htm

Regards,

Mynul

New Member

Re: MS Exchange Server on inside interface

Thanks,

but I have one question.

I want to permit from inside to outside only the ports for HTTP, HTTPS and FTP (FTP for a few people), not all traffic. And I want to run mail services. I do not use the "conduit" command, but access-lists. What do I need to write in the access-list?

Ports 80, 443, 20, 21 and 25?

Do I apply the access-list on the inside interface?

Regards,

Peter

Gold

Re: MS Exchange Server on inside interface

Hi Peter --

As you say you have access-lists, so

Do the following: open a text editor (Notepad) and write your ACLs, i.e.

>no access-list inside

>access-list inside permit tcp any any eq 80

>access-list inside permit tcp any any eq 443

>access-list inside permit tcp any any eq 25

...and so on...

Now don't forget to apply this to the inside interface with an access-group command.

>access-group inside in interface inside

As soon as you are happy with your ACLs, paste them back onto the PIX and make sure you save it, i.e. pix# wr m (write memory)

And that should do it.

Hope this helps --

Gold

Re: MS Exchange Server on inside interface

Peter --

Forgot to add - make sure you use static IP addresses for your internal clients rather than dynamic.

Jay.

New Member

Re: MS Exchange Server on inside interface

Thanks,

but I read somewhere that for mail services to work well, some special ports must be in the access-list.

Peter

Gold

Re: MS Exchange Server on inside interface

Hi Peter -

For mail (SMTP) THE port is 25. Question to you Peter: I presume that you've got your mail servers on the inside, therefore you'll require a 'static translation' and an ACL to allow bi-directional communication for your SMTP mail.

Let me know how you get on...

Jay.

New Member

Re: MS Exchange Server on inside interface

I think ports 135, 137, etc.

Peter

Gold

Re: MS Exchange Server on inside interface

Peter --

Port 137 is used by the NetBIOS Datagram Service (TCP and UDP) and port 135 is used by DCE endpoint resolution (TCP and UDP).

Hope this helps --

New Member
Silver

Re: MS Exchange Server on inside interface

You only need those ports if you want Outlook to work through the firewall, and that is a terrible idea. To use Outlook remotely, a VPN should be in place.

New Member

Re: MS Exchange Server on inside interface

First you need to create a static mapping to your Exchange Server.

static (inside,outside)

Next you will need to create an access-list to allow SMTP traffic, and possibly POP3 traffic if you are using it.

access-list 100 permit tcp any eq 25

access-list 100 permit tcp any eq 110

If you run into problems with ESMTP (which the PIX does not support), you can disable it by using the following command:

no fixup protocol smtp 25

I have not run into many problems where I had to disable the SMTP Fixup, but I know there are issues where that is the fix.

Hope that helps.
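Pulling the pieces of this thread together (Jay's outbound ACL, the static translation and inbound SMTP rule, and the fixup work-around from the post above), here is an added example PIX 6.x configuration. It is not from any post in the thread. The interface names, the addresses (203.0.113.0/24 is a documentation range), the single FTP-permitted workstation and the default route are all assumptions; the `!` comment lines are explanatory and should be removed before pasting.

```cisco
! Added example, not from the thread. Assumed addressing:
!   inside network 192.168.1.0/24, PIX inside address 192.168.1.1
!   PIX outside address 203.0.113.2/24, ISP gateway 203.0.113.1
!   public address for mail 203.0.113.10, Exchange server 192.168.1.10
!   (fixed address, as Jay advised), one FTP-permitted workstation 192.168.1.50
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! General outbound NAT: hide the whole inside network behind the outside address
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
global (outside) 1 interface

! The 'static translation' for the Exchange server: a fixed public address,
! so inbound SMTP always lands on 192.168.1.10
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 0 0

! Inbound from the Internet: SMTP to the mail server only. Everything else,
! including 135/137 for remote Outlook, falls to the implicit deny at the end
! of the list; remote Outlook users come in over a VPN instead.
access-list outside_in permit tcp any host 203.0.113.10 eq smtp
! Only if Internet POP3 clients are really needed (passwords cross in clear text):
! access-list outside_in permit tcp any host 203.0.113.10 eq pop3
access-group outside_in in interface outside

! Outbound from the inside network: Peter's list, plus what it needs to work.
! Only the mail server may send SMTP, so a compromised workstation cannot
! relay or spam straight out of the network.
access-list inside_out permit tcp host 192.168.1.10 any eq smtp
! Both the server (MX lookups) and the clients need DNS, or nothing resolves
access-list inside_out permit udp 192.168.1.0 255.255.255.0 any eq domain
access-list inside_out permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list inside_out permit tcp 192.168.1.0 255.255.255.0 any eq https
! FTP for one host only. Port 20 needs no rule: the FTP fixup (on by default)
! opens the data connection for both active and passive transfers.
access-list inside_out permit tcp host 192.168.1.50 any eq ftp
access-group inside_out in interface inside

! The thread's ESMTP work-around. The SMTP fixup (Mailguard) only passes the
! basic RFC 821 commands and rejects EHLO and the other extended commands,
! which is what breaks Exchange's ESMTP sessions. Turning it off also removes
! that command filtering; the alternative is to leave the fixup on and turn
! ESMTP off on the Exchange server instead.
no fixup protocol smtp 25

write memory
```

Two things worth checking after pasting: `show xlate` should list the 203.0.113.10 to 192.168.1.10 static, and `show access-list inside_out` shows a hit count per line, which makes it obvious which rule (usually DNS) is missing when a client "cannot browse". Note that PIX access-lists take ordinary subnet masks (255.255.255.0), not the inverted wildcard masks used on IOS routers. To give another person FTP, add one more `access-list inside_out permit tcp host <address> any eq ftp` line for their fixed address.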
