Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

PIX 515 and Exchange 2000

I currently use a very antiquated email system called Interchange/Expressit. The PIX is configured to allow SMTP traffic through and the Interchange server grabs it and routes the mail to the mailboxes. The PIX is the default gateway on my system and I am running NAT. It is a relatively simple configuration.

I am finally moving into the real world and we are adding Windows 2000, Active Directory and Exchange 2000 to our network infrastructure.

I am trying to figure out the PIX and Exchange server configurations for email traffic on the Internet. The only thing I have found on Cisco's Web site is telling me I need two Exchange servers; one inside and one in the DMZ. My environment is just not that big (I have 85 users) and I really don't want to add another server.

Is two servers really my only option or can I use a simpler configuration?


New Member

Re: PIX 515 and Exchange 2000

If you simply want to be able to have external mail sent to your server, setup a static mapping for your exchange server and allow SMTP inbound. Make sure to lock down the relay feature or you could be used as a spam relay and get blacklisted.

If you need Outlook connectivity from the internet read below. This is the method we use for connecting to Exchange 5.5. Not sure if Exchange 2000 still uses the random port assignment for client connections. And you may need to open a port other than 135 for connectivity to active directory login. But the general idea is the same. Keep in mind that the Cisco method you describe above is MUCH more secure.

What we did -

First, follow this link for instructions on assigning static ports to Exchange for use with client connections;en-us;155831

Then, obviously, setup a static mapping from the high security interface to the low security interface for the Exchange server.

Setup ACLs for port 135, and the two ports you assign via the registry per the above link

Finally, and this is very important, make sure your clients have a means for resolving the Exchange servers host name to an ip address. With Outlook, even if you first enter the IP address into the configuration it automatically converts this to the Hostname upon first connection. You can either use lmhosts files, hosts files, or make sure your mail server has a DNS entry in your clients dns server and the client is properly configured for appending the domain suffix to DNS queries for your domain.

Hope this helps.


New Member

Re: PIX 515 and Exchange 2000


> Is two servers really my only option or can I use a simpler configuration?

No. You can work with a single server as done currently with the existing one.

The article you have read is about a different scenario .

However, it is a good idea to use DMZ for mail relay server and for other servers published to the Internet like FTP if needed.

You should avoid openning port 80 or 110 to your internal server, as these allow attackers to authenticate to your network and manipulate your sensitive data, if not worth (like Code Red).

Openning port 25 for inbound SMTP traffic should be fine, as long as you don't configure you server as an open relay. However as I mentioned above, best practice is to place a mail server in DMZ for incoming mail (does not have to be Exchange, a common solution is to place a linux box for that).

The mail relay server can also be a content filter that will filter virusses and dangerous attachments even before they get to your Exchange server.


Re: PIX 515 and Exchange 2000


you don't need two servers to accomplish this, although it is more secure.

Just put you Exchange server on the inside and make a static translation for the server on port 25 for smtp (or port 110 for POP3). Also create an access-list and bind it to the external interface of the PIX (acces-group command). Make sure you mailserver is well-configured (eg disable relaying).

Sometime disabling the 'smtp fixup protocol' resolves certain problems with exchange. But when you do this, once again make sure that the exchange server is well-configure and acceps only secure smtp commands.

Kind Regards,



Re: PIX 515 and Exchange 2000

I would recommend keeping the exchange server on the inside, opening ports only as needed and maintain a vigorous patching regiment. To put an exchange server in the dmz requires soooo many open ports between it and the AD/domain controller that it just about clobbers the whole point of the DMZ theory (and BTW, exchange 2000 is probably worse the 5.5 in this regard). Also, the costs ($, time, resources, etc) are very prohibitive as well.

To receive email, you only need to allow inbound access to smtp, port 25. Disabling fixup protocol smtp 25 is almost a guaranteed must - Microsoft's ESMTP implementation does not work well with it. Make sure that you have all of your patches up to date for it - investigate using Microsoft's MBSA to scan your server.

I would never allow direct outlook access to an exchange box, period. I require vpn connectivity for it. If you want outlook web access, I would strongly investigate getting SSL set up, and only allowing encrypted https session to it.


CreatePlease to create content