Re: PIX Firewall with Exchange server 2000

richard.huhman · ‎03-11-2003

I have an exchange server 2000 setting behing a three interface PIX 515E. I am unable to telnet to port 25 through the PIX from the internet and reach the Exchange server. I do see port translation from the PIX logs but the connection times out with no sign of connnectivity. I can telnet to my SMTP from inside the network but not from the outside. I do have the FIX UP SMTP protocol disabled. Is there anything that can look at to help me solve this problem. I am attempting to place the exchange server on the network for Internet e-mail with outlook web access.

Thanks for the help!

Richard R. Huhman

System Engineer.

brent.smith · ‎03-11-2003

How do you have the "static" and conduit or acl cmds configured on your outside interface??

bbowers · ‎03-12-2003

I am running 6.2 on my pix and am using pat for my static.

static tcp interface smtp host smtp 255.255.255.255 0 0

when I telnet to my outside interface I see in the sho xlate command where I am getting a translation form outside to my exchange server.

access list reads as follows

permit tcp any host outside interface eq smtp.

I am able to send smtp mail but not receive it.

Thanks for your help.

wolfrikk · ‎03-12-2003

Can you send and receive email through the PIX? With the SMTP fixup protocol enabled, you won't be able to telnet to the Exchange server from the outside, but you can usually send and receive SMTP Mail through the PIX. If you have your SMTP server setup to only accept ESMTP, you will have to disable the SMTP Fixup rule, since the PIX does not understand ESMTP.

OWA should work as long as port 80 is open for the Exchange server.

bbowers · ‎03-12-2003

I am sending but not receiving smtp mail. I wanted to try and use telnet to port 25 on the pix to see if my problem was on the pix or on my exchange server. My sense is that this could be a routing issue on my pix. Any thoughts on how to test and verify that?

Thanks for the help

wolfrikk · ‎03-12-2003

It is hard to test an Exchange Server behind a PIX. I have never been able to telnet to an Exchange Server behind a PIX, even when it is sending and receiving mail. What does a show ip route generate. PIX's usually only have entries for each interface, and the default route (if set). Can you ping the Exchange Server from the PIX? If you can paste your config file, we may be able to see something from it.

shannong · ‎03-12-2003

Try telnetting to port 25 from the outside. Three clues to look for:

1. You receive a garbled banner with alot of ******. This is the fixup functionality of the Pix obfuscating the banner for security reasons. You've connected to the mail server!

2. You're reading this because you didn't connect. Show access-list. Is the outside access-list hit counter increasing?

3. Do the pix logs show the inbound connection built?

I doubt it's a routing problem or else outbound sessions wouldn't work either.

bbowers · ‎03-13-2003

My problem is fixed, I basically did 2 things. I issued no fixup portocol 25, and I found in my default route on the pix I had a typo in the address. I changed those 2 things, rebooted the pix and it began to work. Prior to these 2 changes I was seeing a translation slot to port 25 when I telnetted to my mail server so I was pretty sure that was working. I captured some packetts at my exchange server and that proved to me that the traffic was getting to my server, and being routed back through the pix because of the icmp redirects from in the capture. So that made me think to look at routing on my pix. I am also puzzled by the fact that out bound was working. The tough part of this problem was figuring out how to trouble shoot it to see where it was dying. Anyway thankyou so much for the help.

Brad Bowers