Solved: pix firewalls and microsoft exchange

melvynbrown · ‎06-19-2006

help required

i have set up a test network for practice sending email messages between

email servers in different windows 2000 domains

(for the network layout see attachment) what i am trying to acheive is

to send messages from a user in the cyote.com domain

(fred@cyote.com) who resides behind a pix 501 firewall to a user

in the acme.com domain (barney@acme.com) who resides behind a pix 515

firewall the network has been set up so that freds messages to barney

are sent to a dmz based front end email server in the acme.com domain

and are then proxied to the backend email server where barney's mailbox is

situated which resides off the inside interface of the 515 firewall.

the frontend and backend servers are members of the same active directory

domain and therefore there should be no problems of messages received at the

frontend server being relayed to the backend server.

but the problem i've have got is that it does not work when i send a message

from fred to barney outlook on freds computer (xp-1) tells me that the message

has been sent but it never arrives at barneys mailbox there are no error messages

anywhere relating to the sending of messages so i am not sure wether the problem

lies with the 501 firewall not allowing the messages through or at the 515 firewall

not allowing the messages through.

now i have just read that there are issues using microsoft exchange

(in this case exchange 2000 with service pack 3 applied) in conjunction

with cisco firewalls but my study guide is not very forthcoming about

how to resolve them.

so this a cry for help i have been working on this for 2 weeks and have not been

able to resolve this problem does anybody know what i have to do to the firewalls

to get this to work any help will be greatly appreciated.

ps

outlook web access through the front end server to barneys mailbox works

fine (if a little slow)

the pix 501 is running ios 6.3(4) and the 515 is running ios 7.0(4)

regards

melvyn brown

NetTech21 · ‎06-20-2006

A simple test to perform would be to telnet from fred's PC to the IP address of the intermediate box "telnet x.x.x.x 25' if that allows you through this portion is good. Move to the next peice of the puzzle.

As previously stated enter 'no fixup protocol smtp 25' at the pix.

View solution in original post

mike.butorac · ‎06-19-2006

Hello,

I have faced this problem long time ago. It is due to PIX 515 inspecting the SMTP messages between the exchange servers. Try disabling the SMTP fixup on the PIX firewall and this should solve the problem.

Let me know if this works,

Regards,

melvynbrown · ‎06-28-2006

Hi

yes it works fine there were a few problems along the way (faulty network card in one of the computers) and the biggest one which was that the 501 firewall will not for some reason pass

smtp traffic even when you disable the smtp fixup protocol so I had to use a dual Ethernet router in its place when I did that everything was fine.

A couple of questions I would like to ask is according to my exchange course instructor what he does when installing exchange in this configuration is to apply two addresses to the network card in the dmz based front end server one of which is dynamically assigned to the dns server for the domain you wish the front end server to join and an static entry in a publicly available dns server with the other one.It did not seem to make any difference if I applied two addresses or just used one he could not tell me why he just said that was what his instructor told him to do can you think of any reason why I would need to use two addresses.

And the other thing is that I was unsure when opening ports between the dmz and inside interfaces what parts of the access-list should point to what servers so what I did was to place a domain controller (192.168.1.2) & the backend exchange server (192.168.1.3) on the same subnet and point the access-list to the subnet instead of the individual servers.

i.e.

access-list 102 permit udp host 192.168.2.2 192.168.1.0 255.255.255.0 eq 53

access-list 102 permit udp host 192.168.2.2 192.168.1.0 255.255.255.0 eq 88

access-list 102 permit udp host 192.168.2.2 192.168.1.0 255.255.255.0 eq 389

access-list 102 permit tcp host 192.168.2.2 192.168.1.0 255.255.255.0 eq 53

access-list 102 permit tcp host 192.168.2.2 192.168.1.0 255.255.255.0 eq 88

access-list 102 permit tcp host 192.168.2.2 192.168.1.0 255.255.255.0 eq 135

access-list 102 permit tcp host 192.168.2.2 192.168.1.0 255.255.255.0 eq 389

access-list 102 permit tcp host 192.168.2.2 192.168.1.0 255.255.255.0 eq 445

access-list 102 permit tcp host 192.168.2.2 192.168.1.0 255.255.255.0 eq 143

access-list 102 permit tcp host 192.168.2.2 192.168.1.0 255.255.255.0 eq 80

access-list 102 permit tcp host 192.168.2.2 192.168.1.0 255.255.255.0 eq 25

access-list 102 permit tcp host 192.168.2.2 192.168.1.0 255.255.255.0 eq 110

access-list 102 permit tcp host 192.168.2.2 192.168.1.0 255.255.255.0 eq 691

access-list 102 permit tcp host 192.168.2.2 192.168.1.0 255.255.255.0 range 1024 65535

access-group 102 in interface dmz

This works but I am not sure if it is the way it should be done.

Anyway job done and thanks for your help.

Regards

Melvyn

NetTech21 · ‎06-20-2006

A simple test to perform would be to telnet from fred's PC to the IP address of the intermediate box "telnet x.x.x.x 25' if that allows you through this portion is good. Move to the next peice of the puzzle.

As previously stated enter 'no fixup protocol smtp 25' at the pix.