Cisco Support Community

New Member

PIX with Exchange

Hi,

Would anyone be able to confirm or give me some hints for what I need to do to get an Exchange server functioning OK through a PIX (I have a 506, but I assume it's the same for all)?

Is it just a case of allowing it access out through nat/global and then having an access-list that allows port 25 traffic to the global IP address the server is using?

Or will I need a nat with a static and the access-list?

Many thanks for your time.

cheers

Andy

6 REPLIES
New Member

Re: PIX with Exchange

1. Static NAT the global address to the internal address of the Exchange server.

2. Have an access-list allowing port 25 to the global address of the server.

3. Disable the smtp fixup protocol if running into trouble.

New Member

Re: PIX with Exchange

Andy,

Three things:

Create a static mapping between the private IP of the Exchange server and the public IP that is associated with your MX record:

static (inside,outside) [pubIP] [privIP] netmask [subnetmask] 0 0

Create an access-list to allow port 25 traffic in:

access-list acl_out permit tcp any host [pubIPofMXrecord] eq smtp

Apply the access list to an access-group:

access-group acl_out in interface outside

Make sure to disable the fixup protocol for smtp because it does not work with Exchange:

no fixup protocol smtp 25

Do a write mem to save to memory.

Sincerely,

Alex Zaltsman


New Member

Re: PIX with Exchange

I'm running Exchange 5.5 and actually looking to switch to a Cisco firewall. I know that when I set up my firewall to allow Exchange, I checked the Microsoft Knowledge Base and used the following article to force certain ports for client access. You may want to read:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q148732

-JDN

New Member

Re: PIX with Exchange

FYI: this article is referring to making Exchange available to the Internet in the context of Outlook access, not transporting e-mail. To send and receive e-mail you only need port 25 open and mapped to the correct private IP address. I don't recommend that anyone allow direct access to Exchange services from the Internet. Instead, a VPN is a better solution.
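The setup described in the replies above (one static mapping, an inbound permit for SMTP only, the ACL applied to the outside interface, SMTP fixup off) can be checked mechanically. The following is an added example, not code from any poster: it parses only the command forms quoted in this thread, and the addresses and sample configs are constructed.

```python
# Added example: audits a PIX 6.x style config against the advice in this thread.
# Only the command forms quoted in the thread are parsed; other lines are ignored.
SMTP = {"smtp", "25"}

def audit_pix(config):
    statics, permits, bound, fixup = {}, [], set(), False
    for line in config.splitlines():
        t = line.split()
        if len(t) >= 4 and t[0] == "static":
            statics[t[2]] = t[3]                      # public IP -> private IP
        elif t[:3] == ["fixup", "protocol", "smtp"]:
            fixup = True                              # "no fixup ..." starts with "no"
        elif len(t) == 5 and t[0] == "access-group" and t[2:] == ["in", "interface", "outside"]:
            bound.add(t[1])                           # ACL applied inbound on outside
        elif len(t) >= 7 and t[0] == "access-list" and t[2:6] == ["permit", "tcp", "any", "host"]:
            port = t[8] if len(t) >= 9 and t[7] == "eq" else "any"
            permits.append((t[1], t[6], port))        # (ACL name, public IP, port)
    findings = []
    for pub, priv in statics.items():
        ports = {p for acl, ip, p in permits if ip == pub and acl in bound}
        if not ports & SMTP:
            findings.append(f"{pub}: no inbound SMTP permit on an applied ACL")
        for p in sorted(ports - SMTP):
            findings.append(f"{pub} -> {priv}: tcp/{p} exposed besides SMTP")
    for acl in sorted({a for a, _, _ in permits} - bound):
        findings.append(f"ACL {acl} is not applied to the outside interface")
    if fixup:
        findings.append("fixup protocol smtp is still enabled")
    return findings

# Constructed sample configs (documentation addresses, not from the thread).
GOOD = """\
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 0 0
access-list acl_out permit tcp any host 203.0.113.10 eq smtp
access-group acl_out in interface outside
no fixup protocol smtp 25
"""
LOOSE = """\
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 0 0
access-list acl_out permit tcp any host 203.0.113.10 eq smtp
access-list acl_out permit tcp any host 203.0.113.10 eq 135
access-group acl_out in interface outside
fixup protocol smtp 25
"""

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("LOOSE", LOOSE)):
        print(name, audit_pix(cfg) or "ok")
```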

New Member

Re: PIX with Exchange

Thanks very much for your time. At the moment everything looks like it's working a treat.

cheers

Andy

New Member

Re: PIX with Exchange

Here is a list of well-known ports used by Windows and Exchange. Hope it helps.

Browsing                   UDP:137,138
DHCP Lease                 UDP:67,68
DHCP Manager               TCP:135
Directory Replication      UDP:138 TCP:139
DNS Administration         TCP:135
DNS Resolution             UDP:53
Event Viewer               TCP:139
File Sharing               TCP:139
Logon Sequence             UDP:137,138 TCP:139
NetLogon                   UDP:138
Pass Through Validation    UDP:137,138 TCP:139
Performance Monitor        TCP:139
PPTP                       TCP:1723 IP Protocol:47 (GRE)
Printing                   UDP:137,138 TCP:139
Registry Editor            TCP:139
Server Manager             TCP:139
Trusts                     UDP:137,138 TCP:139
User Manager               TCP:139
WinNT Diagnostics          TCP:139
WinNT Secure Channel       UDP:137,138 TCP:139
WINS Replication           TCP:42
WINS Manager               TCP:135
WINS Registration          TCP:137

List of Ports Used by WLBS and Convoy for Cluster Control:

Function                   Static ports
--------                   ------------
Convoy                     UDP:1717
WLBS                       UDP:2504

List of Ports Used by Microsoft Exchange Server version 5.0:

Function                   Static ports
--------                   ------------
Client/Server Comm.        TCP:135
Exchange Administrator     TCP:135
IMAP                       TCP:143
IMAP (SSL)                 TCP:993
LDAP                       TCP:389
LDAP (SSL)                 TCP:636
MTA - X.400 over TCP/IP    TCP:102
POP3                       TCP:110
POP3 (SSL)                 TCP:995
RPC                        TCP:135
SMTP                       TCP:25
NNTP                       TCP:119
NNTP (SSL)                 TCP:563
