05.02.2008 at 10:53AM PDT, ID: 23372433
Cisco ASA configuration example for Exchange 2007 Edge setup

Asked by sjiinfosys in Cisco PIX Firewall, Exchange Email Server, Networking Hardware Firewalls


I recently installed an ASA5520 (replaced a PIX 515) and Exchange 2007 on our network.  For Exchange, I have two servers.  One is in our network and hosts the Hub/CA/Mailbox roles, and the other, hosting the Edge Transport role, is in the DMZ.  Everything is working, but I'm not quite comfortable with my current ASA configuration.  I was hoping someone could provide me with a sample configuration that I can use to compare mine to.  I will also provide the lines I added to the ASA configuration to get Exchange to work.

I currently have a Cisco ASA5520 with 3 interfaces configured.
Interface 0 outside sec 0(connected directly to my ISP)
Interface 1 inside 192.168.120.1 sec 100 (connected to my internal network which has my Exchange 2007 Hub/CA/Mailbox server)
Interface 2 dmz 192.168.126.1 sec 80 (currently connected directly to my Exchange 2007 Edge server)

My Edge server has an IP of 192.168.126.10.  I have a static nat to a public address.
static (dmz,outside) 2xx.x.x.123 192.168.126.10 netmask 255.255.255.255

My Hub/CA/Mailbox server has an IP of 192.168.120.12.  I have this static nat:
static (inside,dmz) 192.168.120.12 192.168.120.12 netmask 255.255.255.255

For access lists I have:  (The 64.x.x.x address is for my SPAM filter provider)
access-list outside_in extended permit tcp 64.x.x.x 255.255.240.0 host 2xx.x.x.123 eq smtp
access-group outside_in in interface outside

access-list dmz_in extended permit tcp any host 192.168.120.12 eq smtp
access-list dmz_in extended permit tcp any host 192.168.120.12 eq 50389
access-list dmz_in extended permit tcp any host 192.168.120.12 eq 50636
access-list dmz_in extended permit ip any any
access-group dmz_in in interface dmz

The following lines were copied over from our old PIX, but I assume they have something to do with things working.
access-list outbound extended permit ip any any
access-group outbound in interface inside

I watch the ACL counters, and things just don't seem right.  I never see a hit on 50636 or 50389.  Also, I can remote desktop from my Edge server to the Mailbox server, but not from the Mailbox to the Edge.  This should be reversed.

Mark
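As an added example (not part of the question or any answer on this page), the small Python evaluator below walks the ACLs quoted above in order and reports which line a given flow hits. It illustrates why the 50389/50636 entries on dmz_in stay at zero: EdgeSync connections are initiated by the Hub Transport server towards the Edge server, so they enter on the inside interface and are checked against the `outbound` list, while dmz_in only sees Edge-to-Hub traffic, and it is the trailing `permit ip any any` on dmz_in that admits RDP from the DMZ. The octets masked in the question are replaced with constructed documentation addresses (198.51.100.0/20 for the SPAM filter, 192.0.2.123 for the public NAT address); these are assumptions, not the asker's real values.

```python
"""Evaluate ASA-style extended ACL entries, first match wins, implicit deny at the end."""
import ipaddress

PORT_NAMES = {"smtp": 25, "www": 80, "https": 443}  # named ports the ASA accepts after "eq"

# ACL lines from the question. Masked octets replaced with constructed
# documentation ranges (RFC 5737), NOT the asker's real addresses.
ACLS = {
    "outside_in": [
        "access-list outside_in extended permit tcp 198.51.100.0 255.255.240.0 host 192.0.2.123 eq smtp",
    ],
    "dmz_in": [
        "access-list dmz_in extended permit tcp any host 192.168.120.12 eq smtp",
        "access-list dmz_in extended permit tcp any host 192.168.120.12 eq 50389",
        "access-list dmz_in extended permit tcp any host 192.168.120.12 eq 50636",
        "access-list dmz_in extended permit ip any any",
    ],
    "outbound": ["access-list outbound extended permit ip any any"],
}

def _net(tokens, i):
    """Parse 'any' | 'host A' | 'A MASK' at tokens[i]; return (network, index after it)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_ace(line):
    """access-list NAME extended permit|deny PROTO SRC DST [eq PORT] -> dict."""
    t = line.split()
    action, proto = t[3], t[4]
    src, i = _net(t, 5)
    dst, i = _net(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def first_match(acl_name, src_ip, dst_ip, proto, dport):
    """Return (1-based ACE number, action) of the first hit, or (None, 'deny') for the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, line in enumerate(ACLS[acl_name], 1):
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", proto):
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return n, ace["action"]
    return None, "deny"

if __name__ == "__main__":
    # EdgeSync: Hub -> Edge tcp/50636 enters on "inside", so only "outbound" is consulted.
    print("EdgeSync Hub->Edge:", first_match("outbound", "192.168.120.12", "192.168.126.10", "tcp", 50636))
    # RDP from the Edge server reaches the Mailbox server via the final permit ip any any.
    print("RDP Edge->Mailbox:", first_match("dmz_in", "192.168.126.10", "192.168.120.12", "tcp", 3389))
```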

05.02.2008 at 11:40AM PDT, ID: 21489032
About this solution

Zones: Cisco PIX Firewall, Exchange Email Server, Networking Hardware Firewalls
Tags: Cisco, ASA5520, 7.2(2), Exchange 2007
Solution Provided By: Nothing_Changed
Participating Experts: 1
Solution Grade: A
05.02.2008 at 02:28PM PDT, ID: 21490157
05.02.2008 at 02:40PM PDT, ID: 21490206