Firewall and Exchange Question

Posted on 2001-06-14
Last Modified: 2013-11-16
We currently have a LAN connected to the internet through a Cisco Router running NAT.  One of our servers, basically the main one, is running Exchange as well as File and Print Services.

We have NO firewall and need one desparately.  Because our ISP has an MX record for our server it is wide open on the internet.  

We are interested in getting a firewall, any recommendations?  Good time to get a proxy server/firewall at this time?

The only thing coming inside would need to be email from the outside, how would we set this up on the firewall?  Just open a certain port?  Which one?
Question by:jbiggs19
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +9
LVL 11

Expert Comment

ID: 6191549
I like the Cisco PIX as a nice fast hardware solution.  If you want more features then Checkpoint FW-1 is a good firewall.  It sounds like you could get away with the lower end PIX and save yourself some money.  If all you need inbound is internet mail, the only port you need to open is 25(SMTP).  If you want people to be able to check their mail from the outside via POP3 or Outlook Web Access, you will need to open 110(POP3) and/or 80(HTTP).
LVL 79

Expert Comment

ID: 6191960
I agree with geoffryn and I like the PIX.
Depending on your budget, you may be able to upgrade your router with the Firewall IOS for less money and accomplish much the same thing.
However, if budget allows, there is an old saying -
"let routers route and firewalls be the firewall". putting too many tasks onto the router bogs it down, but for small offices it may be the perfect solution.

Just to re-state what geoffyn said about ports:

smtp - TCP port 25 - must be open both ways for the server to send and to receive.

If you have roving users that access their email from home or travel, open TCP port 110 for POP3, TCP port 443 for SSL, and if you use the web-based access, TCP port 80..

LVL 14

Expert Comment

ID: 6192518
Might also check out the low-end netscreen's.  They're pretty inexpensive, easy to configure, and fast.
Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

LVL 12

Expert Comment

ID: 6193214
I agree with chris_calabrese, Netscreen is faster , much much easier to configure... All you'd need to do is setup inbound smtp... port 25. I suggest a NS-5 elite. (Elite meaning unlimitted users). There is no advantage & several disadvantages between Pix & netscreen..

Expert Comment

ID: 6196389
I've been working with the Cisco PIX 515-UR,520-UR, FO firewalls and there pretty easy to set up...CISCO has a low end unit 506(handles 5 VPN sessions) to a beefy 512MB PIX 535...

Expert Comment

ID: 6199751
well i didnt work with the PIX and i dont know how fast is it, but i am working with Biodata BIGfire+, real peace of cack with its management software, and no butel nick and you can connect your mail server to Admin port and control the trafic to it.
and the price is resnable.....

Author Comment

ID: 6203247
Currently we have an existing Cisco 2514 router performing NAT, we might just upgrade the IOS on this to the firewall version.
LVL 11

Expert Comment

ID: 6203278
Make sure that your have enough RAM on the router,  The IOS firewall can really bang on the CPU and memory.

Expert Comment

ID: 6204932
Yeah I would not recommend upgrading the Cisco 2514 to the IOS firewall version.  Unless you want to pay more in memory upgrades then it would cost to get a small simple firewall.  I would look into something like the Watchgaurd Firebox 50.  It's about $700 unless you have less then 25 or even 10 users,  Then the cost for a hardware based firewall would be either $500 or $300 dollars respectively.  In case you didn't guess the Firebox 50 allows for 50 users.

I like the PIX more but even the bottom of the line PIX is still 1500.00
LVL 24

Expert Comment

ID: 6287567
To round out choice_list, Microsoft for IIS now has this:

Microsoft Internet Security and Acceleration Server 2000 (ISA) Technical Overview

Ports as above, unless you want more like ftp, open as needed.

Expert Comment

ID: 6439842
Cisco PIX is good in your situation

Expert Comment

ID: 6443044
I recommend the PIX 516..
You set up a nat pool,let say 10.2.X.X/16 on your firewall.Then create a static entry to associate the real ip to IP internally. Finally open the ports required for pop and smtp by using access-list commands with pix 5.0 version or higher or conduit commands such as...
static (inside,outside) netmask 0 0
conduit permit tcp host eq smtp any
conduit permit tcp host eq pop3 any
LVL 79

Expert Comment

ID: 7708986
This question appears to be abandoned. I will allow one week before I close this

question with the following recommendation:

I recommend splitting  rejecting RUSTLER's proposed answer and awarding points to each
20 to geoffryn
20 to lrmoore
20 to jwalsh88
20 to sunbow
20 to alfaisal

if there is any objection to this recommendation then please post in here within

7 days.


EE Cleanup Volunteer
LVL 79

Expert Comment

ID: 7956726
That much point split not a good idea. PAQ.

Accepted Solution

Netminder earned 0 total points
ID: 7963226
Per recommendation, points NOT refunded and question closed.

EE Admin

Expert Comment

ID: 9706091
Hey people,

No comment has been added in roughly 1 year, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question
be PAQ'd and pts forfeited.
Please leave any comments here within the next seven days.


EE Page Editor

..................................again :)

Featured Post

Webinar May 25: Cloud Security Strategies for SMBs

Small and mid-sized businesses are a driving force behind cloud adoption, and it’s no wonder: cloud benefits are BIG.  But for all the convenience that moving to the cloud provides, where does security come into play?

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

A hard and fast method for reducing Active Directory Administrators members.
I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
Sending a Secure fax is easy with eFax Corporate ( First, just open a new email message. In the To field, type your recipient's fax number You can even send a secure international fax — just include t…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

710 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question