Firewall and Exchange Question

Posted on 2001-06-14
Medium Priority
Last Modified: 2013-11-16
We currently have a LAN connected to the internet through a Cisco Router running NAT.  One of our servers, basically the main one, is running Exchange as well as File and Print Services.

We have NO firewall and need one desparately.  Because our ISP has an MX record for our server it is wide open on the internet.  

We are interested in getting a firewall, any recommendations?  Good time to get a proxy server/firewall at this time?

The only thing coming inside would need to be email from the outside, how would we set this up on the firewall?  Just open a certain port?  Which one?
Question by:jbiggs19
  • 3
  • 2
  • 2
  • +9
LVL 11

Expert Comment

ID: 6191549
I like the Cisco PIX as a nice fast hardware solution.  If you want more features then Checkpoint FW-1 is a good firewall.  It sounds like you could get away with the lower end PIX and save yourself some money.  If all you need inbound is internet mail, the only port you need to open is 25(SMTP).  If you want people to be able to check their mail from the outside via POP3 or Outlook Web Access, you will need to open 110(POP3) and/or 80(HTTP).
LVL 79

Expert Comment

ID: 6191960
I agree with geoffryn and I like the PIX.
Depending on your budget, you may be able to upgrade your router with the Firewall IOS for less money and accomplish much the same thing.
However, if budget allows, there is an old saying -
"let routers route and firewalls be the firewall". putting too many tasks onto the router bogs it down, but for small offices it may be the perfect solution.


Just to re-state what geoffyn said about ports:

smtp - TCP port 25 - must be open both ways for the server to send and to receive.

If you have roving users that access their email from home or travel, open TCP port 110 for POP3, TCP port 443 for SSL, and if you use the web-based access, TCP port 80..

LVL 14

Expert Comment

ID: 6192518
Might also check out the low-end netscreen's.  They're pretty inexpensive, easy to configure, and fast.
Get 10% Off Your First Squarespace Website

Ready to showcase your work, publish content or promote your business online? With Squarespace’s award-winning templates and 24/7 customer service, getting started is simple. Head to Squarespace.com and use offer code ‘EXPERTS’ to get 10% off your first purchase.

LVL 12

Expert Comment

ID: 6193214
I agree with chris_calabrese, Netscreen is faster , much much easier to configure... All you'd need to do is setup inbound smtp... port 25. I suggest a NS-5 elite. (Elite meaning unlimitted users). There is no advantage & several disadvantages between Pix & netscreen..

Expert Comment

ID: 6196389
I've been working with the Cisco PIX 515-UR,520-UR, FO firewalls and there pretty easy to set up...CISCO has a low end unit 506(handles 5 VPN sessions) to a beefy 512MB PIX 535...

Expert Comment

ID: 6199751
well i didnt work with the PIX and i dont know how fast is it, but i am working with Biodata BIGfire+, real peace of cack with its management software, and no butel nick and you can connect your mail server to Admin port and control the trafic to it.
and the price is resnable.....

Author Comment

ID: 6203247
Currently we have an existing Cisco 2514 router performing NAT, we might just upgrade the IOS on this to the firewall version.
LVL 11

Expert Comment

ID: 6203278
Make sure that your have enough RAM on the router,  The IOS firewall can really bang on the CPU and memory.

Expert Comment

ID: 6204932
Yeah I would not recommend upgrading the Cisco 2514 to the IOS firewall version.  Unless you want to pay more in memory upgrades then it would cost to get a small simple firewall.  I would look into something like the Watchgaurd Firebox 50.  It's about $700 unless you have less then 25 or even 10 users,  Then the cost for a hardware based firewall would be either $500 or $300 dollars respectively.  In case you didn't guess the Firebox 50 allows for 50 users.

I like the PIX more but even the bottom of the line PIX is still 1500.00
LVL 24

Expert Comment

ID: 6287567
To round out choice_list, Microsoft for IIS now has this:

Microsoft Internet Security and Acceleration Server 2000 (ISA) Technical Overview

Ports as above, unless you want more like ftp, open as needed.

Expert Comment

ID: 6439842
Cisco PIX is good in your situation

Expert Comment

ID: 6443044
I recommend the PIX 516..
You set up a nat pool,let say 10.2.X.X/16 on your firewall.Then create a static entry to associate the real ip to IP internally. Finally open the ports required for pop and smtp by using access-list commands with pix 5.0 version or higher or conduit commands such as...
static (inside,outside) netmask 0 0
conduit permit tcp host eq smtp any
conduit permit tcp host eq pop3 any
LVL 79

Expert Comment

ID: 7708986
This question appears to be abandoned. I will allow one week before I close this

question with the following recommendation:

I recommend splitting  rejecting RUSTLER's proposed answer and awarding points to each
20 to geoffryn
20 to lrmoore
20 to jwalsh88
20 to sunbow
20 to alfaisal

if there is any objection to this recommendation then please post in here within

7 days.


EE Cleanup Volunteer
LVL 79

Expert Comment

ID: 7956726
That much point split not a good idea. PAQ.

Accepted Solution

Netminder earned 0 total points
ID: 7963226
Per recommendation, points NOT refunded and question closed.

EE Admin

Expert Comment

ID: 9706091
Hey people,

No comment has been added in roughly 1 year, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question
be PAQ'd and pts forfeited.
Please leave any comments here within the next seven days.


EE Page Editor

..................................again :)

Featured Post

WEBINAR: GDPR Implemented - Tips & Lessons Learned

Join the WatchGuard team on Thursday, March 29th as we recount some valuable lessons learned in weighing the needs of a business against the new regulatory environment, look ahead at the two months left before implementation, and help you understand the steps you can take today!

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Feeling responsible for an unfortunate ransomware infection on my parent's network, persistence paid off as I was able to decrypt a strain of ransomware that was not previously (or at least publicly) cracked. I hope this helps others out there affec…
The Super Bowl is just days away. Millions of advertising dollars will be spent in just a few hours to drive people to websites around the globe. Optimizing your site in anticipation of a big event like this (and the traffic surges that follow) will…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

607 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question