Firewall and Exchange Question

Posted on 2001-06-14
Last Modified: 2013-11-16
We currently have a LAN connected to the internet through a Cisco Router running NAT.  One of our servers, basically the main one, is running Exchange as well as File and Print Services.

We have NO firewall and need one desparately.  Because our ISP has an MX record for our server it is wide open on the internet.  

We are interested in getting a firewall, any recommendations?  Good time to get a proxy server/firewall at this time?

The only thing coming inside would need to be email from the outside, how would we set this up on the firewall?  Just open a certain port?  Which one?
Question by:jbiggs19
  • 3
  • 2
  • 2
  • +9
LVL 11

Expert Comment

ID: 6191549
I like the Cisco PIX as a nice fast hardware solution.  If you want more features then Checkpoint FW-1 is a good firewall.  It sounds like you could get away with the lower end PIX and save yourself some money.  If all you need inbound is internet mail, the only port you need to open is 25(SMTP).  If you want people to be able to check their mail from the outside via POP3 or Outlook Web Access, you will need to open 110(POP3) and/or 80(HTTP).
LVL 79

Expert Comment

ID: 6191960
I agree with geoffryn and I like the PIX.
Depending on your budget, you may be able to upgrade your router with the Firewall IOS for less money and accomplish much the same thing.
However, if budget allows, there is an old saying -
"let routers route and firewalls be the firewall". putting too many tasks onto the router bogs it down, but for small offices it may be the perfect solution.

Just to re-state what geoffyn said about ports:

smtp - TCP port 25 - must be open both ways for the server to send and to receive.

If you have roving users that access their email from home or travel, open TCP port 110 for POP3, TCP port 443 for SSL, and if you use the web-based access, TCP port 80..

LVL 14

Expert Comment

ID: 6192518
Might also check out the low-end netscreen's.  They're pretty inexpensive, easy to configure, and fast.
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

LVL 12

Expert Comment

ID: 6193214
I agree with chris_calabrese, Netscreen is faster , much much easier to configure... All you'd need to do is setup inbound smtp... port 25. I suggest a NS-5 elite. (Elite meaning unlimitted users). There is no advantage & several disadvantages between Pix & netscreen..

Expert Comment

ID: 6196389
I've been working with the Cisco PIX 515-UR,520-UR, FO firewalls and there pretty easy to set up...CISCO has a low end unit 506(handles 5 VPN sessions) to a beefy 512MB PIX 535...

Expert Comment

ID: 6199751
well i didnt work with the PIX and i dont know how fast is it, but i am working with Biodata BIGfire+, real peace of cack with its management software, and no butel nick and you can connect your mail server to Admin port and control the trafic to it.
and the price is resnable.....

Author Comment

ID: 6203247
Currently we have an existing Cisco 2514 router performing NAT, we might just upgrade the IOS on this to the firewall version.
LVL 11

Expert Comment

ID: 6203278
Make sure that your have enough RAM on the router,  The IOS firewall can really bang on the CPU and memory.

Expert Comment

ID: 6204932
Yeah I would not recommend upgrading the Cisco 2514 to the IOS firewall version.  Unless you want to pay more in memory upgrades then it would cost to get a small simple firewall.  I would look into something like the Watchgaurd Firebox 50.  It's about $700 unless you have less then 25 or even 10 users,  Then the cost for a hardware based firewall would be either $500 or $300 dollars respectively.  In case you didn't guess the Firebox 50 allows for 50 users.

I like the PIX more but even the bottom of the line PIX is still 1500.00
LVL 24

Expert Comment

ID: 6287567
To round out choice_list, Microsoft for IIS now has this:

Microsoft Internet Security and Acceleration Server 2000 (ISA) Technical Overview

Ports as above, unless you want more like ftp, open as needed.

Expert Comment

ID: 6439842
Cisco PIX is good in your situation

Expert Comment

ID: 6443044
I recommend the PIX 516..
You set up a nat pool,let say 10.2.X.X/16 on your firewall.Then create a static entry to associate the real ip to IP internally. Finally open the ports required for pop and smtp by using access-list commands with pix 5.0 version or higher or conduit commands such as...
static (inside,outside) netmask 0 0
conduit permit tcp host eq smtp any
conduit permit tcp host eq pop3 any
LVL 79

Expert Comment

ID: 7708986
This question appears to be abandoned. I will allow one week before I close this

question with the following recommendation:

I recommend splitting  rejecting RUSTLER's proposed answer and awarding points to each
20 to geoffryn
20 to lrmoore
20 to jwalsh88
20 to sunbow
20 to alfaisal

if there is any objection to this recommendation then please post in here within

7 days.


EE Cleanup Volunteer
LVL 79

Expert Comment

ID: 7956726
That much point split not a good idea. PAQ.

Accepted Solution

Netminder earned 0 total points
ID: 7963226
Per recommendation, points NOT refunded and question closed.

EE Admin

Expert Comment

ID: 9706091
Hey people,

No comment has been added in roughly 1 year, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question
be PAQ'd and pts forfeited.
Please leave any comments here within the next seven days.


EE Page Editor

..................................again :)

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article outlines the process to identify and resolve account lockout in an Active Directory environment.
As cyber crime continues to grow in both numbers and sophistication, a troubling trend of optimization has emerged over the last year.
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

790 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question