Posted on 2003-02-20
Medium Priority
Last Modified: 2013-11-16
Hi ,

I'm trying to set up access to our internal email server through a PIX VPN tunnel for remote users. Our VPN is configured for RADIUS authentication, and downloadable access-lists are then applied to the user logging in. The users are able to hit the Exchange server, and while configuring the email profile it will do so with the IP address and also resolve the name. I think it uses the DNS server for this. But after that I keep getting the message that the station is unable to contact the Exchange server. I thought it could be because of WINS, so I added the VPNGROUP WINS-Server parameter and also added ACL entries for ports 135-139 TCP/UDP for the WINS server. After this, though, I think the client is still using DNS.

I would appreciate some help in configuring Exchange email access through a PIX VPN.
Question by:zoonyspaz

Expert Comment

ID: 7987816
Email is not a WINS thing, so that should not be a factor.
Make sure the users are using the inside IP address to connect to. Probably the email server also has an outside one, since it is an email server.
The PIX VPN client transparently connects users to the network, so if the client and the PIX are configured correctly, then the user's PC should act as though it were directly connected to the inside LAN.
In enable mode on the PIX, enable ICMP to test pings by:
conduit permit icmp any any
While the VPN client is active, try pinging another inside address. If that works, then the VPN and PIX side is OK. If it doesn't work, probably the PIX config is incorrect.
Disable ICMP when done testing: no conduit permit icmp any any


Author Comment

ID: 7988550
I agree about WINS. The IP address of the server is the same on the inside and outside. Although we are using NAT, the IP address of the server is translated onto itself, so the outside and inside are the same. Also, the Exchange server uses ports 1225, 1226, 1227 for the DS, IS and SA respectively. I opened up the ports on the PIX for the VPN. I also opened up port 135 for RPC. Still no go. The name would resolve OK, but the email client (Outlook) would freeze up after that. I am able to get to all other resources OK. It's just email that we are having a problem with. I saw somewhere that the X.400 connector port needs to be opened. Is that true?

Any help would be appreciated.

Accepted Solution

lrmoore earned 100 total points
ID: 7989558
Have you enabled logging on the PIX so you can see if any packets are getting denied? That is where I always look when troubleshooting this type of thing.

Are you using the Cisco VPN client, or Microsoft PPTP VPN?
Are remote users on broadband? With a router? And DSL or cable?
If DSL, using PPPoE, you must change the MTU size. If using the Cisco VPN client, there is a Set MTU utility. Set it to 1300 and all troubles are gone.

If not using Cisco client, and there is a router, perhaps the router has a setting for MTU size. I know my Linksys does... It is generally not required to change it for Cable, but PPPoE adds more overhead.


Expert Comment

ID: 8089041
The connection to an Exchange server might be done through the IP number. However, once the initial connection is made using port 135, the Exchange server sends what it thinks is its name to the client, and the client then uses name lookup [1] and connects to whatever the name resolves to. These connections are done on dynamic ports, but can be configured to two static ports. So, in the end, you have to get the client to resolve the name that the Exchange server sends to the client.

[1] Primarily DNS, but I guess you could get it to use WINS as well.
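An added illustration of the point above (this is not code from the thread): a toy evaluator for the kind of downloadable access-list the asker describes, with constructed addresses and the port numbers from this thread. It shows the MAPI session passing when the Information Store is pinned to a static port and stalling at the second connection when the server hands back a dynamic one, which is where a PIX deny log entry would appear.

```python
# Added example, not from the thread. Addresses and ACL entries are constructed
# to mirror the thread: RPC endpoint mapper on 135, DS/IS/SA on 1225-1227.
from dataclasses import dataclass

EXCHANGE = "10.0.0.25"      # constructed inside address of the Exchange server

@dataclass(frozen=True)
class Ace:
    """One permit entry: protocol, destination host and inclusive port range."""
    proto: str
    dst: str
    lo: int
    hi: int

# The downloadable ACL applied to the VPN user, as described in the thread.
VPN_ACL = [
    Ace("tcp", EXCHANGE, 135, 135),     # RPC endpoint mapper
    Ace("tcp", EXCHANGE, 1225, 1227),   # DS, IS, SA pinned to static ports
]

def permitted(acl, proto, dst, port):
    """First-match permit with an implicit deny at the end, like a PIX ACL."""
    return any(a.proto == proto and a.dst == dst and a.lo <= port <= a.hi
               for a in acl)

def mapi_session(acl, store_port):
    """Walk the connection sequence the comment describes: the client hits the
    endpoint mapper on 135, then the port the server hands back for the
    Information Store. Returns [(port, allowed), ...] and stops at the first
    denied step, which is the point where Outlook appears to freeze."""
    steps = []
    for port in (135, store_port):
        ok = permitted(acl, "tcp", EXCHANGE, port)
        steps.append((port, ok))
        if not ok:
            break
    return steps

if __name__ == "__main__":
    # Store pinned to 1226: both steps pass
    print(mapi_session(VPN_ACL, 1226))
    # Store answers with a dynamic port: 135 passes, the second connection is dropped
    print(mapi_session(VPN_ACL, 3421))
```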

Expert Comment

ID: 8118032
To test if DNS is your problem, and as a work-around, add the name and IP of the server to your HOSTS file (C:\WINDOWS\system32\drivers\etc\hosts).

Assisted Solution

jlindq earned 100 total points
ID: 8260915
Did you get this to work?

Expert Comment

ID: 9816089
This question has been classified as abandoned. I will make a recommendation to the moderators on its resolution in approximately one week. I would appreciate any comments by the experts that would help me in making a recommendation.

It is assumed that any participant not responding to this request is no longer interested in its final disposition.

If the asker does not know how to close the question, the options are here:

EE Page Editor

Expert Comment

ID: 9816132
I would say all three of us who have contributed have provided helpful input. Which one of our comments would lead to a solution depends on the problem, and since there has been no feedback, I'd suggest splitting the points across all participants.

Expert Comment

ID: 9872289
No comment has been added lately, so it's time to clean up this TA.
I will leave the following recommendation for this question in the Cleanup topic area:

Split: lrmoore {http:#7989558} & jlindq {http:#8089041}

Please leave any comments here within the next seven days.

EE Page Editor
