Exchange server problems with the PIX 501.

Posted on 2003-11-03
Medium Priority
Last Modified: 2013-11-16
   For the last couple of months, off and on, I've been trying to tweak my PIX 501 for my SOHO needs and now that I'm re-motivated to get it working I hope someone can help me. Here is my problem(s).

   I have a Cable Modem connection to the internet which ties into my PIX's ouside interface. The PIX has 4 inside eth ports and one outside eth port. I am NAT'ing to my inside interfaces of my network. This all works fine except for my exchange server. I've read that you "must" do a static NAT traslation for the exchange server so that mail knows how to get in and out of the firewall which makes sense. I can get this working one of two ways. Either all of my workstations get access to the internet and the exchange server doesn't transfer mail correctly- or I insert the static NAT translation into the PIX and my exchange server will pass mail correctly but my workstations lose access to the internet? I'd like to have the best of both worlds so I'm hoping someone can assist me with this before I throw the thing out the window and stick with the measly little Linksys that "does" allow all this to work....I just don't have a warm and fuzzy about Linksys as a firewall product?

Here is a bit of config info that may help you out.

Lets just say that my outside interface is:
My inside interface for my exchange server is:
Also, I use static addresses for all of my inside workstations rather than allowing the PIX to do DHCP --> I'm not sure if this would help as far as translations go? My ISP gives me one static address and one dynamic address to use.

Another problem with the static NAT translation to the exchange server I see is with IPSec VPN. Will I be able to IPSec VPN into the PIX if it's public address is translated to the exchange server?

Thanks in advance for any/all help!

Question by:cdhansen10
  • 3
  • 2
  • 2
LVL 13

Expert Comment

ID: 9674925
can you post you config.

The short answer to all of your questions is "yes, it is possible to all of what you want at the same time"
LVL 79

Assisted Solution

lrmoore earned 400 total points
ID: 9675107
What you need is a static Port address translation, not a 1-1 static NAT:

static (inside,outside) tcp 25 25 netmask

Now, only smtp email will be forwarded to your server and everyone else can browse the internet at the same time.
AND, you can VPN into the PIX, too..

Author Comment

ID: 9684924
   It's still not working correctly so I'll go ahead and copy/paste my current (now bare bones minimum config to simplify things) here. I rebuilt it with a minimal config to get back to the basics but I still can't get it working correctly? Thanks in advance foranyone that helps get this thing working correctly. As of now it appears mail can go out....but it can't get in? I know it's not a DNS issue because mail works both ways when I swap the PIX out with a Linksys router. You'll notice a command  I inserted (name mail.mydomain-name.com) this was so that the pix knew how to get to my mail server. I guess the PIX needs to know something else about the mail server?

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***********
passwd ********** encrypted
hostname pix
domain-name mydomain-name.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
name mail.mydomain-name.com
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0 0
static (inside,outside) tcp smtp mail.mydomain-name.com smtp netmask 0 0
route outside 100.10.10..97 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet inside
telnet timeout 10
ssh timeout 5
console timeout 0
dhcpd address inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

LVL 13

Accepted Solution

td_miles earned 400 total points
ID: 9685014
You need an ACL to allow the traffic destined for your mail server to be able to enter the outside interface. Add the following lines:

access-list permit_mail permit tcp any host eq 25
access-group permit_mail in outside

The first line defines the access list to allow traffic to you server (it's NAT'ed public address on port 25. The second line applies the access-list to inbound traffic on the outside interface.

LVL 79

Assisted Solution

lrmoore earned 400 total points
ID: 9686599
Agree with td_miles about the inbound acl..

If it is exchange, you may also need to turn off fixup:

no fixup protocol smtp 25

LVL 13

Expert Comment

ID: 9690876
I've always wondered about that, they have the "fixup" for SMTP, but I have always found that it screws nearly every mail server up. In all of the PIX that I manage it is disabled. It seems like a good idea, but in practice it doesn't work. Is that a feature or a bug ?

Author Comment

ID: 9691571
   Thanks so much for your help!

td_miles and lrmoore --> you guys are awesome man! I read through all the Q & A questions before I made my first post a few days ago hoping to find the answer and I noticed you guys had answered a great deal of the questions.

I ended up inserting the ACL and I had to do the no fixup as well because it is an Exchange Server.

Thanks guys!

Featured Post

Get Certified for a Job in Cybersecurity

Want an exciting career in an emerging field? Earn your MS in Cybersecurity and get certified in ethical hacking or computer forensic investigation. WGU’s MSCSIA degree program was designed to meet the most recent U.S. Department of Homeland Security (DHS) and NSA guidelines.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
In this article, the configuration steps in Zabbix to monitor devices via SNMP will be discussed with some real examples on Cisco Router/Switch, Catalyst Switch, NAS Synology device.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Suggested Courses
Course of the Month8 days, 3 hours left to enroll

616 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question