Solved

Exchange server problems with the PIX 501.

Posted on 2003-11-03
Last Modified: 2013-11-16
All,
   For the last couple of months, off and on, I've been trying to tweak my PIX 501 for my SOHO needs and now that I'm re-motivated to get it working I hope someone can help me. Here is my problem(s).

   I have a Cable Modem connection to the internet which ties into my PIX's outside interface. The PIX has 4 inside eth ports and one outside eth port. I am NAT'ing to my inside interfaces of my network. This all works fine except for my exchange server. I've read that you "must" do a static NAT translation for the exchange server so that mail knows how to get in and out of the firewall, which makes sense. I can get this working one of two ways. Either all of my workstations get access to the internet and the exchange server doesn't transfer mail correctly, or I insert the static NAT translation into the PIX and my exchange server will pass mail correctly but my workstations lose access to the internet? I'd like to have the best of both worlds, so I'm hoping someone can assist me with this before I throw the thing out the window and stick with the measly little Linksys that "does" allow all this to work....I just don't have a warm and fuzzy about Linksys as a firewall product?

Here is a bit of config info that may help you out.

Lets just say that my outside interface is: 100.10.10.10
My inside interface for my exchange server is: 192.168.1.150
Also, I use static addresses for all of my inside workstations rather than allowing the PIX to do DHCP --> I'm not sure if this would help as far as translations go? My ISP gives me one static address and one dynamic address to use.

Another problem with the static NAT translation to the exchange server I see is with IPSec VPN. Will I be able to IPSec VPN into the PIX if its public address is translated to the exchange server?

Thanks in advance for any/all help!

-Craig
Question by:cdhansen10
7 Comments
 
LVL 13

Expert Comment

by:td_miles
ID: 9674925
Can you post your config?

The short answer to all of your questions is "yes, it is possible to do all of what you want at the same time".
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 100 total points
ID: 9675107
What you need is a static Port address translation, not a 1-1 static NAT:

example:
static (inside,outside) tcp 100.10.10.10 25 192.168.1.150 25 netmask 255.255.255.255

Now, only smtp email will be forwarded to your server and everyone else can browse the internet at the same time.
AND, you can VPN into the PIX, too.
 

Author Comment

by:cdhansen10
ID: 9684924
All,
   It's still not working correctly, so I'll go ahead and copy/paste my current (now bare bones minimum config to simplify things) here. I rebuilt it with a minimal config to get back to the basics but I still can't get it working correctly? Thanks in advance for anyone that helps get this thing working correctly. As of now it appears mail can go out....but it can't get in? I know it's not a DNS issue because mail works both ways when I swap the PIX out with a Linksys router. You'll notice a command I inserted (name 192.168.1.150 mail.mydomain-name.com); this was so that the pix knew how to get to my mail server. I guess the PIX needs to know something else about the mail server?

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***********
passwd ********** encrypted
hostname pix
domain-name mydomain-name.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.150 mail.mydomain-name.com
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 100.10.10.10 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 100.10.10.10 smtp mail.mydomain-name.com smtp netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 100.10.10.97 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 10
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
 
LVL 13

Accepted Solution

by:td_miles
td_miles earned 100 total points
ID: 9685014
You need an ACL to allow the traffic destined for your mail server to be able to enter the outside interface. Add the following lines:

access-list permit_mail permit tcp any host 100.10.10.10 eq 25
access-group permit_mail in interface outside

The first line defines the access list to allow traffic to your server (its NAT'ed public address 100.10.10.10) on port 25. The second line applies the access-list to inbound traffic on the outside interface.

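As an added illustration of the two points made above (lrmoore's static PAT versus a 1:1 static NAT, and td_miles's inbound ACL), here is a small Python audit script. It is not part of the thread and not a Cisco tool; the function names, the subset of PIX 6.x syntax it understands, and the sample configs (built from the sanitized addresses used in the thread) are this example's own assumptions. It parses the name, ip address, global, static, access-list and access-group lines of a config and reports: statics with no matching permit in the ACL applied inbound on the outside interface (the poster's "mail goes out but not in" state), 1:1 statics (every port of the inside host exposed, and a clash with the global (outside) 1 interface pool when the static uses the interface address), and over-broad permits.

```python
from collections import namedtuple
from typing import List

# Port keywords the PIX CLI accepts instead of numbers (subset, for this example).
PORT_NAMES = {"smtp": 25, "www": 80, "https": 443, "ftp": 21, "domain": 53, "pop3": 110}
# proto is "tcp"/"udp" for a static PAT and None for a 1:1 static NAT (all ports).
Static = namedtuple("Static", "proto global_ip global_port local_ip local_port")
# dst is "any", a host address or "net/mask"; port None means any destination port.
Ace = namedtuple("Ace", "acl action proto dst port line")

def _port(tok: str) -> int:
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]

def _addr(t, i):
    """Consume one ACL address spec at t[i]; return (text, next index)."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    return f"{t[i]}/{t[i + 1]}", i + 2

def _portspec(t, i):
    """Consume an optional 'eq PORT' at t[i]; return (port or None, next index)."""
    if i < len(t) and t[i] == "eq":
        return _port(t[i + 1]), i + 2
    return None, i

def parse_pix(config: str) -> dict:
    """Pull the NAT and ACL facts out of a PIX 6.x style running-config (assumed syntax)."""
    c = {"names": {}, "outside_ip": None, "global_interface": False,
         "outside_acl": None, "statics": [], "aces": []}
    lines = [ln.split() for ln in config.splitlines() if ln.split()]
    for t in lines:                                   # first pass: definitions
        if t[0] == "name" and len(t) >= 3:
            c["names"][t[2]] = t[1]                   # symbolic name -> IP
        elif t[:3] == ["ip", "address", "outside"]:
            c["outside_ip"] = t[3]
    res = c["names"].get                              # resolve a name to its IP, else keep token
    for t in lines:
        if t[:2] == ["global", "(outside)"] and "interface" in t:
            c["global_interface"] = True
        elif t[:2] == ["static", "(inside,outside)"]:
            if t[2] in ("tcp", "udp"):                # static PAT: one port forwarded
                g = c["outside_ip"] if t[3] == "interface" else t[3]
                c["statics"].append(Static(t[2], g, _port(t[4]), res(t[5], t[5]), _port(t[6])))
            else:                                     # 1:1 static NAT: every port
                c["statics"].append(Static(None, t[2], None, res(t[3], t[3]), None))
        elif t[0] == "access-list" and len(t) > 4 and t[2] in ("permit", "deny"):
            _, i = _addr(t, 4)                        # source address
            _, i = _portspec(t, i)                    # optional source port
            dst, i = _addr(t, i)
            port, _ = _portspec(t, i)
            c["aces"].append(Ace(t[1], t[2], t[3], res(dst, dst), port, " ".join(t)))
        elif t[0] == "access-group" and "in" in t and t[-1] == "outside":
            c["outside_acl"] = t[1]
    return c

def audit(config: str) -> List[str]:
    """Return findings about inbound exposure; empty means only the intended ports are reachable."""
    c = parse_pix(config)
    out: List[str] = []
    inbound = [e for e in c["aces"] if e.acl == c["outside_acl"] and e.action == "permit"]
    if c["statics"] and c["outside_acl"] is None:
        out.append("no access-group inbound on outside: the PIX denies outside->inside by "
                   "default, so no static is reachable")
    for s in c["statics"]:
        if s.proto is None:
            out.append(f"1:1 static exposes every port of {s.local_ip} via {s.global_ip}")
            if c["global_interface"] and s.global_ip == c["outside_ip"]:
                out.append(f"1:1 static uses the outside interface address {s.global_ip}, which "
                           "'global (outside) 1 interface' also uses for outbound PAT")
            continue
        if not any(e.proto in ("ip", s.proto) and e.dst in ("any", s.global_ip)
                   and e.port in (None, s.global_port) for e in inbound):
            out.append(f"static {s.proto}/{s.global_port} -> {s.local_ip}:{s.local_port} "
                       "has no matching inbound permit on outside")
    out += [f"over-broad inbound permit: {e.line}" for e in inbound if e.dst == "any" or e.port is None]
    return out

# Constructed from the thread's sanitized config: static PAT for SMTP, no inbound ACL yet.
BEFORE = """\
name 192.168.1.150 mail.mydomain-name.com
ip address outside 100.10.10.10 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 100.10.10.10 smtp mail.mydomain-name.com smtp netmask 255.255.255.255 0 0
"""
# The same config with the accepted solution's two lines added.
AFTER = BEFORE + "access-list permit_mail permit tcp any host 100.10.10.10 eq 25\n" \
                 "access-group permit_mail in interface outside\n"
# Constructed variant of the 1:1 static the poster tried first.
ONE_TO_ONE = BEFORE.replace("tcp 100.10.10.10 smtp mail.mydomain-name.com smtp",
                            "100.10.10.10 mail.mydomain-name.com")

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER), ("1:1 static", ONE_TO_ONE)):
        print(f"{label}: {audit(cfg) or ['no findings']}")
```

Run against the thread's own config, the script reports that the SMTP static has no inbound permit; with the two accepted-solution lines added it reports nothing, which is the desired state of exactly one port reachable on one host. The 1:1 variant shows why that first attempt was the wrong shape: it exposes every port of the mail server and ties up the same address the workstations' outbound PAT is using.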
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 100 total points
ID: 9686599
Agree with td_miles about the inbound ACL.

If it is exchange, you may also need to turn off fixup:

no fixup protocol smtp 25

 
LVL 13

Expert Comment

by:td_miles
ID: 9690876
I've always wondered about that: they have the "fixup" for SMTP, but I have always found that it screws nearly every mail server up. In all of the PIX that I manage it is disabled. It seems like a good idea, but in practice it doesn't work. Is that a feature or a bug?
 

Author Comment

by:cdhansen10
ID: 9691571
All,
   Thanks so much for your help!

td_miles and lrmoore --> you guys are awesome man! I read through all the Q & A questions before I made my first post a few days ago hoping to find the answer and I noticed you guys had answered a great deal of the questions.

I ended up inserting the ACL and I had to do the no fixup as well because it is an Exchange Server.

Thanks guys!
-Craig
