Exchange server problems with the PIX 501.

All,
   For the last couple of months, off and on, I've been trying to tweak my PIX 501 for my SOHO needs and now that I'm re-motivated to get it working I hope someone can help me. Here is my problem(s).

   I have a Cable Modem connection to the internet which ties into my PIX's ouside interface. The PIX has 4 inside eth ports and one outside eth port. I am NAT'ing to my inside interfaces of my network. This all works fine except for my exchange server. I've read that you "must" do a static NAT traslation for the exchange server so that mail knows how to get in and out of the firewall which makes sense. I can get this working one of two ways. Either all of my workstations get access to the internet and the exchange server doesn't transfer mail correctly- or I insert the static NAT translation into the PIX and my exchange server will pass mail correctly but my workstations lose access to the internet? I'd like to have the best of both worlds so I'm hoping someone can assist me with this before I throw the thing out the window and stick with the measly little Linksys that "does" allow all this to work....I just don't have a warm and fuzzy about Linksys as a firewall product?

Here is a bit of config info that may help you out.

Lets just say that my outside interface is: 100.10.10.10
My inside interface for my exchange server is: 192.168.1.150
Also, I use static addresses for all of my inside workstations rather than allowing the PIX to do DHCP --> I'm not sure if this would help as far as translations go? My ISP gives me one static address and one dynamic address to use.

Another problem with the static NAT translation to the exchange server I see is with IPSec VPN. Will I be able to IPSec VPN into the PIX if it's public address is translated to the exchange server?

Thanks in advance for any/all help!

-Craig
cdhansen10Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

td_milesCommented:
can you post you config.

The short answer to all of your questions is "yes, it is possible to all of what you want at the same time"
0
lrmooreCommented:
What you need is a static Port address translation, not a 1-1 static NAT:

example:
static (inside,outside) tcp 100.10.10.10 25 192.168.1.150 25 netmask 255.255.255.255

Now, only smtp email will be forwarded to your server and everyone else can browse the internet at the same time.
AND, you can VPN into the PIX, too..
0
cdhansen10Author Commented:
All,
   It's still not working correctly so I'll go ahead and copy/paste my current (now bare bones minimum config to simplify things) here. I rebuilt it with a minimal config to get back to the basics but I still can't get it working correctly? Thanks in advance foranyone that helps get this thing working correctly. As of now it appears mail can go out....but it can't get in? I know it's not a DNS issue because mail works both ways when I swap the PIX out with a Linksys router. You'll notice a command  I inserted (name 192.168.1.150 mail.mydomain-name.com) this was so that the pix knew how to get to my mail server. I guess the PIX needs to know something else about the mail server?

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***********
passwd ********** encrypted
hostname pix
domain-name mydomain-name.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.150 mail.mydomain-name.com
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 100.10.10.10 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 100.10.10.10 smtp mail.mydomain-name.com smtp netmask
 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 100.10.10..97 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 10
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
0
Identify and Prevent Potential Cyber-threats

Become the white hat who helps safeguard our interconnected world. Transform your career future by earning your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

td_milesCommented:
You need an ACL to allow the traffic destined for your mail server to be able to enter the outside interface. Add the following lines:

access-list permit_mail permit tcp any host 100.10.10.10 eq 25
access-group permit_mail in outside

The first line defines the access list to allow traffic to you server (it's NAT'ed public address 100.10.10.10) on port 25. The second line applies the access-list to inbound traffic on the outside interface.

0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
lrmooreCommented:
Agree with td_miles about the inbound acl..

If it is exchange, you may also need to turn off fixup:

no fixup protocol smtp 25

0
td_milesCommented:
I've always wondered about that, they have the "fixup" for SMTP, but I have always found that it screws nearly every mail server up. In all of the PIX that I manage it is disabled. It seems like a good idea, but in practice it doesn't work. Is that a feature or a bug ?
0
cdhansen10Author Commented:
All,
   Thanks so much for your help!

td_miles and lrmoore --> you guys are awesome man! I read through all the Q & A questions before I made my first post a few days ago hoping to find the answer and I noticed you guys had answered a great deal of the questions.

I ended up inserting the ACL and I had to do the no fixup as well because it is an Exchange Server.

Thanks guys!
-Craig
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Software Firewalls

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.