Exchange server problems with the PIX 501.

Posted on 2003-11-03
Last Modified: 2013-11-16
   For the last couple of months, off and on, I've been trying to tweak my PIX 501 for my SOHO needs and now that I'm re-motivated to get it working I hope someone can help me. Here is my problem(s).

   I have a Cable Modem connection to the internet which ties into my PIX's ouside interface. The PIX has 4 inside eth ports and one outside eth port. I am NAT'ing to my inside interfaces of my network. This all works fine except for my exchange server. I've read that you "must" do a static NAT traslation for the exchange server so that mail knows how to get in and out of the firewall which makes sense. I can get this working one of two ways. Either all of my workstations get access to the internet and the exchange server doesn't transfer mail correctly- or I insert the static NAT translation into the PIX and my exchange server will pass mail correctly but my workstations lose access to the internet? I'd like to have the best of both worlds so I'm hoping someone can assist me with this before I throw the thing out the window and stick with the measly little Linksys that "does" allow all this to work....I just don't have a warm and fuzzy about Linksys as a firewall product?

Here is a bit of config info that may help you out.

Lets just say that my outside interface is:
My inside interface for my exchange server is:
Also, I use static addresses for all of my inside workstations rather than allowing the PIX to do DHCP --> I'm not sure if this would help as far as translations go? My ISP gives me one static address and one dynamic address to use.

Another problem with the static NAT translation to the exchange server I see is with IPSec VPN. Will I be able to IPSec VPN into the PIX if it's public address is translated to the exchange server?

Thanks in advance for any/all help!

Question by:cdhansen10
  • 3
  • 2
  • 2
LVL 13

Expert Comment

Comment Utility
can you post you config.

The short answer to all of your questions is "yes, it is possible to all of what you want at the same time"
LVL 79

Assisted Solution

lrmoore earned 100 total points
Comment Utility
What you need is a static Port address translation, not a 1-1 static NAT:

static (inside,outside) tcp 25 25 netmask

Now, only smtp email will be forwarded to your server and everyone else can browse the internet at the same time.
AND, you can VPN into the PIX, too..

Author Comment

Comment Utility
   It's still not working correctly so I'll go ahead and copy/paste my current (now bare bones minimum config to simplify things) here. I rebuilt it with a minimal config to get back to the basics but I still can't get it working correctly? Thanks in advance foranyone that helps get this thing working correctly. As of now it appears mail can go out....but it can't get in? I know it's not a DNS issue because mail works both ways when I swap the PIX out with a Linksys router. You'll notice a command  I inserted (name this was so that the pix knew how to get to my mail server. I guess the PIX needs to know something else about the mail server?

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***********
passwd ********** encrypted
hostname pix
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0 0
static (inside,outside) tcp smtp smtp netmask 0 0
route outside 100.10.10..97 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet inside
telnet timeout 10
ssh timeout 5
console timeout 0
dhcpd address inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

LVL 13

Accepted Solution

td_miles earned 100 total points
Comment Utility
You need an ACL to allow the traffic destined for your mail server to be able to enter the outside interface. Add the following lines:

access-list permit_mail permit tcp any host eq 25
access-group permit_mail in outside

The first line defines the access list to allow traffic to you server (it's NAT'ed public address on port 25. The second line applies the access-list to inbound traffic on the outside interface.

LVL 79

Assisted Solution

lrmoore earned 100 total points
Comment Utility
Agree with td_miles about the inbound acl..

If it is exchange, you may also need to turn off fixup:

no fixup protocol smtp 25

LVL 13

Expert Comment

Comment Utility
I've always wondered about that, they have the "fixup" for SMTP, but I have always found that it screws nearly every mail server up. In all of the PIX that I manage it is disabled. It seems like a good idea, but in practice it doesn't work. Is that a feature or a bug ?

Author Comment

Comment Utility
   Thanks so much for your help!

td_miles and lrmoore --> you guys are awesome man! I read through all the Q & A questions before I made my first post a few days ago hoping to find the answer and I noticed you guys had answered a great deal of the questions.

I ended up inserting the ACL and I had to do the no fixup as well because it is an Exchange Server.

Thanks guys!

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

This is about downgrading PIX Version 8.0(4) & ASDM 6.1(5) to PIX 7.2(4) and ASDM 5.2(4) but with only 64MB RAM and 16MB flash. Background: You have a Cisco Pix 515E which was running on PIX 7.2(4) and its supporting ASDM 5.2(4) without any i…
This article will cover setting up redundant ISPs for outbound connectivity on an ASA 5510 (although the same should work on the 5520s and up as well).  It’s important to note that this covers outbound connectivity only.  The ASA does not have built…
Internet Business Fax to Email Made Easy - With eFax Corporate (, you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now