

Exchange server problems with the PIX 501.

Posted on 2003-11-03
Medium Priority
Last Modified: 2013-11-16
   For the last couple of months, off and on, I've been trying to tweak my PIX 501 for my SOHO needs and now that I'm re-motivated to get it working I hope someone can help me. Here is my problem(s).

   I have a Cable Modem connection to the internet which ties into my PIX's outside interface. The PIX has 4 inside eth ports and one outside eth port. I am NAT'ing to my inside interfaces of my network. This all works fine except for my exchange server. I've read that you "must" do a static NAT translation for the exchange server so that mail knows how to get in and out of the firewall which makes sense. I can get this working one of two ways. Either all of my workstations get access to the internet and the exchange server doesn't transfer mail correctly, or I insert the static NAT translation into the PIX and my exchange server will pass mail correctly but my workstations lose access to the internet? I'd like to have the best of both worlds so I'm hoping someone can assist me with this before I throw the thing out the window and stick with the measly little Linksys that "does" allow all this to work... I just don't have a warm and fuzzy about Linksys as a firewall product?

Here is a bit of config info that may help you out.

Let's just say that my outside interface is:
My inside interface for my exchange server is:
Also, I use static addresses for all of my inside workstations rather than allowing the PIX to do DHCP --> I'm not sure if this would help as far as translations go? My ISP gives me one static address and one dynamic address to use.

Another problem with the static NAT translation to the exchange server I see is with IPSec VPN. Will I be able to IPSec VPN into the PIX if it's public address is translated to the exchange server?

Thanks in advance for any/all help!

Question by:cdhansen10
LVL 13

Expert Comment

ID: 9674925
Can you post your config?

The short answer to all of your questions is "yes, it is possible to do all of what you want at the same time".
LVL 79

Assisted Solution

lrmoore earned 400 total points
ID: 9675107
What you need is a static Port address translation, not a 1-1 static NAT:

static (inside,outside) tcp 25 25 netmask

Now, only smtp email will be forwarded to your server and everyone else can browse the internet at the same time.
AND, you can VPN into the PIX, too..

Author Comment

ID: 9684924
   It's still not working correctly so I'll go ahead and copy/paste my current (now bare bones minimum config to simplify things) here. I rebuilt it with a minimal config to get back to the basics but I still can't get it working correctly? Thanks in advance for anyone that helps get this thing working correctly. As of now it appears mail can go out... but it can't get in? I know it's not a DNS issue because mail works both ways when I swap the PIX out with a Linksys router. You'll notice a command I inserted (name mail.mydomain-name.com); this was so that the pix knew how to get to my mail server. I guess the PIX needs to know something else about the mail server?

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***********
passwd ********** encrypted
hostname pix
domain-name mydomain-name.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
name mail.mydomain-name.com
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0 0
static (inside,outside) tcp smtp mail.mydomain-name.com smtp netmask 0 0
route outside 100.10.10..97 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet inside
telnet timeout 10
ssh timeout 5
console timeout 0
dhcpd address inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80

LVL 13

Accepted Solution

td_miles earned 400 total points
ID: 9685014
You need an ACL to allow the traffic destined for your mail server to be able to enter the outside interface. Add the following lines:

access-list permit_mail permit tcp any host eq 25
access-group permit_mail in outside

The first line defines the access list to allow traffic to your server (its NAT'ed public address) on port 25. The second line applies the access-list to inbound traffic on the outside interface.

LVL 79

Assisted Solution

lrmoore earned 400 total points
ID: 9686599
Agree with td_miles about the inbound acl..

If it is exchange, you may also need to turn off fixup:

no fixup protocol smtp 25
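The three points raised in this thread (lrmoore's static PAT instead of a 1-1 static, td_miles' inbound ACL on the outside interface, and the smtp fixup) can be checked mechanically. The Python audit below is an added example, not code from the thread or from Cisco; the two configs are constructed, and 203.0.113.5 is a placeholder for the redacted public address.

```python
# Constructed PIX 6.3 excerpts (not the poster's config); 203.0.113.5 is a
# documentation address standing in for the redacted public IP.
BROKEN = """\
fixup protocol smtp 25
ip address outside 203.0.113.5 255.255.255.248
global (outside) 1 interface
nat (inside) 1 0 0
static (inside,outside) tcp 203.0.113.5 smtp 192.168.1.10 smtp netmask 255.255.255.255 0 0
"""
FIXED = """\
no fixup protocol smtp 25
ip address outside 203.0.113.5 255.255.255.248
global (outside) 1 interface
nat (inside) 1 0 0
static (inside,outside) tcp 203.0.113.5 smtp 192.168.1.10 smtp netmask 255.255.255.255 0 0
access-list permit_mail permit tcp any host 203.0.113.5 eq smtp
access-group permit_mail in outside
"""
PORT25 = {"25", "smtp"}

def audit_pix(config):
    """Return findings for an inside mail server published through a PIX 6.x."""
    lines = [l.split() for l in config.splitlines() if l.strip()]
    outside_ip = next((t[3] for t in lines if t[:3] == ["ip", "address", "outside"]), None)
    smtp_fixup = ["fixup", "protocol", "smtp", "25"] in lines
    # ACL names bound inbound on outside, and their permit entries (source 'any' only)
    inbound = {t[1] for t in lines if t[0] == "access-group" and t[2:4] == ["in", "outside"]}
    permits = [t for t in lines if t[0] == "access-list" and t[1] in inbound and t[2] == "permit"]
    findings = []
    for t in lines:
        if t[0] != "static":
            continue
        if t[2] not in ("tcp", "udp"):  # 1-1 static: gaddr laddr netmask ...
            if t[2] == outside_ip:
                findings.append("1-1 static on the outside address conflicts with 'global (outside) 1 interface' PAT; use static PAT")
            continue
        proto, gaddr, gport = t[2], t[3], t[4]  # static PAT: proto gaddr gport laddr lport
        if gaddr == "interface":  # the 'interface' keyword form resolves to the outside address
            gaddr = outside_ip
        if gport not in PORT25:
            continue
        def allows(p):  # does one permit entry admit proto/25 to the published address?
            port_ok = len(p) == 7 or (len(p) == 9 and p[7] == "eq" and p[8] in PORT25)
            return p[3] in ("ip", proto) and p[4] == "any" and p[5:7] == ["host", gaddr] and port_ok
        if not any(allows(p) for p in permits):
            findings.append(f"no inbound ACL on outside permits tcp/25 to {gaddr}; add access-list ... eq 25 and access-group ... in outside")
        if smtp_fixup:
            findings.append("fixup protocol smtp 25 is on and tends to break Exchange; add 'no fixup protocol smtp 25'")
    return findings
```

Running audit_pix(BROKEN) reports the missing ACL and the active fixup, and audit_pix(FIXED) returns no findings.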

LVL 13

Expert Comment

ID: 9690876
I've always wondered about that, they have the "fixup" for SMTP, but I have always found that it screws nearly every mail server up. In all of the PIX that I manage it is disabled. It seems like a good idea, but in practice it doesn't work. Is that a feature or a bug ?

Author Comment

ID: 9691571
   Thanks so much for your help!

td_miles and lrmoore --> you guys are awesome man! I read through all the Q & A questions before I made my first post a few days ago hoping to find the answer and I noticed you guys had answered a great deal of the questions.

I ended up inserting the ACL and I had to do the no fixup as well because it is an Exchange Server.

Thanks guys!
