mcfr6070

asked on

Pixs config with exchange 2003 and dmz

This question was opened due to the question below.
https://www.experts-exchange.com/questions/21115382/Exchange-2003-OWA-and-Pix.html

I need to configure the DMZ with the web server, and Exchange 2003, with the PIX.

Internet
    |
    |
Router
    |
    |
 Pix------DMZ: I want to put the web server and ftp server here and use port redirection
   |
   |
Private Lan(inside) with Active Directory DC, and DNS, "EXCHANGE 2003"

Two public IPs one for F/0 and one for outside pix. Please help with the config below.

ip address outside public_ip
ip address inside 192.168.10.1 255.255.255.0
ip address dmz 172.16.10.1 255.255.255.0  ????? Is this subnet right

Outside interface;

object-group service Web_Mail_Server tcp    
 Port-object eq www
 Port-object eq https    
 Port-object eq ftp
 Port-object eq email

access-list outside_in permit tcp any any object-group Web_Mail_Server
access-list outside_in deny ip any any
access-group outside_in in interface outside

DMZ
    access-list dmz_in permit ip any host 172.16.10.2  ?? or more restrictive
    access-list dmz_in deny ip any any

No Nat
access-list no_nat permit ip 192.168.10.0 255.255.255.0 host 172.16.20.2

nat (inside) 0 access-list no_nat
nat (inside) 2 0 0
nat (dmz) 2 0 0  ??? do i need this

Inside
  ????????

Static's
  static (dmz, outside) tcp interface www 172.16.10.2 www
  static (dmz, outside) tcp interface ftp 172.16.10.2 ftp
  static (inside, outside) tcp interface smtp 192.168.10.2 smtp
  static (inside, outside) tcp interface https 192.168.10.2 https  ??? How would i redirect https for OWA.

billwharton

mcr
Question

1) 172.16.10.2 is your Exchange & OWA server sitting in the DMZ and hence you need the following ports: http, https, ftp & smtp. Am I right?

2) 192.168.10.2 is your DC sitting in the inside. Right?
ASKER CERTIFIED SOLUTION
Les Moore

mcfr6070
ASKER

bill, the exchange server is in the inside,
 Exchange 192.168.10.2  smtp, and owa
 DC 192.168.10.3

DMZ
 172.16.10.2 web and ftp
irmoore, I got some questions on the config

>access-list outside_in deny ip any any   <=== DO NOT DO THIS!

Why should I not do this on the outside interface? The DMZ interface has it?

>The preferred way to bypass nat between inside and DMZ:

static (inside,dmz) 192.168.10.0 192.168.10.0 netmask 255.255.255.0

   Why is the same IP on the destination and source?
   If I were to use the NAT the way I had it, what problems would I have?

>Highly suggest you get another public IP address to redirect the https to.

  If I got another public IP, would I do the following to redirect the traffic to that IP?
   static (inside, outside) public_ip 192.168.10.4 netmask 255.255.255.255 0 0   remark assuming the .4 is a second interface on the exchange server and the .2 is the first
Would I need an ACL applied to the inside, or a static?? Not sure.

OK, one last question: do I need some ACLs for the inside? I guess my thought behind that is the fact that a lower interface will not be able to send SMTP requests to the inside Exchange. I know we have the static, but I thought you needed both a static and an ACL?

thank you for your help..

>>access-list outside_in deny ip any any   <=== DO NOT DO THIS!
>why should i not do this in the outside interface? the dmz interface has it?

The DMZ ACL has enough permits to allow traffic from specific servers/services.
The outside ACL with deny ip any any will block all returning traffic from connections initiated on the inside or from the DMZ (i.e. DNS queries, www browsing, etc.).

All unsolicited traffic from outside is automatically blocked, with ASA creating permits "on the fly" for return traffic coming back in response to a request from the inside (www browsing, etc.), unless and until you expressly permit it with an access-list (access-list outside_in permit tcp any host <host> object-group Web_Mail_Server).
The PIX is not IOS and the ACLs do not behave exactly the same as they do on a router. By setting an explicit deny all, you will block traffic.

>static (inside,dmz) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
>   why is the same ip on the destination and source?

This statement says that between the inside interface and the dmz, the IP subnet 192.168.10.0 is NOT natted. It is the same from the inside to the dmz.

The nat 0 statement was designed for IPSEC functions and works well for that. However, since the ACL is built with source/destination (i.e. inside to dmz) and only applied to the inside, the issue is confusing for traffic coming from the DMZ to the inside. It is simply much cleaner to use a static in this case.

> If i got another public ip would do the following to redirect the traffic to that ip?
>   static (inside, outside) public_ip 192.168.10.4 netmask 255.255.255.255 0 0  
Yes, but it  does not have to be a second interface on the server. Actually, it should be the one and only interface on the server
      static (inside, outside) new_public_ip 192.168.10.2 netmask 255.255.255.255 0 0
Or, you can reserve part of this 2nd IP and only use the port forwarding:
     static (inside, outside) tcp new_public_ip 25 192.168.10.4 25 netmask 255.255.255.255 0 0

>Would i need an acl applied to the inside or static?? not sure
No acls applied to the inside are necessary. If you feel the need, then suggest
 deny x
 deny y
 deny z
 permit ip any any  

>i thought you needed both a static and an acl?
Yes, but from higher security interface to lower security interface, the acl is default "permit ip any any" unless/until you change it (see above)
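As an added illustration of the rule just stated (not code from the thread or from Cisco), here is a small Python model of how a PIX 6.x decides a new connection between interfaces of different security levels: from a higher to a lower security interface the traffic is permitted unless an ACL bound to the source interface says otherwise (and once an ACL is bound, anything it does not permit is denied); from a lower to a higher interface a static must exist for the destination and the source interface's ACL must permit it. The statics and ACL entries are constructed from the addresses discussed in this thread, and 203.0.113.1 is a placeholder for the poster's "public_ip". The nat/global pair the inside hosts also need for outbound PAT is assumed present and not modelled.

```python
import ipaddress as ipa

# Constructed model of the three-interface PIX discussed in the thread (not the poster's config).
SECURITY = {"outside": 0, "dmz": 50, "inside": 100}
PUBLIC_IP = "203.0.113.1"   # placeholder standing in for the thread's "public_ip"
ANY = ipa.ip_network("0.0.0.0/0")


def net(spec):
    """'any', a host address or a CIDR prefix -> ip_network."""
    return ANY if spec == "any" else ipa.ip_network(spec, strict=False)


# Statics: (real_if, mapped_if, proto, mapped_addr, mapped_port, real_addr, real_port).
# The port-redirection statics hang off the single public address; the last entry is the
# identity static "static (inside,dmz) 192.168.10.0 192.168.10.0" that bypasses NAT between
# inside and dmz (proto/ports None = all traffic).
STATICS = [
    ("inside", "outside", "tcp", PUBLIC_IP, 25,  "192.168.10.2", 25),
    ("inside", "outside", "tcp", PUBLIC_IP, 443, "192.168.10.2", 443),
    ("dmz",    "outside", "tcp", PUBLIC_IP, 80,  "172.16.10.2",  80),
    ("dmz",    "outside", "tcp", PUBLIC_IP, 21,  "172.16.10.2",  21),
    ("inside", "dmz",     None,  "192.168.10.0/24", None, "192.168.10.0/24", None),
]

# ACLs bound inbound on each interface: (action, proto, src, dst, dst_port or None).
# There is deliberately no entry for "inside": with no ACL bound, higher-to-lower
# traffic is permitted by default, exactly as described above.
ACLS = {
    "outside": [("permit", "tcp", "any", PUBLIC_IP, p) for p in (80, 443, 21, 25)],
    "dmz": [
        ("permit", "ip",  "172.16.10.2", "192.168.10.0/24", None),
        ("permit", "udp", "172.16.10.2", "any", 53),
    ],
}


def acl_permits(ifname, proto, src, dst, dport):
    """Evaluate the ACL bound inbound on ifname. No ACL bound means permit; with an
    ACL bound the first matching entry decides and an unmatched packet is denied."""
    entries = ACLS.get(ifname)
    if entries is None:
        return True
    s, d = ipa.ip_address(src), ipa.ip_address(dst)
    for action, aproto, asrc, adst, aport in entries:
        if aproto not in ("ip", proto):
            continue
        if s not in net(asrc) or d not in net(adst):
            continue
        if aport is not None and aport != dport:
            continue
        return action == "permit"
    return False  # implicit deny at the end of a bound ACL


def translation(src_if, dst_if, proto, dst, dport):
    """Find the static that makes dst (as addressed from the lower-security src_if)
    reachable on dst_if. Returns the real (ip, port) or None if no static applies."""
    d = ipa.ip_address(dst)
    for real_if, mapped_if, sproto, mapped, mport, real, rport in STATICS:
        if (real_if, mapped_if) != (dst_if, src_if):
            continue
        if sproto is not None and sproto != proto:
            continue
        if d not in net(mapped) or (mport is not None and mport != dport):
            continue
        real_net = net(real)
        if real_net.num_addresses == 1:
            return str(real_net.network_address), (rport if rport is not None else dport)
        # network static: keep the host offset inside the real subnet (identity NAT here)
        offset = int(d) - int(net(mapped).network_address)
        return str(real_net.network_address + offset), dport
    return None


def flow_allowed(src_if, src, dst_if, dst, proto, dport):
    """Decide a new connection. Returns (allowed, real destination address or None)."""
    if SECURITY[src_if] > SECURITY[dst_if]:
        ok = acl_permits(src_if, proto, src, dst, dport)
        return (True, dst) if ok else (False, None)
    xlate = translation(src_if, dst_if, proto, dst, dport)
    if xlate is None:
        return False, None  # no static: the PIX has no translation for this destination
    if not acl_permits(src_if, proto, src, dst, dport):
        return False, None  # static exists but the lower interface's ACL does not permit it
    return True, xlate[0]


if __name__ == "__main__":
    checks = [
        ("inside", "192.168.10.5", "outside", "198.51.100.10", "tcp", 80),    # browsing out
        ("outside", "198.51.100.10", "inside", PUBLIC_IP, "tcp", 25),         # inbound SMTP
        ("outside", "198.51.100.10", "inside", PUBLIC_IP, "tcp", 3389),       # no static
        ("dmz", "172.16.10.2", "inside", "192.168.10.3", "tcp", 53),          # DMZ to DC
        ("dmz", "172.16.10.2", "outside", "198.51.100.10", "tcp", 80),        # not in dmz_in
    ]
    for c in checks:
        print(c, "->", flow_allowed(*c))
```

The last check is the one that trips people up: because an ACL is bound to dmz, the DMZ host's outbound HTTP is dropped even though dmz is the higher-security side of that pair, which is why the dmz_in list in this thread carries explicit permits for the services the web server itself needs.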
I’m testing the config.
>access-list dmz_in permit ip host 172.16.10.2  192.168.10.1 255.255.255.0

 Am I supposed to let the entire 192.168.10.0 subnet access 172.16.10.2? I got an error while inputting the above line, but I think it's because it is not 192.168.10.0 255.255.255.0.
Thank you.
>ip address inside 192.168.10.1 255.255.255.0
With this config item, I just assumed that this was the real subnet of the inside...

>Am I supposed to let the entire 192.168.10.0 subnet access 172.16.10.2?
This is to be applied to the dmz interface, and permits the host server to talk to anyone on the inside LAN. You can make it as restrictive as you want, or as liberal as you want, this is just a starting point.

Are you still working on this? Can you close out this question yet?
I am sorry for the delay, I just got everything set up. I will be launching everything within a day or two and testing this out. I hope it's ok to leave the question open…thanks for your help.
Please help.
Here is the problem I encountered; the pcs in the inside were not able to connect to the internet. This includes the DC and mail server. When I did a sh xlate it showed the ip using pat.
Here is the config. DMZ was not tested. Thank you.

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password Wxl3HeIv428WKR.Y encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name mydomain.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service Inbound_Web_Server tcp
  port-object eq www
  port-object eq https
  port-object eq ftp
  port-object eq domain
  port-object eq smtp
access-list outside_in permit tcp any interface outside object-group Inbound_Web_Server
access-list dmz_in permit ip host 172.16.5.2 192.168.60.0 255.255.255.0
access-list dmz_in permit icmp any any
access-list dmz_in permit udp host 172.16.5.2 any eq domain
access-list dmz_in permit tcp host 172.16.5.2 any eq www
access-list dmz_in permit tcp host 172.16.5.2 any eq https
access-list dmz_in permit tcp host 172.16.5.2 eq www any
access-list dmz_in permit tcp host 172.16.5.2 eq https any
access-list dmz_in permit tcp host 172.16.5.2 eq ftp any
access-list dmz_in deny ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside public_IP 255.255.255.252
ip address inside 192.168.60.1 255.255.255.0
ip address dmz 172.16.5.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.60.0 255.255.255.0 0 0
nat (dmz) 1 172.16.5.0 255.255.255.0 0 0
static (dmz,outside) tcp interface www 172.16.5.2 www netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface ftp 172.16.5.2 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.60.2 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.60.2 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.60.2 www netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.60.0 192.168.60.0 netmask 255.255.255.0 0 0
access-group dmz_in in interface dmz
route outside 0.0.0.0 0.0.0.0 public_ip 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.60.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:f3ebcfdcf8080680a57fe91696e836a7
: end
[OK]

sh xlate
5 in use, 20 most used  ***this is the outside public ip
PAT Global 216.x.x.x(1167) Local 192.168.60.2(1142)
PAT Global 216.x.x.x(1112) Local 192.168.60.3(2311)
PAT Global 216.x.x.x(1113) Local 192.168.60.5(1037)
PAT Global 216.x.x.x(1168) Local 192.168.60.2(1143)
PAT Global 216.x.x.x(1169) Local 192.168.60.2(1149)

sh connections **we forward to our isp dns

UDP out public_dns:53 in 192.168.60.5:1037 idle 0:01:09 flags -
UDP out public_dns:53 in 192.168.60.5:1037 idle 0:01:09 flags -
UDP out public_dns:53 in 192.168.60.5:1037 idle 0:01:09 flags -
UDP out public_dns:53 in 192.168.60.5:1037 idle 0:01:09 flags -
UDP out public_dns:53 in 192.168.60.5:1037 idle 0:01:09 flags -
This should be the only thing that does not work:
>static (inside,outside) tcp interface https 192.168.60.2 https

You can't use the interface to forward https while still having the internal http server enabled.

>When I did a sh xlate it showed the ip using pat
Of course it does. All you have is the Interface IP address.

It looks like the PC's on the inside can get out to the Internet. What exactly is not working at this point?
>the pcs in the inside were not able to connect to the internet. This includes the DC and mail server.
Are you positive that these PC's and servers point to the PIX inside IP address as the default gateway?

Just noticed something else:
>static (dmz,outside) tcp interface www 172.16.5.2 www netmask 255.255.255.255
>static (inside,outside) tcp interface www 192.168.60.2 www netmask 255.255.255.255

You can't forward port 80 from the interface to two different inside/dmz hosts. Pick one or the other, not both.
>This should be the only thing that does not work:
>static (inside,outside) tcp interface https 192.168.60.2 https
 I will take this line out since ssl will not be used until everything is up and running.

The hosts from the inside are not unable to browse the net.

 The gateway I put on the hosts is 192.168.60.1

>static (dmz,outside) tcp interface www 172.16.5.2 www netmask 255.255.255.255
  If I take this line out, how will that affect the web server?

>static (inside,outside) tcp interface www 192.168.60.2 www netmask 255.255.255.255
  This line I had so OWA will work, is this right?

 I'm not sure if this will help you, but from the PIX I can ping all interfaces including the routers.

thanks for all your help,

>The hosts from the inside are not unable to browse the net.

Help me out here. Host can or cannot browse the internet? I know they can't ping, but can they bring up a web browser and get to https://www.experts-exchange.com? Do you have a proper DNS server IP in the client config?

>>static (dmz,outside) tcp interface www 172.16.5.2 www netmask 255.255.255.255
>  If i take this line out how will that affect the web server?
  It will block all public access to this WWW server
>>static (inside,outside) tcp interface www 192.168.60.2 www netmask 255.255.255.255
  >This line i had so owa will work, is this right?
  Not with the line above in the same config.

Bottom line. You cannot have TWO webservers, both using port 80, and both using "interface" as their public IP. You must do one of two things:
1) get another public IP address so that you can use a different public IP for each server
2) Set one of the servers to use a different port other than port 80, perhaps 81 or something. Clients will have to access it using http://<ip address>:81
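The collision pointed out here and in the earlier reply (two statics forwarding port 80 of the same "interface" address to 172.16.5.2 and 192.168.60.2) is the kind of mistake a quick pre-deployment check catches. The Python below is an added example, not code from the thread or from Cisco: it parses the port-redirection form of the PIX 6.x static command out of a config dump, normalises port names to numbers, and reports every public (interface, address, protocol, port) tuple that more than one real host claims. The sample config text is constructed from the static lines posted above.

```python
import re
from collections import defaultdict

# Constructed sample: the static lines from the posted config, "interface" standing in
# for the PIX's single public address.
SAMPLE_STATICS = """\
static (dmz,outside) tcp interface www 172.16.5.2 www netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface ftp 172.16.5.2 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.60.2 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.60.2 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.60.2 www netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.60.0 192.168.60.0 netmask 255.255.255.0 0 0
"""

# Port-redirection form of the static command:
#   static (real_if,mapped_if) {tcp|udp} mapped_ip mapped_port real_ip real_port netmask ...
# Plain 1:1 statics (no tcp/udp keyword) do not match and are skipped.
PORT_STATIC = re.compile(
    r"^static\s+\((?P<real_if>\w+),\s*(?P<mapped_if>\w+)\)\s+"
    r"(?P<proto>tcp|udp)\s+(?P<mapped_ip>\S+)\s+(?P<mapped_port>\S+)\s+"
    r"(?P<real_ip>\S+)\s+(?P<real_port>\S+)"
)

# Well-known port names the PIX accepts; "www" and "80" must compare equal.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "smtp": 25, "domain": 53}


def port_number(token):
    """Numeric port string -> int; known name -> int; anything else kept verbatim."""
    if token.isdigit():
        return int(token)
    return PORT_NAMES.get(token.lower(), token)


def parse_port_statics(config_text):
    """Return one dict per port-redirection static found in config_text."""
    entries = []
    for line in config_text.splitlines():
        m = PORT_STATIC.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["mapped_port"] = port_number(e["mapped_port"])
        e["real_port"] = port_number(e["real_port"])
        entries.append(e)
    return entries


def find_collisions(entries):
    """Map each public (mapped_if, mapped_ip, proto, mapped_port) to the real hosts that
    claim it and return only the tuples claimed by more than one host."""
    claims = defaultdict(set)
    for e in entries:
        key = (e["mapped_if"], e["mapped_ip"], e["proto"], e["mapped_port"])
        claims[key].add((e["real_if"], e["real_ip"], e["real_port"]))
    return {k: sorted(v) for k, v in claims.items() if len(v) > 1}


def lint(config_text):
    """Parse a config dump and return its static collisions ({} when clean)."""
    return find_collisions(parse_port_statics(config_text))


if __name__ == "__main__":
    for (mapped_if, mapped_ip, proto, port), hosts in lint(SAMPLE_STATICS).items():
        targets = ", ".join(f"{ip}:{rport} via {rif}" for rif, ip, rport in hosts)
        print(f"{mapped_if} {mapped_ip} {proto}/{port} is forwarded to {len(hosts)} hosts: {targets}")
```

Run against the posted config it reports the single clash on tcp/80; drop either of the two www statics (or, as suggested above, move one server to a second public address or another port) and the report is empty. The same check extends naturally to a 1:1 static on an address that also carries port redirections, which is the other way the same public address gets claimed twice.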

Host cannot bring up  https://www.experts-exchange.com.

>Do you have a proper DNS server IP in the client config?
For DNS we forward to our isp. I used their ips 216.x.x.x on the client pc. I also used our own dns server(which forwards to our ISP as well) ip on the client pc.

>static (dmz,outside) tcp interface www 172.16.5.2 www netmask 255.255.255.255
  I will take this line out.