WatchGuard announces the acquisition of advanced authentication provider, Datablink, with one mission – to bring secure authentication to SMB, mid-market, and distributed enterprises with a cloud-based solution, ideal for resale via their established channel & MSSP community.
COURSE of the MONTH
8 days, 11 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Setting Mail and Mail Gateway servers on PIX515e
Posted on 2004-09-09
I have a PIX 515 Firewall. I am setting up an exchange server and need to send and receive e-mail thru a mail gateway. How do I allow traffic to and from the mail server thru the mail gateway. I also need to allow web-mail service. Thank you.
Setting Mail and Mail Gateway traffic on PIX515
I already did the following commands
pixfirewall#config term
pixfirewall(config)#static
pixfirewall(config)#access
pixfirewall(config)#access
pixfirewall(config)#no fixup protocol smtp 25
pixfirewall(config)#clear xlate
pixfirewall(config)#exit
pixfirewall#
Setting Mail and Mail Gateway traffic on PIX515
I already did the following commands
pixfirewall#config term
pixfirewall(config)#static
pixfirewall(config)#access
pixfirewall(config)#access
pixfirewall(config)#no fixup protocol smtp 25
pixfirewall(config)#clear xlate
pixfirewall(config)#exit
pixfirewall#
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
4-
4
9 Comments
where is the mail gateway ?
how does the mail gateway communicate with your mail server (is it just SMTP) ?
The way I understand what you are saying, the mail gateway is going to send/receive all the email to/from the Internet. In this case, your configuration above seems fine. You need to configure EXCH to forward all emails outbound to the gateway & you need to configure the gateway to send all emails inbound to EXCH (after it has checked them and verified that they are valid of course).
Are you going to use OWA for webmail ?
how does the mail gateway communicate with your mail server (is it just SMTP) ?
The way I understand what you are saying, the mail gateway is going to send/receive all the email to/from the Internet. In this case, your configuration above seems fine. You need to configure EXCH to forward all emails outbound to the gateway & you need to configure the gateway to send all emails inbound to EXCH (after it has checked them and verified that they are valid of course).
Are you going to use OWA for webmail ?
Thanks for replying.
The mail gateway is behind the firewall. The mail gateway and the mail server communicate via SMTP.
My current configuration is exactly as you mention it above. The "mail gateway is going to send/receive all the email to/from the Internet" and foward them to the EXCH server and viceversa for outbound emails. Thus, the above configuration is correct?
Yes, we are planning to use OWA from the EXCH server. Please advice.
DF
The mail gateway is behind the firewall. The mail gateway and the mail server communicate via SMTP.
My current configuration is exactly as you mention it above. The "mail gateway is going to send/receive all the email to/from the Internet" and foward them to the EXCH server and viceversa for outbound emails. Thus, the above configuration is correct?
Yes, we are planning to use OWA from the EXCH server. Please advice.
DF
The above config looks fine. Although you may need to reboot as well, as there is a known bug with some versions of PIX.
Also DISABLE mailguard. It will upset Exchange.
Also DISABLE mailguard. It will upset Exchange.
If you want to enable OWA, then you need to setup a static NAT to port 80/443 for the EXCH server. I would advise ONLY using port 443 (ie. SSL) and then educating your users that they need to type "https://....."
To setup the NAT, it is same as you have already done for SMTP, just change the ports.
It's been a while since I looked into any potential security issues from OWA, so you may want to have a search/read about this prior to using OWA.
To setup the NAT, it is same as you have already done for SMTP, just change the ports.
It's been a while since I looked into any potential security issues from OWA, so you may want to have a search/read about this prior to using OWA.
td_miles,
Should OWA settings looks like this?
pixfirewall#config term
pixfirewall(config)#static
pixfirewall(config)#access
pixfirewall(config)#access
pixfirewall(config)#no fixup protocol https 443
pixfirewall(config)#clear xlate
pixfirewall(config)#exit
pixfirewall#
Thanks. DF
Should OWA settings looks like this?
pixfirewall#config term
pixfirewall(config)#static
pixfirewall(config)#access
pixfirewall(config)#access
pixfirewall(config)#no fixup protocol https 443
pixfirewall(config)#clear xlate
pixfirewall(config)#exit
pixfirewall#
Thanks. DF
td_miles,
In addition, I am in the process of converting security policies from a Checkpoint platform to Cisco Pix platform using the PDM. Any ideas.
DF
In addition, I am in the process of converting security policies from a Checkpoint platform to Cisco Pix platform using the PDM. Any ideas.
DF
The lines in the config are correct to allow port 443 through to the exchange server. One line that you don't need is:
> pixfirewall(config)#no fixup protocol https 443
It is only for SMTP that you need to remove the fixup. Most other protocols it doesn't cause any issues.
----
> In addition, I am in the process of converting security policies from a Checkpoint platform to Cisco Pix platform using the PDM. > Any ideas.
I assume that you are asking about automated solutions to convert from one to the other ? Not that I know of. Having a well documented security policy (in English with diagrams) means that it can then be implement on whatever platform you choose.
> pixfirewall(config)#no fixup protocol https 443
It is only for SMTP that you need to remove the fixup. Most other protocols it doesn't cause any issues.
----
> In addition, I am in the process of converting security policies from a Checkpoint platform to Cisco Pix platform using the PDM. > Any ideas.
I assume that you are asking about automated solutions to convert from one to the other ? Not that I know of. Having a well documented security policy (in English with diagrams) means that it can then be implement on whatever platform you choose.
Thanks td_miles,
I don't have a lot of policies in my checkpoint server. I am looking to transport the policies manually by reading the policies on checkpoint and realize what field goes where in the PDM.
For example,
checkpoint has the following fields:
Source-Destination-If VIA-Service-Action-4 more
Any -Any -Any -tcp http-accept-
Notice service got two set of information. How can I translate this to PDM?
Thx. DF
I don't have a lot of policies in my checkpoint server. I am looking to transport the policies manually by reading the policies on checkpoint and realize what field goes where in the PDM.
For example,
checkpoint has the following fields:
Source-Destination-If VIA-Service-Action-4 more
Any -Any -Any -tcp http-accept-
Notice service got two set of information. How can I translate this to PDM?
Thx. DF
Sorry about the delayed response. Yes, the policies should be translatable directly:
Checkpoint:
Source-Destination-If VIA-Service-Action-4 more
Any -Any -Any -tcp http-accept-
PIX:
access-list 101 permit tcp any any eq 80
I don't normally use the PDM, so I can't say what the GUI looks like to configure, but if you are doing it from a command prompt, it is straight forward mapping as you can see from the above example.
The syntax for the access-list command is:
access-list id [line line-num] {deny | permit}{protocol | object-group protocol_obj_grp_id {source_addr source_mask} | object-group network_obj_grp_id [operator port [port] | interface if_name | object-group service_obj_grp_id] {destination_addr | remote_addr} {destination_mask | remote_mask} | object-group network_obj_grp_id [operator port [port] | object-group service_obj_grp_id]} [log [[disable | default] | [level]]] [interval secs]]
which looks very complicated, but in general you don't you need a lot of the options and it can be simplified to:
access-list id {deny | permit} source destination operator port
Checkpoint:
Source-Destination-If VIA-Service-Action-4 more
Any -Any -Any -tcp http-accept-
PIX:
access-list 101 permit tcp any any eq 80
I don't normally use the PDM, so I can't say what the GUI looks like to configure, but if you are doing it from a command prompt, it is straight forward mapping as you can see from the above example.
The syntax for the access-list command is:
access-list id [line line-num] {deny | permit}{protocol | object-group protocol_obj_grp_id {source_addr source_mask} | object-group network_obj_grp_id [operator port [port] | interface if_name | object-group service_obj_grp_id] {destination_addr | remote_addr} {destination_mask | remote_mask} | object-group network_obj_grp_id [operator port [port] | object-group service_obj_grp_id]} [log [[disable | default] | [level]]] [interval secs]]
which looks very complicated, but in general you don't you need a lot of the options and it can be simplified to:
access-list id {deny | permit} source destination operator port
Featured Post
Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as the high-speed power of the cloud.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list. It is designed to be downloaded as a file, with primary intention…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses
Course of the Month8 days, 11 hours left to enroll
764 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.