Solved

Pix Firewalls and shutting down the fixup protocol smtp 25 and http 80

Posted on 2004-09-12
924 Views
Last Modified: 2008-02-01
Hi all

I have a client who is having problems connecting to our web servers and sending us email.
We did a little experimentation and discovered that if I shut down the fixup protocol for those two mentioned, they were able to send email to my Exchange server and were able to reach my website faster.

Has anybody ever heard of this phenomenon?

I fear it's just two more holes the nasties have to go through.

They are also using Cisco PIX firewalls.

I am using version 6.2 and they are using version 6.3.
Question by:NetNinja
5 Comments
 
LVL 62

Expert Comment

by:gheist
ID: 12043040
Yes, "no fixup protocol smtp" allows encrypted SMTP (aka STARTTLS) and ESMTP PIPELINING, for either version. The problem is not characteristic of Exchange; simply, PIX breaks protocol extensions.
HTTP fixup is just as slow as you see.
 
LVL 79

Accepted Solution

by: lrmoore (earned 250 total points)
ID: 12043285
Since you are using Exchange, you will most likely have to leave off the fixup for smtp. Exchange uses ESMTP commands and fixup breaks those.

You may need to permit ident packets and leave fixup http enabled.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094317.shtml
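The behaviour gheist and lrmoore describe (the SMTP fixup, Cisco's "Mailguard", letting only the minimal RFC 821 command set through so that EHLO, STARTTLS and PIPELINING are rejected) can be seen in a small model. The following Python is an added example written for this page; it is not code from the thread or from Cisco. It assumes Mailguard's documented behaviour of masking any verb outside the seven minimum commands so the inside server answers with a 500; the client session and the stand-in server replies are constructed for illustration.

```python
"""Model of what the PIX 'fixup protocol smtp 25' (Mailguard) does to an
ESMTP session, and why 'no fixup protocol smtp 25' lets an Exchange
server's ESMTP extensions (EHLO, STARTTLS, PIPELINING) work.

Simplified model, not Cisco code: the real fixup also masks the banner
and inspects DATA, which this example leaves out."""

# The seven RFC 821 commands Cisco documents Mailguard as permitting.
MAILGUARD_ALLOWED = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}

# Constructed ESMTP client session, as a modern MTA would send it.
CLIENT_COMMANDS = [
    "EHLO mail.example.net",
    "STARTTLS",
    "MAIL FROM:<alice@example.net>",
    "RCPT TO:<bob@example.com>",
    "DATA",
    "QUIT",
]


def fixup_smtp(command: str) -> str:
    """Model of Mailguard: a command whose verb is outside the minimum set
    has its verb replaced with X characters (assumed behaviour), so the
    inside server cannot recognise it and rejects it."""
    verb, _, rest = command.partition(" ")
    if verb.upper() in MAILGUARD_ALLOWED:
        return command
    masked = "X" * len(verb)
    return f"{masked} {rest}" if rest else masked


def server_reply(command: str) -> str:
    """Constructed stand-in for an ESMTP-capable server such as Exchange:
    it understands EHLO and STARTTLS; an unknown verb gets a 500."""
    verb = command.split(" ", 1)[0].upper()
    replies = {
        "HELO": "250 mail.example.com",
        "EHLO": "250-mail.example.com\r\n250-PIPELINING\r\n250 STARTTLS",
        "STARTTLS": "220 Ready to start TLS",
        "MAIL": "250 2.1.0 Sender OK",
        "RCPT": "250 2.1.5 Recipient OK",
        "DATA": "354 Start mail input",
        "RSET": "250 OK",
        "NOOP": "250 OK",
        "QUIT": "221 Bye",
    }
    return replies.get(verb, "500 5.5.1 Command unrecognized")


def run_session(commands, fixup_enabled: bool):
    """Pass each client command through the fixup (if enabled) and return
    a list of (command as the server saw it, server reply)."""
    transcript = []
    for cmd in commands:
        seen = fixup_smtp(cmd) if fixup_enabled else cmd
        transcript.append((seen, server_reply(seen)))
    return transcript


def rejected_commands(commands, fixup_enabled: bool):
    """Return the original client commands that drew a 5xx reply."""
    return [
        original
        for original, (_seen, reply) in zip(commands, run_session(commands, fixup_enabled))
        if reply.startswith("5")
    ]


if __name__ == "__main__":
    for enabled in (True, False):
        print(f"fixup protocol smtp 25 {'on' if enabled else 'off'}:")
        for seen, reply in run_session(CLIENT_COMMANDS, enabled):
            print(f"  C: {seen!r:38} S: {reply.splitlines()[0]}")
```

With the fixup on, EHLO and STARTTLS are the two commands that come back with a 500, which is exactly why the client falls back or stalls; with it off, the whole ESMTP session succeeds. The compensating control once the fixup is removed is the usual one the thread implies: an access list that permits TCP/25 only to the mail server, so the PIX is no longer relying on Mailguard to police the command set.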
 

Author Comment

by:NetNinja
ID: 12043539
lrmoore!

You are the Cisco Ninja!

I still owe you a steak dinner when you come to Atlanta. :)

Thanks for pointing me in the right direction.
 

Author Comment

by:NetNinja
ID: 12043655
From what I can determine, I can use both the resetinbound and possibly the resetoutside command.

But the documentation states this:

If you use the resetoutside command, the PIX Firewall actively resets denied TCP packets that terminate at the PIX Firewall least secure interface. By default, these packets are silently discarded. The resetoutside option is highly recommended with dynamic or static interface Port Address Translation (PAT). The static interface PAT is available with PIX Firewall version 6.0 and higher. This option allows the PIX Firewall to quickly terminate the identity request (IDENT) from an external SMTP or FTP server. Actively resetting these connections avoids the thirty-second time-out delay.

The statement "TCP packets that terminate at the PIX Firewall least secure interface" is a little confusing.

 
LVL 79

Expert Comment

by:lrmoore
ID: 12043708
>TCP packets that terminate at the PIX Firewall least secure interface
If you have static (NAT or PAT) xlates, the TCP connection terminates on the PIX interface itself, not the system interface.

>the PIX Firewall least secure interface
The interface with the lowest security number. Default puts inside at 100, outside at 0.