Solved

PIX firewalls and shutting down the fixup protocol for smtp 25 and http 80

Posted on 2004-09-12
921 Views
Last Modified: 2008-02-01
Hi all,

I have a client who is having problems connecting to our web servers and sending us email.
We did a little experimentation and discovered that if I shut down the fixup protocol for those two mentioned, they were able to send email to my Exchange server and were able to reach my website faster.

Has anybody ever heard of this phenomenon?

I fear it's just two more holes the nasties have to go through.

They are also using Cisco PIX firewalls.

I am using version 6.2 and they are using version 6.3.

Question by: NetNinja

5 Comments
LVL 61

Expert Comment

by: gheist
ID: 12043040
Yes, "no fixup protocol smtp" allows encrypted SMTP (STARTTLS) and ESMTP PIPELINING, for either version. The problem is not specific to Exchange; the PIX simply breaks protocol extensions.
The http fixup is just as slow as you see.
 
LVL 79

Accepted Solution

by: lrmoore (earned 250 total points)
ID: 12043285
Since you are using Exchange, you will most likely have to leave off the fixup for smtp. Exchange uses ESMTP commands and fixup breaks those.

You may need to permit ident packets and leave fixup http enabled.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094317.shtml
 

Author Comment

by: NetNinja
ID: 12043539
lrmoore!

You are the Cisco Ninja!

I still owe you a steak dinner when you come to Atlanta. :)

Thanks for pointing me in the right direction.
 

Author Comment

by: NetNinja
ID: 12043655
From what I can determine, I can use both the resetinbound and possibly the resetoutside command.

But the documentation states this:

"If you use the resetoutside command, the PIX Firewall actively resets denied TCP packets that terminate at the PIX Firewall least secure interface. By default, these packets are silently discarded. The resetoutside option is highly recommended with dynamic or static interface Port Address Translation (PAT). The static interface PAT is available with PIX Firewall version 6.0 and higher. This option allows the PIX Firewall to quickly terminate the identity request (IDENT) from an external SMTP or FTP server. Actively resetting these connections avoids the thirty-second time-out delay."

The statement "TCP packets that terminate at the PIX Firewall least secure interface" is a little confusing.


 
LVL 79

Expert Comment

by: lrmoore
ID: 12043708
> TCP packets that terminate at the PIX Firewall least secure interface
If you have static (NAT or PAT) xlates, the TCP connection terminates on the PIX interface itself, not the system interface.

> the PIX Firewall least secure interface
The interface with the lowest security number. Default puts inside at 100, outside at 0.
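Pulling the accepted answer and the resetinbound/resetoutside discussion together, the following PIX 6.x configuration fragment is an added illustration and is not from any poster in this thread or from the Cisco document linked above. The addresses (203.0.113.25 public, 10.10.10.25 inside), the access-list name outside_in and the static mapping are assumed for the example; substitute your own. It shows the weak setting (smtp fixup left on, IDENT silently dropped) beside the corrected one.

```cisco
! --- BEFORE (defaults): Mail Guard rewrites/blocks ESMTP commands such as
! EHLO, STARTTLS and PIPELINING, and an external MTA's IDENT (TCP/113) probe
! is silently dropped, so the sender waits out a 30-second timeout.
fixup protocol smtp 25
fixup protocol http 80
! (no "service reset..." line present)

! --- AFTER: disable only the smtp fixup; keep http inspection enabled.
no fixup protocol smtp 25
fixup protocol http 80

! Assumed static NAT for the Exchange server (example addresses).
static (inside,outside) 203.0.113.25 10.10.10.25 netmask 255.255.255.255 0 0

! Assumed inbound ACL: allow SMTP to the mail server only.
access-list outside_in permit tcp any host 203.0.113.25 eq smtp
access-group outside_in in interface outside

! Actively RST denied inbound TCP (e.g. IDENT to the static 203.0.113.25)
! instead of dropping it, so the remote MTA gives up immediately.
service resetinbound

! Only needed if your mail/web hosts sit behind interface PAT, i.e. the
! connection terminates on the outside interface address itself.
service resetoutside

! Verify which inspection engines remain active.
show fixup
```

Do not disable fixup http unless you need to: the accepted answer's point is that the SMTP slowdown is Mail Guard plus the IDENT timeout, and both are fixed by the lines above without widening what the firewall admits. Sending a RST for a denied IDENT probe does tell the remote host a firewall is there, which is the trade-off for losing the 30-second delay.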
