Solved

Pix Firewalls and shutting down the fixup protocol smtp 25 and http 80

Posted on 2004-09-12
5
926 Views
Last Modified: 2008-02-01
Hi all

I have a client who is having problems connecting to our web servers and sending us email.
We did a little experimentation and discovered that if I shut down the fixup protocol for those two mentioned, they were able to send email to my Exchange server and were able to reach my website faster.

Has anybody ever heard of this phenomenon?

I fear it's just two more holes the nasties have to go through.

They are also using Cisco PIX firewalls.

I am using version 6.2 and they are using version 6.3.
Question by:NetNinja
5 Comments
 
LVL 62

Expert Comment

by:gheist
ID: 12043040
Yes, "no fixup protocol smtp" allows encrypted SMTP (STARTTLS) and ESMTP PIPELINING, for either version. The problem is not specific to Exchange; PIX simply breaks protocol extensions.
http fixup is just as slow as you see.
 
LVL 79

Accepted Solution

by: lrmoore (earned 250 total points)
ID: 12043285
Since you are using Exchange, you will most likely have to leave off the fixup for smtp. Exchange uses ESMTP commands and fixup breaks those.

You may need to permit ident packets and leave fixup http enabled.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094317.shtml
 

Author Comment

by:NetNinja
ID: 12043539
lrmoore!

You are the Cisco Ninja!

I still owe you a steak dinner when you come to Atlanta. :)

Thanks for pointing me in the right direction.
 

Author Comment

by:NetNinja
ID: 12043655
From what I can determine I can use both the resetinbound and possibly the resetoutside command.

But the documentation states this:

If you use the resetoutside command, the PIX Firewall actively resets denied TCP packets that terminate at the PIX Firewall least secure interface. By default, these packets are silently discarded. The resetoutside option is highly recommended with dynamic or static interface Port Address Translation (PAT). The static interface PAT is available with PIX Firewall version 6.0 and higher. This option allows the PIX Firewall to quickly terminate the identity request (IDENT) from an external SMTP or FTP server. Actively resetting these connections avoids the thirty-second time-out delay.

The statement "TCP packets that terminate at the PIX Firewall least secure interface" is a little confusing.

 
LVL 79

Expert Comment

by:lrmoore
ID: 12043708
>TCP packets that terminate at the PIX Firewall least secure interface
If you have static (NAT or PAT) xlates, the TCP connection terminates on the PIX interface itself, not the system interface.

>the PIX Firewall least secure interface
The interface with the lowest security number. The default puts inside at 100 and outside at 0.
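As a defender-side check built on the two points made in this thread (an added example written for this page, not code from the thread or from Cisco): it lists the verbs of an ESMTP session that fall outside the RFC 821 command set PIX Mail Guard (fixup protocol smtp) passes, which is why an Exchange EHLO/STARTTLS exchange breaks behind it, and audits a constructed PIX 6.x configuration for the fixup, resetoutside and ident settings discussed above. The config excerpt, the session and the 203.0.113.25 address are constructed; the keywords are the real PIX 6.x commands named in the thread.

```python
import re

# Constructed PIX 6.x config excerpt (assumption, not the asker's config);
# the keywords are the real PIX 6.x commands named in the thread.
PIX_CONFIG = """\
fixup protocol ftp 21
fixup protocol http 80
no fixup protocol smtp 25
service resetoutside
access-list outside_in permit tcp any host 203.0.113.25 eq smtp
access-list outside_in permit tcp any host 203.0.113.25 eq 113
"""

# Mail Guard (fixup protocol smtp) passes only the minimal RFC 821
# section 4.5.1 command set; any other verb is answered with an error.
MAILGUARD_ALLOWED = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}

# Constructed ESMTP session, as an Exchange-style client would send it.
ESMTP_SESSION = ["EHLO mail.example.net", "STARTTLS", "AUTH LOGIN",
                 "MAIL FROM:<alice@example.net> SIZE=2048",
                 "RCPT TO:<bob@example.com>", "DATA", "QUIT"]


def mailguard_rejects(session):
    """Verbs Mail Guard would refuse. Verb-level only: parameters such as
    SIZE= on an allowed verb are not checked."""
    verbs = [line.split()[0].upper() for line in session if line.strip()]
    return [v for v in verbs if v not in MAILGUARD_ALLOWED]


def audit_pix_config(config):
    """Report the settings the accepted answer asks for: smtp fixup off,
    http fixup on, resetoutside set, ident (tcp/113) permitted inbound."""
    lines = [l.strip() for l in config.splitlines()]

    def fixup_enabled(proto):
        on = any(re.fullmatch(rf"fixup protocol {proto} \d+", l) for l in lines)
        off = any(re.fullmatch(rf"no fixup protocol {proto} \d+", l) for l in lines)
        return on and not off

    ident = any(l.startswith("access-list") and l.endswith((" eq 113", " eq ident"))
                for l in lines)
    return {"smtp_fixup": fixup_enabled("smtp"),
            "http_fixup": fixup_enabled("http"),
            "resetoutside": "service resetoutside" in lines,
            "ident_permitted": ident}
```

Run against a real `show running-config` dump, a `smtp_fixup` of True together with Exchange behind the PIX is the condition this thread describes.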
