PIX Firewalls and shutting down the fixup protocol smtp 25 and http 80

Hi all

I have a client who is having problems connecting to our web servers and sending us email.
We did a little experimentation and discovered that if I shut down the fixup protocol for those two mentioned, they were able to send email to my Exchange server and were able to reach my website faster.

Has anybody ever heard of this phenomenon?

I fear it's just two more holes the nasties have to go through.

They are also using Cisco PIX firewalls.

I am using version 6.2 and they are using version 6.3.
Asked by: NetNinja

1 Solution
gheist commented:
Yes, "no fixup protocol smtp" allows encrypted SMTP (aka STARTTLS) and ESMTP PIPELINING, for either version. The problem is not characteristic of Exchange; simply, PIX breaks protocol extensions.
The http fixup is just as slow as you see.
lrmoore commented:
Since you are using Exchange, you will most likely have to leave off the fixup for smtp. Exchange uses ESMTP commands and fixup breaks those.

You may need to permit ident packets and leave fixup http enabled.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094317.shtml
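A practical way to confirm what the two answers above describe, namely that a middlebox in the path is stripping ESMTP extensions such as STARTTLS and PIPELINING, is to compare the reply to EHLO seen from inside and from outside the firewall. The script below is an added example and is not code from the thread or from Cisco: it parses a multi-line SMTP reply per RFC 5321, reports which expected extensions are missing, and includes a small live probe (`probe()`) for servers you administer. The two transcripts embedded in it are constructed samples, not captures; the hostnames and IP are placeholders.

```python
"""Check whether ESMTP extensions survive the path to a mail server.

Added example; not from the original thread. It parses the multi-line reply
to EHLO (RFC 5321, section 4.1.1.1) and lists which extensions a client would
expect (STARTTLS, PIPELINING, 8BITMIME, SIZE) are absent, which is the symptom
described when a PIX 'fixup protocol smtp' sits in the path.
"""
import re
import socket

EXPECTED = ("STARTTLS", "PIPELINING", "8BITMIME", "SIZE")

# Constructed sample: what a healthy Exchange-style server answers to EHLO.
CLEAN_EHLO_REPLY = (
    "250-mail.example.com Hello [192.0.2.10]\r\n"
    "250-SIZE 20971520\r\n"
    "250-PIPELINING\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)

# Constructed sample: the same exchange when a device in the path only passes
# the minimal RFC 821 command set, so EHLO is refused and the client must
# fall back to plain HELO (no STARTTLS, no PIPELINING).
FILTERED_EHLO_REPLY = "500 5.5.1 Command unrecognized\r\n"


def parse_reply(raw):
    """Split a raw SMTP reply into (code, [text lines]).

    Each line is 'NNN-text' (continuation) or 'NNN text' (final line).
    Raises ValueError on a malformed or truncated reply so that a cut-off
    answer is never mistaken for 'no extensions advertised'.
    """
    lines = [line for line in raw.split("\r\n") if line]
    if not lines:
        raise ValueError("empty reply")
    code, texts = None, []
    for i, line in enumerate(lines):
        m = re.match(r"^(\d{3})([ -])(.*)$", line)
        if not m:
            raise ValueError("malformed reply line: %r" % line)
        c, sep, text = m.groups()
        if code is None:
            code = c
        elif c != code:
            raise ValueError("inconsistent reply codes in one reply")
        is_last = i == len(lines) - 1
        if (sep == " ") != is_last:
            raise ValueError("reply terminated early or not terminated")
        texts.append(text)
    return code, texts


def ehlo_extensions(raw):
    """Return the set of extension keywords advertised in an EHLO reply.

    A non-2xx reply (for example 500 from a server or middlebox that does not
    accept EHLO) yields an empty set: no extensions are usable on that path.
    """
    code, texts = parse_reply(raw)
    if not code.startswith("2"):
        return set()
    # The first line is the greeting; the rest are 'KEYWORD [parameters]'.
    return {t.split()[0].upper() for t in texts[1:] if t.strip()}


def missing_extensions(raw, expected=EXPECTED):
    """List the expected extensions absent from the reply, in expected order."""
    have = ehlo_extensions(raw)
    return [e for e in expected if e not in have]


def _read_reply(f):
    """Read lines until the final line (a space after the 3-digit code)."""
    buf = ""
    while True:
        line = f.readline().decode("ascii", "replace")
        if not line:
            raise ValueError("connection closed mid-reply")
        buf += line
        if re.match(r"^\d{3} ", line):
            return buf


def probe(host, port=25, timeout=10):
    """Live check against a server you administer: return the raw EHLO reply.

    Run it once from inside and once from outside the firewall and compare
    missing_extensions() on both replies. Not exercised by the sample data.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rwb", buffering=0)
        parse_reply(_read_reply(f))  # consume the 220 banner
        f.write(b"EHLO probe.example.net\r\n")
        reply = _read_reply(f)
        f.write(b"QUIT\r\n")
    return reply


if __name__ == "__main__":
    for name, raw in (("clean", CLEAN_EHLO_REPLY), ("filtered", FILTERED_EHLO_REPLY)):
        print(name, "missing:", missing_extensions(raw) or "none")
```

If the inside probe shows the full extension list and the outside probe shows a 500 to EHLO or a greeting with no STARTTLS line, the difference is being introduced on the path, which is exactly the case for removing the smtp fixup (or, on the client side, the cause of the HELO fallback and the loss of encryption).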
NetNinja (Author) commented:
lrmoore!

You are the Cisco Ninja!

I still owe you a steak dinner when you come to Atlanta. :)

Thanks for pointing me in the right direction.
NetNinja (Author) commented:
From what I can determine, I can use both the resetinbound and possibly the resetoutside command.

But the documentation states this:

If you use the resetoutside command, the PIX Firewall actively resets denied TCP packets that terminate at the PIX Firewall least secure interface. By default, these packets are silently discarded. The resetoutside option is highly recommended with dynamic or static interface Port Address Translation (PAT). The static interface PAT is available with PIX Firewall version 6.0 and higher. This option allows the PIX Firewall to quickly terminate the identity request (IDENT) from an external SMTP or FTP server. Actively resetting these connections avoids the thirty-second time-out delay.

The statement "TCP packets that terminate at the PIX Firewall least secure interface" is a little confusing.

lrmoore commented:
>TCP packets that terminate at the PIX Firewall least secure interface
If you have static (NAT or PAT) xlates, the TCP connection terminates on the PIX interface itself, not the system interface.

>the PIX Firewall least secure interface
The interface with the lowest security number. Default puts inside at 100, outside at 0.