Solved

Pix Firewalls and shutting down the fixup protocol smtp 25 and http 80

Posted on 2004-09-12
934 Views
Last Modified: 2008-02-01
Hi all

I have a client who is having problems connecting to our web servers and sending us email.
We did a little experimentation and discovered that if I shut down the fixup protocol for the two mentioned, they were able to send email to my Exchange server and were able to reach my website faster.

Has anybody ever heard of this phenomenon?

I fear it's just two more holes the nasties have to go through.

They are also using Cisco PIX firewalls.

I am using version 6.2 and they are using version 6.3.
Question by:NetNinja
5 Comments
 
LVL 62

Expert Comment

by:gheist
ID: 12043040
Yes, "no fixup protocol smtp" allows encrypted SMTP (STARTTLS) and ESMTP PIPELINING, for either version. The problem is not specific to Exchange; the PIX simply breaks protocol extensions.
The http fixup is just as slow as you see.
 
LVL 79

Accepted Solution

by: lrmoore (earned 1000 total points)
ID: 12043285
Since you are using Exchange, you will most likely have to leave off the fixup for smtp. Exchange uses ESMTP commands and fixup breaks those.

You may need to permit ident packets and leave fixup http enabled.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094317.shtml
 

Author Comment

by:NetNinja
ID: 12043539
lrmoore!

You are the Cisco Ninja!

I still owe you a steak dinner when you come to Atlanta. :)

Thanks for pointing me in the right direction.
 

Author Comment

by:NetNinja
ID: 12043655
From what I can determine, I can use both the resetinbound and possibly the resetoutside command.

But the documentation states this:

If you use the resetoutside command, the PIX Firewall actively resets denied TCP packets that terminate at the PIX Firewall least secure interface. By default, these packets are silently discarded. The resetoutside option is highly recommended with dynamic or static interface Port Address Translation (PAT). The static interface PAT is available with PIX Firewall version 6.0 and higher. This option allows the PIX Firewall to quickly terminate the identity request (IDENT) from an external SMTP or FTP server. Actively resetting these connections avoids the thirty-second time-out delay.

The statement "TCP packets that terminate at the PIX Firewall least secure interface" is a little confusing.
 
LVL 79

Expert Comment

by:lrmoore
ID: 12043708
>TCP packets that terminate at the PIX Firewall least secure interface
If you have static (nat or pat) xlates, the TCP connection terminates on the PIX interface itself, not the system interface.

>the PIX Firewall least secure interface
The interface with the lowest security number. Default puts inside at 100, outside at 0.
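A worked configuration in PIX 6.x syntax that puts the default fixup beside the change the accepted answer and the resetoutside discussion describe. This is an added example, not configuration from the thread or from Cisco's documentation; the inside and outside addresses and the access-list name are constructed placeholders, and the `!` lines are annotations.

```cisco
! Added example (not from the thread): an inside Exchange server at
! 192.168.1.25 published on the outside as 203.0.113.25 (both placeholders).

! --- Before: default fixups. Mail Guard on port 25 limits the session to
! --- the basic SMTP commands, so EHLO-based ESMTP (PIPELINING, STARTTLS)
! --- breaks, which is what the client saw.
fixup protocol smtp 25
fixup protocol http 80

! --- After: Mail Guard disabled, as the accepted answer suggests. The PIX no
! --- longer screens SMTP commands, so the reachable surface is narrowed with
! --- an explicit access list instead.
no fixup protocol smtp 25
! the answer recommends leaving the HTTP fixup enabled
fixup protocol http 80

! Publish the Exchange server with a static translation.
static (inside,outside) 203.0.113.25 192.168.1.25 netmask 255.255.255.255

! Permit only SMTP to the published address. Ident (TCP/113) is permitted
! so a remote MTA's IDENT lookup is answered (by a reset from the server)
! rather than timing out; this is the "permit ident" option from the answer.
access-list outside_in permit tcp any host 203.0.113.25 eq smtp
access-list outside_in permit tcp any host 203.0.113.25 eq 113
access-group outside_in in interface outside

! Alternative to permitting ident: have the PIX actively reset denied TCP
! packets arriving on its least secure (outside) interface, avoiding the
! thirty-second IDENT delay quoted above. Either approach is sufficient.
service resetoutside
```

After applying the change, confirm with `show fixup` that smtp is no longer listed and that inbound connections other than SMTP to the published address are denied (and, with resetoutside, reset rather than silently dropped).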