Solved

What ports to open on Cisco PIX 506e to allow external Outlook clients access to my Exchange 2003 server on the inside of my firewall?

Posted on 2004-09-22
14
9,628 Views
Last Modified: 2013-11-16
We just installed a Cisco PIX 506e.  My ISP configured it to only allow basic web, ftp, smtp and pop traffic.  Before the installation, my remote clients could connect to my Exchange server.  Now they get "unable to connect to exchange server".  I opened all udp and tcp traffic on the PIX for the IP of my Exchange server.  They now can connect, but this kind of defeats the purpose of the PIX firewall.  After deleting that entry in my PIX, I only opened the following ports (which I found on Microsoft's Technet search), but they still can't connect.  What port(s) am I missing, and which ones below should I remove from my access list (if any)?

Port 25 (TCP and UDP)
Port 53 (TCP and UDP)
Port 80 (TCP)
Port 88 (TCP and UDP)
Port 123 (TCP)
Port 135 (TCP)
Port 389 (TCP and UDP)
Port 445 (TCP)
Port 3268 (TCP)

Thanks Bvaal
Question by:Bob Vaal
14 Comments
 
LVL 79

Expert Comment

by:lrmoore
Easy enough to figure out.
Use "show access-list" to see the hit counts on the ports that are used.
Turn logging on and use "show log" to see what is being denied.
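To act on that advice without reading raw "show log" output by hand, here is an added example (not part of the thread) that parses PIX access-list deny messages, tallies which ports toward one static address are being dropped, and points out the tcp/135-then-high-port pattern that a MAPI-over-RPC Outlook session produces. The log lines are constructed in the %PIX-4-106023 format with documentation-range source addresses; 216.49.102.147 is assumed to be the Exchange server's static because it is the host with smtp and pop3 permitted in the posted access-list, and the destination is written as the public address the ACL matches on.

```python
import re
from collections import Counter

# Constructed sample syslog output (not from the original post), in the
# %PIX-4-106023 format a PIX emits for packets dropped by an access-list.
# Source addresses are documentation ranges; the destination is the public
# static address the ACL matches on, assumed here to be the Exchange server.
SAMPLE_LOG = """\
Sep 22 2004 10:01:12: %PIX-4-106023: Deny tcp src outside:203.0.113.10/3421 dst inside:216.49.102.147/135 by access-group "101"
Sep 22 2004 10:01:12: %PIX-4-106023: Deny tcp src outside:203.0.113.10/3422 dst inside:216.49.102.147/1026 by access-group "101"
Sep 22 2004 10:01:13: %PIX-4-106023: Deny udp src outside:203.0.113.10/1050 dst inside:216.49.102.149/137 by access-group "101"
Sep 22 2004 10:01:15: %PIX-4-106023: Deny tcp src outside:203.0.113.10/3423 dst inside:216.49.102.147/135 by access-group "101"
Sep 22 2004 10:01:16: %PIX-6-302013: Built inbound TCP connection 1234 for outside:203.0.113.10/3424 (203.0.113.10/3424) to inside:192.168.1.1/25 (216.49.102.147/25)
Sep 22 2004 10:01:20: %PIX-4-106023: Deny tcp src outside:198.51.100.7/40001 dst inside:216.49.102.147/445 by access-group "101"
"""

DENY_RE = re.compile(
    r'%PIX-4-106023: Deny (?P<proto>tcp|udp) '
    r'src (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)


def parse_denies(log_text):
    """Return one dict per access-list deny message; other messages are skipped."""
    denies = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            d = m.groupdict()
            d["sport"] = int(d["sport"])
            d["dport"] = int(d["dport"])
            denies.append(d)
    return denies


def denied_ports_for(log_text, dst_ip):
    """Count (proto, dport) pairs that were denied toward dst_ip."""
    counts = Counter()
    for d in parse_denies(log_text):
        if d["dst"] == dst_ip:
            counts[(d["proto"], d["dport"])] += 1
    return counts


def suggest_acl(log_text, dst_ip, acl="101", min_hits=2):
    """Candidate PIX 6.x permit lines, one per (proto, port) denied at least
    min_hits times, with the hit count alongside so each can be judged
    individually instead of opening 'ip any' to the host."""
    suggestions = []
    for (proto, port), hits in sorted(denied_ports_for(log_text, dst_ip).items()):
        if hits >= min_hits:
            suggestions.append(
                (f"access-list {acl} permit {proto} any host {dst_ip} eq {port}", hits))
    return suggestions


def rpc_dynamic_port_hint(log_text, dst_ip):
    """Sources denied on tcp/135 (the RPC endpoint mapper) that were also denied
    on a high port to the same host. That pairing is what an Outlook MAPI-over-RPC
    session looks like when Exchange hands out a dynamic port, and it is the
    reason the KB articles in this thread move Exchange to static ports."""
    denies = [d for d in parse_denies(log_text)
              if d["dst"] == dst_ip and d["proto"] == "tcp"]
    epm_sources = {d["src"] for d in denies if d["dport"] == 135}
    return sorted({(d["src"], d["dport"]) for d in denies
                   if d["src"] in epm_sources and d["dport"] > 1023})


if __name__ == "__main__":
    for line, hits in suggest_acl(SAMPLE_LOG, "216.49.102.147"):
        print(f"{line}    # {hits} hits")
    print("dynamic RPC follow-ups:", rpc_dynamic_port_hint(SAMPLE_LOG, "216.49.102.147"))
```

Feed it the output of "show log" from a PIX with "logging trap warnings" (as in the posted config, 106023 is severity 4 so it is already being sent to the syslog host at 192.168.1.73). A high-port follow-up after tcp/135 from the same client means a permit for 135 alone will not be enough; that is the case for static RPC ports or, as the other answers say, for a VPN instead.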
 
LVL 23

Expert Comment

by:Tim Holman
You have a few ports missing...  ;)

http://support.microsoft.com/default.aspx?scid=kb;en-us;q278339

Plus you do have to reconfigure Exchange to use static ports so that you can setup a firewall rule to allow them:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;155831

A better solution would be to use Outlook Web Access instead, or setup a VPN tunnel into your network, as running these ports naked over an Internet connection is insecure...
 

Author Comment

by:Bob Vaal
I like what tim_holman is suggesting, but it seems to be more for Exchange 5.5.  I am running Exchange 2003 on a Windows 2000 server.  The MS solution has you editing the registry, but the entries it wants you to modify don't exist on Exchange 2003.  What would be my best approach for setting up a VPN?
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 250 total points
>What would be my best approach for setting up a VPN?
Issue the Cisco VPN client to users, and set up the PIX as the endpoint.

The PDM wizard makes it very simple.
Command line details:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009442e.shtml
 
LVL 23

Expert Comment

by:Tim Holman
As far as OWA goes - it's pretty easy to set up if you have ISA server:

http://www.msexchange.org/tutorials/OWA_Exchange_Server_2003.html

..and the Exchange 2003 registry settings are here:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;270836

..although if you're using OL 2003 or whatever it's called then you shouldn't need static mappings for this to work.
 
LVL 3

Expert Comment

by:oldhamuk
You are opening way too many ports here.

Why don't you use RPC over HTTP if you are using outlook clients?

What services do you host inside your network that need to be accessed from the internet?

Also post a copy of your config.

Regards

Mark
 

Author Comment

by:Bob Vaal
OLDHAMUK - I don't think I can run RPC over HTTP because my server is still running Windows Server 2000 not Server 2003.  I am running Exchange 2003 on Windows 2000 server.

LRMOORE - I ran the PIX VPN setup wizard (very easy).  I installed Cisco's client on a remote computer and I now am able to attach to my network, browse through My Network Places and see my Exchange server, but...   Outlook 2002 and even Outlook 2003 still don't see the Exchange server.
OWA works and has always worked even before I posted this challenge.  BUT, my remote clients need to run the Outlook client on their computers in order to sync their PDAs.  My remotes are connecting from their homes using DSL connections.  I have noticed when they run the Cisco VPN client and establish a connection to the network, their computer loses the ability to "surf the web".  IE basically gives a 404 screen... check DNS... etc...  Is this normal?

Below is my PIX 506e config as of this comment posting. I placed xx instead of my real outside ip addresses.

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password lrKHtHiNQoYaF1AQ encrypted
passwd lrKHtHiNQoYaF1AQ encrypted
hostname thedome-pix
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit tcp any 216.49.102.xx4 255.255.255.240 eq www
access-list 101 permit tcp any host 216.49.102.xx7 eq https
access-list 101 permit tcp any host 216.49.102.xx7 eq ftp
access-list 101 permit tcp any host 216.49.102.xx7 eq smtp
access-list 101 permit tcp any host 216.49.102.xx7 eq pop3
access-list 101 permit tcp any host 216.49.102.xx7 eq 8383
access-list 101 permit tcp any host 216.49.102.xx7 eq 8484
access-list 101 permit tcp any host 216.49.102.xx9 eq 3389
access-list 101 deny ip any any
access-list inside_outbound_nat0_acl permit ip any 192.168.1.248 255.255.255.248
access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.248 255.255.255.248
pager lines 24
logging on
logging timestamp
logging trap warnings
logging host inside 192.168.1.73
mtu outside 1500
mtu inside 1500
ip address outside 216.49.102.xx3 255.255.255.240
ip address inside 192.168.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn-ip 192.168.1.251-192.168.1.253
pdm location 216.49.102.xx7 255.255.255.255 outside
pdm location 192.168.1.1 255.255.255.255 inside
pdm location 192.168.1.2 255.255.255.255 inside
pdm location 192.168.1.3 255.255.255.255 inside
pdm location 192.168.1.4 255.255.255.255 inside
pdm location 192.168.1.5 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.240 inside
pdm location 192.168.1.73 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) 216.49.102.xx8 192.168.1.5 netmask 255.255.255.255 0 0
static (inside,outside) 216.49.102.xx6 192.168.1.3 netmask 255.255.255.255 0 0
static (inside,outside) 216.49.102.xx7 192.168.1.1 netmask 255.255.255.255 0 0
static (inside,outside) 216.49.102.xx9 192.168.1.2 netmask 255.255.255.255 0 0
static (inside,outside) 216.49.102.xx1 192.168.1.4 netmask 255.255.255.255 0 0
static (inside,outside) 216.49.102.xx0 192.168.1.1 netmask 255.255.255.255 0 0
static (inside,outside) 216.49.102.xx2 192.168.1.1 netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 216.49.102.xx5 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup thedome-vpn address-pool vpn-ip
vpngroup thedome-vpn idle-time 1800
vpngroup thedome-vpn password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:ca98dc2b3e70029baedc550cf4e4794b
: end
[OK]


 
LVL 79

Accepted Solution

by:lrmoore
lrmoore earned 250 total points
You need to do one of two things.
Exchange/Outlook is a legacy application dependent on NetBIOS.
Either 1) set up a WINS server and add the WINS server entry in the vpngroup settings so that your remote clients can resolve all NetBIOS system names,
or 2) set up an LMHOSTS file on the client that has at a minimum the required 2 entries for a domain controller + the Exchange server ip-NetBIOS name mapping.

This has proven to work time after time...
 
LVL 3

Expert Comment

by:oldhamuk
I had the same problems when I worked on a customer's network that wasn't 100% Windows 2003 / XP, and I had to specify a WINS server like 'lrmoore' has stated above.

Are you running your VPN and a split tunnel VPN?
 
LVL 79

Expert Comment

by:lrmoore
Any luck yet? Are you still working this? Do you need more information?

 

Author Comment

by:Bob Vaal
*** lrmoore ***
I'm still working on this issue.  Like you suggested, I've setup a vpn using the Cisco wizard. I installed at a client the Cisco VPN Client ver 4.0.1.
I edited the LMHOSTS file and added the IP of my Exchange server and domain server.  I created a WINS server and edited the TCP/IP protocol on my domain and Exchange server WINS section.  The WINS server shows them in the active window.  I re-ran the VPN setup wizard on the PIX to now include sending the WINS server's IP to the client.

At the client, I connect via the VPN client.  When I launch  "ipconfig /all"   I see the IP, DNS and WINS setting the PIX assigned to local.  I can browse my Exchange server via the My Network Places by typing \\<server name>.
But, when I launch Outlook, it still says it can't find the Exchange server.  I've tried the name as well as the external ip in the Outlook account setup.

What am I missing.  Below is the config currently running on my PIX.

Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password lrKHtHiNQoYaF1AQ encrypted
passwd lrKHtHiNQoYaF1AQ encrypted
hostname thedome-pix
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit tcp any 216.49.102.144 255.255.255.240 eq www
access-list 101 permit tcp any host 216.49.102.147 eq https
access-list 101 permit tcp any host 216.49.102.147 eq ftp
access-list 101 permit tcp any host 216.49.102.147 eq smtp
access-list 101 permit tcp any host 216.49.102.147 eq pop3
access-list 101 permit tcp any host 216.49.102.147 eq 8383
access-list 101 permit tcp any host 216.49.102.147 eq 8484
access-list 101 permit tcp any host 216.49.102.152 eq 3389
access-list 101 permit tcp any host 216.49.102.149 eq 3389
access-list 101 permit tcp any host 216.49.102.146 eq 3389
access-list 101 permit tcp any host 216.49.102.151 eq 3389
access-list 101 permit tcp any host 216.49.102.148 eq 3389
access-list 101 deny ip any any
access-list inside_outbound_nat0_acl permit ip any 192.168.1.248 255.255.255.248
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.1.248 255.255.255.248
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.240 192.168.1.248 255.255.255.248
access-list inside_outbound_nat0_acl permit ip interface inside 192.168.1.248 255.255.255.248
access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.248 255.255.255.248
access-list outside_cryptomap_dyn_40 permit ip any 192.168.1.248 255.255.255.248
access-list thedome-vpn_splitTunnelAcl permit ip 192.168.1.0 255.255.255.240 any
access-list outside_cryptomap_dyn_60 permit ip any 192.168.1.248 255.255.255.248
access-list thedome-vpn_splitTunnelAcl_1 permit ip 192.168.1.0 255.255.255.0 any
access-list outside_cryptomap_dyn_80 permit ip any 192.168.1.248 255.255.255.248
access-list outside_cryptomap_dyn_100 permit ip any 192.168.2.0 255.255.255.128
access-list outside_cryptomap_dyn_120 permit ip any 192.168.1.248 255.255.255.248
access-list outside_cryptomap_dyn_140 permit ip any 192.168.1.248 255.255.255.248
access-list outside_cryptomap_dyn_160 permit ip any 192.168.1.248 255.255.255.248
access-list outside_cryptomap_dyn_180 permit ip any 192.168.1.248 255.255.255.248
pager lines 24
logging on
logging timestamp
logging trap warnings
logging host inside 192.168.1.73
mtu outside 1500
mtu inside 1500
ip address outside 216.49.102.153 255.255.255.240
ip address inside 192.168.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn-ip 192.168.1.251-192.168.1.253
pdm location 216.49.102.147 255.255.255.255 outside
pdm location 192.168.1.1 255.255.255.255 inside
pdm location 192.168.1.2 255.255.255.255 inside
pdm location 192.168.1.3 255.255.255.255 inside
pdm location 192.168.1.4 255.255.255.255 inside
pdm location 192.168.1.5 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.240 inside
pdm location 192.168.1.73 255.255.255.255 inside
pdm location 192.168.1.248 255.255.255.248 outside
pdm location 192.168.2.0 255.255.255.128 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) 216.49.102.148 192.168.1.5 netmask 255.255.255.255 0 0
static (inside,outside) 216.49.102.146 192.168.1.3 netmask 255.255.255.255 0 0
static (inside,outside) 216.49.102.147 192.168.1.1 netmask 255.255.255.255 0 0
static (inside,outside) 216.49.102.149 192.168.1.2 netmask 255.255.255.255 0 0
static (inside,outside) 216.49.102.151 192.168.1.4 netmask 255.255.255.255 0 0
static (inside,outside) 216.49.102.150 192.168.1.1 netmask 255.255.255.255 0 0
static (inside,outside) 216.49.102.152 192.168.1.1 netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 216.49.102.145 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 80 match address outside_cryptomap_dyn_80
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 100 match address outside_cryptomap_dyn_100
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 120 match address outside_cryptomap_dyn_120
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 140 match address outside_cryptomap_dyn_140
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 160 match address outside_cryptomap_dyn_160
crypto dynamic-map outside_dyn_map 160 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 180 match address outside_cryptomap_dyn_180
crypto dynamic-map outside_dyn_map 180 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup thedome-vpn address-pool vpn-ip
vpngroup thedome-vpn dns-server 216.49.96.1 216.49.96.2
vpngroup thedome-vpn wins-server 192.168.1.2
vpngroup thedome-vpn default-domain thedome.org
vpngroup thedome-vpn split-tunnel thedome-vpn_splitTunnelAcl
vpngroup thedome-vpn idle-time 1800
vpngroup thedome-vpn password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:22f79f682f0f0f4793e3fc090c716bc7
: end
[OK]

 
LVL 79

Expert Comment

by:lrmoore
Could be because you are using public DNS servers:
>> vpngroup thedome-vpn dns-server 216.49.96.1 216.49.96.2

Try re-creating your Outlook profile, and use the Exchange server's NetBIOS name vs FQDN and click on "check name" again...

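Before opening more ports it is worth reading the posted config the way an attacker would. The following is an added example, not from the thread, that runs a handful of checks over an excerpt of the PIX 6.3 configuration posted above (the config lines are copied from the thread; the check list is mine). It flags the point lrmoore makes about the public DNS servers and the shared password hash Tim Holman comments on below, alongside things nobody mentioned: the default SNMP community, telnet management, five hosts with RDP open to any source, and a split-tunnel ACL that covers only a /28 of the /24 inside LAN.

```python
import ipaddress
import re

# Constructed excerpt of the posted PIX 6.3 configuration: these lines are
# copied from the thread, with the rest of the config omitted for brevity.
PIX_CONFIG = """\
enable password lrKHtHiNQoYaF1AQ encrypted
passwd lrKHtHiNQoYaF1AQ encrypted
access-list 101 permit tcp any host 216.49.102.147 eq smtp
access-list 101 permit tcp any host 216.49.102.152 eq 3389
access-list 101 permit tcp any host 216.49.102.149 eq 3389
access-list 101 permit tcp any host 216.49.102.146 eq 3389
access-list 101 permit tcp any host 216.49.102.151 eq 3389
access-list 101 permit tcp any host 216.49.102.148 eq 3389
access-list 101 deny ip any any
access-list thedome-vpn_splitTunnelAcl permit ip 192.168.1.0 255.255.255.240 any
ip address inside 192.168.1.254 255.255.255.0
snmp-server community public
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
vpngroup thedome-vpn dns-server 216.49.96.1 216.49.96.2
vpngroup thedome-vpn wins-server 192.168.1.2
vpngroup thedome-vpn split-tunnel thedome-vpn_splitTunnelAcl
telnet 192.168.1.0 255.255.255.0 inside
"""


def _net(ip, mask):
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def audit_pix(config_text):
    """Return a sorted list of (finding_id, detail) for a PIX 6.x config text."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    findings = []

    # Same hash for the enable password and the login (passwd) password:
    # one cracked hash gives privileged access.
    hashes = {}
    for l in lines:
        m = re.match(r"(enable password|passwd) (\S+) encrypted$", l)
        if m:
            hashes[m.group(1)] = m.group(2)
    if len(hashes) == 2 and len(set(hashes.values())) == 1:
        findings.append(("shared-password", "enable password and passwd share one hash"))

    # Default SNMP community string.
    for l in lines:
        m = re.match(r"snmp-server community (\S+)$", l)
        if m and m.group(1).lower() in ("public", "private"):
            findings.append(("snmp-default-community", m.group(1)))

    # Cleartext telnet management enabled (PIX 6.3 also supports ssh).
    for l in lines:
        if re.match(r"telnet [\d.]+ [\d.]+ \w+$", l):
            findings.append(("telnet-enabled", l))

    # IKE policy hashing with MD5 where SHA is available on this release.
    for l in lines:
        if re.match(r"isakmp policy \d+ hash md5$", l):
            findings.append(("ike-md5", l))

    # VPN clients are handed a DNS server outside private address space, so
    # internal names cannot be resolved through the tunnel.
    for l in lines:
        m = re.match(r"vpngroup \S+ dns-server (.+)$", l)
        if m:
            public = [a for a in m.group(1).split()
                      if not ipaddress.ip_address(a).is_private]
            if public:
                findings.append(("vpn-public-dns", " ".join(public)))

    # RDP reachable from any Internet source.
    rdp = re.findall(r"access-list \S+ permit tcp any host ([\d.]+) eq 3389", config_text)
    if rdp:
        findings.append(("rdp-from-any", ",".join(rdp)))

    # Split-tunnel ACL covers only part of the inside LAN: traffic to the rest
    # of the subnet leaves the client's local interface instead of the tunnel.
    inside = None
    for l in lines:
        m = re.match(r"ip address inside ([\d.]+) ([\d.]+)$", l)
        if m:
            inside = _net(*m.groups())
    for acl in re.findall(r"vpngroup \S+ split-tunnel (\S+)", config_text):
        pat = rf"access-list {re.escape(acl)} permit ip ([\d.]+) ([\d.]+) any"
        for ip, mask in re.findall(pat, config_text):
            net = _net(ip, mask)
            if inside and net != inside and net.subnet_of(inside):
                findings.append(("split-tunnel-partial",
                                 f"{acl} tunnels only {net}; inside LAN is {inside}"))
    return sorted(findings)


def finding_ids(config_text):
    """Just the finding identifiers, for a quick pass/fail view."""
    return sorted({fid for fid, _ in audit_pix(config_text)})


if __name__ == "__main__":
    for fid, detail in audit_pix(PIX_CONFIG):
        print(f"{fid:24} {detail}")
```

Run it against the full "write terminal" output rather than the excerpt; the regular expressions only look at whole lines, so the extra pdm, fixup and crypto-map lines are ignored. The split-tunnel finding is the one most directly tied to this thread: with the /28 ACL applied, a client only routes 192.168.1.0 to .15 into the tunnel, so the inside hosts beyond that range are unreachable from the VPN no matter what WINS says.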
 
LVL 23

Assisted Solution

by:Tim Holman
Tim Holman earned 100 total points
>enable password lrKHtHiNQoYaF1AQ encrypted
>passwd lrKHtHiNQoYaF1AQ encrypted

Won't take me long to crack those...  shame my rainbow tables have gone missing...  :)

As far as your LMHOSTS file goes, it needs to be specifically formatted with a few extra tags, as per:

http://support.microsoft.com/default.aspx?kbid=180094




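lrmoore's accepted answer and Tim Holman's pointer to KB 180094 both come down to the client being able to resolve the domain controller and the Exchange server by NetBIOS name. As an added example (not from the thread), the script below writes an LMHOSTS file in the layout that KB describes (a #PRE #DOM entry for the domain controller, the padded "domain \0x1b" browser record, and a #PRE entry for the Exchange server) and checks an existing file for lrmoore's minimum two entries. The NetBIOS domain THEDOME, the host names DC01 and EXCH01, and placing the domain controller at 192.168.1.2 (the address the config pushes as WINS server) are assumptions; the thread does not give them.

```python
import re

# Added example, not from the thread. Domain name, host names and the DC
# address below are assumptions; the thread only gives the WINS server
# address 192.168.1.2 and the Exchange server's inside address 192.168.1.1.
DOMAIN = "THEDOME"
DC = ("192.168.1.2", "DC01")
EXCHANGE = ("192.168.1.1", "EXCH01")


def lmhosts_line(ip, name, pre=True, dom=None):
    """One LMHOSTS entry. NetBIOS names are at most 15 characters; #DOM only
    takes effect on a #PRE (preloaded) entry, so #PRE is written first."""
    if len(name) > 15:
        raise ValueError(f"NetBIOS name longer than 15 characters: {name}")
    if dom and not pre:
        raise ValueError("#DOM requires #PRE")
    tags = []
    if pre:
        tags.append("#PRE")                  # preload into the NetBIOS name cache
    if dom:
        tags.append(f"#DOM:{dom.upper()}")   # mark this host as a domain controller
    return f"{ip:<16}{name.upper():<16}{' '.join(tags)}".rstrip()


def lmhosts_domain_browser_line(ip, domain):
    """The domain's 0x1B record (domain master browser): the name padded with
    spaces to exactly 15 characters, followed by the literal \\0x1b, in quotes."""
    return f'{ip:<16}"{domain.upper():<15}\\0x1b"  #PRE'


def build_lmhosts(domain, dc, exchange):
    dc_ip, dc_name = dc
    ex_ip, ex_name = exchange
    return "\n".join([
        "# LMHOSTS for remote VPN clients (generated)",
        lmhosts_line(dc_ip, dc_name, pre=True, dom=domain),
        lmhosts_domain_browser_line(dc_ip, domain),
        lmhosts_line(ex_ip, ex_name, pre=True),
    ]) + "\n"


ENTRY_RE = re.compile(r'^(?P<ip>[\d.]+)\s+(?P<name>"[^"]*"|\S+)\s*(?P<rest>.*)$')


def parse_lmhosts(text):
    """Map NetBIOS name -> (ip, set of #PRE/#DOM tags); comment lines are skipped."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        tags = {t.upper() for t in m.group("rest").split()
                if t.upper() == "#PRE" or t.upper().startswith("#DOM:")}
        entries[m.group("name").strip('"')] = (m.group("ip"), tags)
    return entries


def check_lmhosts(text, domain, exchange_name):
    """Problems with the file against lrmoore's minimum: a preloaded domain
    controller entry for the domain and a preloaded Exchange server entry."""
    entries = parse_lmhosts(text)
    problems = []
    dc_tag = f"#DOM:{domain.upper()}"
    if not any(dc_tag in tags and "#PRE" in tags for _, tags in entries.values()):
        problems.append(f"no #PRE #DOM:{domain.upper()} entry for a domain controller")
    name = exchange_name.upper()
    if name not in entries:
        problems.append(f"no entry for Exchange server {name}")
    elif "#PRE" not in entries[name][1]:
        problems.append(f"{name} entry lacks #PRE")
    return problems


if __name__ == "__main__":
    text = build_lmhosts(DOMAIN, DC, EXCHANGE)
    print(text)
    print("problems:", check_lmhosts(text, DOMAIN, EXCHANGE[1]))
```

The generated text goes into %SystemRoot%\system32\drivers\etc\lmhosts (no extension) on each remote client, followed by "nbtstat -R" to reload the name cache. With the VPN up, "nbtstat -c" should then list DC01 and EXCH01 as preloaded entries before Outlook's "check name" is tried again.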
 
LVL 23

Expert Comment

by:Tim Holman
What fixed this? Was it the format of the LMHOSTS file that was playing up?
