How do I use Cisco PIX Device Manager to create rules to allow mail to come to my Exchange 2003 Server

I have a Cisco PIX Firewall 506 and would like to use the Cisco PIX Device Manager to configure it to allow Exchange 2003 mail to pass through.  How can I do this?

lrmoore Commented:
Much simpler to create a text command in Notepad and drop it into the Command Line Tool of the PDM. Using the PDM is actually quite confusing.

Else, the steps involve
- create static port map to map port 25 from interface public IP to private IP
   static (inside,outside) tcp interface 25 25
- create inbound access-list to permit inbound port 25
   access-list inbound permit tcp any interface outside eq 25  <== note you must be using 6.3x to use "interface" in the acl
- bind the acl to the interface
   access-group inbound in interface outside
- turn off fixup
   no fixup protocol smtp 25

Using PDM:
- Configuration
- Access Rules
   - new rule
      Action: permit
      Source host/network
         interface Outside
         ip add:
      Destination host/network
         interface inside
         ip add:
      Protocol and Service (*) TCP, source port Service = any
                                   Destination port Service = smtp
   - click OK, and you get a prompt "No static Network Address Translation (NAT) rule is configured ...."
      - click OK
        NAT tab, choose (*) static <ip address> (interface PAT)
      - click OK
   - click OK again
   - click Apply
   - click Save
Then go into Configuration | System Properties
   + Advanced
      + Fixup
         * SMTP - click "Delete" button
   - click Apply
   - click Save


Hate to give just URLs, but this is pretty involved.

Hope this helps!
In anticipation of any future issues, here is another good article.;en-us;q320027

rmefford (Author) Commented:
Thanks for the help, but that doesn't really describe how to create a new rule with the Device Manager.  Also, that example is if I am going to have a second server outside my firewall.  I am not.  I will have just the Exchange Server on the inside.  Am I missing something?  Please help.

rmefford (Author) Commented:
I will try that, thanks everyone.
We must have hit submit at the same time...  hehe..
Quick tip,

If you are using only 2 interfaces, your static command does not require you to specify inside,outside on the command line.  It helps expedite programming the PIX via the command line.

static insideip outsideip


Hey rmefford,  

The link is Cisco's suggestion on how to make Exchange work across a PIX firewall.  If all you're looking for is port forwarding, lrmoore described that.
rmefford (Author) Commented:
Thanks for the help.  Is that the only port I need to open to get my Exchange server mail working?  I can send out but have not been able to receive an email in yet.

You only need two commands to get this working.  Go to the CLI command input in the PDM and enter these commands.  The third command is in case you have switched off the fixup for SMTP.

Replace with your public ip on the firewall and with your internal ip of the exchange server.

access-list 101 permit tcp any host eq smtp
static (inside,outside) tcp smtp smtp netmask 0 0
fixup protocol smtp 25

I know this works as I use it all the time with my customers.

Any questions please let me know.
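Added example, not from any poster in this thread: a small Python audit of a PIX 6.3-style configuration that checks whether the pieces of an inbound SMTP publish described above (the TCP/25 static, an ACL permitting TCP/25 to the published address, that ACL bound inbound on "outside", and the SMTP fixup turned off, as lrmoore and the last reply advise) are all present, and flags any "permit ip any any" rule as broader than the publish needs. The config sample and its addresses (203.0.113.10 public, 192.168.1.25 internal) are constructed placeholders.

```python
import re

# Constructed PIX 6.3-style config (not from the thread). The addresses are
# placeholders: 203.0.113.10 = public IP, 192.168.1.25 = internal Exchange host.
SAMPLE_CONFIG = """\
access-list inbound permit tcp any host 203.0.113.10 eq smtp
static (inside,outside) tcp 203.0.113.10 smtp 192.168.1.25 smtp netmask 255.255.255.255 0 0
access-group inbound in interface outside
no fixup protocol smtp 25
"""
SMTP_PORTS = {"smtp", "25"}          # PIX accepts either spelling of the port
STATIC_RE = re.compile(r"^static \(inside,outside\) tcp (\S+) (\S+) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) permit tcp any (host \S+|interface outside) eq (\S+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside$")
ANY_RE = re.compile(r"^access-list (\S+) permit ip any any$")

def check_smtp_publish(config: str) -> dict:
    """Audit a PIX config for the four pieces an inbound-SMTP publish needs:
    TCP/25 static, ACL permitting TCP/25 to it, ACL bound on outside, fixup off."""
    lines = [l.strip() for l in config.splitlines()]
    # Pass 1: statics and fixup state ('show run' order is not reliable).
    statics = {}                      # published address -> internal address
    fixup_disabled = "no fixup protocol smtp 25" in lines
    for line in lines:
        if (m := STATIC_RE.match(line)) and {m[2], m[4]} <= SMTP_PORTS:
            statics[m[1]] = m[3]      # m[1] is an IP or the word 'interface'
    # Pass 2: ACLs that actually reach a published SMTP address, and bindings.
    smtp_acls, bound, wide_open = set(), set(), set()
    for line in lines:
        if (m := ACL_RE.match(line)) and m[3] in SMTP_PORTS:
            target = m[2].split()[1]  # the IP after 'host', or 'outside'
            if target in statics or (target == "outside" and "interface" in statics):
                smtp_acls.add(m[1])
        elif m := GROUP_RE.match(line):
            bound.add(m[1])
        elif m := ANY_RE.match(line):
            wide_open.add(m[1])       # far broader than the SMTP publish needs
    effective = smtp_acls & bound     # permits SMTP and is applied on outside
    return {
        "statics": statics,
        "effective_acls": sorted(effective),
        "fixup_smtp_disabled": fixup_disabled,
        "wide_open_acls": sorted(wide_open),
        "complete": bool(statics) and bool(effective) and fixup_disabled,
    }

if __name__ == "__main__":
    print(check_smtp_publish(SAMPLE_CONFIG))
```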


> out but have not been able to receive an email in yet.
Did you disable the fixup protocol smtp 25?
You MUST do this step.