Configuring PIX 501 for first time

Milkybar-kid asked:

I have just added a PIX 501 to my network.

I ran the startup wizard.
The outside interface gets its IP using DHCP from the Ethernet modem in bridged mode. That works OK.

I wasn't entirely sure what to use for the PAT/NAT setting, so I selected PAT with the IP address on the outside interface.
I haven't encountered PAT before, so I'm not sure exactly how it operates. Can anyone offer a brief description of how it differs from NAT?
The NAT configuration refers to using an IP from the Global Address Pool - what is this?
What I really want to achieve is to have any PC inside have web browsing, to have certain PCs outside have remote access to a Small Business Server on the inside, and to use the Small Business Server as the VPN server and just pass this traffic through the firewall.

Something that is confusing me is that the default configuration works fine and allows web browsing, but SMTP mail is also still getting delivered to the server, and I thought that by default all inbound ports were blocked.
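The difference between the two translation modes the wizard offers (PAT on the outside interface address versus NAT from a global address pool), as an added model that is not part of this thread and not Cisco's code. All addresses are constructed for the example: 10.0.0.0/24 inside, 203.0.113.1 standing in for the DHCP-assigned outside address, and 203.0.113.10-11 as a hypothetical two-address global pool; the class and method names are the example's own.

```python
"""Added model (not Cisco code, not from the thread) of the two translation
modes the PIX wizard offers.  Addresses are constructed for the example:
10.0.0.0/24 inside, 203.0.113.1 as the DHCP-assigned outside address, and
203.0.113.10-11 as a hypothetical two-address global pool."""

from dataclasses import dataclass
from itertools import count
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


class PAT:
    """Port Address Translation ('global (outside) 1 interface' on the PIX):
    every inside host shares ONE outside address; flows are told apart by the
    source port the firewall rewrites them to."""

    def __init__(self, outside_ip: str):
        self.outside_ip = outside_ip
        self._ports = count(1024)
        self.table: dict[tuple, Flow] = {}     # (outside_ip, port) -> inside flow

    def translate_out(self, f: Flow) -> Flow:
        for key, inner in self.table.items():   # reuse an existing mapping
            if inner == f:
                return Flow(self.outside_ip, key[1], f.dst, f.dport)
        port = next(self._ports)                # otherwise allocate a new port
        self.table[(self.outside_ip, port)] = f
        return Flow(self.outside_ip, port, f.dst, f.dport)

    def translate_in(self, reply: Flow) -> Optional[Flow]:
        """Reverse the mapping for a reply.  None means no translation exists,
        which is why unsolicited inbound traffic has nowhere to go under PAT."""
        inner = self.table.get((reply.dst, reply.dport))
        if inner is None or (inner.dst, inner.dport) != (reply.src, reply.sport):
            return None
        return Flow(reply.src, reply.sport, inner.src, inner.sport)


class NATPool:
    """Dynamic NAT from a global address pool ('global (outside) 1 A-B ...'):
    each active inside host borrows a whole outside address, so you need as
    many routed public addresses as concurrently active hosts."""

    def __init__(self, pool: list):
        self.free = list(pool)
        self.table: dict[str, str] = {}        # inside ip -> outside ip

    def translate_out(self, f: Flow) -> Optional[Flow]:
        if f.src not in self.table:
            if not self.free:
                return None                     # pool exhausted: flow is dropped
            self.table[f.src] = self.free.pop(0)
        return Flow(self.table[f.src], f.sport, f.dst, f.dport)


def demo() -> dict:
    """Two inside hosts browse the same web server, then a stray packet arrives."""
    web = ("198.51.100.80", 80)                 # constructed external web server
    pat = PAT("203.0.113.1")
    a = pat.translate_out(Flow("10.0.0.5", 49152, *web))
    b = pat.translate_out(Flow("10.0.0.6", 49152, *web))   # same source port as a
    reply_to_a = pat.translate_in(Flow(web[0], web[1], a.src, a.sport))
    stray = pat.translate_in(Flow("203.0.113.7", 40000, "203.0.113.1", 25))

    pool = NATPool(["203.0.113.10", "203.0.113.11"])
    p1 = pool.translate_out(Flow("10.0.0.5", 49152, *web))
    p2 = pool.translate_out(Flow("10.0.0.6", 49152, *web))
    p3 = pool.translate_out(Flow("10.0.0.7", 49152, *web))  # third host: pool empty
    return {"pat_a": a, "pat_b": b, "reply_to_a": reply_to_a, "stray": stray,
            "pool": [p1, p2, p3]}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>11}: {v}")
```

Running it shows both inside hosts leaving through 203.0.113.1 on different ports, the reply to the first host being mapped back to 10.0.0.5:49152, the stray packet to port 25 matching nothing, and the two-address pool serving two hosts and dropping the third. Real PIX code also times mappings out and can fall back to PAT when a pool runs dry; the model leaves that out.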
ASKER CERTIFIED SOLUTION by td_miles (members-only; the solution text is not included on this page)
Milkybar-kid (asker):
OK, so with the configuration that I have, using the modem to bridge the IP assigned by the ISP to the outside interface and using PAT, is OK then? Am I right in thinking that if I want to use NAT I need a router between the ISP and the outside interface? I don't need this if a single IP works with PAT - just curious.

I didn't specify any mail setting in the wizard. The mail delivery is triggered with ODMR on port 366 (outbound), but it just reverses the mail server to start the delivery to port 25 inbound. Does the PIX allow the inbound traffic because of this? I have definitely not specified to open port 25 inbound or specified an internal IP to send the traffic to.

With regard to the VPN, why is an additional IP required? Is it not possible just to map all traffic on port 1723 to the SBS IP address?
Milkybar-kid:
Strange. I have just reset the unit to factory defaults and I can telnet to port 25 on my Exchange server. This shouldn't happen, should it?
td_miles:
You've closed the question; does that mean you found an answer to the email question and your other ones?

Milkybar-kid:
Actually I closed this by accident but opened another similar question. Aside from the SMTP issue, which was me being dumb, the other questions are still relevant, especially the ODMR one.
td_miles:
Ahh, you didn't mention you were using ODMR; that is the reason why the email was being delivered with an "out of the box" config. By default the PIX allows all outbound traffic (i.e. traffic that originates "inside" and is destined for "outside"). For such an outbound connection the PIX allows the initial outbound traffic and makes a note of what it was and where it was destined to. When it sees the return traffic from this outbound request, it permits it to return, as the connection was initiated from inside. This fits with the way ODMR works, which is for your server to initiate a connection to the mail server receiving your email and to request delivery of the email over the same connection. ODMR is one way of getting email through a firewall (or router or ISP) that explicitly blocks inbound traffic on port 25, as direct access to the normal SMTP port isn't required.

Does this answer all of the questions you had, or were there others?
Milkybar-kid:
I guess that the PIX must have the intelligence to know that an outbound connection initiated on port 366 comes back in on port 25? I hadn't realised that this was possible, but it is actually a pretty cool feature, isn't it? It means that port 25 can be permanently closed on the outside interface. Anyway, the device is all configured and in situ now, so thanks for the assistance.
td_miles:
No, you're misunderstanding the ODMR spec: your mail server initiates an outbound connection to port 366 on the ISP mail server and the email comes back in over the same connection/port. At no point in time does port 25 need to be open. The reason this works isn't a feature of the PIX, but simply due to the way ODMR operates.
Milkybar-kid:
OK, I may have misunderstood.

http://www.faqs.org/rfcs/rfc2645.html

I thought that the connection was initiated on port 366 and then, after reversing the connection, normal mail delivery was initiated to port 25.

So you're saying the initiated connection goes out and the mail flows in on port 366?
td_miles:
Yes, when it reverses the connection, that is simply the flow of info, not a new connection. It all happens over a single TCP connection from a high port on your server to port 366 on the remote end.
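The two points td_miles makes (the PIX permits outbound-initiated connections and their return traffic, and ODMR reverses roles inside that one connection rather than opening a new one to port 25), as an added model that is not part of this thread and not Cisco's code. The addresses and ports are constructed (10.0.0.5 as the SBS, 198.51.100.25 as the ISP relay, 203.0.113.7 as a stranger on the Internet), the dialogue is modelled on the example in RFC 2645 with the authentication challenge elided, address translation is deliberately left out, and the verdict strings are labels of the model only.

```python
"""Added model (not Cisco's code, not from the thread): a PIX-style stateful
filter in default configuration plus an ODMR (RFC 2645) session, showing why
mail arrived with no inbound port opened.  Addresses, ports and the mail
domains are constructed for the example; NAT/PAT translation is omitted."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False          # first segment of a new TCP connection


class StatefulFilter:
    """Default-config behaviour reduced to three rules:
    1. anything inside -> outside may start a connection and is remembered;
    2. segments of a remembered connection pass in either direction;
    3. everything else arriving from outside is dropped (no statics/ACLs)."""

    def __init__(self, inside_prefix: str):
        self.inside_prefix = inside_prefix
        self.table: set = set()             # 4-tuples of connections seen

    def _inside(self, ip: str) -> bool:
        return ip.startswith(self.inside_prefix)

    def check(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.table or rev in self.table:
            return "permit:existing"
        if p.syn and self._inside(p.src) and not self._inside(p.dst):
            self.table.add(fwd)
            return "permit:outbound-new"
        return "deny"


SBS, SBS_PORT = "10.0.0.5", 49152        # inside Exchange server, ephemeral port
ISP, ODMR = "198.51.100.25", 366         # ISP's ODMR relay (constructed address)

# Dialogue modelled on RFC 2645 section 5; ">" = SBS sends, "<" = ISP sends.
ODMR_DIALOGUE = [
    ("<", "220 relay.isp.example on-demand mail relay server ready"),
    (">", "EHLO sbs.example.com"),
    ("<", "250-relay.isp.example"),
    ("<", "250-AUTH CRAM-MD5"),
    ("<", "250 ATRN"),
    (">", "AUTH CRAM-MD5"),
    ("<", "334 <challenge elided>"),
    (">", "<response elided>"),
    ("<", "235 Authentication successful"),
    (">", "ATRN example.com"),
    ("<", "250 OK now reversing the connection"),
    # Roles swap here: the SBS now greets as an SMTP server and the ISP acts
    # as the client, but every byte still rides the same TCP connection.
    (">", "220 sbs.example.com ready to receive email"),
    ("<", "EHLO relay.isp.example"),
    (">", "250 sbs.example.com"),
    ("<", "MAIL FROM:<alice@example.net>"),
    (">", "250 OK"),
    ("<", "RCPT TO:<bob@example.com>"),
    (">", "250 OK"),
    ("<", "DATA"),
    (">", "354 End data with <CR><LF>.<CR><LF>"),
    ("<", "Subject: hello"),
    ("<", ""),
    ("<", "constructed test body"),
    ("<", "."),
    (">", "250 Message accepted"),
    ("<", "QUIT"),
    (">", "221 Bye"),
]


def run_odmr(fw: StatefulFilter) -> list:
    """Push the SYN and each dialogue line through the filter as a segment of
    the single SBS:49152 <-> ISP:366 connection; return (dir, line, verdict)."""
    verdicts = [(">", "[SYN]", fw.check(Packet(SBS, SBS_PORT, ISP, ODMR, syn=True)))]
    for direction, line in ODMR_DIALOGUE:
        seg = (Packet(SBS, SBS_PORT, ISP, ODMR) if direction == ">"
               else Packet(ISP, ODMR, SBS, SBS_PORT))
        verdicts.append((direction, line, fw.check(seg)))
    return verdicts


def unsolicited_smtp(fw: StatefulFilter) -> str:
    """What the asker expected to be blocked: a fresh inbound SYN to port 25."""
    return fw.check(Packet("203.0.113.7", 40000, SBS, 25, syn=True))


if __name__ == "__main__":
    fw = StatefulFilter("10.0.0.")
    for d, line, verdict in run_odmr(fw):
        print(f"{d} {line:<55} {verdict}")
    print("direct SYN to :25 ->", unsolicited_smtp(fw))
    print("connections in table:", len(fw.table))
```

Every line after the SYN, including the ISP's MAIL FROM/RCPT TO/DATA, is judged "permit:existing" because it belongs to the one outbound connection the SBS opened, while the direct SYN to port 25 is denied and the connection table holds exactly one entry. That is the whole mechanism; the firewall never has to understand ODMR, and port 25 stays closed on the outside.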