  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 420

Pix 515E - Exchange

We currently have a PIX 515E Firewall & an Exchange server.  For some reason, several months back - users behind the firewall have needed to modify their OUTGOING pop3 server within MS Outlook.  The outgoing mail server entry needed to be changed to our local Exchange server (i.e., exchange.ourdomain.com server).

Since I'm new to servicing this network and have never worked on a PIX 515E, my best guess is that somehow the firewall isn't liking several different OUTGOING mail server requests, but I'm not sure.  Does anyone know if the PIX515E has issues with this and if so, what can I do to fix it?  Also, is there a GOOD reference help manual anyone knows of to get started on the command line interface?

Most of these users use laptops & require mobility.  In addition to using the local exchange server when they are on-site, the users on this network use other outgoing pop3 servers to check other email sources.  I would like to be able to set them up with several different pop3 servers so that they do not have to modify those settings every time they need to come/go to the office.

Asked by cholotek

2 Solutions

Cyclops3590 commented:
First of all, do you mean outgoing server SMTP or incoming server POP3?  There is a "fixup protocol smtp 25" that screws up MS email servers because MS doesn't follow standards.

Please post your PIX config.

After logging in, type:
show run

However, please x out the first three octets of any public address and change any domain name to example.com to sanitize the config before posting.

Tim Holman commented:
By default, a PIX will permit all outbound traffic, and deny all inbound traffic.  You then configure inbound access to your WWW/SMTP servers where necessary to get the inbound stuff working.
What problem are the laptop users running into?

kanwalzeet commented:
Your question is not very clear. I guess you meant OUTGOING SMTP server and not OUTGOING POP3 server. PIX515 should not have any issue regarding the outgoing SMTP traffic (but yes, you need to fix up the SMTP protocol by using the fixup smtp command). If you are new to PIX, please refer to some online tutorial which will help you in configuring the PIX. To start with, you can refer to this link: http://www.secmanager.com/how_to_configure_pix_firewall_part1.

Your laptop/mobile users' problem was not clear. It would be great if you explained it further.

Thanks.
cholotek (author) commented:
It is the Outgoing SMTP mail server.

This is the scenario in the event it was unclear:
OUTSIDE OFFICE (this works fine when a mobile user is outside the office):
Incoming POP3 Server: mail.somewhere.com
Outgoing SMTP Server: mail.somewhere.com

INSIDE OFFICE (the FIX - when a mobile user comes inside the office, he/she needs to change the Outgoing SMTP server to the local EXCHANGE Mail Server):
Incoming POP3 Server: mail.somewhere.com
Outgoing SMTP Server: mail.LocalExchangeDomain.com

BELOW IS THE CONFIG FROM THE PIX:
firewall.example.local# show run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz/intf2 security50
enable password ***************** encrypted
passwd ************** encrypted
hostname firewall.example.local
domain-name example
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_out permit icmp any any echo-reply
access-list acl_out permit icmp any any time-exceeded
access-list acl_out permit icmp any any unreachable
access-list acl_out permit tcp any host xxx.xxx.xxx.136 eq ssh
access-list acl_out permit tcp any host xxx.xxx.xxx.136 eq smtp
access-list acl_out permit tcp any host xxx.xxx.xxx.136 eq www
access-list acl_out permit tcp any host xxx.xxx.xxx.136 eq pop3
access-list acl_out permit tcp any host xxx.xxx.xxx.136 eq https
access-list acl_out permit tcp any host xxx.xxx.xxx.136 eq 444
access-list acl_out permit tcp any host xxx.xxx.xxx.136 eq pptp
access-list acl_out permit tcp any host xxx.xxx.xxx.136 eq 3389
access-list acl_out permit tcp any host xxx.xxx.xxx.136 eq 4125
access-list acl_out permit tcp any host xxx.xxx.xxx.137 eq ssh
access-list acl_out permit tcp any host xxx.xxx.xxx.137 eq smtp
access-list acl_out permit tcp any host xxx.xxx.xxx.137 eq www
access-list acl_out permit tcp any host xxx.xxx.xxx.137 eq pop3
access-list acl_out permit tcp any host xxx.xxx.xxx.137 eq https
access-list acl_out permit tcp any host xxx.xxx.xxx.137 eq 444
access-list acl_out permit tcp any host xxx.xxx.xxx.137 eq pptp
access-list acl_out permit tcp any host xxx.xxx.xxx.137 eq 3389
access-list acl_out permit tcp any host xxx.xxx.xxx.137 eq 4125
access-list acl_out permit tcp any host xxx.xxx.xxx.138 eq ssh
access-list acl_out permit tcp any host xxx.xxx.xxx.138 eq smtp
access-list acl_out permit tcp any host xxx.xxx.xxx.138 eq www
access-list acl_out permit tcp any host xxx.xxx.xxx.138 eq pop3
access-list acl_out permit tcp any host xxx.xxx.xxx.138 eq https
access-list acl_out permit tcp any host xxx.xxx.xxx.138 eq 444
access-list acl_out permit tcp any host xxx.xxx.xxx.138 eq pptp
access-list acl_out permit tcp any host xxx.xxx.xxx.138 eq 3389
access-list acl_out permit tcp any host xxx.xxx.xxx.138 eq 4125
access-list acl_out permit tcp any host xxx.xxx.xxx.139 eq ssh
access-list acl_out permit tcp any host xxx.xxx.xxx.139 eq smtp
access-list acl_out permit tcp any host xxx.xxx.xxx.139 eq www
access-list acl_out permit tcp any host xxx.xxx.xxx.139 eq pop3
access-list acl_out permit tcp any host xxx.xxx.xxx.139 eq https
access-list acl_out permit tcp any host xxx.xxx.xxx.139 eq 444
access-list acl_out permit tcp any host xxx.xxx.xxx.139 eq pptp
access-list acl_out permit tcp any host xxx.xxx.xxx.139 eq 3389
access-list acl_out permit tcp any host xxx.xxx.xxx.139 eq 4125
access-list acl_out permit tcp any host xxx.xxx.xxx.140 eq ssh
access-list acl_out permit tcp any host xxx.xxx.xxx.140 eq smtp
access-list acl_out permit tcp any host xxx.xxx.xxx.140 eq www
access-list acl_out permit tcp any host xxx.xxx.xxx.140 eq pop3
access-list acl_out permit tcp any host xxx.xxx.xxx.140 eq https
access-list acl_out permit tcp any host xxx.xxx.xxx.140 eq 444
access-list acl_out permit tcp any host xxx.xxx.xxx.140 eq pptp
access-list acl_out permit tcp any host xxx.xxx.xxx.140 eq 3389
access-list acl_out permit tcp any host xxx.xxx.xxx.140 eq 4125
access-list acl_out permit tcp any host xxx.xxx.xxx.141 eq ssh
access-list acl_out permit tcp any host xxx.xxx.xxx.141 eq smtp
access-list acl_out permit tcp any host xxx.xxx.xxx.141 eq www
access-list acl_out permit tcp any host xxx.xxx.xxx.141 eq pop3
access-list acl_out permit tcp any host xxx.xxx.xxx.141 eq https
access-list acl_out permit tcp any host xxx.xxx.xxx.141 eq 444
access-list acl_out permit tcp any host xxx.xxx.xxx.141 eq pptp
access-list acl_out permit tcp any host xxx.xxx.xxx.141 eq 3389
access-list acl_out permit tcp any host xxx.xxx.xxx.141 eq 4125
access-list acl_out permit tcp any host xxx.xxx.xxx.142 eq ssh
access-list acl_out permit tcp any host xxx.xxx.xxx.142 eq smtp
access-list acl_out permit tcp any host xxx.xxx.xxx.142 eq www
access-list acl_out permit tcp any host xxx.xxx.xxx.142 eq pop3
access-list acl_out permit tcp any host xxx.xxx.xxx.142 eq https
access-list acl_out permit tcp any host xxx.xxx.xxx.142 eq 444
access-list acl_out permit tcp any host xxx.xxx.xxx.142 eq pptp
access-list acl_out permit tcp any host xxx.xxx.xxx.142 eq 3389
access-list acl_out permit tcp any host xxx.xxx.xxx.142 eq 4125
access-list acl_out permit tcp any host xxx.xxx.xxx.133 eq ssh
access-list acl_out permit tcp any host xxx.xxx.xxx.133 eq smtp
access-list acl_out permit tcp any host xxx.xxx.xxx.133 eq www
access-list acl_out permit tcp any host xxx.xxx.xxx.133 eq pop3
access-list acl_out permit tcp any host xxx.xxx.xxx.133 eq https
access-list acl_out permit tcp any host xxx.xxx.xxx.133 eq 444
access-list acl_out permit tcp any host xxx.xxx.xxx.133 eq pptp
access-list acl_out permit tcp any host xxx.xxx.xxx.133 eq 3389
access-list acl_out permit tcp any host xxx.xxx.xxx.133 eq 4125
access-list acl_out permit tcp any host xxx.xxx.xxx.134 eq ssh
access-list acl_out permit tcp any host xxx.xxx.xxx.134 eq smtp
access-list acl_out permit tcp any host xxx.xxx.xxx.134 eq www
access-list acl_out permit tcp any host xxx.xxx.xxx.134 eq pop3
access-list acl_out permit tcp any host xxx.xxx.xxx.134 eq https
access-list acl_out permit tcp any host xxx.xxx.xxx.134 eq 444
access-list acl_out permit tcp any host xxx.xxx.xxx.134 eq pptp
access-list acl_out permit tcp any host xxx.xxx.xxx.134 eq 3389
access-list acl_out permit tcp any host xxx.xxx.xxx.134 eq 4125
access-list acl_out permit gre any host xxx.xxx.xxx.133
access-list acl_out permit tcp any host xxx.xxx.xxx.135 eq ssh
access-list acl_out permit tcp any host xxx.xxx.xxx.135 eq smtp
access-list acl_out permit tcp any host xxx.xxx.xxx.135 eq www
access-list acl_out permit tcp any host xxx.xxx.xxx.135 eq pop3
access-list acl_out permit tcp any host xxx.xxx.xxx.135 eq https
access-list acl_out permit tcp any host xxx.xxx.xxx.135 eq 444
access-list acl_out permit tcp any host xxx.xxx.xxx.135 eq pptp
access-list acl_out permit tcp any host xxx.xxx.xxx.135 eq 3389
access-list acl_out permit tcp any host xxx.xxx.xxx.135 eq 4125
access-list acl_out permit tcp any host xxx.xxx.xxx.132 eq ssh
access-list acl_out permit tcp any host xxx.xxx.xxx.132 eq smtp
access-list acl_out permit tcp any host xxx.xxx.xxx.132 eq www
access-list acl_out permit tcp any host xxx.xxx.xxx.132 eq pop3
access-list acl_out permit tcp any host xxx.xxx.xxx.132 eq https
access-list acl_out permit tcp any host xxx.xxx.xxx.132 eq 444
access-list acl_out permit tcp any host xxx.xxx.xxx.132 eq pptp
access-list acl_out permit tcp any host xxx.xxx.xxx.132 eq 3389
access-list acl_out permit tcp any host xxx.xxx.xxx.132 eq 4125
access-list inside_access_out permit tcp host xxx.local.xxx.40 any eq smtp
access-list inside_access_out deny tcp any any eq smtp
access-list inside_access_out permit ip any any
pager lines 24
logging on
logging timestamp
logging monitor warnings
logging buffered warnings
logging history warnings
mtu outside 1500
mtu inside 1500
mtu dmz/intf2 1500
ip address outside xxx.xxx.xxx.130 255.255.255.240
ip address inside xxx.local.xxx.2 255.255.255.0
ip address dmz/intf2 192.168.100.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location xxx.local.xxx.0 255.255.255.0 inside
pdm location xxx.local.xxx.0 255.255.0.0 inside
pdm location xxx.xxx.xxx.130 255.255.255.255 outside
pdm history enable
arp timeout 14400
global (outside) 1 xxx.xxx.xxx.135 netmask 255.255.255.255
nat (inside) 1 xxx.local.xxx.0 255.255.0.0 0 0
nat (dmz/intf2) 1 192.168.100.0 255.255.255.0 0 0
static (inside,outside) tcp xxx.xxx.xxx.132 ssh xxx.local.xxx.132 ssh netmask 255.255.255.255 0 0
static (dmz/intf2,outside) xxx.xxx.xxx.136 192.168.100.10 netmask 255.255.255.255 0 0
static (dmz/intf2,outside) xxx.xxx.xxx.137 192.168.100.11 netmask 255.255.255.255 0 0
static (dmz/intf2,outside) xxx.xxx.xxx.138 192.168.100.12 netmask 255.255.255.255 0 0
static (dmz/intf2,outside) xxx.xxx.xxx.139 192.168.100.13 netmask 255.255.255.255 0 0
static (dmz/intf2,outside) xxx.xxx.xxx.140 192.168.100.14 netmask 255.255.255.255 0 0
static (dmz/intf2,outside) xxx.xxx.xxx.141 192.168.100.15 netmask 255.255.255.255 0 0
static (dmz/intf2,outside) xxx.xxx.xxx.142 192.168.100.16 netmask 255.255.255.255 0 0
static (dmz/intf2,outside) xxx.xxx.xxx.133 192.168.100.5 netmask 255.255.255.255 0 0
static (dmz/intf2,outside) xxx.xxx.xxx.134 192.168.100.6 netmask 255.255.255.255 0 0
static (dmz/intf2,outside) xxx.xxx.xxx.132 xxx.local.xxx.132 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group inside_access_out in interface inside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http xxx.local.xxx.40 255.255.255.255 inside
http xxx.local.xxx.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet xxx.local.xxx.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
username admin password ********* encrypted privilege 15
terminal width 80
Cryptochecksum:8d8ccc06af4fdcd34fa06fff35930bde
: end
firewall.example.local#

Cyclops3590 commented:
My guess would be that it is because of the ACL applied to your inside interface:

access-list inside_access_out permit tcp host xxx.local.xxx.40 any eq smtp
access-list inside_access_out deny tcp any any eq smtp
access-list inside_access_out permit ip any any

The first line, I'm guessing, allows your internal Exchange server to send mail, and then the second line forbids any other hosts from doing SMTP traffic to anyone (except for inside hosts, of course).
You can either find the IP for mail.somewhere.com and add it like this:
access-list inside_access_out line 2 permit tcp any host <server ip> eq smtp
or just get rid of the ACL altogether:
no access-group inside_access_out in interface inside

Is there a good reason for blocking all outgoing SMTP traffic except for the Exchange server?
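The first-match behaviour described in the reply above, as an added example that is not part of the thread and not code from any of its participants: a small Python model of the inside_access_out ACL from the posted config. The addresses are constructed stand-ins for the masked values in the config (10.1.1.40 for the Exchange host, 10.1.1.77 for a visiting laptop, 203.0.113.25 for mail.somewhere.com, 198.51.100.9 for some other mail host), and parse_acl, evaluate, with_line and decide are this example's own helper names. It covers both options the reply offers: inserting a narrow permit at line 2 ahead of the deny, and removing the ACL from the interface (modelled as an empty rule list, which on the inside interface falls back to the PIX default of permitting outbound traffic).

```python
"""Constructed model of PIX first-match ACL evaluation (added example, not
code from the thread). Addresses are made-up stand-ins for the masked ones
in the posted config."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Named ports as the PIX CLI accepts them (subset used here)
PORTS = {"smtp": 25, "pop3": 110, "www": 80, "https": 443, "ssh": 22}


@dataclass
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip" (ip matches any protocol)
    src: str               # network in CIDR or "addr/mask" form
    dst: str
    dport: Optional[int]   # destination port, or None when there is no "eq" clause


def _parse_addr(tokens: List[str], i: int):
    """Consume one PIX address spec: 'any', 'host A.B.C.D', or 'NET MASK'."""
    if tokens[i] == "any":
        return "0.0.0.0/0", i + 1
    if tokens[i] == "host":
        return tokens[i + 1] + "/32", i + 2
    return f"{tokens[i]}/{tokens[i + 1]}", i + 2


def parse_acl(lines: List[str]) -> List[Rule]:
    """Parse 'access-list NAME ACTION PROTO SRC DST [eq PORT]' lines, keeping order."""
    rules = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = PORTS.get(t[i + 1]) or int(t[i + 1])
        rules.append(Rule(action, proto, src, dst, dport))
    return rules


def evaluate(rules: List[Rule], proto: str, src: str, dst: str, dport: int) -> str:
    """First matching entry wins; an applied ACL ends in an implicit deny.
    An empty list models 'no access-group ... in interface inside': with no
    ACL applied, the PIX permits traffic from the inside (security100)
    interface outbound by default."""
    if not rules:
        return "permit"
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if ip_address(src) not in ip_network(r.src, strict=False):
            continue
        if ip_address(dst) not in ip_network(r.dst, strict=False):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"


def with_line(lines: List[str], n: int, new_line: str) -> List[str]:
    """Model 'access-list NAME line N ...': the new entry becomes line N (1-based)."""
    out = list(lines)
    out.insert(n - 1, new_line)
    return out


def decide(acl_lines: List[str], proto: str, src: str, dst: str, dport: int) -> str:
    return evaluate(parse_acl(acl_lines), proto, src, dst, dport)


# Constructed addresses standing in for the masked ones in the posted config
EXCHANGE, LAPTOP = "10.1.1.40", "10.1.1.77"
KNOWN_MAIL, OTHER_MAIL = "203.0.113.25", "198.51.100.9"   # mail.somewhere.com / some other relay

# The three inside_access_out entries as posted
ACL_FROM_THREAD = [
    f"access-list inside_access_out permit tcp host {EXCHANGE} any eq smtp",
    "access-list inside_access_out deny tcp any any eq smtp",
    "access-list inside_access_out permit ip any any",
]
# Option 1 from the reply: a narrow permit inserted as line 2, ahead of the deny
ACL_WITH_PERMIT = with_line(
    ACL_FROM_THREAD, 2,
    f"access-list inside_access_out permit tcp any host {KNOWN_MAIL} eq smtp")
# Option 2 from the reply: the ACL is no longer applied to the interface
ACL_REMOVED: List[str] = []

if __name__ == "__main__":
    for name, acl in [("as posted", ACL_FROM_THREAD),
                      ("line-2 permit", ACL_WITH_PERMIT),
                      ("acl removed", ACL_REMOVED)]:
        print(name)
        print("  exchange -> known mail :25 ", decide(acl, "tcp", EXCHANGE, KNOWN_MAIL, 25))
        print("  laptop   -> known mail :25 ", decide(acl, "tcp", LAPTOP, KNOWN_MAIL, 25))
        print("  laptop   -> known mail :110", decide(acl, "tcp", LAPTOP, KNOWN_MAIL, 110))
        print("  laptop   -> other mail :25 ", decide(acl, "tcp", LAPTOP, OTHER_MAIL, 25))
```

Run as a script, the "as posted" case reproduces the symptom in the question: the laptop's POP3 fetch falls through to the final permit, but its SMTP submission to the same host hits the deny on line 2, so only the Exchange host can send. The "line-2 permit" case opens SMTP to the one known server while keeping the block for every other destination; the "acl removed" case opens SMTP to everything, which is the trade-off the author asks about in the next post.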
cholotek (author) commented:
If I removed it completely, what would the security implications be?  This would be my choice as this is sort of like a Virtual office, where clients come into the office & check their Email / Send print jobs to the network printer, etc.  There is no good reason to block all outgoing SMTP traffic as the internal office does not have threats of Spammers.

If I did choose to remove, what would be the "command" to do that?  Is it the: "no access-group inside_access_out" command?

Thank you.

Cyclops3590 commented:
Basically, people can connect to other mail servers directly.  Basically the spammer threat.  However, of course, if someone has a virus that installs a small mail server on a client and sends spam, then your current config blocks this traffic, but if you take it out you'll obviously allow it.  That's the only thing I can think of anyway.

And yes, the
no access-group inside_access_out in interface inside
is the command to remove the application of the ACL to the interface.

Whenever you want to remove something from the config, just look at the line and put "no" in front of it.
For example, you'd also remove the inside_access_out ACL since it wouldn't be used anywhere anymore.
You'd do it like this:
no access-list inside_access_out permit tcp host xxx.local.xxx.40 any eq smtp
no access-list inside_access_out deny tcp any any eq smtp
no access-list inside_access_out permit ip any any

cholotek (author) commented:
Is it the entire command (within the quotes below)?
"no access-group inside_access_out in interface inside"

Cyclops3590 commented:
Yes.

cholotek (author) commented:
I attempted your response (Cyclops3590), but all I got back was the following:
firewall.example.local> login
Username: admin
Password: *******
firewall.example.local# no access-group inside_access_out in interface inside
Type help or '?' for a list of available commands.
firewall.example.local#

Any other suggestions as I'm not familiar with this command line interface?

Thank you,

-TS

Tim Holman commented:
One more step:

enable       <-------- then enter the enable password
no access-group inside_access_out in interface inside

cholotek (author) commented:
OK, what am I doing wrong?  Am I not already in "privileged mode"?  Here's what I got:

User Access Verification

Password: ********
Type help or '?' for a list of available commands.
firewall.example.local> login
Username: admin
Password: *******
firewall.example.local# enable
Type help or '?' for a list of available commands.
firewall.example.local# ?

At the end of show <command>, use the pipe character '|' followed by:
begin|include|exclude|grep [-v] <regular_exp>, to filter show output.

arp             Change or view arp table, set arp timeout value, view statistics
capture         Capture inbound and outbound packets on one or more interfaces
configure       Configure from terminal
copy            Copy image or PDM file from TFTP server into flash.
debug           Debug packets or ICMP tracings through the PIX Firewall.
disable         Exit from privileged mode
eeprom          show or reprogram the 525 onboard i82559 devices
flashfs         Show, destroy, or preserve filesystem information
help            Help list
kill            Terminate a telnet session
logout          Exit from current user profile, and to unprivileged mode
logging         Clear syslog entries from the internal buffer
memory          System memory utilization
pager           Control page length for pagination
passwd          Change Telnet console access password
ping            Test connectivity from specified interface to <ip>
quit            Quit from the current mode, end configuration or logout
reload          Halt and reload system
shun            Manages the filtering of packets from undesired hosts
who             Show active administration sessions on PIX
write           Write config to net, flash, floppy, or terminal, or erase flash

firewall.example.local# no access-group inside_access_out in interface inside
Type help or '?' for a list of available commands.

firewall.example.local#

Cyclops3590 commented:
When you are at
firewall.example.local#
type
config t
first, then the no access-group command.

Tim Holman commented:
Good point...  conf t always helps..  :P

There's a good getting started guide here that may help:

http://www.linuxhomenetworking.com/cisco-hn/dsl-pix.htm