Solved

Set up the cisco PIX 515 for Exchange server

Posted on 2006-11-10
31
1,338 Views
Last Modified: 2010-04-10
I have installed in configured an exchange 2003 server. What set up do i need to do to the PIX 515E in order for our exchange server to send and receive email from the internet. I do have a public IP address

Please help
0
Question by:moonzappa
31 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 17916554
static (inside,outside) <public ip> <server private ip> netmask 255.255.255.255
access-list outside_access_in permit tcp any host <public ip> eq smtp
access-group outside_access_in in interface outside

Note: "outside_access_in" = your current inbound acl. This is just a modification of your existing acl if you have one.

That should get you most of the way there.
Two more things that you might need to do, depending on the PIX OS version and the Exchange set up
no fixup protocol smtp
no fixup protocol dns

0
 

Author Comment

by:moonzappa
ID: 17916620
static (inside,outside) <198.66.93.67> <172.16.1.20> netmask 255.255.255.255

198.66.93.66 is my public IP address with mask 255.255.255.224
172.16.1.20 is the server IP address with mask 255.255.255.0
So which mask do I use? 255.255.255.255? Do I have to specify which ports? I just need SMTP for internal users, and POP/web mail for workers when they are at home. I have the older 3.0, PIX Version 6.3(5).
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 125 total points
ID: 17916925
You have several options.
Assuming that 198.66.93.66 is the IP address you have assigned to the outside interface and
198.66.93.65 is your default gateway for the PIX
AND you have full use of the entire range of IP nos  .67 - .94

Option 1 - 1-1 full nat
 static (inside,outside) 198.66.93.67 172.16.1.20 netmask 255.255.255.255

Option 2 - port forwarding only, using the outside IP of the PIX (yes, use the word "interface" just as shown)
 static (inside,outside) tcp interface smtp 172.16.1.20 smtp dns netmask 255.255.255.255
 static (inside,outside) tcp interface pop3 172.16.1.20 pop3 dns netmask 255.255.255.255
 static (inside,outside) tcp interface http 172.16.1.20 http dns netmask 255.255.255.255
 static (inside,outside) tcp interface https 172.16.1.20 https dns netmask 255.255.255.255

inbound acl also uses "interface" keyword
 access-list outside_in permit tcp any interface outside eq smtp
 access-list outside_in permit tcp any interface outside eq http
 access-list outside_in permit tcp any interface outside eq https
 access-list outside_in permit tcp any interface outside eq pop3

access-group outside_in in interface outside


0
 

Author Comment

by:moonzappa
ID: 17917833
Can you explain the ACL? And the difference between the 2 options... also, what is the best antivirus for Exchange? Panda Business Exchange with TruPrevent?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17918172
The difference between the two options is a one-to-one full nat for a dedicated public IP address to the Exchange server vs a port-forwarding technique that only forwards the ports you need open, and uses the IP address assigned to the outside interface.

I can't advise on AV for Exchange, but I can tell you that I despise Panda's marketing tactics.

>can you explain the ACL ??
Allow anyone on the Internet to send data to eq <port>
Without the acl, all inbound traffic is blocked by default on the PIX.
0
 

Author Comment

by:moonzappa
ID: 17918386
I can just go to the command line, select multiple command line, and cut and paste the information in there, right? I have never used the command line interface. Can this be done through the web interface?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17918425
Easier to do from the command line, and you can also cut/paste into multiple command line through the PDM GUI.

Copy/Paste the following:

static (inside,outside) tcp interface smtp 172.16.1.20 smtp dns netmask 255.255.255.255
static (inside,outside) tcp interface pop3 172.16.1.20 pop3 dns netmask 255.255.255.255
static (inside,outside) tcp interface http 172.16.1.20 http dns netmask 255.255.255.255
static (inside,outside) tcp interface https 172.16.1.20 https dns netmask 255.255.255.255
access-list outside_in permit tcp any interface outside eq smtp
access-list outside_in permit tcp any interface outside eq http
access-list outside_in permit tcp any interface outside eq https
access-list outside_in permit tcp any interface outside eq pop3
access-group outside_in in interface outside
0
 

Author Comment

by:moonzappa
ID: 17918467
I still need to do this first, right? .65 is my Road Runner modem router, .66 is the outside interface of the 515E and
.67 is the public IP I will use to NAT the traffic to my Exchange server

static (inside,outside) <198.66.93.67> <172.16.1.20> netmask 255.255.255.255
static (inside,outside) tcp interface smtp 172.16.1.20 smtp dns netmask 255.255.255.255
static (inside,outside) tcp interface pop3 172.16.1.20 pop3 dns netmask 255.255.255.255
static (inside,outside) tcp interface http 172.16.1.20 http dns netmask 255.255.255.255
static (inside,outside) tcp interface https 172.16.1.20 https dns netmask 255.255.255.255
access-list outside_in permit tcp any interface outside eq smtp
access-list outside_in permit tcp any interface outside eq http
access-list outside_in permit tcp any interface outside eq https
access-list outside_in permit tcp any interface outside eq pop3
access-group outside_in in interface outside
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17918539
>and 67 is the public ip i will use to NAT the traffic to my exchange server
OK, let's start over... just use the following:

static (inside,outside) 198.66.93.67 172.16.1.20 netmask 255.255.255.255
access-list outside_in permit tcp any host 198.66.93.67 eq smtp
access-list outside_in permit tcp any host 198.66.93.67 eq http
access-list outside_in permit tcp any  host 198.66.93.67 eq https
access-list outside_in permit tcp any  host 198.66.93.67 eq pop3
access-group outside_in in interface outside

0
 

Author Comment

by:moonzappa
ID: 17930618
hello,
I made a mistake editing; how do I fix it? I changed the first IP in the static to .70 instead of .67, but I forgot to edit the other IPs from .67 to .70. Also I forgot to change the server IP to .12 instead of .20. Please help
      
static (inside,outside) 198.66.93.67 172.16.1.20 netmask 255.255.255.255
access-list outside_in permit tcp any host 198.66.93.67 eq smtp
access-list outside_in permit tcp any host 198.66.93.67 eq http
access-list outside_in permit tcp any  host 198.66.93.67 eq https
access-list outside_in permit tcp any  host 198.66.93.67 eq pop3
access-group outside_in in interface outside

thank you much
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17933224
"no" in front of any line will remove it

no static (inside,outside) 198.66.93.67 172.16.1.20 netmask 255.255.255.255
clear xlate
no access-group outside_in in interface outside
no access-list outside_in permit tcp any host 198.66.93.67 eq smtp
no access-list outside_in permit tcp any host 198.66.93.67 eq http
no access-list outside_in permit tcp any  host 198.66.93.67 eq https
no access-list outside_in permit tcp any  host 198.66.93.67 eq pop3


static (inside,outside) 198.66.93.70 172.16.1.12 netmask 255.255.255.255
access-list outside_in permit tcp any host 198.66.93.70 eq smtp
access-list outside_in permit tcp any host 198.66.93.70 eq http
access-list outside_in permit tcp any  host 198.66.93.70 eq https
access-list outside_in permit tcp any  host 198.66.93.70 eq pop3
access-group outside_in in interface outside

0
 

Author Comment

by:moonzappa
ID: 17982705
For some reason our FTP site is no longer working, please help. I am not sure if the commands we did above have anything to do with it, but I need to have it fixed ASAP please.

198.66.93.78 is the public IP for this FTP site and the internal IP for this machine is 172.16.1.28 (ftp-inside)


thanks
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17982779
Make sure you have these in your config

static (inside,outside) 198.66.93.78 172.16.1.28 netmask 255.255.255.255
access-list outside_in permit tcp any host 198.66.93.78 eq ftp
access-list outside_in permit tcp any host 198.66.93.78 eq ftp-data

0
 

Author Comment

by:moonzappa
ID: 17982844
I have something similar
static (inside,outside) tcp ftp.lateraldata.com ftp-inside netmask 255.255.255.255 0 0
access-list outside_in permit tcp any host ftp.lateraldata.com object group F
0
 

Author Comment

by:moonzappa
ID: 17982865
name 198.66.93.78 ftp.lateraldata.com
name 172.16.1.28 ftp-inside
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17982903
Then it should be working. When did it stop working?
Try rebooting the PIX, or re-applying the access-list to the interface

  access-group outside_in in interface outside
0
 

Author Comment

by:moonzappa
ID: 17988059
Still doesn't work. I applied this command "access-group outside_in in interface outside" and rebooted the PIX, but it still doesn't seem like the server is getting any traffic from the outside. Any idea?
0
 

Author Comment

by:moonzappa
ID: 17988168
I just found out some of the commands were ignored by the firewall
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit udp object-group Verio.Net.DNS eq domain any eq domain
access-list outside_access_in permit tcp any host ftp.lateraldata.com object-group FTP-Traffic
access-list outside_access_in permit tcp any interface outside eq www

Can you please explain, and see if it has anything to do with the fact that we are not getting through to our FTP site from the outside world?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17988782
I think you're going to have to post the complete config for me to see any relationship between what is and what is not working.
You can post it up here at http://www.ee-stuff.com
0
 

Author Comment

by:moonzappa
ID: 17988828
Can I have your email address?
0
 

Author Comment

by:moonzappa
ID: 17991215
Please email me at hdang@lateraldata.com
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17991760
That's not the way this site works. We need to keep the dialog in this thread. We need to end up with a complete problem/solution set in the database for future use. You can safely post your config at the link above, and remove it when we're done.
0
 

Author Comment

by:moonzappa
ID: 17995941
Hello, I updated the files already: one is the running PIX config and one is the commands that have been ignored by the PDM. Please help
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17996426
>access-group outside_in in interface outside
The acl that you have applied to the interface that is allowing email is a different acl
You have "outside_in" and "outside_access_in"

Let's try this again, using the acl that you already have applied...
Remove the acl that PDM is ignoring (because it is not applied to any interface)
 no access-list outside_access_in

Add these to the existing acl:
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit udp object-group Verio.Net.DNS eq domain any eq domain
access-list outside_in permit tcp any host ftp.lateraldata.com object-group FTP-Traffic
access-list outside_in permit tcp any interface outside eq www

re-apply the acl to the interface
  no access-group outside_in in interface outside
  access-group outside_in in interface outside

On a side note, I noticed your 'inside' acl isn't doing anything for you:

access-list inside_access_in permit ip Office 255.255.255.0 any
access-list inside_access_in deny ip any bitsoft.ru 255.255.255.0  <== since this is second in the list, it will never get hit.

I understand that you want to block anyone from going to bitsoft.ru...
Let's try this:
 no access-group inside_access_in in interface inside
 no access-list inside_access_in
 access-list inside_access_out deny ip any bitsoft.ru 255.255.255.0
 access-list inside_access_out permit ip any any
 access-group inside_access_out in interface inside

0
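As an added example (not from the thread or from Cisco), a small Python audit for the two mistakes lrmoore points out above: an access-list that is defined but never applied with access-group, whose rules the PIX simply ignores, and an inside ACL whose deny sits behind a permit that already matches the source. It also flags a 1-1 static whose public address no applied ACL permits, which is the FTP symptom earlier in the thread. The config text is constructed for illustration.

```python
import re
# Constructed sample config (not the poster's real one): it reproduces the two
# mistakes raised in the thread, an ACL that is defined but never applied with
# access-group, and an inside ACL whose deny sits behind a permit.
SAMPLE_CONFIG = """
static (inside,outside) 198.66.93.70 172.16.1.12 netmask 255.255.255.255
static (inside,outside) 198.66.93.78 172.16.1.28 netmask 255.255.255.255
access-list outside_in permit tcp any host 198.66.93.70 eq smtp
access-list outside_in permit tcp any host 198.66.93.70 eq pop3
access-list outside_access_in permit tcp any host 198.66.93.78 eq ftp
access-list inside_access_in permit ip 172.16.1.0 255.255.255.0 any
access-list inside_access_in deny ip any 10.0.0.0 255.255.255.0
access-group outside_in in interface outside
access-group inside_access_in in interface inside
"""

ACE = re.compile(r"access-list (\S+) (permit|deny) (\S+) (.+)")
GROUP = re.compile(r"access-group (\S+) in interface (\S+)")
# Only the one-to-one form of static; port-forwarding statics are skipped.
STATIC = re.compile(r"static \(\S+\) (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3}) netmask")

def audit_pix(config):
    acls, applied, statics = {}, {}, []
    for line in config.splitlines():
        line = line.strip()
        if m := ACE.match(line):
            acls.setdefault(m[1], []).append((m[2], m[3], m[4]))
        elif m := GROUP.match(line):
            applied[m[1]] = m[2]
        elif m := STATIC.match(line):
            statics.append(m[1])
    # 1. An ACL that is applied to no interface is dead text; the PIX ignores it.
    findings = [("unapplied_acl", n) for n in acls if n not in applied]
    # 2. A one-to-one static whose public address no *applied* ACL permits:
    #    the translation exists but inbound packets are still dropped.
    permitted = {h[1] for name, aces in acls.items() if name in applied
                 for action, _proto, rest in aces
                 if action == "permit" and (h := re.search(r"host (\S+)", rest))}
    findings += [("static_without_acl", p) for p in statics if p not in permitted]
    # 3. First match wins: a deny placed after "permit ip <src> any" in the same
    #    ACL is never reached by traffic from that source.
    for name, aces in acls.items():
        for i, (action, _proto, _rest) in enumerate(aces):
            if action == "deny" and any(a == "permit" and p == "ip"
                                        and r.endswith(" any")
                                        for a, p, r in aces[:i]):
                findings.append(("shadowed_deny", f"{name} entry {i + 1}"))
    return findings
```

Running audit_pix on the sample reports the orphaned outside_access_in, the unreachable 198.66.93.78 static and the shadowed inside deny; after applying the fix lrmoore gives above, it reports nothing.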
 

Author Comment

by:moonzappa
ID: 17996463
Thanks a bunch
0
 

Author Comment

by:moonzappa
ID: 18030727
I need to enable the IMAP protocol, please help

Thanks in advance
0
 

Author Comment

by:moonzappa
ID: 18030776
access-list outside_in permit tcp any host 198.66.93.70 eq imap4

Is the command above correct?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 18031369
Yes, that is the correct syntax
0
 

Author Comment

by:moonzappa
ID: 18042690
It seems like something is not working from outside of the firewall. I can receive POP email and IMAP email but am unable to send. Do you think my ISP blocks their ports?
0
 

Author Comment

by:moonzappa
ID: 18042821
I think my ISP is blocking port 25, and I found out about port 587 to send email. I would need to add a rule to my PIX, right?
access-list outside_in permit tcp any host 198.66.93.70 eq 587

is the command above correct?
0
 

Author Comment

by:moonzappa
ID: 18043110
Never mind... I figured it out already... I guess I need to close port 25 to prevent spam relay?

Huy
0
