moonzappa asked:
Set up the Cisco PIX 515 for Exchange server

I have installed and configured an Exchange 2003 server. What setup do I need to do on the PIX 515E in order for our Exchange server to send and receive email from the Internet? I do have a public IP address.

Please help
Les Moore:

static (inside,outside) <public ip> <server private ip> netmask 255.255.255.255
access-list outside_access_in permit tcp any host <public ip> eq smtp
access-group outside_access_in in interface outside

Note: "outside_access_in" = your current inbound acl. This is just a modification of your existing acl if you have one.

That should get you most of the way there.
Two more things that you might need to do, depending on the PIX OS version and the Exchange setup:
no fixup protocol smtp
no fixup protocol dns

moonzappa (asker):
static (inside,outside) <198.66.93.67> <172.16.1.20> netmask 255.255.255.255

198.66.93.66 is my public IP address with mask 255.255.255.224.
172.16.1.20 is the server IP address with mask 255.255.255.0.
So which mask do I use? 255.255.255.255? Do I have to specify which ports? I just need SMTP for internal users, and POP/webmail for workers when they are at home. I have the older 3.0 PIX, version 6.3(5).
ASKER CERTIFIED SOLUTION
Les Moore
This solution is only available to members.
Can you explain the ACL? And the difference between the 2 options... Also, what is the best antivirus for Exchange? Panda Business Exchange with TruPrevent?
The difference between the two options is a one-to-one full NAT for a dedicated public IP address to the Exchange server, versus a port-forwarding technique that only forwards the ports you need open and uses the IP address assigned to the outside interface.

I can't advise on AV for Exchange, but I can tell you that I despise Panda's marketing tactics.

>can you explain the ACL ??
Allow anyone on the Internet to send data to eq <port>
Without the acl, all inbound traffic is blocked by default on the PIX.
I can just go to the command line... select the multiple command line and cut and paste the information in there, right? I have never used the command line interface. Can this be done through the web interface?
Easier to do from the command line, and you can also cut/paste into the multiple command line through the PDM GUI.

Copy/Paste the following:

static (inside,outside) tcp interface smtp 172.16.1.20 smtp dns netmask 255.255.255.255
static (inside,outside) tcp interface pop3 172.16.1.20 pop3 dns netmask 255.255.255.255
static (inside,outside) tcp interface http 172.16.1.20 http dns netmask 255.255.255.255
static (inside,outside) tcp interface https 172.16.1.20 https dns netmask 255.255.255.255
access-list outside_in permit tcp any interface outside eq smtp
access-list outside_in permit tcp any interface outside eq http
access-list outside_in permit tcp any interface outside eq https
access-list outside_in permit tcp any interface outside eq pop3
access-group outside_in in interface outside
I still need to do this first, right? .65 is my Road Runner modem/router, .66 is the outside interface of the 515E, and .67 is the public IP I will use to NAT the traffic to my Exchange server.

static (inside,outside) <198.66.93.67> <172.16.1.20> netmask 255.255.255.255
static (inside,outside) tcp interface smtp 172.16.1.20 smtp dns netmask 255.255.255.255
static (inside,outside) tcp interface pop3 172.16.1.20 pop3 dns netmask 255.255.255.255
static (inside,outside) tcp interface http 172.16.1.20 http dns netmask 255.255.255.255
static (inside,outside) tcp interface https 172.16.1.20 https dns netmask 255.255.255.255
access-list outside_in permit tcp any interface outside eq smtp
access-list outside_in permit tcp any interface outside eq http
access-list outside_in permit tcp any interface outside eq https
access-list outside_in permit tcp any interface outside eq pop3
access-group outside_in in interface outside
>and 67 is the public ip i will use to NAT the traffic to my exchange server
OK, let's start over... just use the following:

static (inside,outside) 198.66.93.67 172.16.1.20 netmask 255.255.255.255
access-list outside_in permit tcp any host 198.66.93.67 eq smtp
access-list outside_in permit tcp any host 198.66.93.67 eq http
access-list outside_in permit tcp any  host 198.66.93.67 eq https
access-list outside_in permit tcp any  host 198.66.93.67 eq pop3
access-group outside_in in interface outside

Hello,
I made a mistake editing; how do I fix it? I changed the first IP in the static to .70 instead of .67, but I forgot to edit the other IPs from .67 to .70. I also forgot to change the server IP to .12 instead of .20. Please help.

static (inside,outside) 198.66.93.67 172.16.1.20 netmask 255.255.255.255
access-list outside_in permit tcp any host 198.66.93.67 eq smtp
access-list outside_in permit tcp any host 198.66.93.67 eq http
access-list outside_in permit tcp any  host 198.66.93.67 eq https
access-list outside_in permit tcp any  host 198.66.93.67 eq pop3
access-group outside_in in interface outside

Thank you much
"no" in front of any line will remove it

no static (inside,outside) 198.66.93.67 172.16.1.20 netmask 255.255.255.255
clear xlate
no access-group outside_in in interface outside
no access-list outside_in permit tcp any host 198.66.93.67 eq smtp
no access-list outside_in permit tcp any host 198.66.93.67 eq http
no access-list outside_in permit tcp any  host 198.66.93.67 eq https
no access-list outside_in permit tcp any  host 198.66.93.67 eq pop3


static (inside,outside) 198.66.93.70 172.16.1.12 netmask 255.255.255.255
access-list outside_in permit tcp any host 198.66.93.70 eq smtp
access-list outside_in permit tcp any host 198.66.93.70 eq http
access-list outside_in permit tcp any  host 198.66.93.70 eq https
access-list outside_in permit tcp any  host 198.66.93.70 eq pop3
access-group outside_in in interface outside

For some reason our FTP site is no longer working, please help. I am not sure if the commands we did above have anything to do with it, but I need to have it fixed ASAP, please.

198.66.93.78 is the public IP for this FTP site, and the internal IP for this machine is 172.16.1.28 (ftp-inside).


Thanks
Make sure you have these in your config

static (inside,outside) 198.66.93.78 172.16.1.28 netmask 255.255.255.255
access-list outside_in permit tcp any host 198.66.93.78 eq ftp
access-list outside_in permit tcp any host 198.66.93.78 eq ftp-data

I have something similar:
static (inside,outside) tcp ftp.lateraldata.com ftp-inside netmask 255.255.255.255 0 0
access-list outside_in permit tcp any host ftp.lateraldata.com object group F
name 198.66.93.78 ftp.lateraldata.com
name 172.16.1.28 ftp-inside
Then it should be working. When did it stop working?
Try rebooting the PIX, or re-applying the access-list to the interface:

  access-group outside_in in interface outside
Still doesn't work. I applied this command "access-group outside_in in interface outside" and rebooted the PIX, but it still doesn't seem like the server is getting any traffic from the outside. Any idea?
I just found out some of the commands were ignored by the firewall:
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit udp object-group Verio.Net.DNS eq domain any eq domain
access-list outside_access_in permit tcp any host ftp.lateraldata.com object-group FTP-Traffic
access-list outside_access_in permit tcp any interface outside eq www

Can you please explain, and see if it has anything to do with the fact that we are not getting through to our FTP site from the outside world?
I think you're going to have to post the complete config for me to see any relationship between what is and what is not working.
You can post it up here at http://www.ee-stuff.com
Can I have your email address?
Please email me at hdang@lateraldata.com
That's not the way this site works. We need to keep the dialog in this thread. We need to end up with a complete problem/solution set in the database for future use. You can safely post your config at the link above, and remove it when we're done.
Hello, I updated the files already. One is the running PIX config and one is the commands that have been ignored by the PDM. Please help.
>access-group outside_in in interface outside
The ACL that you have applied to the interface, the one that is allowing email, is a different ACL.
You have "outside_in" and "outside_access_in".

Let's try this again, using the ACL that you already have applied...
Remove the ACL that PDM is ignoring (because it is not applied to any interface):
 no access-list outside_access_in

Add these to the existing acl:
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit udp object-group Verio.Net.DNS eq domain any eq domain
access-list outside_in permit tcp any host ftp.lateraldata.com object-group FTP-Traffic
access-list outside_in permit tcp any interface outside eq www

Re-apply the ACL to the interface:
  no access-group outside_in in interface outside
  access-group outside_in in interface outside

On a side note, I noticed your 'inside' ACL isn't doing anything for you:

access-list inside_access_in permit ip Office 255.255.255.0 any
access-list inside_access_in deny ip any bitsoft.ru 255.255.255.0  <== since this is second in the list, it will never get hit.

I understand that you want to block anyone from going to bitsoft.ru...
Let's try this:
 no access-group inside_access_in in interface inside
 no access-list inside_access_in
 access-list inside_access_out deny ip any bitsoft.ru 255.255.255.0
 access-list inside_access_out permit ip any any
 access-group inside_access_out in interface inside
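
The ordering point above (a PIX ACL is evaluated top-down and the first matching entry wins, with an implicit deny at the end) can be checked offline. The following is an added example, not code from the thread or from Cisco: a small first-match evaluator that parses the two inside ACLs quoted above. The addresses behind the "Office" and "bitsoft.ru" names are constructed placeholders, since the page never shows the "name" entries for them.

```python
import ipaddress

# Constructed stand-ins for the PIX "name" entries; the page never gives
# these addresses, so they are assumptions (bitsoft.ru -> a TEST-NET block).
NAMES = {
    "Office": "172.16.1.0",
    "bitsoft.ru": "198.51.100.0",
}

def parse_ace(line):
    """Parse 'access-list NAME permit|deny ip SRC [MASK] DST [MASK]' into a dict."""
    tok = line.split()
    if tok[0] != "access-list" or tok[3] != "ip":
        raise ValueError("only 'ip' ACEs are supported here: " + line)
    nets, i = [], 4
    while i < len(tok):
        if tok[i] == "any":                       # any -> 0.0.0.0/0
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            i += 1
        elif tok[i] == "host":                    # host X -> X/32
            nets.append(ipaddress.ip_network(NAMES.get(tok[i + 1], tok[i + 1]) + "/32"))
            i += 2
        else:                                     # ADDR|NAME MASK
            addr = NAMES.get(tok[i], tok[i])
            nets.append(ipaddress.ip_network(f"{addr}/{tok[i + 1]}", strict=False))
            i += 2
    return {"name": tok[1], "action": tok[2], "src": nets[0], "dst": nets[1]}

def evaluate(acl_lines, src, dst):
    """First-match evaluation: returns (action, 1-based ACE index) or ('deny', None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, ace in enumerate(map(parse_ace, acl_lines), start=1):
        if s in ace["src"] and d in ace["dst"]:
            return ace["action"], n
    return "deny", None   # implicit deny at the end of every PIX ACL

# The two inside ACLs as quoted in the thread.
ORIGINAL = [
    "access-list inside_access_in permit ip Office 255.255.255.0 any",
    "access-list inside_access_in deny ip any bitsoft.ru 255.255.255.0",
]
CORRECTED = [
    "access-list inside_access_out deny ip any bitsoft.ru 255.255.255.0",
    "access-list inside_access_out permit ip any any",
]

if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL), ("corrected", CORRECTED)):
        # An Office host talking to the blocked network: permitted by ACE 1 in
        # the original (the deny is shadowed), denied by ACE 1 after reordering.
        print(label, evaluate(acl, "172.16.1.50", "198.51.100.7"))
```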

Thanks a bunch
I need to enable the IMAP protocol, please help.

Thanks in advance
access-list outside_in permit tcp any host 198.66.93.70 eq imap4

Is the command above correct?
Yes, that is the correct syntax
It seems like something is not working from outside of the firewall. I can receive POP email and IMAP email but am unable to send them. Do you think my ISP blocks those ports?
I think my ISP is blocking port 25, and I found out about port 587 to send email. I would need to add a rule for my PIX, right?
access-list outside_in permit tcp any host 198.66.93.70 eq 587

Is the command above correct?
Never mind... I figured it out already. I guess I need to close port 25 to prevent spam relay?

Huy