Solved

Set up the Cisco PIX 515 for Exchange server

Posted on 2006-11-10
31
1,332 Views
Last Modified: 2010-04-10
I have installed and configured an Exchange 2003 server. What setup do I need to do on the PIX 515E in order for our Exchange server to send and receive email from the Internet? I do have a public IP address.

Please help
Question by moonzappa
31 Comments
 
Expert Comment by lrmoore (LVL 79):
static (inside,outside) <public ip> <server private ip> netmask 255.255.255.255
access-list outside_access_in permit tcp any host <public ip> eq smtp
access-group outside_access_in in interface outside

Note: "outside_access_in" = your current inbound acl. This is just a modification of your existing acl if you have one.

That should get you most of the way there.
Two more things that you might need to do, depending on the PIX OS version and the Exchange set up
no fixup protocol smtp
no fixup protocol dns

Author Comment by moonzappa:
static (inside,outside) <198.66.93.67> <172.16.1.20> netmask 255.255.255.255

198.66.93.66 is my public IP address with mask 255.255.255.224
172.16.1.20 is the server IP address with mask 255.255.255.0
So which mask do I use? 255.255.255.255? Do I have to specify which ports? I just need SMTP for internal users, and POP/Web mail for workers when they are at home. I have the older 3.0, PIX Version 6.3(5).
Accepted Solution by lrmoore (LVL 79), who earned 125 total points:
You have several options.
Assuming that 198.66.93.66 is the IP address you have assigned to the outside interface and
198.66.93.65 is your default gateway for the PIX
AND you have full use of the entire range of IP numbers .67 - .94

Option 1 - 1-to-1 full NAT
 static (inside,outside) 198.66.93.67 172.16.1.20 netmask 255.255.255.255

Option 2 - port forwarding only, using the outside IP of the PIX (yes, use the word "interface" just as shown)
 static (inside,outside) tcp interface smtp 172.16.1.20 smtp dns netmask 255.255.255.255
 static (inside,outside) tcp interface pop3 172.16.1.20 pop3 dns netmask 255.255.255.255
 static (inside,outside) tcp interface http 172.16.1.20 http dns netmask 255.255.255.255
 static (inside,outside) tcp interface https 172.16.1.20 https dns netmask 255.255.255.255

inbound acl also uses "interface" keyword
 access-list outside_in permit tcp any interface outside eq smtp
 access-list outside_in permit tcp any interface outside eq http
 access-list outside_in permit tcp any interface outside eq https
 access-list outside_in permit tcp any interface outside eq pop3

access-group outside_in in interface outside


Author Comment by moonzappa:
Can you explain the ACL? And the difference between the 2 options... Also, what is the best antivirus for Exchange? Panda Business Exchange with TruPrevent?
Expert Comment by lrmoore (LVL 79):
The difference between the two options is a one-to-one full nat for a dedicated public IP address to the Exchange server vs a port-forwarding technique that only forwards the ports you need open, and uses the IP address assigned to the outside interface.

I can't advise on AV for Exchange, but I can tell you that I despise Panda's marketing tactics.

>can you explain the ACL ??
Allow anyone on the Internet to send data to eq <port>
Without the acl, all inbound traffic is blocked by default on the PIX.
Author Comment by moonzappa:
I can just go to the command line, select "multiple command line" and cut and paste the information in there, right? I have never used the command line interface. Can this be done through the web interface?
Expert Comment by lrmoore (LVL 79):
Easier to do from the command line, and you can also cut/paste into the multiple command line through the PDM GUI.

Copy/Paste the following:

static (inside,outside) tcp interface smtp 172.16.1.20 smtp dns netmask 255.255.255.255
static (inside,outside) tcp interface pop3 172.16.1.20 pop3 dns netmask 255.255.255.255
static (inside,outside) tcp interface http 172.16.1.20 http dns netmask 255.255.255.255
static (inside,outside) tcp interface https 172.16.1.20 https dns netmask 255.255.255.255
access-list outside_in permit tcp any interface outside eq smtp
access-list outside_in permit tcp any interface outside eq http
access-list outside_in permit tcp any interface outside eq https
access-list outside_in permit tcp any interface outside eq pop3
access-group outside_in in interface outside
Author Comment by moonzappa:
I still need to do this first, right? .65 is my Road Runner modem router, .66 is the outside interface of the 515E and
.67 is the public IP I will use to NAT the traffic to my Exchange server.

static (inside,outside) <198.66.93.67> <172.16.1.20> netmask 255.255.255.255
static (inside,outside) tcp interface smtp 172.16.1.20 smtp dns netmask 255.255.255.255
static (inside,outside) tcp interface pop3 172.16.1.20 pop3 dns netmask 255.255.255.255
static (inside,outside) tcp interface http 172.16.1.20 http dns netmask 255.255.255.255
static (inside,outside) tcp interface https 172.16.1.20 https dns netmask 255.255.255.255
access-list outside_in permit tcp any interface outside eq smtp
access-list outside_in permit tcp any interface outside eq http
access-list outside_in permit tcp any interface outside eq https
access-list outside_in permit tcp any interface outside eq pop3
access-group outside_in in interface outside
Expert Comment by lrmoore (LVL 79):
>and 67 is the public ip i will use to NAT the traffic to my exchange server
OK, let's start over... just use the following:

static (inside,outside) 198.66.93.67 172.16.1.20 netmask 255.255.255.255
access-list outside_in permit tcp any host 198.66.93.67 eq smtp
access-list outside_in permit tcp any host 198.66.93.67 eq http
access-list outside_in permit tcp any  host 198.66.93.67 eq https
access-list outside_in permit tcp any  host 198.66.93.67 eq pop3
access-group outside_in in interface outside

Author Comment by moonzappa:
Hello,
I made a mistake editing and how do I fix it? I changed the first IP in the static to .70 instead of .67, but I forgot to edit the other IPs from .67 to .70. Also I forgot to change the server IP to .12 instead of .20. Please help.

static (inside,outside) 198.66.93.67 172.16.1.20 netmask 255.255.255.255
access-list outside_in permit tcp any host 198.66.93.67 eq smtp
access-list outside_in permit tcp any host 198.66.93.67 eq http
access-list outside_in permit tcp any  host 198.66.93.67 eq https
access-list outside_in permit tcp any  host 198.66.93.67 eq pop3
access-group outside_in in interface outside

thank you much
Expert Comment by lrmoore (LVL 79):
"no" in front of any line will remove it

no static (inside,outside) 198.66.93.67 172.16.1.20 netmask 255.255.255.255
clear xlate
no access-group outside_in in interface outside
no access-list outside_in permit tcp any host 198.66.93.67 eq smtp
no access-list outside_in permit tcp any host 198.66.93.67 eq http
no access-list outside_in permit tcp any  host 198.66.93.67 eq https
no access-list outside_in permit tcp any  host 198.66.93.67 eq pop3


static (inside,outside) 198.66.93.70 172.16.1.12 netmask 255.255.255.255
access-list outside_in permit tcp any host 198.66.93.70 eq smtp
access-list outside_in permit tcp any host 198.66.93.70 eq http
access-list outside_in permit tcp any  host 198.66.93.70 eq https
access-list outside_in permit tcp any  host 198.66.93.70 eq pop3
access-group outside_in in interface outside

Author Comment by moonzappa:
For some reason our FTP site is no longer working, please help. I am not sure if the commands we did above have anything to do with it, but I need to have it fixed ASAP, please.

198.66.93.78 is the public IP for this FTP site and the internal IP for this machine is 172.16.1.28 (ftp-inside).


thanks
Expert Comment by lrmoore (LVL 79):
Make sure you have these in your config

static (inside,outside) 198.66.93.78 172.16.1.28 netmask 255.255.255.255
access-list outside_in permit tcp any host 198.66.93.78 eq ftp
access-list outside_in permit tcp any host 198.66.93.78 eq ftp-data

Author Comment by moonzappa:
I have something similar:
static (inside,outside) tcp ftp.lateraldata.com ftp-inside netmask 255.255.255.255 0 0
access-list outside_in permit tcp any host ftp.lateraldata.com object group F
Author Comment by moonzappa:
name 198.66.93.78 ftp.lateraldata.com
name 172.16.1.28 ftp-inside
Expert Comment by lrmoore (LVL 79):
Then it should be working. When did it stop working?
Try rebooting the PIX, or re-applying the access-list to the interface:

  access-group outside_in in interface outside
Author Comment by moonzappa:
Still doesn't work. I applied this command "access-group outside_in in interface outside" and rebooted the PIX, but it still doesn't seem like the server is getting any traffic from the outside. Any idea?
Author Comment by moonzappa:
I just found out some of the commands were ignored by the firewall:
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit udp object-group Verio.Net.DNS eq domain any eq domain
access-list outside_access_in permit tcp any host ftp.lateraldata.com object-group FTP-Traffic
access-list outside_access_in permit tcp any interface outside eq www

Can you please explain, and see if it has anything to do with the fact that we are not getting through to our FTP site from the outside world?
Expert Comment by lrmoore (LVL 79):
I think you're going to have to post the complete config for me to see any relationship between what is and what is not working.
You can post it up here at http://www.ee-stuff.com
Author Comment by moonzappa:
Can I have your email address?
Author Comment by moonzappa:
Please email me at hdang@lateraldata.com
Expert Comment by lrmoore (LVL 79):
That's not the way this site works. We need to keep the dialog in this thread. We need to end up with a complete problem/solution set in the database for future use. You can safely post your config at the link above, and remove it when we're done.
Author Comment by moonzappa:
Hello, I uploaded the files already: one is the running PIX config and one is the commands that have been ignored by the PDM. Please help.
Expert Comment by lrmoore (LVL 79):
>access-group outside_in in interface outside
The acl that you have applied to the interface, the one that is allowing email, is a different acl.
You have both "outside_in" and "outside_access_in".

Let's try this again, using the acl that you already have applied...
Remove the acl that PDM is ignoring (because it is not applied to any interface)
 no access-list outside_access_in

Add these to the existing acl:
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit udp object-group Verio.Net.DNS eq domain any eq domain
access-list outside_in permit tcp any host ftp.lateraldata.com object-group FTP-Traffic
access-list outside_in permit tcp any interface outside eq www

re-apply the acl to the interface
  no access-group outside_in in interface outside
  access-group outside_in in interface outside

On a side note, I noticed your 'inside' acl isn't doing anything for you:

access-list inside_access_in permit ip Office 255.255.255.0 any
access-list inside_access_in deny ip any bitsoft.ru 255.255.255.0  <== since this is second in the list, it will never get hit.

I understand that you want to block anyone from going to bitsoft.ru...
Let's try this:
 no access-group inside_access_in in interface inside
 no access-list inside_access_in
 access-list inside_access_out deny ip any bitsoft.ru 255.255.255.0
 access-list inside_access_out permit ip any any
 access-group inside_access_out in interface inside
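
The three mistakes this thread turns on (an ACL that the PIX ignores because no access-group applies it, a static whose global address no applied inbound ACL permits, and a deny that can never be hit because an earlier entry already matches everything) are all things a small script can catch before the config is pasted in. Below is such a checker, written as an added example for this thread and for the static/access-list/access-group trio in the accepted solution above; it is not code from the thread or from Cisco. It parses a simplified PIX 6.3 syntax (name, static, access-list, access-group; object-groups, the "interface" keyword and ICMP types are treated as opaque tokens), the sample config is constructed to mirror the thread, and the 192.0.2.0/24 destination is a stand-in for the site being blocked.

```python
"""Consistency checks for a PIX 6.3-style config fragment.  Added example, not code
from the thread or from Cisco: it parses name / static / access-list / access-group
lines and flags the mistakes the thread ran into - an ACL never applied with
access-group (so the PIX ignores it), a static that no applied inbound ACL permits,
and an ACL entry shadowed by an earlier, broader entry."""
import ipaddress
from collections import defaultdict, namedtuple

# Constructed sample in the shape of the thread: the applied ACL "outside_in", a
# stray "outside_access_in" that nothing applies, and an inside ACL whose deny sits
# behind a permit-everything entry (192.0.2.0/24 stands in for the blocked site).
SAMPLE_CONFIG = """\
name 198.66.93.78 ftp.lateraldata.com
static (inside,outside) 198.66.93.70 172.16.1.12 netmask 255.255.255.255
static (inside,outside) ftp.lateraldata.com 172.16.1.28 netmask 255.255.255.255
access-list outside_in permit tcp any host 198.66.93.70 eq smtp
access-list outside_in permit tcp any host 198.66.93.70 eq pop3
access-list outside_access_in permit tcp any host ftp.lateraldata.com eq ftp
access-list inside_access_in permit ip any any
access-list inside_access_in deny ip any 192.0.2.0 255.255.255.0
access-group outside_in in interface outside
access-group inside_access_in in interface inside
"""
# The thread's fix: move the stray entries into the ACL that is actually applied.
FIXED_CONFIG = SAMPLE_CONFIG.replace("access-list outside_access_in", "access-list outside_in")

AclEntry = namedtuple("AclEntry", "action proto src dst port text")

def parse_address(t, i, names):
    """any | host X | object-group G | interface IF | NET MASK, with names resolved."""
    if t[i] == "any":
        return ("any",), i + 1
    if t[i] in ("host", "object-group", "interface"):
        return (t[i], names.get(t[i + 1], t[i + 1])), i + 2
    return ("net", names.get(t[i], t[i]), t[i + 1]), i + 2

def parse_config(text):
    names, statics, applied, acls = {}, [], {}, defaultdict(list)
    for t in filter(None, map(str.split, text.splitlines())):
        if t[0] == "name":                          # name IP NAME
            names[t[2]] = t[1]
        elif t[0] == "static":                      # static (in,out) [tcp|udp] GLOBAL ...
            out_if = t[1].strip("()").split(",")[1]
            glob = t[3] if t[2] in ("tcp", "udp") else t[2]
            addr = ("interface", out_if) if glob == "interface" else ("host", names.get(glob, glob))
            statics.append((out_if, addr, " ".join(t)))
        elif t[0] == "access-list" and t[2] in ("permit", "deny"):
            src, i = parse_address(t, 4, names)     # ... PROTO SRC [eq P] DST [eq P | group | icmp-type]
            i = i + 2 if i < len(t) and t[i] in ("eq", "neq", "gt", "lt") else i
            dst, i = parse_address(t, i, names)
            acls[t[1]].append(AclEntry(t[2], t[3], src, dst, tuple(t[i:]), " ".join(t)))
        elif t[0] == "access-group":                # access-group NAME in interface IF
            applied[t[1]] = t[4]
    return {"statics": statics, "acls": dict(acls), "applied": applied}

def to_network(addr):
    """any / host / net specs become networks; names, groups and interfaces give None."""
    cidr = {"any": "0.0.0.0/0", "host": f"{addr[-1]}/32", "net": "/".join(addr[1:])}.get(addr[0])
    try:
        return ipaddress.ip_network(cidr, strict=False) if cidr else None
    except ValueError:                              # an unresolved name such as ftp.example
        return None

def addr_covers(a, b):
    na, nb = to_network(a), to_network(b)
    return a == b if na is None or nb is None else nb.subnet_of(na)

def entry_covers(a, b):
    """True when every packet matching entry b already matches the earlier entry a."""
    return (a.proto in ("ip", b.proto) and addr_covers(a.src, b.src)
            and addr_covers(a.dst, b.dst) and (not a.port or a.port == b.port))

def unapplied_acls(cfg):
    return sorted(n for n in cfg["acls"] if n not in cfg["applied"])

def unreachable_entries(cfg):
    hits = []
    for name, entries in cfg["acls"].items():
        for i, later in enumerate(entries):
            earlier = next((e for e in entries[:i] if entry_covers(e, later)), None)
            if earlier is not None:
                hits.append((name, later.text, earlier.text))
    return hits

def statics_without_permit(cfg):
    """Statics whose global address no permit in the ACL applied to that interface covers."""
    missing = []
    for out_if, addr, text in cfg["statics"]:
        entries = [e for n, ifn in cfg["applied"].items() if ifn == out_if
                   for e in cfg["acls"].get(n, [])]
        if not any(e.action == "permit" and addr_covers(e.dst, addr) for e in entries):
            missing.append(text)
    return missing

if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_CONFIG), ("after fix", FIXED_CONFIG)):
        cfg = parse_config(text)
        print(label, unapplied_acls(cfg), unreachable_entries(cfg), statics_without_permit(cfg))
```

Run against the "as posted" sample it reports outside_access_in as unapplied, the FTP static as having no permit on the outside interface, and the inside deny as unreachable; after the substitution that mirrors lrmoore's fix the first two findings disappear while the shadowed deny remains, which is the separate reordering fix he raises in the side note. Feeding it real `show run` output needs only the same four command families.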

Author Comment by moonzappa:
Thanks a bunch.
Author Comment by moonzappa:
I need to enable the IMAP protocol, please help.

Thanks in advance
Author Comment by moonzappa:
access-list outside_in permit tcp any host 198.66.93.70 eq imap4

Is the command above correct?
Expert Comment by lrmoore (LVL 79):
Yes, that is the correct syntax
Author Comment by moonzappa:
It seems like something is not working from outside of the firewall. I can receive POP email and IMAP email but I am unable to send. Do you think my ISP blocks their ports?
Author Comment by moonzappa:
I think my ISP is blocking port 25, and I found out about port 587 to send email. I would need to add a rule to my PIX, right?
access-list outside_in permit tcp any host 198.66.93.70 eq 587

Is the command above correct?
Author Comment by moonzappa:
Never mind... I figured it out already. I guess I need to close port 25 to prevent spam relay?

Huy