
Exchange and PIX firewall - newbie setup question


hbalf1

MIS
Oct 23, 2003
Hi All
We currently use POP3 mail pickup and SMTP mail delivery on Exchange 2000 on W2000 SBS. We are going to migrate to SMTP mail.
To this end I want to make sure I can access my mail server through the firewall and router before I go live. I understand I should be able to telnet through on port 25 using the IP address from 'outside' and get some response. (No MX is set up yet, but it should not be needed.)
The installation has a default SMTP connector, and inside the network I can get a response from the ESMTP service.
Question: do I need to set up another SMTP connector to get a response, or do I need to make any other changes? Would you expect the telnet session to get a response if the firewall side is all set up OK?
Thanks in advance
Balf1
 
Well this is really a PIX question, not an Exchange question.

From my vague and limited PIX experience, my understanding is that you open up port 25 and tell the PIX it's for SMTP traffic. It can analyze the traffic and block non-SMTP traffic.

If this is the case, then in theory, if you attempt to telnet to port 25 through your PIX, it should see it's not SMTP traffic and not allow it.

But, my real suggestion is to post this question in the PIX forum to make sure :)

As for simply telnetting to an exchange server on port 25, yes it will respond.
 
Hi sab4you
Right you are....the PIX group asked me to post here to check my Exchange bit was set up.
I have now tried a client on the subnet between the PIX and ISA server, and I can telnet through on port 25, so I am assuming that all my Exchange bits are set up OK!!
Thanks
HBalf1

P.S. I understand (but am not certain why) that if you allow port 25 to be open, then you can telnet through it to Exchange.
QUOTE:..."You don't need to open a Telnet port up to telnet to port 25 either. If your ACL is allowing 25 in then you can telnet to 25 if the internal server responds."


 
Hello BHalf1,

Internally (i.e. not through ISA or anything else, even try it on the Exchange box itself) telnet <emailserver> 25 and see if you get a response. Email is working.

Then in the Pix add a line

static (inside,outside) <MailOutside> <mailinside> netmask 255.255.255.255 5000 1000

that will map the external public IP that matches your MX record to the internal IP of your mail server.

then

fixup protocol smtp 25

if you haven't got it already

then

access-list acl_outside permit tcp any host MailOutside eq smtp

to allow port 25 through.

also

access-list acl_outside permit tcp any host MailOutside eq www

if you want outlook web access from outside

Then test it from outside by telnetting to port 25. Then set your MX record on your domain.

That is pretty much all you need.
 
Thanks Zelandakh

I have managed to get this going.

Your advice looks spot on though - so thanks again.

FYI apparently ('cause I am a newbie at this) for it to work for Exchange you need to add a 'no fixup protocol smtp 25' as Exchange uses ESMTP.

Cheers

HBalf1
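As an added example (not code from any of the posts above), here is a small Python probe that automates the "telnet to port 25" test Zelandakh describes, and also sends EHLO so it tells apart an Exchange server answering fully from one whose ESMTP commands are being refused, the symptom behind the final post's 'no fixup protocol smtp 25' note. The fake mail server, the example.test host names and the 500 reply are constructed for the example; against a real server you would call probe_smtp with your public mail IP.

```python
import socket, socketserver, threading

def read_reply(f):
    # One SMTP reply: '250-' marks a continuation line, '250 ' the final line.
    lines = [f.readline().decode(errors="replace").rstrip("\r\n")]
    while len(lines[-1]) >= 4 and lines[-1][3] == "-":
        lines.append(f.readline().decode(errors="replace").rstrip("\r\n"))
    return lines

def probe_smtp(host, port, timeout=5.0):
    # Connect like 'telnet host 25', read the banner, then try EHLO and HELO.
    r = {"banner": None, "ehlo": None, "helo": None, "verdict": "no SMTP greeting"}
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rwb", buffering=0)
        r["banner"] = read_reply(f)[0]
        if not r["banner"].startswith("220"):
            return r
        r["verdict"] = "greeting seen but HELO rejected"  # replaced below on success
        f.write(b"EHLO probe.example.test\r\n")
        r["ehlo"] = read_reply(f)[0][:3]  # keep the reply code only
        f.write(b"HELO probe.example.test\r\n")
        r["helo"] = read_reply(f)[0][:3]
        f.write(b"QUIT\r\n")
    if r["ehlo"] == "250":
        r["verdict"] = "ESMTP reachable"
    elif r["helo"] == "250":
        # Banner and HELO fine but EHLO refused: the session is held to plain SMTP on the path.
        r["verdict"] = "plain SMTP only: EHLO rejected"
    return r

class FakeSMTP(socketserver.StreamRequestHandler):
    # Constructed stand-in for the mail server; filter_esmtp=True refuses EHLO.
    filter_esmtp = False
    def handle(self):
        self.wfile.write(b"220 mail.example.test ESMTP ready\r\n")
        for raw in self.rfile:
            cmd = raw.strip().split(b" ")[0].upper()
            if cmd == b"QUIT":
                self.wfile.write(b"221 bye\r\n"); return
            if cmd == b"EHLO" and self.filter_esmtp:
                self.wfile.write(b"500 Command unrecognized\r\n")
            elif cmd == b"EHLO":
                self.wfile.write(b"250-mail.example.test\r\n250 SIZE 10485760\r\n")
            else:
                self.wfile.write(b"250 OK\r\n")

def run_probe_against_fake(filter_esmtp):
    # One-shot fake server on a free loopback port, then probe it (offline harness only).
    handler = type("Fake", (FakeSMTP,), {"filter_esmtp": filter_esmtp})
    with socketserver.TCPServer(("127.0.0.1", 0), handler) as srv:
        threading.Thread(target=srv.handle_request, daemon=True).start()
        return probe_smtp(*srv.server_address)
```

If the probe reports "plain SMTP only" from outside while the same server answers EHLO from the inside, the difference is something on the path rewriting or refusing the ESMTP command, not the Exchange connector.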
 