
Exchange behind PIX 506e and ISA 2000 2

Status
Not open for further replies.

hbalf1

MIS
Oct 23, 2003
71
GB
Hi

I have had a look around, but could not find anything for this scenario.

We use W2000 SBS, which comes with ISA and Exchange bundled onto the one server. We only use POP3 at the moment but want to move to smtp.

We also have a PIX 506e.

As a router we have a Dlink 50504T, which is set to no NAT and no firewall.

I have enabled Exchange server access on the SBS box - and as this is done through a wizard I presume it to be correct.

We now have some permanent public IP addresses too. I have given the router a public IP address, I have given the outside of the PIX a public address, and I have reserved one for the Email.

Below is our PIX config. Should I be able to plug into the router with another public IP address and telnet to the mail server using 'telnet ExchangeIPaddress 25'? If so it does not respond.

Also do I or do I not fixup protocol smtp?

Not only am I a bit of a newbie, this is making me wonder about my IQ.

Any help gladly appreciated

Thanks

HBalf1

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password OVr00WX3N7/BuoOJ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname HistPIX
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside-in permit tcp any host 21.21.21.119 eq smtp
pager lines 24
logging on
logging buffered debugging
logging trap warnings
logging host inside 172.16.0.2
mtu outside 1500
mtu inside 1500
ip address outside 21.21.21.117 255.255.255.248
ip address inside 172.16.0.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 81.86.0.178 netmask 255.255.255.248
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 21.21.21.119 smtp 172.16.0.3 smtp netmask 255.255.255.255 0 0
access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 21.21.21.122 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 172.16.0.2 pix/config/test3
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:9950642cc283a259a16129478b99ae85
: end
[OK]


 
Oh I omitted to mention that our W2000 box has two NICs. The ISA external is 172.16.0.3 and the internal network is on 10.0.0.0 - if that makes any difference.
I presume pointing to the external ISA address is the correct thing to do.
HBalf1
 
You can leave "fixup protocol smtp 25" in there, unless you use esmtp, in which case you should use "no fixup protocol smtp 25".

As far as you said, you use POP3 but not SMTP? I don't see how that's possible if you send email... SMTP is the protocol used to send email, while POP3 is the protocol used to receive it.

As far as the DLink works, I'm not sure if it can MAP IPs.. I know our Linksys has this ability.

There is no need to use a public IP on the PIX, unless the router is not performing NAT. If not, then the easiest solution would be to use a static command for the exchange server.


I assume this is the Exchange server:

access-list outside-in permit tcp any host 21.21.21.119 eq smtp
static (inside,outside) tcp 21.21.21.119 smtp 172.16.0.3 smtp netmask 255.255.255

You should remove the smtp statement from the static, as the access-list is already denying all traffic to it except smtp.

Then.. to allow telnet, just add another line to the access-list to allow telnet to the exchange static'd IP.

Computer/Network Technician
CCNA
 
Hi LloydSev

Right - we collect via POP3 from our ISP, but as you correctly pointed out we send using smtp.

The Dlink is just set to be straight through, so I am sort of ignoring this bit of it. It has no NAT or firewall functionality set on it, so it is just acting as a terminal adaptor (modem).

We are set up to PAT.

I'll give your suggestions (remove smtp from static and set up an access list for telnet) a go tomorrow.

Thanks for the input

HBalf1
 
first up, you say telnet IPADDRESS 25? Right syntax but do you have an MX record? You'll need it for an exchange server...

You should be able to use telnet mycompany.com 25 and access your exchange from the outside. Hence the MX record, no MX, no SMTP for exchange.

Are you actually going to use the pix for the exchange server?
If so, add this into your access list...
access-list inbound permit tcp any host XXX.XXX.XXX.XXX eq smtp
where XXX.XXX.XXX.XXX is the IP tied to your MX record.

I'm a little confused tho. Which side of the pix is the dlink on? This will make a difference. Kinda makes me wonder why you cannot telnet into the exchange server...

~ K.I.S.S - Don't make it any more complex than it has to be ~
 
If you haven't set up SMTP and are only using POP3 on your Exchange server then I don't think you would get a response from the server if you telnet to port 25. You don't need to open a Telnet port up to telnet to port 25 either. If your ACL is allowing 25 in then you can telnet to 25 if the internal server responds. Since you haven't set up smtp yet your server should not respond. You can always test from an internal machine. Another thing is since you have 2 IP addresses you will need to make sure your Exchange server is at least using your external IP address for receiving SMTP when you do set it up. Are you on DSL?
 
Hi All

Thanks for the response.

1. There is no MX record setup yet. However if I use the actual IP address then it should be OK?

2. The Dlink router connects between our DSL line and the PIX as below

DSL
|
DLink Router
|
Pix
|
ISA and Exchange on 2 NIC W2000 SBS

3. I can telnet within the domain to our Exchange on port 25. We have a default SMTP connector that does the sending.

That made me think that I should be able to telnet to the PIX outside IP and get routed through to the internal Exchange server; if I had set it up correctly.

I'll add another telnet access list as Lloyd suggested and post any results back.

Thanks again

HBalf1
 
You may want to take out your fixup for smtp and see if that does the trick. I believe Exchange has some problems with the fixup because it strips out ESMTP info. When you try to telnet from the outside do you get anything at all or does it just time out?
 
And yes you only need an IP to telnet to 25. You don't need an MX record to do this.
 
Also.. you HAVE to have "no fixup protocol smtp 25" if you want to telnet on that port.

Computer/Network Technician
CCNA
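The posts above disagree on whether "fixup protocol smtp 25" (the PIX Mailguard inspection) is what is getting in the way of the "telnet host 25" test. The script below is an added example, not code from the thread or from Cisco: it performs the same test as telnet but classifies the result, separating a connection that never opens (the symptom of a missing static or access-list entry) from one that opens but shows the Mailguard signature. Mailguard is known to overwrite the text of the 220 greeting with asterisks, and is commonly reported to refuse ESMTP verbs such as EHLO with a 5xx reply. The host names and the probing client name are placeholders.

```python
"""Probe an SMTP listener and classify the greeting and the EHLO reply.

Added example, not code from the thread.  The 'masked' banner class is the
PIX Mailguard signature (220 followed by asterisks); 'ehlo-refused' is the
5xx reply to EHLO that a restrictive inspector produces.  Any host name here
is a placeholder.
"""
import socket

SMTP_PORT = 25


def classify_banner(banner: str) -> str:
    """Classify the greeting line: plain, masked by Mailguard, empty, or not SMTP."""
    line = banner.strip().splitlines()[0] if banner.strip() else ""
    if not line:
        return "empty"
    if not line.startswith("220"):
        return "not-smtp"
    text = line[3:].strip()
    # Mailguard leaves the 220 code intact and overwrites the rest with '*'
    if text and set(text) <= {"*", " "}:
        return "masked"
    return "plain"


def classify_ehlo_reply(reply: str) -> str:
    """250 means the listener speaks ESMTP; a 5xx reply means EHLO was refused."""
    code = reply[:3]
    if code == "250":
        return "esmtp"
    if code.startswith("5"):
        return "ehlo-refused"
    return "unknown"


def read_reply(sock: socket.socket) -> str:
    """Read one SMTP reply, including multi-line ones ("250-..." lines end with "250 ...")."""
    data = b""
    try:
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
            lines = data.split(b"\r\n")
            last = lines[-2] if len(lines) > 1 else b""
            # A reply is complete when the last full line has a space after the 3-digit code
            if len(last) >= 4 and last[3:4] == b" ":
                break
    except socket.timeout:
        pass  # return whatever arrived before the timeout
    return data.decode("ascii", "replace")


def probe(host: str, port: int = SMTP_PORT, timeout: float = 5.0) -> dict:
    """Connect, collect the greeting and the EHLO reply, and classify both."""
    result = {"connected": False, "banner": "", "ehlo": "", "error": ""}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["connected"] = True
            result["banner"] = read_reply(sock)
            sock.sendall(b"EHLO probe.example.invalid\r\n")  # placeholder client name
            result["ehlo"] = read_reply(sock)
            sock.sendall(b"QUIT\r\n")
    except OSError as exc:
        # timed out / refused: nothing is listening on that address, or the firewall dropped it
        result["error"] = str(exc)
    result["banner_class"] = classify_banner(result["banner"])
    result["ehlo_class"] = classify_ehlo_reply(result["ehlo"])
    return result


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.invalid"  # placeholder
    for key, value in probe(target).items():
        print(f"{key}: {value!r}")
```

Run it from a machine on the outside of the PIX against the published address. "connected: False" with a timeout points at the static/access-list pairing; "connected: True" with a masked banner or a refused EHLO points at the fixup; a plain banner and a 250 to EHLO means the path through the PIX is clean.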
 
Hi

I am still not having much success.

My Exchange server should be set up listening to both IP's on the internal network (that is a 10.0.0.0 range and the 172.16.0.3 address.)

I have added a static (inside,outside) command for both the external IP of the PIX, AND the IP I would like to use for Exchange.

I have taken the smtp statement out of the static commands.

Oh dear!!!

Cheers

HBalf1






 
you should not have a static line for both IPs of the exchange server, only the IP that the PIX can access.

Also, as far as configuration of the Exchange server listening on both, there is an Exchange forum you can ask there to make sure you have it setup correctly.


Computer/Network Technician
CCNA
 
Hi All

Thanks for the response. I have posted the config below.

PIX interface is 21.21.0.177. PAT is on 21.21.0.178.

I would like the Exchange to answer to 21.21.0.179. However I am unclear if I should use the 21.21.0.177 address. I notice that if I have the 21.21.0.177 address in the static (inside,outside)line (instead of 21.21.0.179) then it all appears to stop (no internet connection).

So - should I be using the 21.21.0.177 (PIX outside interface) as the IP address to forward smtp requests to 172.16.0.3?

Thanks in advance

HBalf1






:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password OVr00WX3N7/BuoOJ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname HistPIX
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside-in permit tcp any host 172.16.0.3 eq smtp
pager lines 24
logging on
logging buffered debugging
logging trap warnings
logging host inside 172.16.0.2
mtu outside 1500
mtu inside 1500
ip address outside 21.21.0.177 255.255.255.248
ip address inside 172.16.0.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 21.21.0.178 netmask 255.255.255.248
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 21.21.0.179 172.16.0.3 netmask 255.255.255.255 0 0
access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 21.21.0.182 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 172.16.0.2 pix/config/test3
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:243801952be9ccec34ccbf7d52b230b2
: end
[OK]
 
Change this

access-list outside-in permit tcp any host 172.16.0.3 eq smtp

to:

access-list outside-in permit tcp any host 21.21.0.179 eq smtp

Keep the .177 address assigned to the pix outside interface. You don't need to do anything else. As long as you have an external MX record pointing to the .179 address mail should flow for you. If not you can always change it if you control your DNS or have whoever is hosting your DNS change it for you.
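The two configuration mistakes worked through in this thread (an access-list that names the server's inside address 172.16.0.3 instead of the translated address, and a static that re-uses the PIX outside interface address, which took the Internet connection down) are mechanical enough to check automatically. The script below is an added example, not code from the thread or from Cisco: it parses only the handful of PIX 6.x commands the discussion turns on and reports those two inconsistencies, using the relevant lines of the second posted config as constructed sample input.

```python
"""Audit the static/access-list pairing that publishes an inside mail server
through a PIX 6.x.  Added example, not code from the thread or from Cisco.
It understands only ip address outside, static, access-list and access-group."""


def parse_pix(config: str) -> dict:
    """Extract the outside address, statics and inbound host permits from a config dump."""
    outside_ip = None
    statics = []      # (global_ip, local_ip) pairs
    permits = []      # (acl_name, dest_ip, port) from "permit tcp any host ..." lines
    bound = set()     # ACL names applied inbound on the outside interface
    for raw in config.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[:3] == ["ip", "address", "outside"]:
            outside_ip = tok[3]
        elif tok[0] == "static":
            # Port static:  static (in,out) tcp GLOBAL gport LOCAL lport netmask ...
            # Plain static: static (in,out) GLOBAL LOCAL netmask ...
            if tok[2] in ("tcp", "udp"):
                statics.append((tok[3], tok[5]))
            else:
                statics.append((tok[2], tok[3]))
        elif tok[0] == "access-list" and len(tok) >= 7 and tok[2] == "permit" and tok[5] == "host":
            # access-list NAME permit tcp any host DEST [eq PORT]
            port = tok[8] if len(tok) > 8 and tok[7] == "eq" else "any"
            permits.append((tok[1], tok[6], port))
        elif tok[0] == "access-group" and len(tok) == 5 and tok[3:] == ["interface", "outside"]:
            bound.add(tok[1])
    return {"outside_ip": outside_ip, "statics": statics, "permits": permits, "bound": bound}


def audit(config: str) -> list:
    """Return human-readable findings; an empty list means the pairing is consistent."""
    p = parse_pix(config)
    local_to_global = {lip: gip for gip, lip in p["statics"]}
    globals_in_use = {gip for gip, _ in p["statics"]}
    findings = []
    for gip, lip in p["statics"]:
        if gip == p["outside_ip"]:
            findings.append(
                f"static {gip} -> {lip} re-uses the outside interface address; "
                "pick a spare address from the outside block instead")
    for acl, dest, port in p["permits"]:
        if acl not in p["bound"]:
            findings.append(f"access-list {acl} is never applied to the outside interface")
        if dest in local_to_global:
            # PIX 6.x access-lists on the outside interface match the translated (global) address
            findings.append(
                f"access-list {acl} permits {port} to inside address {dest}; "
                f"it must name the translated address {local_to_global[dest]}")
        elif dest not in globals_in_use:
            findings.append(
                f"access-list {acl} permits {port} to {dest}, but no static translates that address")
    return findings


# Constructed sample: the relevant lines of the second config posted in the thread.
CONFIG_AS_POSTED = """\
ip address outside 21.21.0.177 255.255.255.248
global (outside) 1 21.21.0.178 netmask 255.255.255.248
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 21.21.0.179 172.16.0.3 netmask 255.255.255.255 0 0
access-list outside-in permit tcp any host 172.16.0.3 eq smtp
access-group outside-in in interface outside
"""

# The same config with the access-list corrected as suggested above.
CONFIG_CORRECTED = CONFIG_AS_POSTED.replace("host 172.16.0.3", "host 21.21.0.179")

if __name__ == "__main__":
    for label, cfg in (("as posted", CONFIG_AS_POSTED), ("corrected", CONFIG_CORRECTED)):
        print(f"{label}: {audit(cfg) or ['no findings']}")
```

Feeding it the first config in the thread works too, since the port-style static ("static (inside,outside) tcp ... smtp ... smtp") is parsed into the same global/local pair; only the outside-facing rules are checked, so anything on the ISA or Exchange side still has to be verified separately.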
 
Thanks NetworkGhost

I'll give it a go!!

Cheers

HBalf1
 
Hi
I am still not getting through!
As a test I put a laptop on the subnet between the PIX and ISA. Then I could telnet through ISA to my SMTP server.
This indicates to me that the PIX is the blocking device; rather than malconfiguration of Exchange or ISA.
My PIX config looks OK now I have changed it as per the access-list command suggested by NetworkGhost.
I am sure it is going to be something simple - but what!!
Cheers
HBalf1
 
Oh - and what happens is that it times out with a message Could not open connection to the host, on port 25; Connection Failed.
 
Sorry, I figure you're talking about telnet? How are you testing the external connection? From an external machine?
 