
PIX's between Exchange Servers


primate (IS-IT--Management), Jan 6, 2003
Hi,

I have just set up an additional Exchange server in my organisation in a remote site. The sites are connected via a site-to-site VPN between a PIX515R and a PIX506e.

Message routing is not happening between the Exchange servers.

Telnetting from one site to an Exchange server at the other produces a garbled SMTP banner as follows: 220*******************************************************0*2******0***********************2002*******2***0*00

I believe this is due to the functionality of the mailguard feature on the PIX's.

I need to be able to allow connectivity over SMTP between the servers via the VPN, not the public internet.

The IP of one server is 192.168.0.249 and the other 172.31.100.12.

If I use the following commands on the server in the 172.31.0.0/16 subnet, am I going in the right direction?

static (inside,outside) 192.168.0.229 172.31.100.12
access-list acl_out permit tcp host 192.168.0.249 host 192.168.0.229 eq 25

I can't think of any real security problems with this, or am I overlooking something?

I've looked at the documentation I can find from Cisco about this, but it doesn't seem to make sense as it's referring to NetBIOS communication, not SMTP communication between Exch2K3 servers.
 
I tried this a few moments ago and it worked.

However, I have SMTP smart hosts at each site in DMZs which deal with incoming and outgoing mail to the internet. Won't turning off SMTP fixup reduce the protection afforded to these servers?
 
The Fixup for SMTP is there to stop unauthorized SMTP commands. Exchange uses ESMTP, which the Fixup is not compatible with. I think there is a way you can make your Exchange server just use SMTP, not sure though. Protection will be there in other forms, just not from the SMTP fixup.
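Added here as an editor's example, not code from the thread: a small Python check that recognises the two symptoms discussed above, the asterisk-masked 220 banner that PIX mailguard produces and a 5xx rejection of EHLO, so you can confirm from either Exchange server whether the SMTP fixup is still in the path; the host names and the `probe.invalid` EHLO argument are constructed placeholders.

```python
import socket

# Banner quoted in the original post (copied as constructed sample input)
MASKED_BANNER = ("220*******************************************************0*2"
                 "******0***********************2002*******2***0*00")


def banner_is_mailguard_masked(banner: str, threshold: float = 0.5) -> bool:
    """True when a 220 banner is mostly asterisks, the signature of PIX
    mailguard rewriting the server greeting."""
    body = banner.strip()
    if not body.startswith("220"):
        return False
    rest = body[3:]
    if not rest:
        return False
    return rest.count("*") / len(rest) >= threshold


def ehlo_blocked(reply: str) -> bool:
    """Mailguard only permits the basic RFC 821 command set; an EHLO answered
    with a 5xx code means ESMTP is being rejected on the path."""
    return reply[:1] == "5"


def probe_smtp(host: str, port: int = 25, timeout: float = 5.0) -> dict:
    """Connect, read the banner, send one EHLO, then QUIT. Returns a summary.
    Needs network access to the peer Exchange server; read-only diagnostic."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rwb", buffering=0)
        banner = f.readline().decode("ascii", "replace")
        f.write(b"EHLO probe.invalid\r\n")
        lines = [f.readline().decode("ascii", "replace")]
        # drain the remaining lines of a multi-line 250 response
        while lines[-1][3:4] == "-":
            lines.append(f.readline().decode("ascii", "replace"))
        f.write(b"QUIT\r\n")
    return {
        "banner": banner.strip(),
        "mailguard_banner": banner_is_mailguard_masked(banner),
        "ehlo_reply": lines[0].strip(),
        "esmtp_blocked": ehlo_blocked(lines[0]),
    }


if __name__ == "__main__":
    print(probe_smtp("172.31.100.12"))  # address from the thread; adjust as needed
```

If both flags come back True from a server that normally speaks ESMTP, the fixup is still applied on the PIX between the sites; after `no fixup protocol smtp 25` the banner should read normally and EHLO should return 250.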
 
Erm... you can tell Exchange to use a HELO command rather than EHLO in the advanced properties of an SMTP connector. However, I'm using the standard Routing Group Connector between Exchange servers and this doesn't allow this feature.

I think I am just going to have to disable the SMTP fixup. The smart hosts are in a DMZ and have some SMTP inspection capabilities themselves anyway so this is probably OK.

Thanks for your help
 