
Configuring PIX 501 With MS Small Business Server 2000


cascadnac

IS-IT--Management
Dec 21, 2002
Can the Cisco PIX 501 be configured to operate with MS Exchange Small Business Server? Cisco's site goes into using 2-Exchange servers .... In my attempts to date, the configuration works fine without the PIX (setting one of the Exchange NIC's to the registered address), and using ISA. When adding the PIX to the mix, and setting the server NIC back to an 192.. address, I can send mail, but not receive. I've created a Static address map, and access-list for smtp, with no success. Am I close, or is there not a solution with my configuration?

Thanks for any help. Much appreciated.
 
First of all, could you paste in a copy of your PIX configuration file. Are there any fixup commands in there, specifically for the smtp service? In our configuration we had to have a no fixup protocol smtp 25. Also, have you tried to telnet into port 25 from outside of the firewall to see if a connection can be made? See if you can get into the port and see if you get any errors. I know that this command is legacy but try building a conduit for it just in case there is a problem with your access-list.

static (inside,outside) xxx.xxx.xxx.xxx 192.168.x.X netmask 255.255.255.255 0 0
conduit permit tcp host XXX.XXX.XXX.XXX eq smtp any

With this in place you should be able to telnet into port 25 on the registered external address from, say, your home computer.

I hope this helps.

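Added example (editor's addition, not part of Dave's post): the "telnet into port 25 from outside" check above, done with a socket so it can be scripted, plus an EHLO to see whether ESMTP gets through. Function and host names are hypothetical. It assumes, from Cisco's Mailguard documentation rather than from this thread, that with "fixup protocol smtp 25" active the PIX masks the server banner with asterisks and lets only HELO, MAIL, RCPT, DATA, RSET, NOOP and QUIT through, so an EHLO comes back with a 500 reply.

```python
"""Probe a mail host's port 25 from outside the firewall (added example)."""
import socket


def classify_banner(banner: str) -> str:
    """Classify the last line of the SMTP greeting."""
    if not banner:
        return "no-reply"            # connected, but nothing came back (or timed out)
    code = banner[:3]
    if not code.isdigit():
        return "garbled"             # not SMTP at all on this port
    if code != "220":
        return "refused"             # e.g. 421 or 554: server up but not accepting mail
    body = banner[4:].strip()
    # Assumption: Mailguard rewrites the banner text to asterisks.
    if "*" in body and not any(c.isalpha() for c in body):
        return "masked"              # fixup smtp is still on in the path
    return "ok"


def classify_ehlo(reply: list) -> str:
    """Classify the reply to EHLO; the last line carries the final code."""
    if not reply:
        return "no-reply"
    code = reply[-1][:3]
    if code == "250":
        return "esmtp"               # ESMTP negotiated, what Exchange expects
    if code == "500":
        return "ehlo-rejected"       # fixup in the path, or a plain RFC 821 server
    return "error-" + code


def read_reply(f) -> list:
    """Read one SMTP reply; '250-' continues a multi-line reply, '250 ' ends it."""
    lines = []
    while True:
        line = f.readline()
        if not line:
            break
        line = line.rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            break
    return lines


def probe(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect from the outside, read the banner, send EHLO and QUIT."""
    result = {"banner": "no-reply", "ehlo": "no-reply"}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            f = s.makefile("rw", encoding="ascii", errors="replace", newline="")
            greeting = read_reply(f)
            result["banner"] = classify_banner(greeting[-1] if greeting else "")
            f.write("EHLO probe.example.invalid\r\n")   # hypothetical client name
            f.flush()
            result["ehlo"] = classify_ehlo(read_reply(f))
            f.write("QUIT\r\n")
            f.flush()
    except OSError as exc:           # refused, timed out, no route: static/ACL problem
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.invalid"
    print(probe(target))
```

Run it from a host outside the PIX against the registered address. "refused" or an error means the static or the access-list/conduit is not letting the connection in; "masked" plus "ehlo-rejected" means the connection arrives but the smtp fixup is still in the way.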
 
Hi,

Thanks for the quick reply. Yes, I get a Telnet response. I haven't tried adding the - no fixup protocol smtp 25 -
line in the configuration. You're right. I should have included a copy of the config. I'll try your suggestion tomorrow. Is your configuration similar? At least you're suggesting that my hardware configuration is capable of working. Just getting the PIX config correct. I appreciate your help. I will get back to you tomorrow, once I've had a chance to make the change at work.

Best regards
 
The configuration that we had was our main exchange server that did all of the smtp and pop email sat inside our network. We had the internal address statically mapped to an external registered address, then conduits allowing smtp and pop to the registered ip. I cannot recall the reason for adding the no fixup clause for smtp but that was our setup and it worked fine. I hope it helps.

Dave
 
Hi Dave,

Your suggestions worked! E-mail working splendidly.
Thanks for all your help. This is the best welcome I could
have received from Tek-Tips. I'll make this my first stop.

Best wishes for the holidays, bob
 
I am glad that you got it working. Happy Holidays to you and yours as well!
 
Hi, I'm in a similar situation with a pix 506e and an SBS 4.5 environment.

Can someone help me out with a sample config file? I'd like to use my SBS server with Proxy Server to control user access to internet and use the pix to control outside attempts into my network.

Any examples will really help me to understand this thing.

Thanks,

Keith
 
Hi keithlages,

I will get a config for you tomorrow. Havanajoe might beat me to it. He was very helpful in solving my problem.

Regards, bob
 
Hi there -

Here is the config that I am running. I have used ACL's to limit the types of outbound traffic. Let me know if you have any questions or suggestions for improvement. [wink]



PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
enable password xxx encrypted
passwd xxx encrypted
hostname pix
domain-name domain.com
clock timezone edt -5
clock summer-time est recurring
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list returning permit icmp any any echo-reply
access-list returning permit icmp any any time-exceeded
access-list returning permit icmp any any unreachable
access-list outbound permit tcp any any eq www
access-list outbound permit tcp any any eq domain
access-list outbound permit tcp any any eq pop3
access-list outbound permit tcp any any eq smtp
access-list outbound permit tcp any any eq 510
access-list outbound permit tcp any any eq 123
access-list outbound permit icmp any any echo
access-list outbound permit udp any any
access-list outbound permit tcp any any eq 1863
access-list outbound permit tcp any any eq ftp
pager lines 24
logging on
logging trap warnings
logging host inside x.x.x.x (syslog server)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
icmp deny any outside
icmp deny any dmz
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 10.10.20.2 255.255.255.0
ip address inside 10.10.30.1 255.255.255.0
ip address dmz 192.168.1.0 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
access-group returning in interface outside
access-group outbound in interface inside
rip inside default version 2
route outside 0.0.0.0 0.0.0.0 10.10.20.1 1
route inside 10.10.10.0 255.255.255.0 10.10.30.2 1
route dmz 192.168.1.0 255.255.255.0 192.168.1.1 1
timeout xlate 0:10:00
timeout conn 0:05:00 half-closed 0:05:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:02:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server x.x.x.x source outside prefer
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 10.10.0.0 255.255.0.0 inside
telnet timeout 60
ssh timeout 5
terminal width 80
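Added example (editor's addition, not havanajoe's tooling): a small script that reads a PIX 6.x configuration and reports the points this thread turns on: interface names used but never declared with nameif, the effective state of the smtp fixup, legacy conduit rules, any-to-any permits, and a default SNMP community string. SAMPLE_CONFIG is constructed and trimmed, loosely modelled on the posting above; it deliberately keeps an interface declared as intf2 that the rest of the config calls dmz, and includes the static/conduit pair Dave suggested, so every check has something to find. It assumes that the later of "fixup protocol smtp 25" and "no fixup protocol smtp 25" is the effective state.

```python
"""Audit a PIX 6.x config for the points raised in the thread (added example)."""
import re

# Constructed sample, not the poster's real running config.
SAMPLE_CONFIG = """\
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
fixup protocol smtp 25
no fixup protocol smtp 25
access-list outbound permit tcp any any eq smtp
access-list outbound permit udp any any
access-group outbound in interface inside
icmp deny any outside
icmp deny any dmz
mtu dmz 1500
ip address outside 10.10.20.2 255.255.255.0
ip address inside 10.10.30.1 255.255.255.0
ip address dmz 192.168.1.0 255.255.255.0
static (inside,outside) 10.10.20.10 10.10.30.10 netmask 255.255.255.255 0 0
conduit permit tcp host 10.10.20.10 eq smtp any
snmp-server community public
telnet 10.10.0.0 255.255.0.0 inside
telnet timeout 60
"""


def config_lines(config: str) -> list:
    """Drop blank lines and ':' comment lines, strip whitespace."""
    return [l.strip() for l in config.splitlines()
            if l.strip() and not l.lstrip().startswith(":")]


def declared_ifaces(lines: list) -> set:
    """Interface names given by 'nameif <hw> <name> security<n>'."""
    names = set()
    for l in lines:
        m = re.match(r"nameif\s+\S+\s+(\S+)\s+security\d+$", l)
        if m:
            names.add(m.group(1))
    return names


def iface_refs(line: str) -> list:
    """Interface names a command refers to, at the positions PIX 6.x uses."""
    t = line.split()
    if line.startswith("ip address "):
        return [t[2]]
    if line.startswith(("mtu ", "route ")):
        return [t[1]]
    if line.startswith(("icmp permit ", "icmp deny ")):
        return [t[-1]]
    if line.startswith("logging host "):
        return [t[2]]
    if line.startswith("access-group ") and "interface" in t:
        return [t[t.index("interface") + 1]]
    if line.startswith(("telnet ", "ssh ")) and t[1] != "timeout":
        return [t[-1]]
    if line.startswith(("static (", "nat (", "global (")):
        return line[line.index("(") + 1:line.index(")")].split(",")
    return []


def audit(config: str) -> list:
    """Return human-readable findings for the config text."""
    lines = config_lines(config)
    ifaces = declared_ifaces(lines)
    findings = []
    smtp_fixup = None                # None: never mentioned; True/False: last setting wins
    conduits = 0
    for l in lines:
        for ref in iface_refs(l):
            if ref not in ifaces:
                findings.append(f"unknown interface '{ref}' in: {l}")
        if l == "fixup protocol smtp 25":
            smtp_fixup = True
        elif l == "no fixup protocol smtp 25":
            smtp_fixup = False
        elif l.startswith("conduit "):
            conduits += 1
        elif re.match(r"access-list \S+ permit (ip|tcp|udp) any any$", l):
            findings.append(f"unrestricted {l.split()[3]} any-to-any rule: {l}")
        elif re.match(r"snmp-server community (public|private)$", l):
            findings.append(f"default SNMP community string: {l}")
    if smtp_fixup is True:
        findings.append("smtp fixup (Mailguard) enabled: banner masked, EHLO refused, "
                        "Exchange ESMTP will not work")
    elif smtp_fixup is False:
        findings.append("smtp fixup (Mailguard) disabled: ESMTP passes, the server "
                        "must filter SMTP commands itself")
    if conduits:
        findings.append(f"{conduits} legacy conduit rule(s): prefer access-list "
                        "with access-group")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Paste the output of "write terminal" into SAMPLE_CONFIG (or read it from a file) to run it against a real box. The interface check is the one that bites most often when a config is copied between units with a different number of ports.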
 
Thanks! havanajoe.

I'm still learning pix config, but the config you have looks really good for what I need. Unfortunately I don't have the dmz option in a 506 (sucks).

Are you using OWA with your SBS setup? Right now I am retrieving email by pop3 with Exchange server, that will change when I update my mx records away from our isp.

Do you know what I need to change to so that the external nic on the sbs server (i know its still internal but its the external one now) is the only ip address that is allowed out by the pix?

Thanks again!
 
We were running a full enterprise-wide BackOffice network so SBS wasn't involved. We were running our OWA server on a separate webserver. If I understand your question, all you will have to do is to allow external users to port 80 on your OWA server. I assume that since you are pulling pop from your exchange server right now that you have a static translation in your config. All you will have to do is to add an ACL to allow any host to hit port 80 on that server. I would look into finding a way to possibly tighten security on that though.

Your last question about the second nic in the exchange server just confused me. Once you make these changes are you going to place both nics on the internal network and change the ip of the second to be running on the same subnet? If that is the case, and ALL you want is THAT nic to be able to send traffic outbound, then add an ACL such as

access-list outbound permit ip host <2nd nic> any
access-group outbound in interface inside

that will stop any other traffic that is internal to go outbound. Not too sure if that was what you are looking for.
 
That was it! Perfect!

You are sooo beautifullllll tooooo meeeeeee.....

Thanks!
 