
Exchange on DMZ 1


wisper (IS-IT--Management), Jan 16, 2003
I have an Exchange Server hooked up to the DMZ of my PIX, but it won't let me log onto my Domain, which is on the inside of my network.


Internet
|
|
Router1
|
| DMZ
PIX--------Exchange (172.16.1.19)
|10.10.2.1
|
|10.10.2.2
Router2
|10.1.0.1
|
|-------|
PDC BDC
10.1.0.3 10.1.0.4

I have all conduit permits for (udp,tcp,icmp) at any any. How can my Exchange log onto the Domain Server this way?

Thanks for all the help.

Chris Collins
 
Some people put the Exchange server in the DMZ and some leave it on the inside. I like the latter. Just install an IIS server in the DMZ with SMTP properly configured (check MS KB articles 257426, 314961 and 293800) to relay mail to the Internet and leave the Exchange server inside. You only need a couple of conduit/static commands to allow SMTP traffic between the interfaces.
That is actually the model that Cisco presents in the book "Cisco Secure PIX Firewalls".
I have seen the set of conduits/static to make Exchange work in the DMZ. Not pretty.
For remote access to mail, most secure option is to have the users VPN in.
Don't forget to read articles MS KB 304897 and 281224 and check abuse.org's website as well.
good luck
 
Now I can't ping from my DMZ to my Inside Computers, and none of the computers on my DMZ can access the Internet. Here is a copy of my config. Someone please help.

PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
enable password WIWDR7hWs0b/LYxW encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname Pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol domain 53
names
access-list dmz permit ip any any
pager lines 24
pager lines 24
logging on
logging host inside 10.1.0.7
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside ccc.ccc.ccc.2 255.255.255.0
ip address inside bbb.bbb.bbb.1 255.255.255.0
ip address dmz aaa.aaa.aaa.17 255.255.255.240
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 ccc.ccc.ccc.12-ccc.ccc.ccc.254
global (dmz) 1 aaa.aaa.aaa.17-aaa.aaa.aaa.30 netmask 255.255.255.240

nat (inside) 1 bbb.bbb.bbb.0 255.255.255.0 0 0
nat (dmz) 1 aaa.aaa.aaa.0 255.255.255.0 0 0

static (dmz,outside) ccc.ccc.ccc.11 bbb.bbb.bbb.20 netmask 255.255.255.255 0 0

static (dmz,outside) ccc.ccc.ccc.5 bbb.bbb.bbb.19 netmask 255.255.255.255 0 0

static (inside,outside) ccc.ccc.ccc.3 bbb.bbb.bbb.3 netmask 255.255.255.255 0 0

static (inside,dmz) bbb.bbb.bbb.0 bbb.bbb.bbb.0 netmask 255.255.255.255 0 0

access-group dmz in interface dmz
access-group dmz in interface outside
conduit permit tcp host ccc.ccc.ccc.5 eq smtp any
route outside 0.0.0.0 0.0.0.0 ccc.ccc.ccc.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
crypto map mymap 30 ipsec-isakmp
telnet timeout 5
ssh timeout 5
terminal width 80

Thanks Chris
 
Let me correct the last statement. The computers on the DMZ can access the Internet, but I still cannot ping from the DMZ to the Inside network.

Chris
 

Hmmm,

first, remove these lines. Mixing conduits and access-lists is not a supported configuration.

access-list dmz permit ip any any
access-group dmz in interface dmz
access-group dmz in interface outside

Remove
static (inside,dmz) bbb.bbb.bbb.0 bbb.bbb.bbb.0 netmask 255.255.255.255 0 0

You do not want all inside PCs pingable nor accessible from the DMZ. It defeats its purpose.

Just configure a conduit that allows the particular hosts from the inside that you want to be pingable/accessible from the DMZ.

static (inside,dmz) (ip-global-dmz) (ip-local-inside) netmask 255.255.255.255
conduit permit tcp host (ip-global-dmz) eq smtp any
conduit permit icmp host (ip-global-dmz) any
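Putting the two replies together (Exchange kept inside, an SMTP relay in the DMZ, one static plus one conduit per direction instead of a blanket static), here is an added PIX 6.x fragment that is not from the thread. The angle-bracket addresses are placeholders for the reader's own values, and only TCP/25 is opened; no ACL/access-group lines are used so the conduits remain the single source of policy.

```text
! Inside Exchange server gets a fixed DMZ-side address (one host, /32 mask).
static (inside,dmz) <exch-dmz-ip> <exch-inside-ip> netmask 255.255.255.255 0 0
! Only the relay may open SMTP to that address from the DMZ.
conduit permit tcp host <exch-dmz-ip> eq smtp host <relay-dmz-ip>

! Relay gets a fixed outside address for inbound mail from the Internet.
static (dmz,outside) <relay-outside-ip> <relay-dmz-ip> netmask 255.255.255.255 0 0
conduit permit tcp host <relay-outside-ip> eq smtp any

! No conduit is needed for relay -> Internet or Exchange -> relay:
! higher-security to lower-security traffic is covered by the existing
! nat (inside) 1 / global (dmz) 1 and nat (dmz) 1 / global (outside) 1 pairs.
```

Verify with "show conduit" and "show static" that no host-to-any statics remain, and confirm with "show conn" that only the relay host is building connections to the inside server.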

 