ms Exchange 5.5 in DMZ-please help

AgentK (IS-IT--Management)
Jul 10, 2002

Hi,

I have set up an Internet Mail Connector (IMC) on a server (192.168.11.3) in the DMZ. And I have Exchange 5.5 (195.200.15.44) on the INSIDE, and a Win2k server (domain) (195.200.15.37) on the INSIDE.

I need help with the access lists that would allow the Exchange server on the INSIDE, using the IMC service in the DMZ, to send mail to the outside world.

Here is my config

PIX Version 6.2(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

access-list acl_dmz permit tcp host 192.168.11.3 host 195.200.15.37 eq netbios-ssn
access-list acl_dmz permit udp host 192.168.11.3 host 195.200.15.37 eq netbios-ns
access-list acl_dmz permit udp host 192.168.11.3 host 195.200.15.37 eq netbios-dgm
access-list acl_dmz permit tcp host 192.168.11.3 host 195.200.15.44 eq netbios-ssn
access-list acl_dmz permit udp host 192.168.11.3 host 195.200.15.44 eq netbios-ns
access-list acl_dmz permit udp host 192.168.11.3 host 195.200.15.44 eq netbios-dgm
access-list acl_dmz permit tcp host 192.168.11.3 host 195.200.15.44 eq 135
access-list acl_dmz permit tcp host 192.168.11.3 host 195.200.15.44 eq smtp

ip address outside 192.168.1.10 255.255.255.0
ip address inside 10.1.1.3 255.255.255.0
ip address dmz 192.168.11.1 255.255.255.0

no failover

arp timeout 14400
global (outside) 1 192.168.1.11-192.168.1.250
global (outside) 2 192.168.1.254
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,dmz) 195.200.15.32 195.200.15.32 netmask 255.255.255.224 0 0
static (dmz,outside) 192.168.1.13 192.168.11.3 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.11.3 195.200.15.44 netmask 255.255.255.255 0 0

access-group acl_dmz in interface dmz

route outside 0.0.0.0 0.0.0.0 192.168.1.2 1
route inside 10.1.2.0 255.255.255.0 10.1.1.1 1
route inside 195.200.15.32 255.255.255.224 10.1.1.1 2

I am also getting errors in syslog like this:

Deny tcp src dmz:192.168.11.3/1143 dst inside:195.200.15.44/1040 by access-group "acl_dmz"

Deny udp src dmz:192.168.11.3/1142 dst inside:195.200.15.37/53 by access-group "acl_dmz"

Can someone give me a hint pointing to something that I missed, or any advice, or refer me to a URL that may help?

Thanks In Advance for your help and valuable Time.

K:)
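To see why the two syslog lines at the end of the post are denied, here is an added Python script (not from the original thread, and not a Cisco tool) that parses the posted acl_dmz entries and the posted deny messages, then reports whether each denied flow matches any entry and which ports the list does allow to that destination. The port-name table, the `Ace`/`Flow` classes and the constructed SMTP flow used in the check are assumptions of this example.

```python
"""Check PIX syslog deny messages against the posted acl_dmz access list.

Added example, not code from the original thread. The PORT_NAMES table,
the Ace/Flow types and the constructed SMTP flow are assumptions.
"""
import re
from dataclasses import dataclass

# The access-list lines exactly as posted in the thread.
ACL_TEXT = """
access-list acl_dmz permit tcp host 192.168.11.3 host 195.200.15.37 eq netbios-ssn
access-list acl_dmz permit udp host 192.168.11.3 host 195.200.15.37 eq netbios-ns
access-list acl_dmz permit udp host 192.168.11.3 host 195.200.15.37 eq netbios-dgm
access-list acl_dmz permit tcp host 192.168.11.3 host 195.200.15.44 eq netbios-ssn
access-list acl_dmz permit udp host 192.168.11.3 host 195.200.15.44 eq netbios-ns
access-list acl_dmz permit udp host 192.168.11.3 host 195.200.15.44 eq netbios-dgm
access-list acl_dmz permit tcp host 192.168.11.3 host 195.200.15.44 eq 135
access-list acl_dmz permit tcp host 192.168.11.3 host 195.200.15.44 eq smtp
"""

# The two deny messages quoted in the post.
SYSLOG_LINES = [
    'Deny tcp src dmz:192.168.11.3/1143 dst inside:195.200.15.44/1040 by access-group "acl_dmz"',
    'Deny udp src dmz:192.168.11.3/1142 dst inside:195.200.15.37/53 by access-group "acl_dmz"',
]

# PIX port keywords used in the posted list (assumed mapping, standard values).
PORT_NAMES = {"smtp": 25, "domain": 53, "netbios-ns": 137,
              "netbios-dgm": 138, "netbios-ssn": 139}

ACE_RE = re.compile(
    r"^access-list (\S+) permit (tcp|udp) host (\S+) host (\S+) eq (\S+)$")
DENY_RE = re.compile(
    r'Deny (tcp|udp) src (\w+):([\d.]+)/(\d+) dst (\w+):([\d.]+)/(\d+) '
    r'by access-group "([^"]+)"')


@dataclass(frozen=True)
class Ace:
    """One 'permit ... host ... host ... eq' entry."""
    acl: str
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Flow:
    """One connection attempt as reported by a PIX deny message."""
    proto: str
    src_if: str
    src: str
    sport: int
    dst_if: str
    dst: str
    dport: int
    acl: str


def port_number(token: str) -> int:
    """Translate a PIX port keyword or a numeric port into an integer."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_acl(text: str) -> list[Ace]:
    """Parse the host-to-host 'eq' entries; other line shapes are ignored."""
    aces = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            name, proto, src, dst, port = m.groups()
            aces.append(Ace(name, proto, src, dst, port_number(port)))
    return aces


def parse_deny(line: str) -> Flow:
    """Extract the 5-tuple and access-group name from a PIX deny message."""
    m = DENY_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised syslog line: {line!r}")
    proto, src_if, src, sport, dst_if, dst, dport, acl = m.groups()
    return Flow(proto, src_if, src, int(sport), dst_if, dst, int(dport), acl)


def is_permitted(aces: list[Ace], flow: Flow) -> bool:
    """True when some entry of the flow's access-group matches the flow."""
    return any(a.acl == flow.acl and a.proto == flow.proto and a.src == flow.src
               and a.dst == flow.dst and a.dport == flow.dport for a in aces)


def permitted_ports(aces: list[Ace], proto: str, src: str, dst: str) -> list[int]:
    """Ports the list allows for this protocol from src to dst, sorted."""
    return sorted(a.dport for a in aces
                  if a.proto == proto and a.src == src and a.dst == dst)


def analyse(aces: list[Ace], syslog_lines: list[str]) -> list[dict]:
    """Explain each deny message: was it covered, and what is covered instead."""
    report = []
    for line in syslog_lines:
        flow = parse_deny(line)
        report.append({
            "flow": f"{flow.proto} {flow.src} -> {flow.dst}:{flow.dport}",
            "permitted": is_permitted(aces, flow),
            "allowed_ports_to_dst": permitted_ports(aces, flow.proto, flow.src, flow.dst),
        })
    return report


if __name__ == "__main__":
    for entry in analyse(parse_acl(ACL_TEXT), SYSLOG_LINES):
        print(entry)
```

Run as-is, the report shows that neither denied flow is covered: tcp/1040 to the Exchange server is a port above 1024 of the kind that Exchange RPC hands out after the endpoint-mapper exchange on 135, so an `eq 135` entry alone never covers the follow-up connection, and udp/53 to the domain controller is the relay's DNS lookup. Both denies are a direct consequence of the relay being a domain member; Yizhar's suggestion of a stand-alone relay means only SMTP has to cross the DMZ boundary, which the posted list already permits.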
 
HI.

It is best, from a security point of view, that the DMZ server does not have access to the inside network, or only a very limited one.
If you allow the DMZ server to be part of the domain, and it does not matter how you do it, you compromise security too much. An attacker that is able to take control of the DMZ server will be able to log in and use MS protocols on the inside.

This means that the DMZ server should be a standalone server in its own NT domain and its own Exchange organization, and only provide relay for incoming and/or outgoing emails.

What do you think?
Yizhar Hurwitz
 
I am in a similar situation.
What is your recommendation, and how do you configure the PIX and Exchange to work securely?
 

Yizhar,

Thanks for the advice. I agree with you that allowing the IMC to be a part of the INSIDE domain would compromise security. Is there any option besides setting it up as a separate (stand-alone) domain and allowing only appropriate access?

Thanks again
K
 
HI.

There are many options, but any option with the server being part of the internal domain is not good.

You don't need an Exchange server for that task. You can set up a mail relay in many different ways, like using a Linux box, or a Windows box with an SMTP gateway that also scans for viruses like the one that comes on the NAVCE 3rd CD-ROM, or many other choices, including using a dedicated Exchange server like you are planning to do (but not as part of the internal domain).

Then you set up the internal server with an IMC which is not accessible from the outside and only communicates with the mail relay, and/or use utilities like "Popbeamer" for Exchange-to-mail-relay communication.

So my answer to your question is no, I do not know of a good option besides setting up something on a stand-alone server.

Bye
Yizhar Hurwitz
 