
MS-Exchange and pix Firewall

Status
Not open for further replies.

aree

IS-IT--Management
May 6, 2003
10
US
I'm trying to open the required ports to get an Exchange server to work, but I'm still getting errors that the SMTP and POP3 ports are closed. I have a PIX 506 running software v. 6.2.

Here is the PIX configuration; does anyone have any idea what I might be doing wrong?

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
no fixup protocol sqlnet 1521
no fixup protocol http 80
no fixup protocol h323 h225 1720
names
access-list outside permit tcp any host 14.160.170.14 eq smtp
access-list outside permit tcp any host 14.160.170.14 eq pop3
access-list outside permit tcp any host 14.160.170.14 eq netbios-ssn
access-list outside permit udp any host 14.160.170.14 eq netbios-ns
access-list outside permit udp any host 14.160.170.14 eq netbios-dgm
access-list outside permit tcp any host 14.160.170.14 eq 135
pager lines 24
logging on
logging monitor debugging
interface ethernet0 10full
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 14.160.170.6 255.255.255.240
ip address inside 10.20.10.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 14.160.170.5 netmask 255.255.255.240
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 14.160.170.14 10.20.10.14 netmask 255.255.255.255 0 0
access-group outside in interface outside
established tcp 135 0 permitto tcp 1024-65535 permitfrom tcp 0
route outside 0.0.0.0 0.0.0.0 14.160.170.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end

My ISP forwards all the emails to the 14.160.170.14 address.
Exchange server's IP: 10.20.10.14

If I put the Exchange server outside the firewall and give it IP address 14.160.170.14, everything works fine.


Thanks
 
HI.

> If I put the Exchange server outside the firewall and give it IP address 14.160.170.14
Then you probably have a "dirty" ARP cache entry for that address at the ROUTER, which points to the MAC address of the Exchange server NIC.
You should reload or clear the ARP cache at the perimeter router.

> access-list outside permit tcp any host 14.160.170.14 eq netbios-ssn
> access-list outside permit udp any host 14.160.170.14 eq netbios-ns
> access-list outside permit udp any host 14.160.170.14 eq netbios-dgm
> access-list outside permit tcp any host 14.160.170.14 eq 135

You should not allow NetBIOS or RPC traffic from the Internet that way, for security reasons.
Opening POP3 is also not a great idea.

Bye


Yizhar Hurwitz
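The two points above (NetBIOS/RPC and cleartext POP3 permitted from any source, and the static NAT that puts those ports on the Exchange host) are the kind of thing worth checking mechanically before a config goes live. The following is an added example, not code from the thread or from Cisco: a small Python auditor that parses the `write terminal` style text, finds the access-list applied inbound on the outside interface, follows each permitted public address through its `static` to the inside host, and reports services that should not be reachable from `any` (NetBIOS, RPC 135, POP3) plus two hardening gaps visible in the posted config (`snmp-server community public` and the `established` command). Only the `permit <proto> <src> host <dst> eq <port>` ACE form used in the thread is parsed; the sample input is the thread's own lines plus one constructed ACE to 14.160.170.15 that has no matching static.

```python
"""Added example: audit a Cisco PIX 6.x text config for Internet-exposed services.

Not code from the thread or from Cisco. Parses 'write terminal' output, finds the
ACL bound inbound on 'outside', resolves each permitted public address through its
static NAT, and flags risky exposures and common hardening gaps.
"""
import re

# Service names PIX accepts after 'eq' in an ACL, mapped to port numbers.
PORT_NAMES = {"smtp": 25, "pop3": 110, "imap4": 143, "www": 80, "https": 443,
              "netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139}

# Services a defender does not want reachable from the whole Internet.
RISKY = {
    ("tcp", 135): "MS RPC endpoint mapper (tcp/135) reachable from the Internet",
    ("udp", 137): "NetBIOS name service (udp/137) reachable from the Internet",
    ("udp", 138): "NetBIOS datagram service (udp/138) reachable from the Internet",
    ("tcp", 139): "NetBIOS session / SMB (tcp/139) reachable from the Internet",
    ("tcp", 110): "cleartext POP3 (tcp/110) reachable from the Internet; "
                  "credentials travel unencrypted",
}

# Only the ACE form used in the thread is handled: permit <proto> <src> host <dst> eq <port>
ACE_RE = re.compile(r"^access-list (\S+) permit (tcp|udp) (\S+) host (\S+) eq (\S+)$")
STATIC_RE = re.compile(r"^static \(inside,outside\) (\S+) (\S+) ")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside$")


def port_number(token):
    """Translate an 'eq' operand (number or PIX service name) to an int."""
    if token.isdigit():
        return int(token)
    if token in PORT_NAMES:
        return PORT_NAMES[token]
    raise ValueError(f"unknown service name in ACL: {token}")


def audit_pix(config_text):
    """Return a list of (subject, message) findings for one config text."""
    statics, aces, findings = {}, [], []
    inbound_acl = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := STATIC_RE.match(line):
            statics[m.group(1)] = m.group(2)       # public address -> inside address
        elif m := GROUP_RE.match(line):
            inbound_acl = m.group(1)               # ACL actually enforced on outside
        elif m := ACE_RE.match(line):
            aces.append(m.groups())
        elif line == "snmp-server community public":
            findings.append(("snmp", "default SNMP community 'public' is configured"))
        elif line.startswith("established "):
            findings.append(("established", "'established' permits return connections "
                             "to a high-port range; review whether it is needed"))

    for acl, proto, src, dst, port in aces:
        if acl != inbound_acl:
            continue                               # ACL not applied inbound on outside
        num = port_number(port)
        inside = statics.get(dst)
        if inside is None:
            findings.append((dst, f"ACL permits {proto}/{num} to {dst} "
                                  f"but no static NAT maps that address inside"))
        elif src == "any" and (proto, num) in RISKY:
            findings.append((inside, f"{RISKY[(proto, num)]} via static {dst}"))
    return findings


# Sample input: the relevant lines posted in the thread, plus one constructed
# ACE (to 14.160.170.15) that has no matching static, to exercise that branch.
SAMPLE_CONFIG = """
PIX Version 6.2(2)
access-list outside permit tcp any host 14.160.170.14 eq smtp
access-list outside permit tcp any host 14.160.170.14 eq pop3
access-list outside permit tcp any host 14.160.170.14 eq netbios-ssn
access-list outside permit udp any host 14.160.170.14 eq netbios-ns
access-list outside permit udp any host 14.160.170.14 eq netbios-dgm
access-list outside permit tcp any host 14.160.170.14 eq 135
access-list outside permit tcp any host 14.160.170.15 eq www
static (inside,outside) 14.160.170.14 10.20.10.14 netmask 255.255.255.255 0 0
access-group outside in interface outside
established tcp 135 0 permitto tcp 1024-65535 permitfrom tcp 0
snmp-server community public
"""


def audit_sample():
    """Run the auditor over the embedded sample config."""
    return audit_pix(SAMPLE_CONFIG)


if __name__ == "__main__":
    for subject, msg in audit_sample():
        print(f"[{subject}] {msg}")
```

Run against the sample it reports the `established` and SNMP lines, five exposures on 10.20.10.14 (POP3, the three NetBIOS ports and tcp/135), and the unmapped 14.160.170.15 entry; the SMTP permit is left alone because that is the one service the ISP actually forwards. An ACL that is never bound with `access-group ... in interface outside` produces no exposure findings, which is the other thing worth knowing when a config "looks open" but nothing gets through.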
 
Thanks Yizhar,

How would I clear the ARP cache at the perimeter router?
What other option do I have if I don't open POP3?
With the above configuration, Outlook Express 6 gives me these errors:

The connection to the server has failed.
Account: 'mail.delsoftcorp.com (1)',
Server: 'mail.delsoftcorp.com', Protocol: POP3, Port: 110, Secure(SSL): No,
Socket Error: 10060, Error Number: 0x800CCC0E

The connection to the server has failed.
Account: 'mail.delsoftcorp.com (1)',
Server: 'mail.delsoftcorp.com', Protocol: SMTP, Port: 25, Secure(SSL): No,
Socket Error: 10060, Error Number: 0x800CCC0E

Thanks!
 
HI.

> How would I clear the ARP cache at the perimeter router?
You can power cycle it.

> What other option do I have if I don't open POP3?
Many options.
One of them is POP3 over VPN.
Many other options, depending on your needs and specific scenario.

> Socket Error: 10060
This means that it cannot connect to the server.
After power cycling the router, try again.

Are you going to provide mail services for Outlook Express clients connecting from the Internet?
If so, then these clients will need to use the ISP SMTP mail server for sending and should not relay via your server.
You should carefully plan your SMTP services so it won't become an open relay.

Bye


Yizhar Hurwitz
 
HI,
Clients access this server only via the Internet. There are no LAN users. The error message I get is from the Outlook Express installed on the Exchange server.

I just found out that other users could send and receive emails fine.

Thanks
 
Hello,
I have configured access to Exchange through a PIX before and it worked OK; these are the ports I opened:
MS Outlook Client: tcp/udp/135-139 to Exchange Server & to Exchange Bridge-Head server.
 