MS Exchange in PIX DMZ


hgpilot (MIS), May 6, 2003, US
Hi,

I have a dual PIX 525 firewall set up with "outside", "dmz1", and "inside" interfaces. I'm trying to install a MS Exchange server in the dmz for webmail but I'm having problems getting the webmail server to connect to the exchange cluster on the inside.

I have the following in the acl applied to the "dmz1" interface:
access-list 102 permit tcp host Webmail-Server1 any eq netbios-ssn
access-list 102 permit tcp host Webmail-Server1 any eq 137
access-list 102 permit udp host Webmail-Server1 any eq netbios-ns
access-list 102 permit udp host Webmail-Server1 any eq netbios-dgm
access-list 102 permit tcp host Webmail-Server1 any eq 135
access-list 102 permit udp host Webmail-Server1 any eq 135
access-list 102 permit tcp host Webmail-Server1 any gt 1023
access-list 102 permit tcp host Webmail-Server1 any eq 691
access-list 102 permit tcp host Webmail-Server1 any eq ldap
access-list 102 permit udp host Webmail-Server1 any eq 389
access-list 102 permit tcp host Webmail-Server1 any eq 3268
access-list 102 permit tcp host Webmail-Server1 any eq 88
access-list 102 permit udp host Webmail-Server1 any eq 88
access-list 102 permit tcp host Webmail-Server1 any eq domain
access-list 102 permit udp host Webmail-Server1 any eq domain

I have the following in the acl applied to the "inside" interface:
access-list 104 permit tcp host Exchange-Server any eq netbios-ssn
access-list 104 permit tcp host Exchange-Server any eq 137
access-list 104 permit udp host Exchange-Server any eq netbios-ns
access-list 104 permit udp host Exchange-Server any eq netbios-dgm
access-list 104 permit tcp host Exchange-Server any eq 135
access-list 104 permit udp host Exchange-Server any eq 135

The following command is also in the config:
established tcp 135 0 permitto tcp 1024-65535 permitfrom tcp 0

I have the "any" right now while I'm trying to get it working and will then lock it down.

Any help from someone doing this would be appreciated.

Thanks... HGPilot
 
Hi.

What version of Exchange?

As you can see above, the current design you have allows the dmz server almost full access to the internal network, which is too risky IMHO.

You can use an alternate solution:
Place an ISA server as a frontend server, instead of Exchange.
This is something like a reverse proxy.
You'll need to open port 80 only from dmz to inside if I'm correct.

static (inside,dmz1) x.x.x.x exchangeserver
access-list 102 permit tcp host isaserver host x.x.x.x
access-list 102 deny ip any ???? (block any other access to internal network)
access-list 102 permit .... (add here lines to allow the dmz server to access DNS or other services out there).
access-group 102 in interface dmz1

No need for anything special on the ACL bound to "inside" because the traffic will be initiated from dmz in your case.

Bye


Yizhar Hurwitz
 
Yizhar,

Thanks for the reply. I realize it's pretty open right now but that's while we're trying to get it working. FYI - I found a document on CCO that states that ports 135 and 137 are not supported when using NAT or PAT and that's exactly what we're doing. I have a ticket open with Cisco right now to confirm.

Steve
 
Hi,

I'm very, very new to PIX. What is the command to open ports 1024-65535 for port 135?
My users need to connect to Exchange using RPC, and I can't give them VPN access.

Also, I can't ping my PIX from outside, and from inside I can't ping any domain/IP.

Thanks,
Winoto
 