
PIX 515E Config for Exchange 2000

Status
Not open for further replies.

TheStressFactor

IS-IT--Management
Sep 24, 2002
Hello all,

I was wondering if anyone had any advice or info for allowing internet mail to pass through to my Exchange 2000 server. Do I have to have an Exchange box set up on the DMZ, or can it all be internal? Do I have to enter the MX record anywhere on the PIX? I have posted my config below... 192.168.3.2 is the internal IP of my mail server and .67 is the IP of my MX record... just wondering if anyone can help me out or point me in the right direction.

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password 7DeygvHKjBuxNxrP encrypted
passwd 0fTucaWSYztRT69N encrypted
hostname marinofw1
domain-name marinoware.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list nonat permit ip 192.168.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat permit ip 192.168.3.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list nonat permit ip 192.168.77.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list split permit ip 192.168.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list tunnel permit ip 192.168.3.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list tunnel permit ip 192.168.77.0 255.255.255.0 192.168.3.0 255.255.255.0
pager lines 24
interface ethernet0 100basetx
interface ethernet1 100basetx
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside x.x.x.70 255.255.255.240
ip address inside 192.168.3.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.1.1.1-10.1.1.50
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 192.168.3.0 255.255.255.0 0 0
nat (inside) 1 192.168.4.0 255.255.255.0 0 0
nat (inside) 1 192.168.5.0 255.255.255.0 0 0
static (inside,outside) 192.168.3.2 x.x.x.67 netmask 255.255.255.255 0 0
conduit permit tcp host x.x.x.67 eq smtp any
route outside 0.0.0.0 0.0.0.0 x.x.x.65 1
route inside 192.168.0.0 255.255.255.0 192.168.3.6 1
route inside 192.168.1.0 255.255.255.0 192.168.3.6 1
route inside 192.168.4.0 255.255.255.0 192.168.3.6 1
route inside 192.168.5.0 255.255.255.0 192.168.3.6 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set pixtransform esp-3des esp-sha-hmac
crypto ipsec transform-set marinohome esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set marinohome
crypto map testmap 10 ipsec-isakmp
crypto map testmap 10 match address tunnel
crypto map testmap 10 set peer x.x.x.83
crypto map testmap 10 set transform-set pixtransform
crypto map testmap 10 set security-association lifetime seconds 3600 kilobytes 8192
crypto map testmap 999 ipsec-isakmp dynamic dynmap
crypto map testmap interface outside
crypto map marinohome 10 ipsec-isakmp dynamic dynmap
isakmp enable outside
isakmp key ******** address x.x.x.83 netmask 255.255.255.248
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup marino address-pool ippool
vpngroup marino dns-server 192.168.3.7
vpngroup marino wins-server 192.168.3.7
vpngroup marino default-domain marinoware.com
vpngroup marino split-tunnel split
vpngroup marino idle-time 2000
vpngroup marino password ********
telnet 192.168.3.0 255.255.255.0 inside
telnet timeout 60
ssh timeout 5
terminal width 80

 
Prob best to put a Linux box in the DMZ with basic mail services forwarding mail to your internal mail server. Then you can only allow port 25 from DMZ to internal. Or you could have your MX record as the external IP address of the PIX, then forward all port 25 traffic to the DMZ, then from the DMZ to the internal mail server.
Use the static commands for this.
 
Hmmm... interesting... is it possible to have a second NIC on the Exchange server with a public IP and have that IP forward port 25 traffic to the internal IP on the other NIC?

 
Put the IP of the firewall in your MX record at your ISP and forward port 25 to your Exchange server, which is an internal address. When anything SMTP (port 25) related hits your FW it will route it internal to your Exchange box. This is one way of doing it.

You could also, like someone said, put the Exchange box on your DMZ and have the FW route port 25 to the Exchange box's external address.

I'm not really in favor of a DMZ with such a sensitive box. I use option 1 for my setup.
 
Nocturnalis, that sounds like a really good idea... so you're saying change my MX record to that of the firewall... then set up a rule so that all SMTP traffic destined to the IP of my firewall gets routed to my internal mail server's IP?

Patrick
 
I can also change the outside IP of my PIX to that of my current MX record, right? Instead of having the MX record changed, it may be easier to change the IP and then reflect changes where necessary? What do you suggest?


Patrick
 
The public address goes into the MX record and your rule forwards your SMTP internal to Exchange. If you can change the outside address of the box to make it easier, that's fine also. That might be your best bet b/c an MX change takes 24-48 hours to cycle throughout all the InterNIC's DNS servers.
 
Nocturnalis... that is great... what would the correct rule syntax be to properly forward the mail to my internal mail server?
 
Sorry, that I don't know. I use a Checkpoint firewall right now. I came here to find info about PIXes and saw your post and thought I might add to it. Create a post called "need help writing a rule for 515E".
 
Hi MarinoWare.

In most cases with the PIX, I use a dedicated IP address (not the PIX outside IP) that maps the MX record IP to either the IP address of the mail server itself, or the internal IP of a dedicated mail relay that sits in the DMZ.
The second is better because that way you don't allow direct access from the Internet to your mail server, and so prevent some potential attacks.
Using port forwarding on the IP address of the PIX itself is very similar to using "static" with a different address, and there is no benefit to this method over the configuration that you are currently trying.
i.e., the current statement:
> static (inside,outside) 192.168.3.2 x.x.x.67
should be OK, unless you plan to add a mail relay box.

With an additional mail relay server, you will need some way (like the PopBeamer program) to push or pull the incoming mail from the mail relay to your Exchange server.

The PIX and Checkpoint do not handle SMTP in exactly the same way. The PIX mail-guard feature (fixup smtp) will protect any IP address, not only the PIX outside IP.

You will also need to add an "access-list" on the outside interface to allow port 25 for incoming mail.

So, to conclude:
* Best practice is to use a dedicated mail relay server as "Daherne" suggested. This would be placed on the unused ethernet2 interface.
* You will need to forward traffic to either the mail relay server or directly to the Exchange box if you don't have a mail relay. This can be done in 2 ways:
1) Use a dedicated IP address (the MX record) that is not your PIX outside interface. This is what I recommend and is what you had in your original config.
2) As "Nocturnalis" suggested, use the PIX's own outside interface address as the MX record and port forward port 25 to the mail server. This can work, but I prefer the other way for several reasons. One of them is that the current PDM version does not support port forwarding, so it is more difficult to manage such a configuration.

Bye
Yizhar Hurwitz
 
Yizhar,

Once again, thank you for your help.

I do not plan to add a mail relay, so I guess I will use my current set-up as you said... > static (inside,outside) 192.168.3.2 x.x.x.67

My only concern is the access-list... what will be the proper syntax to allow SMTP to come into my internal mail server?

Any help or insight would be greatly appreciated.

Patrick
 
Hi.

The access list is easy:

access-list fromoutside permit tcp any host x.x.x.67 eq smtp
access-group fromoutside in interface outside

Or you can use PDM to help you.

It is important that you verify your mail server configuration to make sure it cannot be used as an open relay for spam.

Bye
Yizhar Hurwitz
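A small Python model of the thread's final answer, added here as an example (it is not code from the thread, from Cisco, or from any poster): it parses the static that was already in the posted config together with the access-list above, and shows which inbound packets on the outside interface are permitted and which inside address they are translated to. It assumes the documentation address 203.0.113.67 in place of the post's x.x.x.67, models only the PIX 6.x syntax subset used here, and leaves the older conduit line out.

```python
import ipaddress

# Constructed excerpt: the static from the posted config plus Yizhar's ACL.
# 203.0.113.67 stands in for the post's "x.x.x.67" (assumed placeholder).
PIX_CONFIG = """
static (inside,outside) 192.168.3.2 203.0.113.67 netmask 255.255.255.255 0 0
access-list fromoutside permit tcp any host 203.0.113.67 eq smtp
access-group fromoutside in interface outside
"""
PORT_NAMES = {"smtp": 25, "www": 80, "https": 443}


def _addr(tokens, i):
    """Consume one PIX address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_pix(config):
    """Return (statics, acls, bindings) for the 6.x subset used above."""
    statics, acls, bindings = {}, {}, {}
    for line in config.strip().splitlines():
        t = line.split()
        if t[0] == "static":            # static (inside,outside) REAL GLOBAL ...
            statics[t[3]] = t[2]        # global (outside) address -> real inside address
        elif t[0] == "access-list":     # access-list NAME permit PROTO SRC DST [eq PORT]
            src, i = _addr(t, 4)
            dst, i = _addr(t, i)
            port = None
            if i < len(t) and t[i] == "eq":
                port = int(PORT_NAMES.get(t[i + 1], t[i + 1]))
            acls.setdefault(t[1], []).append((t[2], t[3], src, dst, port))
        elif t[0] == "access-group":    # access-group NAME in interface IFACE
            bindings[t[4]] = t[1]
    return statics, acls, bindings


def evaluate_inbound(config, proto, src, dst, dport):
    """Fate of a packet arriving on 'outside': first-match ACL on the global
    address (PIX 6.x semantics), then the static supplies the inside address.
    Returns (decision, real_destination_or_None)."""
    statics, acls, bindings = parse_pix(config)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, sn, dn, port in acls.get(bindings.get("outside"), []):
        if p == proto and s in sn and d in dn and port in (None, dport):
            if action != "permit":
                return "deny", None
            real = statics.get(dst)     # permitted, but only useful with a translation
            return ("permit", real) if real else ("deny", None)
    return "deny", None                 # every PIX ACL ends in an implicit deny
```

Run it with a packet to 203.0.113.67 on port 25 and it comes back as permitted and translated to 192.168.3.2; the same packet to port 80, or to the PIX's own outside address, hits the implicit deny.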
 