
PIX, Exchange 2000, Windows 2000 in a DMZ


karlvg

IS-IT--Management
May 21, 2002
24
US
I don’t understand why this isn’t working. Please provide input.

I have a pix 515 firewall with 3 nic cards. They are defined as
outside ip address xx.xx.xx.xx
inside ip address 192.168.20.1
dmz ip address 192.168.10.1

What I am trying to accomplish is a Frontend Exchange Server 2000 and OWA, in the DMZ.
My BEExchange Server 2000 (DC & DNS) is 192.168.20.5
My DMZ FEExchange 2000 Server is 192.168.10.13

The following opens up ip between the 2 servers in the firewall
I know this is wrong, I will close up the holes later. I need to make sure it works first.

static (inside,dmz) 192.168.10.5 192.168.20.5 netmask 255.255.255.255 0 0
conduit permit ip host 192.168.10.5 host 192.168.10.13

I can ping the Backend Exchange Server using the ip address 192.168.10.5
I can ping the Backend Exchange Server using the name because of LMHost and Host files
Host file: 192.168.10.5 beExchange.xxx.com
LMHost File: 192.168.10.5 beExchange #PRE #DOM:xxx

I can telnet to the smtp port of the beExchange server from the FEExchange server.

I was able to join the FEExchange to the domain.
However, when I rebooted the machine, it was unable to communicate with the beExchange (DC) for authentication. I cannot view the Active Directory Users and Computers, but I can ping and telnet to the BEExchange from the FEExchange

I can ping the FEExchange server from the BEExchange server.

Here are a few questions that I have:
I am using hosts and the lmhost file on the FEExchange, but there has to be a better way. Also, what dns entries do I put in the Preferred and Alternate DNS fields of the FEExchange Nic settings?
Do I need to run DNS service on the FEExchange and make some Alias records to the BEExchange?

Why doesn’t the FEExchange server communicate using Active Directory?
I am going to post this in the PIX, Windows 2000 and Exchange groups

Thank you for your replies.
 
The front end needs to talk to the domain controllers, not just the back end.

 
Thanks for the reply, but this was in the description:

My BEExchange Server 2000 (DC & DNS) is 192.168.20.5
 
From the front end to the back end you need:

25 SMTP
53 DNS
80 HTTP
88 Kerberos
123 Time
135 Portmapper
389 LDAP
445 Direct hosting
691 Link state
3268 GC LDAP
1024-1026 Directory Service [unless you statically map the directory service port to one of these]



 
Again, thanks for the reply, but these lines allow everything open.

The following opens up ip between the 2 servers in the firewall
I know this is wrong, I will close up the holes later. I need to make sure it works first.

static (inside,dmz) 192.168.10.5 192.168.20.5 netmask 255.255.255.255 0 0
conduit permit ip host 192.168.10.5 host 192.168.10.13

It says IP, so everything is open.
 
It may say IP, but the conduit says 10.x for both and should be 10.x and 20.y?
 
The static mapping already creates the pointer from 10.5 <-> 20.5, and the conduit statement is an ACL.

static (inside,dmz) 192.168.10.5 192.168.20.5 netmask 255.255.255.255 0 0
conduit permit ip host 192.168.10.5 host 192.168.10.13

Thanks
 
Why wouldn't you put the internal DNS server (192.168.20.5 IP address) in the DNS properties of the FE Exchange server? I have connected other servers to my world, and unless I put the DNS entries in there it sometimes acts up.

Can't imagine why you would need to put DNS on that server. Especially if you have the holes opened for now.

 
I have done this, however it does not resolve properly. The FEExchange server thinks that the BEExchange server is 192.168.20.5, as you pointed out, but the FEExchange server can only communicate to the BEExchange via 192.168.10.5 conduit. This is the issue.
Is there anyone out there that is doing BE/FE Exchange with OWA in a DMZ?
 
Below is the PIX firewall configuration needed to setup a 2003 OWA server in the DMZ.

These lines are needed to allow access to the DMZ.
access-list acl_dmz permit icmp host 192.168.0.10 any echo
access-list acl_dmz permit udp host 192.168.0.10 any eq domain
access-list acl_dmz permit tcp host 192.168.0.10 any eq www
access-list acl_dmz permit tcp any host 192.168.0.10 eq www
access-list acl_dmz permit tcp host 192.168.0.10 any eq 88
access-list acl_dmz permit tcp any host 192.168.0.10 eq 88
access-list acl_dmz permit udp host 192.168.0.10 any eq 88
access-list acl_dmz permit udp any host 192.168.0.10 eq 88
access-list acl_dmz permit tcp host 192.168.0.10 any eq 135
access-list acl_dmz permit tcp any host 192.168.0.10 eq 135
access-list acl_dmz permit tcp host 192.168.0.10 any eq ldap
access-list acl_dmz permit tcp any host 192.168.0.10 eq ldap
access-list acl_dmz permit udp host 192.168.0.10 any eq 389
access-list acl_dmz permit udp any host 192.168.0.10 eq 389
access-list acl_dmz permit tcp host 192.168.0.10 any eq https
access-list acl_dmz permit tcp any host 192.168.0.10 eq https
access-list acl_dmz permit tcp host 192.168.0.10 any eq 445
access-list acl_dmz permit tcp any host 192.168.0.10 eq 445
access-list acl_dmz permit tcp host 192.168.0.10 any eq 1024
access-list acl_dmz permit tcp any host 192.168.0.10 eq 1024
access-list acl_dmz permit tcp host 192.168.0.10 any eq 1025
access-list acl_dmz permit tcp any host 192.168.0.10 eq 1025
access-list acl_dmz permit tcp host 192.168.0.10 any eq 1026
access-list acl_dmz permit tcp any host 192.168.0.10 eq 1026
access-list acl_dmz permit tcp host 192.168.0.10 any eq 3268
access-list acl_dmz permit tcp any host 192.168.0.10 eq 3268
access-list acl_dmz permit udp host 192.168.0.10 any eq 3268
access-list acl_dmz permit udp any host 192.168.0.10 eq 3268
access-list acl_dmz permit tcp host 192.168.0.10 any eq 6103
access-list acl_dmz permit tcp any host 192.168.0.10 eq 6103
access-list acl_dmz permit tcp host 192.168.0.10 host 10.10.0.136 eq 10000
access-list acl_dmz permit udp host 192.168.0.10 host 10.10.0.136 eq 10000
access-list acl_dmz permit tcp host 192.168.0.10 host 10.10.0.136 range 24001 24030
access-list acl_dmz permit udp host 192.168.0.10 host 10.10.0.136 range 24001 24030

The following lines are needed to allow our DMZ OWA server to access our internal domain controllers for authentication.

static (inside,dmz) 10.10.0.1 10.10.0.1 netmask 255.255.255.255 0 0
static (inside,dmz) 10.10.0.2 10.10.0.2 netmask 255.255.255.255 0 0
static (inside,dmz) 10.10.0.3 10.10.0.3 netmask 255.255.255.255 0 0


The following line is needed to allow access from the outside to the DMZ.
static (dmz,outside) xxx.xxx.xxx.xxx 192.168.0.10 netmask 255.255.255.255 0 0

 
Thanks for the response.
On the OWA server, what IP address are you using for DNS? Are you using the internal LAN DNS servers, or are you using LMHOSTS or hosts files?
Is the OWA 2003 a FE/BE Exchange system like 2000?

I don't understand these lines, could you explain?
static (inside,dmz) 10.10.0.1 10.10.0.1 netmask 255.255.255.255 0 0
static (inside,dmz) 10.10.0.2 10.10.0.2 netmask 255.255.255.255 0 0
static (inside,dmz) 10.10.0.3 10.10.0.3 netmask 255.255.255.255 0 0

By the looks of things, your OWA server is 192.168.0.10 and the DMZ network is 192.168.0.x. Your internal LAN is 10.10.0.x.
My question is, if the inside network is 10.10.0.x and the DMZ is 192.168.0.x, how do you route between the two networks?

In my situation above
static (inside,dmz) 192.168.10.5 192.168.20.5 netmask 255.255.255.255 0 0
conduit permit ip host 192.168.10.5 host 192.168.10.13
The static command translates 192.168.10.5 (DMZ network) and points it to 192.168.20.5 (internal network).
That's how I am able to communicate with the internal LAN; however, there are issues with this configuration regarding DNS and logging on to the network.
 
You have to use internal. If the front end can't find the srv record, it won't use direct hosting over 445 and reverts to 137, 138,139.

 
OK. Thanks for your help. You pointed me in the right direction. The servers in the dmz, are they able to access the Internet?
Would you please post your whole config file? I have the email flowing just fine, however, whenever I add the access list rule to allow mail to flow from the dmz to the internal network, it kills my ability to use NAT in the DMZ.
Thanks
 
The 10. addresses are the domain controllers. They are static mapped.

 
Please try this. 192.168.100.0 is the DMZ network. It means any traffic from your DMZ network will go to the outside interface public IP address. It depends how you define your global IP. If you have one IP, your global IP will be the outside interface of your PIX. If you have more than one public IP, you can use that. Example:

global (outside) 1 1.1.1.x netmask 255.255.255.252

nat (inside) 1 10.0.0.0 255.0.0.0 0 0
nat (DMZ) 1 192.168.100.0 255.255.255.0 0 0

Then you need to tell the PIX to allow traffic to go outside and not go back to your intranet (say, 10.dot) from your DMZ:

access-list 101 remark Deny DMZ network from Entering 10dot network

access-list 101 line 53 deny ip any 10.0.0.0 255.0.0.0
access-list 101 line 54 remark Allow DMZ to go outside
access-list 101 line 55 permit ip 192.168.100.0 255.255.255.0 any


If you want a DMZ computer to go inside, you need to create a static mapping and then an access-list to allow it in.
If you do not enable NAT from inside to DMZ, then you can just have an access-list that allows DMZ to inside.

For example: you want everyone to send email to your SMTP computer in the DMZ while not letting people know what its IP address in the DMZ is, and you have NAT or PAT enabled. You can achieve this with:

static (DMZ,outside) 1.1.1.x 192.168.100.68 netmask 255.255.255.255

Then create access-list:

access-list 100 permit tcp any host 1.1.1.x eq smtp
access-group in interface Outside (or whatever you name your interface)

You are not done yet. Since you have a front end Exchange, you will have a back end server. Then you will open ports from this computer, 192.168.100.68, to the inside (say, the 10.dot network) so it talks to your back end server as well as Active Directory, DNS, etc.

I also assumed your PIX firewall has 3 or more interfaces: Outside, DMZ, and Inside

access-list 101 permit tcp host 192.168.100.68 host 10.0.0.22 eq smtp


Don't forget to apply the access-group on DMZ:

Access-group in interface DMZ

Public IP mapped to DMZ server 192.168.100.68
Allow the Internet to send SMTP to DMZ server 192.168.100.68
Allow 192.168.100.68 to BackEnd Exchange Server 10.0.0.22

No NAT between inside network to DMZ.

Hope this helps.
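Added example (not code from the thread or from Cisco): a small first-match evaluator for PIX-style access-list lines. It ties together the front-end-to-back-end port list posted earlier, the acl_dmz example, and the ordering point in the last reply: the PIX walks an access-list top to bottom and the first match wins, so the 'deny ip any 10.0.0.0 255.0.0.0' line only leaves the back end reachable if the specific permit to 10.0.0.22 is listed before it. The addresses, the ACL text, and the tcp/udp assignment for the required ports are constructed from the thread's lines and are assumptions, as is the named-port table.

```python
"""Added example: first-match evaluation of PIX-style access-list lines.
Constructed from the addresses in the thread; not the thread's own config."""
import ipaddress

# Named ports as the thread's ACL uses them (assumed PIX keyword mapping).
NAMED_PORTS = {"smtp": 25, "domain": 53, "www": 80, "http": 80,
               "https": 443, "ldap": 389, "kerberos": 88, "ntp": 123}

# Port list from the earlier reply; tcp/udp assignment is an assumption here.
REQUIRED_FE_TO_BE = [("tcp", 25, "SMTP"), ("udp", 53, "DNS"), ("tcp", 80, "HTTP"),
                     ("tcp", 88, "Kerberos"), ("udp", 123, "Time"),
                     ("tcp", 135, "Portmapper"), ("tcp", 389, "LDAP"),
                     ("tcp", 445, "Direct hosting"), ("tcp", 691, "Link state"),
                     ("tcp", 3268, "GC LDAP"), ("tcp", 1024, "DS 1024"),
                     ("tcp", 1025, "DS 1025"), ("tcp", 1026, "DS 1026")]

def _port(tok):
    if tok.isdigit():
        return int(tok)
    if tok not in NAMED_PORTS:
        raise ValueError(f"unknown port name {tok!r}")
    return NAMED_PORTS[tok]

def _addr(tokens, i):
    """Parse 'any', 'host X' or 'NET MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_acl(text):
    """Return rules in listed order; remarks are skipped, 'line N' is tolerated.
    Only the destination-port form (eq/range after the destination) is handled."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list" or "remark" in t:
            continue
        i = 2
        if t[i] == "line":
            i += 2
        action, proto = t[i], t[i + 1]
        src, i = _addr(t, i + 2)
        dst, i = _addr(t, i)
        lo = hi = None
        if i < len(t) and t[i] == "eq":
            lo = hi = _port(t[i + 1])
        elif i < len(t) and t[i] == "range":
            lo, hi = int(t[i + 1]), int(t[i + 2])
        rules.append({"action": action, "proto": proto, "src": src, "dst": dst,
                      "lo": lo, "hi": hi, "text": line.strip()})
    return rules

def evaluate(rules, proto, src, dst, dport):
    """First match wins; an implicit deny closes the list, as on the PIX.
    Returns (permitted, text of the line that decided it)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["proto"] not in ("ip", proto) or s not in r["src"] or d not in r["dst"]:
            continue
        if r["lo"] is not None and not (r["lo"] <= dport <= r["hi"]):
            continue
        return r["action"] == "permit", r["text"]
    return False, "implicit deny"

def missing_ports(rules, fe, be, required=REQUIRED_FE_TO_BE):
    """Names of required front-end-to-back-end ports the ACL does not permit."""
    return [name for proto, port, name in required if not evaluate(rules, proto, fe, be, port)[0]]

def broad_rules(rules):
    """'permit ip' lines open every port, the concern raised about 'conduit permit ip'."""
    return [r["text"] for r in rules if r["action"] == "permit" and r["proto"] == "ip"]

# Constructed ACLs: same three lines, different order.
GOOD_ORDER = parse_acl("""
access-list 101 permit tcp host 192.168.100.68 host 10.0.0.22 eq smtp
access-list 101 remark Deny DMZ network from Entering 10dot network
access-list 101 line 53 deny ip any 10.0.0.0 255.0.0.0
access-list 101 line 55 permit ip 192.168.100.0 255.255.255.0 any
""")
BAD_ORDER = parse_acl("""
access-list 101 deny ip any 10.0.0.0 255.0.0.0
access-list 101 permit tcp host 192.168.100.68 host 10.0.0.22 eq smtp
access-list 101 permit ip 192.168.100.0 255.255.255.0 any
""")

if __name__ == "__main__":
    for label, acl in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        ok, why = evaluate(acl, "tcp", "192.168.100.68", "10.0.0.22", 25)
        print(f"{label}: SMTP to back end permitted={ok} by: {why}")
    print("still missing from FE->BE:", missing_ports(GOOD_ORDER, "192.168.100.68", "10.0.0.22"))
    print("broad lines:", broad_rules(GOOD_ORDER))
```

Run it as a script to see that the same three lines permit SMTP to the back end in one order and silently drop it in the other, and that with only the SMTP permit every other port on the earlier list is still blocked by the deny line.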
 