
PIX Firewall and Microsoft Exchange 2003


King2004 (IS-IT--Management), Jun 28, 2004, TN
Hi all,
I have installed Microsoft Exchange 2003 in two locations; the two sites are connected with Cisco routers (without NAT). The architecture includes replication between Microsoft domain controllers, and I can send and receive mail between the two sites. I have integrated Cisco PIXes (version 6.3(3), with NAT 0 and static for the same addresses); the replication between the DCs works very well, but I can't send and receive emails between the two sites (I have no restrictions: permit ip any any on the two outside interfaces of the PIXes).
I know that PIX has problems with Exchange, because Exchange uses ESMTP, so I disabled the smtp fixup so that it is not inspected, but that does not work either.
The problem is in the return traffic from outside to inside ... there's no deny when debugging, just a teardown...
Any help?
thanks.
 
Sounds like the NAT 0 access-list might be the problem.

You need to not put the permit ip any any on the outside interfaces. That won't do anything for you in regards to VPN except pretty much negate the firewall.


PIX doesn't have an issue with Exchange 2003. Exchange 2000/2003 use SMTP for server-to-server communications instead of RPC (or RFC) like Exchange 5.5 did. Microsoft expanded the SMTP protocol to handle the server-to-server and site-to-site communications. You were right in that the smtp fixup will break that communication. You can make the servers communicate using RPC instead of SMTP. Look on the knowledge base for more information or another forum here. Remember that the outside interface access-list really doesn't have much bearing on PIX-to-PIX VPN connectivity.

The other issue could be the interesting traffic access-list for the crypto map command.

Look for a statement like the following.

crypto map VPN 20 match address 100

Make sure that the Exchange server is in that access-list. In addition, if this is the only VPN for this firewall, use the same access-list for the nat 0. In other words:

nat (inside) 0 access-list 100




It is what it is!!
__________________________________
A+, Net+, I-Net+, Certified Web Master, MCP, MCSA, MCSE, CCNA, CCDA, and few others (I got bored one day)
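The consistency checks the reply above asks for (smtp fixup removed, the nat 0 access-list and the crypto map "match address" access-list being the same list, and the Exchange server actually covered by it), as an added example that is not code or configuration from this thread. The two PIX 6.3-style configuration fragments are constructed: the subnets 10.1.0.0/24 and 10.2.0.0/24, the Exchange hosts 10.1.0.10 and 10.2.0.10, the access-list numbers 100/101 and the crypto map name VPN are all hypothetical. One point the parser relies on that is easy to get wrong: PIX access-lists take real subnet masks (255.255.255.0), not IOS-style wildcard masks.

```python
import ipaddress
import re

# Constructed site A PIX 6.3-style fragment that follows the advice in the reply:
# fixup removed, nat 0 and the crypto map reference the same ACL, Exchange host covered.
GOOD_CONFIG = """\
no fixup protocol smtp 25
access-list 100 permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list 100 permit ip host 10.1.0.10 host 10.2.0.10
nat (inside) 0 access-list 100
crypto map VPN 20 match address 100
"""

# Constructed fragment with the two mistakes discussed: fixup still on, and the
# nat 0 list (101) does not cover the Exchange server although the crypto ACL does.
BAD_CONFIG = """\
fixup protocol smtp 25
access-list 100 permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list 101 permit ip 10.1.5.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list 101
crypto map VPN 20 match address 100
"""


def _net(tokens):
    """Consume one PIX address spec ('host A', 'any', or 'A MASK') and return (network, rest)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    # PIX uses a subnet mask here, which ipaddress accepts directly (not a wildcard mask).
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acls(config):
    """Return {acl_name: [(src_net, dst_net), ...]} for every 'permit ip' ACE."""
    acls = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2:4] != ["permit", "ip"]:
            continue
        src, rest = _net(tok[4:])
        dst, _ = _net(rest)
        acls.setdefault(tok[1], []).append((src, dst))
    return acls


def acl_permits(entries, src_ip, dst_ip):
    """True if any ACE permits src_ip -> dst_ip."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for src, dst in entries)


def _referenced_acl(config, pattern):
    m = re.search(pattern, config, re.M)
    return m.group(1) if m else None


def check_vpn_nat_consistency(config, local_exchange, remote_exchange):
    """Run the checks from the thread and return them as a dict; 'ok' is True if all pass."""
    acls = parse_acls(config)
    nat0 = _referenced_acl(config, r"^nat \(\S+\) 0 access-list (\S+)")
    crypto = _referenced_acl(config, r"^crypto map \S+ \d+ match address (\S+)")
    findings = {
        "smtp_fixup_disabled": bool(re.search(r"^no fixup protocol smtp", config, re.M)),
        "nat0_acl": nat0,
        "crypto_acl": crypto,
        "same_acl": nat0 is not None and nat0 == crypto,
        "crypto_covers_exchange": acl_permits(acls.get(crypto, []), local_exchange, remote_exchange),
        "nat0_covers_exchange": acl_permits(acls.get(nat0, []), local_exchange, remote_exchange),
    }
    findings["ok"] = all(
        findings[k]
        for k in ("smtp_fixup_disabled", "same_acl", "crypto_covers_exchange", "nat0_covers_exchange")
    )
    return findings


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check_vpn_nat_consistency(cfg, "10.1.0.10", "10.2.0.10"))
```

Run it against the real "show running-config" of each PIX (the other site's checks mirror these with the subnets swapped). A False in nat0_covers_exchange matches the symptom in the question: the packet is translated instead of going through the tunnel untranslated, so the reply never matches a connection and shows up as a teardown rather than a deny.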
 
I've seen this on networks with Exchange servers and site-to-site VPNs as well. I've had to remove the fixup protocol smtp 25 command from the PIXes to allow the communication between the servers.

Scott
CCNA, CCSE, CCSP, ISS-CE
 