CISCO PIX515 and email (exchange) forwarding
  • CISCO PIX515 and email (exchange) forwarding

    Hi All,

    First post here so far you've helped me out a lot!

    This seems simple but I couldn't find it anywhere with a search. I've got a new domain set up with an exchange server behind a PIX 515 (2 port so no DMZ).

    On the outside of the PIX is a Firebrick bonding 4 ADSL lines.

    I can trace route to the Firebrick's IP and it is set up (by the ISP) to forward to the outside interface of the PIX.

    PAT is set up and internet works fine from the internal network.

    So to get exchange working I need to
    a) get the email domain name forwarded to the Firebrick's IP
    b) forward email through the PIX to the Exchange server.

    a) shouldn't be a problem as head office will sort it
    b) seems simple but CISCO never seem to make it look so!

    So any help with b) would be appreciated.

    Running PIX 6.1(3) and PDM 1.1(2)

    NB I've seen lots of command line help out there but would really like to get my head around the PDM.

    Cheers!

  • #2
    Re: CISCO PIX515 and email (exchange) forwarding

    Hi Chief,

    I know what you mean re: PDM. The problem with PDM config is:
    you have to describe a series of clicks and text entry, which is a
    bit daunting given the PDM's nature!

    Can I ask you to do the following:

    -Extract the configuration file from the PDM? I recall that if you click
    on 'Tools' it's up there somewhere. There's an option to dump out
    the config.

    If you post it up here (sanitised) we can take a look. This will allow
    us to check access-lists and such like before we give you a bum steer.

    Sound okay?

    regards

    theterranaut



    • #3
      Re: CISCO PIX515 and email (exchange) forwarding

      Apologies for not getting back sooner.

      But I think I'm onto it.

      Basically after lots of fiddling (and stopping the internet working a few times) I resorted to a factory reset of the PIX to use the setup wizard to configure the exchange settings.

      What I've discovered is, because we only have one external IP address which is being used for PAT and Exchange, the Exchange rule is overriding PAT and cutting off the internet. It also won't allow me to change the PAT rule's priority, so I'm forced to delete the Exchange translation.

      I've asked HQ for another external address but if anyone else has got this working on a single IP please post!



      • #4
        Re: CISCO PIX515 and email (exchange) forwarding

        It shouldn't be a problem, the PIX can handle this with 'policy nat'.
        One IP is all you need!

        Do me a favour though - dump out your config and let us review it!
        That way, there will be no unexpected gotchas, specifically around
        the access-lists. If you are struggling to do this, let me know.

        regards

        theterranaut



        • #5
          Re: CISCO PIX515 and email (exchange) forwarding

          There's really not much to it at the mo...
          Internal addresses sanitised to a.b.x
          External to d.e.f

          Building configuration...
          : Saved
          :
          PIX Version 6.1(3)
          nameif ethernet0 outside security0
          nameif ethernet1 inside security100
          enable password zz encrypted
          passwd zz encrypted
          hostname FW
          domain-name rd.com
          fixup protocol ftp 21
          fixup protocol http 80
          fixup protocol h323 1720
          fixup protocol rsh 514
          fixup protocol rtsp 554
          fixup protocol smtp 25
          fixup protocol sqlnet 1521
          fixup protocol sip 5060
          fixup protocol skinny 2000
          names
          name a.b.c.31 dbyexch01
          name d.e.f.121 Firebrick
          pager lines 24
          interface ethernet0 auto
          interface ethernet1 auto
          mtu outside 1500
          mtu inside 1500
          ip address outside d.e.f.122 255.255.255.252
          ip address inside a.b.c.2 255.255.0.0
          ip audit info action alarm
          ip audit attack action alarm
          no failover
          failover timeout 0:00:00
          failover poll 15
          failover ip address outside 0.0.0.0
          failover ip address inside 0.0.0.0
          pdm location dbyexch01 255.255.255.255 inside
          pdm location a.b.g.1 255.255.255.255 inside
          pdm location Firebrick 255.255.255.255 outside
          pdm location a.b.h.99 255.255.255.255 inside
          pdm history enable
          arp timeout 14400
          global (outside) 200 interface
          nat (inside) 200 0.0.0.0 0.0.0.0 0 0
          route outside 0.0.0.0 0.0.0.0 Firebrick 1
          timeout xlate 3:00:00
          timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
          timeout uauth 0:05:00 absolute
          aaa-server TACACS+ protocol tacacs+
          aaa-server RADIUS protocol radius
          http server enable
          http a.b.g.1 255.255.255.255 inside
          http a.b.h.99 255.255.255.255 inside
          no snmp-server location
          no snmp-server contact
          snmp-server community public
          no snmp-server enable traps
          floodguard enable
          no sysopt route dnat
          telnet timeout 5
          ssh timeout 5
          terminal width 80
          Cryptochecksum:zzzz
          : end
          [OK]
          Last edited by chief007; 13th December 2006, 21:02.



          • #6
            Re: CISCO PIX515 and email (exchange) forwarding

            OK. Here's your config: relevant parts remain, I've removed the bumf:

            Internal address= a.b.c
            External= d.e.f

            ---------------------------------------------------

            nameif ethernet0 outside security0
            nameif ethernet1 inside security100


            fixup protocol smtp 25

            names
            name a.b.c.31 dbyexch01
            name d.e.f.121 Firebrick


            interface ethernet0 auto
            interface ethernet1 auto

            ip address outside d.e.f.122 255.255.255.252
            ip address inside a.b.c.2 255.255.0.0


            arp timeout 14400

            global (outside) 200 interface
            nat (inside) 200 0.0.0.0 0.0.0.0 0 0
            route outside 0.0.0.0 0.0.0.0 Firebrick 1


            floodguard enable
            no sysopt route dnat
            telnet timeout 5
            ssh timeout 5

            ---------------------------------------------------

            Objectives:
            1) Allow SMTP (tcp 25) in to an internal Exchange server
            2) Allow all outbound traffic originating on the inside out to 'the internet'

            Assumptions:

            -I'm doing this from a console cable into the back of a PIX. Not PDM.
            You can enter commands via PDM 'console', but I find a console cable the best way to go. All of what follows next assumes you have typed 'enable' to get you into enable mode, then 'configure terminal' to actually start affecting the configuration.

            -I've assumed that the external IP of the PIX is the IP other mail servers will be attempting to connect to on tcp 25 (SMTP). If not, let me know.

            -Your internal mail server is called dbyexch01, and that your 'name' command references this.


            ------------------------------------------------------------------------------------
            The PIX has a fairly straightforward security model, incidentally:

            -each interface has a 'trust' level (called security level on PIX). Highest (most trusted) level = 100. Lowest = 0. (You can have a PIX with a bunch of interfaces, both virtual and physical, so this range can actually prove useful.)

            -traffic is allowed to flow from a higher-security interface to a lower-security interface (i.e., from the inside (generally 100) to the outside (generally 0)) as long as the appropriate 'nat' and 'global' statements have been configured. The PIX 'remembers' the traffic going from high to low, and when it returns, permits it back in, then closes the connection.

            So, if you hit google from a browser on the inside:

            -the traffic is permitted out, and is natted according to your global and nat statements
            -the pix places an entry in its 'translation matrix' to keep track of this traffic
            -when traffic lands on the outside of the PIX, it checks the matrix
            -if an entry exists, the traffic is permitted through and the matrix is updated
            -if it doesn't, traffic is dropped.
            -finally- and most importantly- NO UNSOLICITED TRAFFIC IS ALLOWED TO FLOW FROM LOW TO HIGH-
            -unless the appropriate statements are added

            ------------------------------------------------------------------------------------

            Steps needed:

            1) Disable the 'fixup' for port 25 (SMTP)
            The PIX will try and interpret invalid commands for SMTP 'streams'. Exchange is actually ESMTP, so this application inspection (or 'fixup') will break SMTP.

            command:


            no fixup protocol smtp 25


            2) Allow all internal traffic out to the internet
            It needs 2 things to do this:
            i) a 'pool' of translatable IP addresses, or just the external interface IP itself (your 'global' statement)
            ii) a special nat-specific 'access-list' to tell it what to translate (the 'nat' statement)

            (If you think of the former as 'what do I translate these packets into?' and the latter as 'what addresses do I actually translate?' you won't go too far wrong.)

            Commands needed (you've done these already, this is just for illustration):

            global (outside) 200 interface
            nat (inside) 200 0.0.0.0 0.0.0.0 0 0


            3) We now want to forward tcp 25 in from the external interface IP address to an internal host, and not break our earlier work.
            Remember what I said earlier about the PIX not allowing unsolicited traffic to go from low to high (outside to inside, in this case) unless the right commands were added? That's what we'll do now.

            Commands needed:


            static (inside,outside) tcp interface 25 dbyexch01 25 netmask 255.255.255.255 0

            access-list smtp_in permit tcp any interface outside eq 25


            access-group smtp_in in interface outside


            Explanation:
            -first command tells the PIX to statically (i.e., in a fixed manner) translate traffic originating on the outside interface, on tcp 25, and to translate it to dbyexch01's IP address on 25.
            -but we still need an access-list to permit our traffic: so the second command tells the PIX what's actually allowed.
            -thirdly, we tell the PIX where to apply this access-list, and in what direction: in this case, our access-list (called smtp_in) is applied inbound on the outside interface.


            Try this and see if it allows tcp 25 in to your mail server, and still allows your internal hosts to get out.

            regards,

            theterranaut
            Last edited by theterranaut; 13th December 2006, 21:59.

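A checker for the three-step setup in the post above, added here as an example and not code from the thread or from Cisco. It parses PIX 6.x-style config lines and confirms what the post says the low-to-high path needs: the SMTP fixup is off, a static forwards tcp/25 from the outside interface to the named mail host, and an access-list bound inbound on outside permits tcp/25 to the outside IP (either the 'interface outside' form or the 'host d.e.f.122' form); it also flags any over-broad permit entry on that ACL. The sample config is constructed from the thread's sanitised lines; the function name and the names of the findings are my own.

```python
# Constructed sample: the thread's sanitised config lines that matter, plus the
# three forwarding commands from post #6 with the ACL form that worked in post #7.
PIX_CONFIG = """\
fixup protocol smtp 25
name a.b.c.31 dbyexch01
ip address outside d.e.f.122 255.255.255.252
no fixup protocol smtp 25
static (inside,outside) tcp interface 25 dbyexch01 25 netmask 255.255.255.255 0
access-list smtp_in permit tcp any host d.e.f.122 eq 25
access-group smtp_in in interface outside
"""

def check_smtp_forward(config, mail_host="dbyexch01", port="25"):
    """Return findings; [] means the inbound SMTP forward matches post #6/#7."""
    names, outside_ip, fixup_smtp, statics, acls, groups = {}, None, False, [], {}, {}
    for line in config.splitlines():
        f = line.split()
        if f[:1] == ["name"]:
            names[f[2]] = f[1]                      # name -> IP
        elif f[:3] == ["ip", "address", "outside"]:
            outside_ip = f[3]
        elif f[:3] == ["fixup", "protocol", "smtp"]:
            fixup_smtp = True                       # inspection on (PIX default)
        elif f[:4] == ["no", "fixup", "protocol", "smtp"]:
            fixup_smtp = False                      # step 1 of post #6
        elif f[:1] == ["static"]:
            statics.append(f)
        elif f[:1] == ["access-list"]:
            acls.setdefault(f[1], []).append(f[2:])
        elif f[:1] == ["access-group"]:
            groups[f[1]] = (f[2], f[4])             # name -> (direction, interface)
    findings = []
    if fixup_smtp:
        findings.append("SMTP fixup still enabled; Exchange (ESMTP) will break")
    # static (inside,outside) tcp interface <port> <host> <port> ...; host may be a name
    target = names.get(mail_host, mail_host)
    if not any(s[1:5] == ["(inside,outside)", "tcp", "interface", port]
               and names.get(s[5], s[5]) == target and s[6] == port for s in statics):
        findings.append(f"no static forwarding tcp {port} to {mail_host}")
    # ACL bound inbound on outside, permitting tcp/<port> to 'host <ip>' or 'interface outside'
    permits = []
    for name in [n for n, bind in groups.items() if bind == ("in", "outside")]:
        for e in acls.get(name, []):
            if e[:1] == ["permit"] and (e[1:2] == ["ip"] or e[2:4] == ["any", "any"]):
                findings.append(f"ACL {name} is over-broad: {' '.join(e)}")
            if e[:2] == ["permit", "tcp"] and e[-2:] == ["eq", port] \
                    and e[3:5] in (["host", outside_ip], ["interface", "outside"]):
                permits.append(name)
    if not permits:
        findings.append(f"no inbound ACL on outside permits tcp {port} to the outside IP")
    return findings
```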


            • #7
              Re: CISCO PIX515 and email (exchange) forwarding

              Hurrah! Success!

              The only thing is that

              access-list smtp_in permit tcp any interface outside eq 25 didn't work so I used

              access-list smtp_in permit tcp any host d.e.f.122 eq 25 instead

              And now I'm getting external mail and the internet is still up!

              Many Thanks!



              • #8
                Re: CISCO PIX515 and email (exchange) forwarding

                Originally posted by chief007:
                Hurrah! Success!

                The only thing is that

                access-list smtp_in permit tcp any interface outside eq 25 didn't work so I used

                access-list smtp_in permit tcp any host d.e.f.122 eq 25 instead

                And now I'm getting external mail and the internet is still up!

                Many Thanks!
                Oops! Typo'd that one, Chief. Sorry about that. Still, you triumphed over my inability to cut and paste correctly!

                Note that the last section (forwarding port 25 in) can be replicated for any port/internal IP address. So you could run an internal web server, for example, or similar. Doing this and running your internal-to-internet traffic is using Policy NAT and PAT (port address translation) which, in theory, means you've circa 60,000 possible connections you can play with. In practice it's far less, but you should still be okay as long as you don't have several hundred internal users.

                all the best,

                theterranaut
