Pix---> Isa Server -------> Exchange 2003

    Hi people.

    I'm new on this site, but I need somebody to help me.


    I have a W2003 domain working perfectly with an ISA server and an Exchange. All is OK, mail works fine. But now I installed a PIX 506E in front of my ISA, and now I need to know how to make the PIX allow email to pass to the Exchange.

    INTERNET ----->PIX---> ISA SERVER -------> EXCHANGE 2003

    I can make users pass the ISA, pass the PIX, and go to the Internet. But email is not working.

    Can any person help me?
    I give you the info of my sh run.
    --------


    interface ethernet0 100basetx
    interface ethernet1 100basetx
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password u2uJHHRFFH767KOAZ6 encrypted
    passwd 2KFSDFQnbASNFI.2KYOU encrypted
    hostname PIX
    domain-name PIX.COM
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    access-list ac_out permit tcp any interface outside eq smtp
    access-list ac_out permit tcp any host 200.XXX.XXX.XX3 eq smtp
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 200.XXX.XXX.XX3 255.255.255.255
    ip address inside 172.16.32.1 255.255.255.224
    ip audit info action alarm
    ip audit attack action alarm
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 172.16.32.0 255.255.255.224 0 0
    access-group ac_out in interface outside
    route outside 0.0.0.0 0.0.0.0 200.XXX.XXX.X93 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 172.16.32.2 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80
    Cryptochecksum:23225f2d3a73e228a33d03Ac52aE42c8bb1 15ab7
    : end

    --------------------

    FOR A LITTLE EXPLANATION.

    PIX
    OUTSIDE: 200.XXX.XXX.XX3
    INSIDE: 172.16.32.1


    ISA
    NIC1: 172.16.32.2
    NIC2:192.168.1.2

    EXCHANGE:
    NIC1:172.16.32.5

    INTERNET IS WORKING FINE. BUT NO EMAIL.
    Please help me.
    Last edited by ferandres; 21st December 2006, 16:42.

  • #2
    Re: Pix---> Isa Server -------> Exchange 2003

    Hi Ferandres,

    Firstly, have a read here at one of my earlier posts: http://forums.petri.com/showthread.php?t=11619

    I think all that you are lacking is the correct 'static' and 'access-list' needed for translating your external mail address into your internal mail address.

    Incidentally, what is ISA doing in all of this? Is it NATting? Is this configured correctly?
    What does your 192.x address lead to?

    You said:

    PIX
    OUTSIDE: 200.XXX.XXX.XX3
    INSIDE: 172.16.32.1


    ISA
    NIC1: 172.16.32.2
    NIC2:192.168.1.2

    EXCHANGE:
    NIC1:172.16.32.5

    So, this means Exchange is on the same subnet as the PIX's inside subnet. I can't see how ISA would firewall in this scenario. Is it being used for some sort of front-end solution for Exchange?

    regards

    theterranaut
    Last edited by theterranaut; 21st December 2006, 20:20.


    • #3
      Re: Pix---> Isa Server -------> Exchange 2003

      Hi, and thanks for the response.

      This morning I read your post, but I don't understand this line:

      static (inside,outside) tcp interface 25 dbyexch01 25 netmask 255.255.255.255 0

      I applied the access list, but nothing.

      If I telnet to "public pix ip" 25,
      nothing happens, no response.

      ISA is my first firewall/proxy, but now we bought a PIX.
      ISA has two NICs: NIC1 is in the LAN on the inside of the PIX, and the other NIC is in the LAN of the Exchange,
      like I wrote in my post.


      • #4
        Re: Pix---> Isa Server -------> Exchange 2003

        Sorry, I made a mistake; the Exchange is
        192.168.1.5


        • #5
          Re: Pix---> Isa Server -------> Exchange 2003

          Look, I uploaded a pic of my past scenario and the new one; maybe this helps.

          Thanks.


          • #6
            Re: Pix---> Isa Server -------> Exchange 2003

            OK. First thing: is this ISA doing NAT? If not, why do you need it at all?

            Secondly: if you connect a machine addressed with a 172.x address from your
            range, can you telnet to the Exchange box on port 25?

            i.e.:

            -set machine up on 172.16.32.5
            -can you telnet on port 25 to the address that ISA is 'presenting' the Exchange server on?

            regards

            Thirdly: I have to ask- is this a business-critical installation, or just something you are trying
            out in a lab?

            theterranaut
            Last edited by theterranaut; 21st December 2006, 20:51.


            • #7
              Re: Pix---> Isa Server -------> Exchange 2003

              Yes, on the inside network telnet works fine.


              • #8
                Re: Pix---> Isa Server -------> Exchange 2003

                Good stuff. Now, what address did you use to telnet to? This is the address that needs to be added into the 'static' statement. Let's call this 'your mail address' for now.

                Try this:


                -static (inside,outside) tcp (your external IP address) 25 (your mail address) 25 netmask 255.255.255.255 0 0

                -no fixup protocol smtp 25


                (This disables the PIX interfering with SMTP.)

                Your access lists are:

                access-list ac_out permit tcp any interface outside eq smtp
                access-list ac_out permit tcp any host 200.XXX.XXX.XX3 eq smtp

                These should be okay.

                regards

                theterranaut

                I ask again- is this a 'production' device?


                • #9
                  Re: Pix---> Isa Server -------> Exchange 2003

                  Sorry, it does not work. =//

                  I have a question: did you see the pics that I sent?

                  My confusion is


                  static (inside,outside) tcp (your external IP address) 25 (your mail address) 25 netmask 255.255.255.255 0 0


                  In the part of the mail address... do I need to put my 192.168.1.X???
                  Is there no problem that the inside interface of my PIX is 172.16.32.X??

                  This is my testing device, but I want this to work for deployment.
                  Is there something bad with my scenario?


                  • #10
                    Re: Pix---> Isa Server -------> Exchange 2003

                    I see.

                    OK:

                    The IP address you used when you tried the telnet test I asked you to do earlier? That one is what I'm calling "YOUR MAIL ADDRESS".
                    Your external IP address is the outside IP of your PIX.

                    So:

                    -If you used IP address 172.16.32.20 on the telnet test
                    -And your external IP address is 200.200.200.1

                    Your command is:

                    -static (inside,outside) tcp (200.200.200.1) 25 (172.16.32.20) 25 netmask 255.255.255.255 0 0


                    You see, you are (I think, you haven't confirmed yet) doing 'double NAT'. Both your PIX and ISA are NATting, which is wasteful and unnecessary, but will work. The PIX is (from the perspective of the Internet) the first NATting device, ISA is the second.

                    regards

                    TT

                    BTW- how are you conducting this test?
                    Last edited by theterranaut; 21st December 2006, 22:34. Reason: Thought of a question

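As an added example (not from this thread or from Cisco), a small Python checker that applies the three tests the replies above walk through to a PIX 6.x running-config: is there a static for tcp/25 on the outside address, does the access-list applied inbound on outside permit it, and is the real host actually on the PIX's inside subnet (the mismatch in post #9, where Exchange sits on 192.168.1.x while the PIX inside is 172.16.32.x). The sample config and its addresses are constructed (203.0.113.3 stands in for the masked public IP) and `check_smtp_publishing` is a hypothetical helper name.

```python
import ipaddress

# Constructed sample in the shape of the PIX 6.x config posted in this thread;
# 203.0.113.3 stands in for the masked public address, the hosts are made up.
SAMPLE_CONFIG = """
name 192.168.1.2 exchange
access-list ac_out permit tcp any host 203.0.113.3 eq smtp
ip address outside 203.0.113.3 255.255.255.192
ip address inside 172.16.32.1 255.255.255.224
static (inside,outside) tcp 203.0.113.3 smtp exchange smtp netmask 255.255.255.255 0 0
access-group ac_out in interface outside
"""
PORT_NAMES = {"smtp": 25}   # PIX port keywords used by the sample


def _port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def check_smtp_publishing(config, port=25):
    """Return findings that would stop inbound tcp/<port>; an empty list means the
    static, the inbound ACL on 'outside' and the inside subnet all agree."""
    names, ifaces, statics, acls, groups = {}, {}, [], {}, {}
    for t in (ln.split() for ln in config.splitlines()):
        if t[:1] == ["name"]:
            names[t[2]] = t[1]                             # alias -> address
        elif t[:2] == ["ip", "address"]:
            ifaces[t[2]] = ipaddress.ip_interface(f"{t[3]}/{t[4]}")
        elif t[:1] == ["static"] and t[2] == "tcp":
            statics.append((t[3], _port(t[4]), t[5]))       # global, port, real host
        elif t[:1] == ["access-list"] and t[2] == "permit":
            acls.setdefault(t[1], []).append(t[4:])         # src, dst..., eq, port
        elif t[:1] == ["access-group"] and t[2] == "in":
            groups[t[4]] = t[1]                             # interface -> acl name
    addr = lambda x: ipaddress.ip_address(names.get(x, x))
    out_ip, inside = ifaces["outside"].ip, ifaces["inside"].network
    findings = []
    published = [s for s in statics if s[1] == port and (s[0] == "interface" or addr(s[0]) == out_ip)]
    if not published:
        findings.append(f"no static translates tcp/{port} on the outside address to an inside host")
    for _, _, real in published:   # post #9's mistake: real host on a subnet the PIX has no route to
        if addr(real) not in inside:
            findings.append(f"real host {addr(real)} is not in the inside subnet {inside}; add a route or move it")
    permitted = any(e[-2:-1] == ["eq"] and _port(e[-1]) == port and
                    (e[1:3] == ["interface", "outside"] or (e[1] == "host" and addr(e[2]) == out_ip))
                    for e in acls.get(groups.get("outside", ""), []))
    if not permitted:
        findings.append(f"no access-list applied 'in' on outside permits tcp/{port} to the outside address")
    return findings
```

Run against the sample as posted it reports only the subnet mismatch; moving the inside interface onto 192.168.1.0/24, as the thread eventually does, clears it.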

                    • #11
                      Re: Pix---> Isa Server -------> Exchange 2003

                      Hi, thanks for your help.

                      Look, I made the change that you told me; this is my sh run.

                      interface ethernet0 100basetx
                      interface ethernet1 100basetx
                      nameif ethernet0 outside security0
                      nameif ethernet1 inside security100
                      enable password uMzAZ6 encrypted
                      passwd 2KFI.2KYOU encrypted
                      hostname PIX
                      domain-name PIX.COM
                      fixup protocol dns maximum-length 512
                      fixup protocol ftp 21
                      fixup protocol h323 h225 1720
                      fixup protocol h323 ras 1718-1719
                      fixup protocol http 80
                      fixup protocol rsh 514
                      fixup protocol rtsp 554
                      fixup protocol sip 5060
                      fixup protocol sip udp 5060
                      fixup protocol skinny 2000
                      no fixup protocol smtp 25
                      fixup protocol sqlnet 1521
                      fixup protocol tftp 69
                      names
                      name 192.168.1.2 exchange
                      name 172.16.32.2 isa
                      access-list ac_out permit tcp any interface outside eq smtp
                      access-list ac_out permit tcp any host 200.XXX.XX.XX3 eq smtp
                      pager lines 24
                      mtu outside 1500
                      mtu inside 1500
                      ip address outside 200.XXX.XX.XX3 255.255.255.192
                      ip address inside 192.168.1.20 255.255.255.0
                      ip audit info action alarm
                      ip audit attack action alarm
                      pdm history enable
                      arp timeout 14400
                      global (outside) 1 interface
                      nat (inside) 1 192.168.1.0 255.255.255.0 0 0
                      static (inside,outside) tcp 200.XXX.XXX.XX3 smtp exchange smtp netmask 255.255.255.255 0 0
                      access-group ac_out in interface outside
                      route outside 0.0.0.0 0.0.0.0 200.XXX.XXX.X93 1
                      timeout xlate 3:00:00
                      timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
                      timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
                      timeout sip-disconnect 0:02:00 sip-invite 0:03:00
                      timeout uauth 0:05:00 absolute
                      aaa-server TACACS+ protocol tacacs+
                      aaa-server TACACS+ max-failed-attempts 3
                      aaa-server TACACS+ deadtime 10
                      aaa-server RADIUS protocol radius
                      aaa-server RADIUS max-failed-attempts 3
                      aaa-server RADIUS deadtime 10
                      aaa-server LOCAL protocol local
                      http server enable
                      http isa 255.255.255.255 inside
                      no snmp-server location
                      no snmp-server contact
                      snmp-server community public
                      no snmp-server enable traps
                      floodguard enable
                      telnet timeout 5
                      ssh timeout 5
                      console timeout 0
                      terminal width 80
                      Cryptochecksum:dc0e275d5d67bd30daab6780e97f8f34
                      : end

                      /////////////////////
                      ////////////////////

                      I can send email, but not receive. Why can't I receive....

                      I changed my configuration, because I removed my ISA server for testing; when I saw my Exchange and PIX were working, I installed my ISA again.
                      Your tips helped me with my PIX-Exchange, but using PIX-ISA-Exchange... it doesn't really work...=/


                      • #12
                        Re: Pix---> Isa Server -------> Exchange 2003

                        Here's some stuff to check:

                        -the earlier telnet test? What was the IP you telnetted to? Was it 192.168.1.2? Or something else?
                        Can you confirm this please?

                        -Can you telnet from the 'outside world' on port 25?

                        regards

                        theterranaut


                        • #13
                          Re: Pix---> Isa Server -------> Exchange 2003

                          OK, I can telnet to my public IP, and all works.
                          telnet 200.xxx.xxx.xx3 25

                          It connects; if I create a telnet session and send an email using the MAIL FROM and RCPT TO commands, all works. I receive the email in the inbox.

                          But if you send me an email from your company or Hotmail or anything else, nothing happens; no email arrives at my server.


                          • #14
                            Re: Pix---> Isa Server -------> Exchange 2003

                            Right. In that case, your internal network setup looks good, and there's some external factor that's the problem. The first thing I would check is:
                            -What's the MX for your mail server?

                            (Do you know how to check this?)

                            regards

                            theterranaut


                            • #15
                              Re: Pix---> Isa Server -------> Exchange 2003

                              OK OK,

                              My email is working well.
                              I changed the IP address of my PIX, all is working.
                              Thanks a lot.

                              b........u..........t.


                              What if I put an ISA in the middle? =)
                              pix---------->isa------------>exchange.
                              That is my original idea.
