Exchange2010 w Pix 501 help.

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Exchange2010 w Pix 501 help.

    I am trying to stand up a new exchange server; its internal IP address is 10.0.0.51.
    Here is my show run config, minus some VPN stuff and the external IP address. What am I doing wrong....
    I may go insane. If there's anything else you see totally wrong, let me know, as I got this network from an idiot who was in my position previously.

    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 10full
    interface ethernet2 auto shutdown
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 intf2 security4
    hostname pix515-wbm
    domain-name **********.net
    clock timezone EST -5
    clock summer-time EDT recurring
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    names
    name 10.0.0.168 BarracudaSpamFirewall
    name 10.0.0.51 Exchange2010
    name 68.*.*.* barracuda.********.com
    object-group service Blaster tcp
    port-object eq 135
    port-object eq 445
    port-object eq 5554
    port-object eq 9996
    object-group service netbios-ns udp
    port-object eq netbios-ns
    object-group service mysql tcp
    port-object range 3306 3306
    object-group service sdc tcp
    port-object eq https
    object-group service activant tcp
    port-object eq ssh
    object-group service rivetvpn udp
    port-object range 4500 4500
    object-group service Exchange2010 tcp
    description Exchange2010 Server Rules
    port-object eq www
    port-object range imap4 imap4
    port-object eq sqlnet
    port-object eq https
    port-object eq smtp
    access-list 100 deny tcp any any object-group Blaster
    access-list 100 deny udp any any object-group netbios-ns
    access-list 100 permit tcp any host 10.0.0.15 eq www
    access-list 100 permit tcp any host 10.0.0.17 eq www
    access-list 100 permit tcp any host 10.0.0.18 eq www
    access-list 100 permit tcp any host 10.0.0.239 eq www
    access-list 100 permit udp any host 10.0.0.100 eq domain
    access-list 100 permit tcp any host 10.0.0.18 eq smtp
    access-list 100 permit tcp any host 10.0.0.169 eq www
    access-list 100 permit tcp any host 10.0.0.15 eq smtp
    access-list 100 permit tcp any host 10.0.0.17 eq smtp
    access-list 100 permit tcp any host 10.0.0.239 eq smtp
    access-list 100 permit tcp any host 10.0.0.15 eq https
    access-list 100 permit tcp any host 10.0.0.78 eq www
    access-list 100 permit tcp any host 10.0.0.52 eq www
    access-list 100 permit tcp any host 10.0.0.52 eq smtp
    access-list 100 permit tcp any host 10.0.0.37 eq https
    access-list 100 permit udp any host 10.0.0.101 eq domain
    access-list 100 permit tcp any host 10.0.10.121 eq www
    access-list 100 permit tcp any host 10.0.0.22 eq www
    access-list 100 permit tcp any host 10.0.0.136 eq www
    access-list 100 permit tcp any host BarracudaSpamFirewall eq smtp
    access-list 100 remark Exchange 2010
    access-list 100 permit tcp any object-group Exchange2010 host Exchange2010 object-group Exchange2010
    access-list 100 permit tcp any host 10.0.0.57 eq smtp
    access-list 100 deny ip host 64.*.*.* any
    access-list 100 deny tcp host 64.*.*.* any
    access-list 100 deny udp host 64.*.*.* any
    access-list 100 permit tcp any host 10.0.0.113 eq www
    access-list 100 permit tcp any host 10.0.0.117 eq www
    access-list 100 permit esp host 64.*.*.* any
    access-list 100 permit tcp any host 10.0.0.113 eq smtp
    access-list 100 permit tcp any host 10.0.0.149 eq 8080
    access-list 100 permit tcp any host 10.0.0.84 eq smtp
    access-list 100 permit tcp any host 10.0.0.84 eq www
    access-list 100 permit tcp any host 10.0.0.24 eq www
    access-list 100 permit tcp any host 10.0.0.78 eq talk
    access-list 100 permit icmp any any echo-reply
    access-list 100 permit icmp any any source-quench
    access-list 100 permit icmp any any unreachable
    access-list 100 permit icmp any any time-exceeded
    access-list 100 deny ip any any
    access-list 110 permit ip 10.0.0.0 255.255.0.0 10.7.0.0 255.255.0.0
    access-list 110 permit ip 10.0.0.0 255.255.0.0 10.5.0.0 255.255.0.0
    access-list 110 permit ip 10.0.0.0 255.255.0.0 10.3.0.0 255.255.0.0
    access-list 110 permit ip 10.0.0.0 255.255.0.0 host 10.0.2.177
    access-list 110 permit ip 10.0.0.0 255.255.0.0 host 10.0.2.178
    access-list 110 permit ip 10.0.0.0 255.255.0.0 host 10.0.2.179
    access-list 110 permit ip 10.0.0.0 255.255.0.0 10.4.0.0 255.255.0.0
    access-list 110 permit ip 10.0.0.0 255.255.0.0 10.6.0.0 255.255.0.0
    access-list 110 permit ip 10.0.0.0 255.255.0.0 10.2.0.0 255.255.0.0
    access-list 110 permit ip 10.0.0.0 255.255.0.0 10.8.0.0 255.255.0.0
    access-list 110 permit tcp any host Exchange2010 eq https
    access-list 103 permit ip 10.0.0.0 255.255.0.0 10.7.0.0 255.255.0.0
    access-list 104 permit ip 10.0.0.0 255.255.0.0 10.5.0.0 255.255.0.0
    access-list 106 permit ip 10.0.0.0 255.255.0.0 10.3.0.0 255.255.0.0
    access-list outside_cryptomap_dyn_70 permit ip any 10.0.2.176 255.255.255.252
    access-list 102 permit ip 10.0.0.0 255.255.0.0 10.4.0.0 255.255.0.0
    access-list 101 permit ip 10.0.0.0 255.255.0.0 10.6.0.0 255.255.0.0
    access-list 105 permit ip 10.0.0.0 255.255.0.0 10.2.0.0 255.255.0.0
    access-list 107 permit ip 10.0.0.0 255.255.0.0 10.8.0.0 255.255.0.0
    pager lines 24
    logging timestamp
    logging trap warnings
    logging history informational
    logging device-id ipaddress inside
    mtu outside 1500
    mtu inside 1500
    mtu intf2 1500
    ip address outside 12.*.*.* 255.255.255.248
    ip address inside 10.0.0.151 255.255.0.0
    no ip address intf2
    ip verify reverse-path interface outside
    ip verify reverse-path interface inside
    ip audit name Intrusions attack action alarm drop
    ip audit name Infos info action alarm
    ip audit interface outside Infos
    ip audit interface outside Intrusions
    ip audit interface inside Infos
    ip audit interface inside Intrusions
    ip audit info action alarm
    ip audit attack action alarm drop
    ip local pool conf1 10.0.9.12-10.0.9.16
    ip local pool ********_vpn 10.0.2.177-10.0.2.181
    pdm location 10.0.0.15 255.255.255.255 inside
    pdm location 10.0.0.17 255.255.255.255 inside
    pdm location 10.0.0.18 255.255.255.255 inside
    pdm location 10.0.0.22 255.255.255.255 inside
    pdm location 10.0.0.24 255.255.255.255 inside
    pdm location 10.0.0.37 255.255.255.255 inside
    pdm location 10.0.0.52 255.255.255.255 inside
    pdm location 10.0.0.57 255.255.255.255 inside
    pdm location 10.0.0.78 255.255.255.255 inside
    pdm location 10.0.0.84 255.255.255.255 inside
    pdm location 10.0.0.100 255.255.255.255 inside
    pdm location 10.0.0.101 255.255.255.255 inside
    pdm location 10.0.0.113 255.255.255.255 inside
    pdm location 10.0.0.117 255.255.255.255 inside
    pdm location 10.0.0.136 255.255.255.255 inside
    pdm location 10.0.0.149 255.255.255.255 inside
    pdm location BarracudaSpamFirewall 255.255.255.255 inside
    pdm location 10.0.0.169 255.255.255.255 inside
    pdm location 10.0.0.239 255.255.255.255 inside
    pdm location 10.0.10.121 255.255.255.255 inside
    pdm location 10.0.0.0 255.0.0.0 inside
    pdm location 10.0.2.177 255.255.255.255 outside
    pdm location 10.0.2.178 255.255.255.255 outside
    pdm location 10.0.2.179 255.255.255.255 outside
    pdm location 10.0.2.176 255.255.255.252 outside
    pdm location 10.2.0.0 255.255.0.0 outside
    pdm location 10.3.0.0 255.255.0.0 outside
    pdm location 10.4.0.0 255.255.0.0 outside
    pdm location 10.5.0.0 255.255.0.0 outside
    pdm location 10.6.0.0 255.255.0.0 outside
    pdm location 10.7.0.0 255.255.0.0 outside
    pdm location 10.8.0.0 255.255.0.0 outside
    pdm location 64.*.*.* 255.255.255.255 outside
    pdm location 67.*.*.* 255.255.255.255 outside
    pdm location Exchange2010 255.255.255.255 inside
    pdm location barracuda.********.com 255.255.255.255 outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    nat (inside) 0 access-list 110
    static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
    access-group 100 in interface outside
    route outside 0.0.0.0 0.0.0.0 12.196.211.57 1
    : end
    Last edited by Wired; 31st August 2012, 19:36.

  • #2
    Re: Exchange2010 w Pix 501 help.

    access-list 100 permit tcp any object-group Exchange2010 host Exchange2010 object-group Exchange2010

    change to:

    access-list 100 permit tcp any host Exchange2010 object-group Exchange2010

    Also, the host Exchange2010 should reference the public IP address of the server. I assume you changed it to sanitize the config. It may also be a good idea to change your object-group name to something other than what you have as the host name for the server, just for clarity.

    static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0

    Also, if this is the static NAT for the exchange server, it should read:

    static (inside,outside) "public ip address" "internal ip address" netmask " "

    I would also tighten that up to allow only the protocols you need inbound on the outside:

    static (inside,outside) tcp "public ip address" 25 "private ip address" 25 netmask " "

    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)
