CISCO PIX515 and email (exchange) forwarding


This topic contains 7 replies, has 2 voices, and was last updated by chief007 12 years, 7 months ago.

    chief007
    Member
    #118428

    Hi All,

    First post here; so far you’ve helped me out a lot!

    This seems simple but I couldn’t find it anywhere with a search. I’ve got a new domain set up with an exchange server behind a PIX 515 (2 port so no DMZ).

    On the outside of the PIX is a Firebrick bonding 4 ADSL lines.

    I can trace route to the Firebrick’s IP and it is set up (by the ISP) to forward to the outside interface of the PIX.

    PAT is set up and internet works fine from the internal network.

    So to get exchange working I need to
    a) get the email domain name forwarded to the firebricks IP
    b) forward email through the PIX to the exchange server.

    a) shouldn’t be a problem as head office will sort it
    b) seems simple but CISCO never seem to make it look so!

    So any help with b) would be appreciated.

    Running PIX 6.1(3) and PDM 1.1(2)

    NB I’ve seen lots of command line help out there but would really like to get my head around the PDM.

    Cheers!

    theterranaut
    Member
    #285850

    Re: CISCO PIX515 and email (exchange) forwarding

    Hi Chief,

    I know what you mean re: PDM. The problem with PDM config is:
    you have to describe a series of clicks and text entry, which is a
    bit daunting given the PDM’s nature!

    Can I ask you to do the following:

    -Extract the configuration file from the PDM? I recall that if you click
    on ‘Tools’ its up there somewhere. There’s an option to dump out
    the config.

    If you post it up here (sanitised) we can take a look. This will allow
    us to check access-lists and such like before we give you a bum steer.

    Sound okay?

    regards

    theterranaut

    chief007
    Member
    #289471

    Re: CISCO PIX515 and email (exchange) forwarding

    Apologies for not getting back sooner.

    But I think I’m onto it.

    Basically after lots of fiddling (and stopping the internet working a few times) I resorted to a factory reset of the PIX to use the setup wizard to configure the exchange settings.

    What I’ve discovered is that because we only have one external IP address, which is being used for both PAT and exchange, the exchange rule is overriding PAT and cutting off the internet. It also won’t allow me to change the PAT rule’s priority, so I’m forced to delete the exchange translation.

    I’ve asked HQ for another external address but if anyone else has got this working on a single IP please post!

    theterranaut
    Member
    #285863

    Re: CISCO PIX515 and email (exchange) forwarding

    It shouldn’t be a problem, the PIX can handle this with ‘policy nat’.
    One IP is all you need!

    Do me a favour though: dump out your config and let us review it!
    That way, there will be no unexpected gotchas, specifically around
    the access-lists. If you are struggling to do this, let me know.

    regards

    theterranaut

    chief007
    Member
    #289472

    Re: CISCO PIX515 and email (exchange) forwarding

    There’s really not much to it at the mo…
    Internal addresses sanitised to a.b.x
    External to d.e.f

    Building configuration…
    : Saved
    :
    PIX Version 6.1(3)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password zz encrypted
    passwd zz encrypted
    hostname FW
    domain-name rd.com
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 1720
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    names
    name a.b.c.31 dbyexch01
    name d.e.f.121 Firebrick
    pager lines 24
    interface ethernet0 auto
    interface ethernet1 auto
    mtu outside 1500
    mtu inside 1500
    ip address outside d.e.f.122 255.255.255.252
    ip address inside a.b.c.2 255.255.0.0
    ip audit info action alarm
    ip audit attack action alarm
    no failover
    failover timeout 0:00:00
    failover poll 15
    failover ip address outside 0.0.0.0
    failover ip address inside 0.0.0.0
    pdm location dbyexch01 255.255.255.255 inside
    pdm location a.b.g.1 255.255.255.255 inside
    pdm location Firebrick 255.255.255.255 outside
    pdm location a.b.h.99 255.255.255.255 inside
    pdm history enable
    arp timeout 14400
    global (outside) 200 interface
    nat (inside) 200 0.0.0.0 0.0.0.0 0 0
    route outside 0.0.0.0 0.0.0.0 Firebrick 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    http server enable
    http a.b.g.1 255.255.255.255 inside
    http a.b.h.99 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    no sysopt route dnat
    telnet timeout 5
    ssh timeout 5
    terminal width 80
    Cryptochecksum:zzzz
    : end
    [OK]

    theterranaut
    Member
    #285865

    Re: CISCO PIX515 and email (exchange) forwarding

    OK. Here’s your config: relevant parts remain, I’ve removed the bumf:

    Internal address= a.b.c
    External= d.e.f



    nameif ethernet0 outside security0
    nameif ethernet1 inside security100

    fixup protocol smtp 25

    names
    name a.b.c.31 dbyexch01
    name d.e.f.121 Firebrick

    interface ethernet0 auto
    interface ethernet1 auto

    ip address outside d.e.f.122 255.255.255.252
    ip address inside a.b.c.2 255.255.0.0

    arp timeout 14400

    global (outside) 200 interface
    nat (inside) 200 0.0.0.0 0.0.0.0 0 0
    route outside 0.0.0.0 0.0.0.0 Firebrick 1

    floodguard enable
    no sysopt route dnat
    telnet timeout 5
    ssh timeout 5



    Objectives:
    1) Allow SMTP (tcp 25) in to an internal Exchange server
    2) Allow all outbound traffic originating on the inside out to ‘the internet’

    Assumptions:

    -I’m doing this from a console cable into the back of a PIX. Not PDM.
    You can enter commands via PDM ‘console’, but I find a console cable the best way to go. All of what follows next assumes you have typed ‘enable’ to get you into enable mode, then ‘configure terminal’ to actually start affecting the configuration.

    -I’ve assumed that the external IP of the PIX is the IP other mail servers will be attempting to connect to on tcp 25 (SMTP). If not, let me know.

    -Your internal mail server is called dbyexch01, and your ‘name’ command references this.


    The PIX has a fairly straightforward security model, incidentally:

    -each interface has a ‘trust’ level (called security level on the PIX). Highest (most trusted) level = 100. Lowest = 0. (You can have a PIX with a bunch of interfaces, both virtual and physical, so this range can actually prove useful.)

    -traffic is allowed to flow from a higher-security interface to a lower-security interface (ie, from the inside (generally 100) to the outside (generally 0)) as long as the appropriate ‘nat’ and ‘global’ statements have been configured. The PIX ‘remembers’ the traffic going from high to low, and when it returns, permits it back in, then closes the connection.

    So, if you hit google from a browser on the inside:

    -the traffic is permitted out, and is natted according to your global and nat statements
    -the pix places an entry in its ‘translation matrix’ to keep track of this traffic
    -when traffic lands on the outside of the PIX, it checks the matrix
    -if an entry exists, the traffic is permitted through and the matrix is updated
    -if it doesn’t, the traffic is dropped.
    -finally, and most importantly, NO UNSOLICITED TRAFFIC IS ALLOWED TO FLOW FROM LOW TO HIGH
    -unless the appropriate statements are added



    Steps needed:

    1) Disable the ‘fixup’ for port 25 (SMTP)
    The PIX will try and interpret invalid commands for SMTP ‘streams’. Exchange actually speaks ESMTP, so this application inspection (or ‘fixup’) will break SMTP.

    command:


    no fixup protocol smtp 25

    2) Allow all internal traffic out to the internet
    It needs 2 things to do this:
    i) a ‘pool’ of translatable IP addresses, or just the external interface IP itself (your ‘global’ statement)
    ii) a special NAT-specific ‘access-list’ to tell it what to translate (the ‘nat’ statement)

    (If you think of the former as ‘what do I translate these packets into?’ and the latter as ‘what addresses do I actually translate?’ you won’t go too far wrong.)

    Commands needed (you’ve done these already, this is just for illustration):

    global (outside) 200 interface
    nat (inside) 200 0.0.0.0 0.0.0.0 0 0

    3) We now want to forward tcp 25 in from the external interface IP address to an internal host, and not break our earlier work.
    Remember what I said earlier about the PIX not allowing unsolicited traffic to go from low to high (outside to inside, in this case) unless the right commands were added? That’s what we’ll do now.

    Commands needed:

    static (inside,outside) tcp interface 25 dbyexch01 25 netmask 255.255.255.255 0

    access-list smtp_in permit tcp any interface outside eq 25

    access-group smtp_in in interface outside

    Explanation:
    -the first command tells the PIX to statically (ie, in a fixed manner) translate traffic arriving on the outside
    interface on tcp 25, and to translate it to dbyexch01’s IP address on tcp 25.
    -but we still need an access-list to permit our traffic: so the second command tells the PIX what’s actually
    allowed.
    -thirdly, we tell the PIX where to apply this access-list, and in what direction: in this case, our access-list
    (called smtp_in) is applied inbound on the outside interface.

    Try this and see if it allows tcp 25 in to your mail server, and still allows your internal hosts to get out.

    regards,

    theterranaut
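    A way to check steps 1) to 3) above against a dumped config before typing them in, written as an added example for this page (it is not from the thread, from Cisco, or from PDM): a small Python lint that parses a PIX 6.x-style running config and reports whether the SMTP fixup is off, whether the static PAT for tcp/25 exists, whether an access-list permits tcp/25 to the outside IP (written as ‘host <outside IP>’, the form that worked on 6.1(3) later in this thread), whether that access-list is applied inbound on outside, and whether the global/nat pair for outbound PAT is still there. The sample config is constructed from the sanitised config posted above; the function names and the `add_smtp_forward` helper are mine.

```python
import re

# PIX accepts port names or numbers in fixup/static/access-list; only what this needs.
PORT_NAMES = {"smtp": 25, "www": 80, "https": 443}


def _port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _addr(tok, i):
    """Consume one ACL address spec at tok[i]; return (spec, index after it)."""
    if tok[i] == "any":
        return ("any",), i + 1
    if tok[i] in ("host", "interface"):
        return (tok[i], tok[i + 1]), i + 2
    return ("net", tok[i], tok[i + 1]), i + 2  # "<address> <mask>"


def parse_pix(text):
    """Pull the NAT/ACL-relevant statements out of a PIX 6.x running config."""
    cfg = {"names": {}, "iface_ip": {}, "fixups": set(), "statics": [],
           "acls": {}, "access_groups": {}, "global": {}, "nat": {}}
    for raw in text.splitlines():
        line = raw.strip()
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "name" and len(tok) == 3:                # name <ip> <alias>
            cfg["names"][tok[2]] = tok[1]
        elif tok[:2] == ["ip", "address"] and len(tok) >= 4:  # ip address <if> <ip> <mask>
            cfg["iface_ip"][tok[2]] = tok[3]
        elif tok[:2] == ["fixup", "protocol"] and len(tok) == 4:
            cfg["fixups"].add((tok[2], _port(tok[3])))
        elif tok[:3] == ["no", "fixup", "protocol"] and len(tok) == 5:
            cfg["fixups"].discard((tok[3], _port(tok[4])))
        elif tok[0] == "static":
            m = re.match(r"static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)", line)
            if m:  # (in_if, out_if, proto, ext_addr, ext_port, int_addr, int_port)
                cfg["statics"].append((m[1], m[2], m[3], m[4], _port(m[5]), m[6], _port(m[7])))
        elif tok[0] == "access-list" and len(tok) > 4 and tok[2] == "permit":
            src, i = _addr(tok, 4)
            dst, i = _addr(tok, i)
            dport = _port(tok[i + 1]) if i + 1 < len(tok) and tok[i] == "eq" else None
            cfg["acls"].setdefault(tok[1], []).append((tok[3], src, dst, dport))
        elif tok[0] == "access-group" and len(tok) == 5:      # access-group <acl> in interface <if>
            cfg["access_groups"][tok[4]] = (tok[1], tok[2])
        elif tok[0] == "global" and len(tok) >= 4:            # global (<if>) <id> ...
            cfg["global"][tok[2]] = tok[1].strip("()")
        elif tok[0] == "nat" and len(tok) >= 3:               # nat (<if>) <id> ...
            cfg["nat"][tok[2]] = tok[1].strip("()")
    return cfg


def lint_smtp_forward(cfg, mail_host, inside="inside", outside="outside"):
    """List what is still wrong with the inbound tcp/25 forward; empty list means OK."""
    problems = []
    out_ip = cfg["iface_ip"].get(outside)
    mail_ip = cfg["names"].get(mail_host, mail_host)

    if ("smtp", 25) in cfg["fixups"]:
        problems.append("fixup protocol smtp 25 is still on (mangles ESMTP); add: no fixup protocol smtp 25")

    if not any(s[0] == inside and s[1] == outside and s[2] == "tcp" and s[3] in ("interface", out_ip)
               and s[4] == 25 and s[5] in (mail_host, mail_ip) and s[6] == 25 for s in cfg["statics"]):
        problems.append(f"no static (inside,outside) tcp interface 25 {mail_host} 25")

    group = cfg["access_groups"].get(outside)
    acl_name = group[0] if group and group[1] == "in" else None
    if acl_name is None:
        problems.append("no access-group applied inbound on the outside interface")
    entries = cfg["acls"].get(acl_name, [])
    if not any(e[0] == "tcp" and e[2] == ("host", out_ip) and e[3] == 25 for e in entries):
        hint = ""
        if any(e[2] == ("interface", outside) for e in entries):
            hint = " ('interface outside' did not work on 6.1(3) in this thread; use host <outside IP>)"
        problems.append(f"no access-list entry permitting tcp any host {out_ip} eq 25" + hint)

    if not any(cfg["nat"].get(gid) == inside for gid, ifn in cfg["global"].items() if ifn == outside):
        problems.append("outbound PAT pair (global/nat with the same ID) is missing")
    return problems


def add_smtp_forward(text, mail_host, outside_ip):
    """Return the config text with the thread's working fix appended (hypothetical helper)."""
    lines = [l for l in text.splitlines() if l.strip() != "fixup protocol smtp 25"]
    lines += [
        "no fixup protocol smtp 25",
        f"static (inside,outside) tcp interface 25 {mail_host} 25 netmask 255.255.255.255 0",
        f"access-list smtp_in permit tcp any host {outside_ip} eq 25",
        "access-group smtp_in in interface outside",
    ]
    return "\n".join(lines) + "\n"


# Constructed sample: the relevant lines of the sanitised config posted in this thread.
POSTED_CONFIG = """\
PIX Version 6.1(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol ftp 21
fixup protocol smtp 25
names
name a.b.c.31 dbyexch01
name d.e.f.121 Firebrick
ip address outside d.e.f.122 255.255.255.252
ip address inside a.b.c.2 255.255.0.0
global (outside) 200 interface
nat (inside) 200 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 Firebrick 1
"""

if __name__ == "__main__":
    print("before:", *lint_smtp_forward(parse_pix(POSTED_CONFIG), "dbyexch01"), sep="\n  ")
    fixed = add_smtp_forward(POSTED_CONFIG, "dbyexch01", "d.e.f.122")
    print("after:", lint_smtp_forward(parse_pix(fixed), "dbyexch01"))
```

    Run it against a ‘write terminal’ dump saved to a file by reading the file into `parse_pix`; on the posted config it reports four problems, on the config with the three commands and the fixup removal applied it reports none, and if the access-list is written with ‘interface outside’ instead of ‘host d.e.f.122’ it points at that line specifically.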

    chief007
    Member
    #289473

    Re: CISCO PIX515 and email (exchange) forwarding

    Hurrah! Success!

    The only thing is that

    access-list smtp_in permit tcp any interface outside eq 25 didn’t work so I used

    access-list smtp_in permit tcp any host d.e.f.122 eq 25 instead

    And now I’m getting external mail and the internet is still up!

    Many Thanks!

    theterranaut
    Member
    #285866

    Re: CISCO PIX515 and email (exchange) forwarding

    chief007;49182 wrote:
    Hurrah! Success!

    The only thing is that

    access-list smtp_in permit tcp any interface outside eq 25 didn’t work so I used

    access-list smtp_in permit tcp any host d.e.f.122 eq 25 instead

    And now I’m getting external mail and the internet is still up!

    Many Thanks!

    Oops! Typo’d that one, Chief. Sorry about that. Still, you triumphed over my inability to cut and paste correctly!

    Note that the last section (forwarding port 25 in) can be replicated for any port/internal IP address. So you could run an internal web server, for example, or similar. Doing this and running your internal-to-internet traffic is using Policy NAT and PAT (port address translation) which, in theory, means you’ve circa 60,000 possible connections you can play with. In practice it’s far less, but you should still be okay as long as you don’t have several hundred internal users.

    all the best,

    theterranaut
