Pix—> Isa Server ——-> Exchange 2003


This topic contains 22 replies, has 2 voices, and was last updated by ferandres 12 years, 7 months ago.

    ferandres, Member, #119082

    Hi people.

    I'm new on this site, but I need somebody to help me.

    I have a W2003 domain working perfectly with an ISA server and an Exchange server. All is OK, mail works fine. But now I have installed a PIX 506E in front of my ISA, and now I need to know how to make the PIX allow email to pass through to the Exchange.

    INTERNET ——> PIX ——> ISA SERVER ——> EXCHANGE 2003

    I can make users pass the ISA, pass the PIX, and go to the Internet, but email is not working.

    Can anyone help me?
    I give you the info from my sh run.


    interface ethernet0 100basetx
    interface ethernet1 100basetx
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password u2uJHHRFFH767KOAZ6 encrypted
    passwd 2KFSDFQnbASNFI.2KYOU encrypted
    hostname PIX
    domain-name PIX.COM
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    access-list ac_out permit tcp any interface outside eq smtp
    access-list ac_out permit tcp any host 200.XXX.XXX.XX3 eq smtp
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 200.XXX.XXX.XX3 255.255.255.255
    ip address inside 172.16.32.1 255.255.255.224
    ip audit info action alarm
    ip audit attack action alarm
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 172.16.32.0 255.255.255.224 0 0
    access-group ac_out in interface outside
    route outside 0.0.0.0 0.0.0.0 200.XXX.XXX.X93 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 172.16.32.2 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80
    Cryptochecksum:23225f2d3a73e228a33d03Ac52aE42c8bb115ab7
    : end



    For a little explanation:

    PIX
    OUTSIDE: 200.XXX.XXX.XX3
    INSIDE: 172.16.32.1

    ISA
    NIC1: 172.16.32.2
    NIC2: 192.168.1.2

    EXCHANGE:
    NIC1: 172.16.32.5

    Internet is working fine, but no email.
    Please help me.

    theterranaut, Member, #285871

    Re: Pix—> Isa Server ——-> Exchange 2003

    Hi Ferandres,

    firstly, have a read here at one of my earlier posts: http://forums.petri.com/showthread.php?t=11619

    I think all that you are lacking is the correct ‘static’ and ‘access-list’ needed
    for translating your external mail address into your internal mail
    address.

    Incidentally, what is ISA doing in all of this? Is it natting? Is this configured correctly?
    What does your 192.x address lead to?

    You said:

    PIX
    OUTSIDE: 200.XXX.XXX.XX3
    INSIDE: 172.16.32.1

    ISA
    NIC1: 172.16.32.2
    NIC2:192.168.1.2

    EXCHANGE:
    NIC1:172.16.32.5

    So, this means Exchange is on the same subnet as the PIX's inside subnet. I can't see how ISA
    would firewall in this scenario. Is it being used for some sort of front end solution for Exchange?

    regards

    theterranaut

    ferandres, Member, #291200

    Re: Pix—> Isa Server ——-> Exchange 2003

    Hi, and thanks for the response.

    This morning I read your post, but I don't understand this line:

    static (inside,outside) tcp interface 25 dbyexch01 25 netmask 255.255.255.255 0

    I applied the access list, but nothing.

    If I do a telnet "public pix ip" 25,
    nothing happens, no response.

    ISA was my first firewall/proxy, but now we have bought a PIX.
    ISA has two NICs: NIC1 is in the LAN on the inside of the PIX, and the other NIC is in the LAN of the Exchange,
    like I wrote in my post.

    ferandres, Member, #291201

    Re: Pix—> Isa Server ——-> Exchange 2003

    Sorry, I made a mistake: Exchange is
    192.168.1.5

    ferandres, Member, #291202

    Re: Pix—> Isa Server ——-> Exchange 2003

    Look, I have uploaded a picture of my old scenario and the new one; maybe this helps.

    Thanks.

    theterranaut, Member, #285872

    Re: Pix—> Isa Server ——-> Exchange 2003

    OK. First thing: is this ISA doing NAT? If not, why do you need it at all?

    Secondly: if you connect a machine addressed with a 172.x address from your
    range, can you telnet to the Exchange box on port 25?

    ie:

    -set machine up on 172.16.32.5
    -can you telnet on port 25 to the address that ISA is ‘presenting’ the Exchange server on?

    regards

    Thirdly: I have to ask- is this a business-critical installation, or just something you are trying
    out in a lab?

    theterranaut

    ferandres, Member, #291203

    Re: Pix—> Isa Server ——-> Exchange 2003

    Yes, on the inside network telnet works fine.

    theterranaut, Member, #285873

    Re: Pix—> Isa Server ——-> Exchange 2003

    Good stuff. Now, what address did you use to telnet to? This is the address that needs to be added into the ‘static’ statement. Let's call this ‘your mail address’ for now.

    Try this:

    -static (inside,outside) tcp (your external IP address) 25 (your mail address) 25 netmask 255.255.255.255 0 0

    -no fixup protocol smtp 25

    (This disables the PIX interfering with SMTP.)

    Your access lists are:

    access-list ac_out permit tcp any interface outside eq smtp
    access-list ac_out permit tcp any host 200.XXX.XXX.XX3 eq smtp

    These should be okay.

    regards

    theterranaut

    I ask again- is this a ‘production’ device?

    ferandres, Member, #291204

    Re: Pix—> Isa Server ——-> Exchange 2003

    Sorry, it doesn't work. =//

    I have a question: did you see the pictures I sent?

    My confusion is:

    static (inside,outside) tcp (your external IP address) 25 (your mail address) 25 netmask 255.255.255.255 0 0

    In the mail address part, do I need to put my 192.168.1.X?
    Is there no problem that the inside interface of my PIX is 172.16.32.X?

    This is my testing device, but I want this to work for deployment.
    Is there something wrong with my scenario?

    theterranaut, Member, #285874

    Re: Pix—> Isa Server ——-> Exchange 2003

    I see.

    OK:

    The IP address you used when you tried the telnet test I asked you to do earlier? That one is what I’m calling “YOUR MAIL ADDRESS”
    Your external IP address is the outside IP of your PIX.

    So:

    -If you used IP address 172.16.32.20 on the telnet test
    -And your external IP address is 200.200.200.1

    Your command is:

    -static (inside,outside) tcp 200.200.200.1 25 172.16.32.20 25 netmask 255.255.255.255 0 0

    You see, you are (I think, you haven't confirmed yet) doing ‘double NAT’. Both your PIX and ISA are NATing. Which is wasteful and unnecessary, but will work. The PIX is (from the perspective of the Internet) the first NATing device, ISA is the second.

    regards

    TT

    BTW- how are you conducting this test?

    ferandres, Member, #291205

    Re: Pix—> Isa Server ——-> Exchange 2003

    Hi, thanks for your help.

    Look, I made the change you told me; this is my sh run.

    interface ethernet0 100basetx
    interface ethernet1 100basetx
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password uMzAZ6 encrypted
    passwd 2KFI.2KYOU encrypted
    hostname PIX
    domain-name PIX.COM
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 192.168.1.2 exchange
    name 172.16.32.2 isa
    access-list ac_out permit tcp any interface outside eq smtp
    access-list ac_out permit tcp any host 200.XXX.XX.XX3 eq smtp
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 200.XXX.XX.XX3 255.255.255.192
    ip address inside 192.168.1.20 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 192.168.1.0 255.255.255.0 0 0
    static (inside,outside) tcp 200.XXX.XXX.XX3 smtp exchange smtp netmask 255.255.255.255 0 0
    access-group ac_out in interface outside
    route outside 0.0.0.0 0.0.0.0 200.XXX.XXX.X93 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http isa 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80
    Cryptochecksum:dc0e275d5d67bd30daab6780e97f8f34
    : end

    /////////////////////

    I can send email, but not receive. Why can't I receive....

    I changed my configuration: I removed my ISA server for testing, and when I see that my Exchange and PIX are working, I will install my ISA again.
    Your tips helped me with my PIX-Exchange, but using PIX-ISA-Exchange... it doesn't really work... =/

    theterranaut, Member, #285877

    Re: Pix—> Isa Server ——-> Exchange 2003

    Here’s some stuff to check:

    -the earlier telnet test? What was the IP you telnetted to? Was it 192.168.1.2? Or something else?
    Can you confirm this please?

    -Can you telnet from the ‘outside world’ on port 25?

    regards

    theterranaut

    ferandres, Member, #291206

    Re: Pix—> Isa Server ——-> Exchange 2003

    OK, I can telnet to my public IP, and it all works:
    telnet 200.xxx.xxx.xx3 25

    It connects; if I create a telnet session and send an email using the MAIL FROM and RCPT TO commands, it all works. I receive the email in the inbox.

    But if you send me an email from your company or Hotmail or anything else, nothing happens; no email arrives at my server.

    theterranaut, Member, #285878

    Re: Pix—> Isa Server ——-> Exchange 2003

    Right. In that case, your internal network setup looks good, and there's some external factor that's the problem. The first thing I would check is:
    -What's the MX for your mail server?

    (Do you know how to check this?)

    regards

    theterranaut
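The two checks the thread relies on, the manual `telnet <public ip> 25` session with MAIL FROM / RCPT TO and the "listener on tcp/25 inside, connect from outside" test that netcat is suggested for later, scripted as an added example. This is not code from either poster. It drives a real SMTP exchange against whatever answers on the port and reports the reply codes; for offline use it also ships a throwaway fake mail host playing the inside server. Every host name, mailbox and address in it is constructed for the example.

```python
"""SMTP reachability probe plus a throwaway listener for lab testing.

Added example for this thread, not code from the original posts. All
host names, addresses and mailboxes below are constructed.
"""
import socket
import threading


def _read_reply(f):
    """Read one SMTP reply (handles '250-' multi-line continuations).

    Returns (code, lines). A peer that closes without sending anything is
    the classic symptom of a static that forwards the port to the wrong
    inside host: TCP is open, but nothing behind it speaks SMTP.
    """
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("peer closed the connection without a reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":   # "250 ..." ends the reply
            break
    return int(lines[-1][:3]), lines


def smtp_probe(host, port=25, helo="probe.example.invalid",
               sender="probe@example.invalid",
               rcpt="postmaster@example.invalid", timeout=10):
    """Walk EHLO, MAIL FROM, RCPT TO, QUIT and return the reply codes in order.

    Stops at the first 4xx/5xx, so a relay refusal (550 on RCPT TO) shows up
    as the last code. Aim it at the public address from outside the firewall.
    """
    codes = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        code, _ = _read_reply(f)                      # 220 banner
        codes.append(code)
        for cmd in (f"EHLO {helo}", f"MAIL FROM:<{sender}>",
                    f"RCPT TO:<{rcpt}>", "QUIT"):
            s.sendall((cmd + "\r\n").encode("ascii"))
            code, _ = _read_reply(f)
            codes.append(code)
            if code >= 400:
                break
    return codes


class FakeMailHost(threading.Thread):
    """Stand-in for the inside mail server (the role netcat plays in the thread).

    Binds 127.0.0.1 on an OS-chosen port, answers one session like a minimal
    MTA and records what the client sent. accept_rcpt=False simulates a
    server that refuses to relay for the probed recipient.
    """

    def __init__(self, accept_rcpt=True):
        super().__init__(daemon=True)
        self.accept_rcpt = accept_rcpt
        self.transcript = []
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]

    def run(self):
        conn, _ = self.sock.accept()
        with conn:
            f = conn.makefile("rb")
            conn.sendall(b"220 mail.example.invalid ESMTP ready\r\n")
            while True:
                raw = f.readline()
                if not raw:
                    break
                line = raw.decode("ascii", "replace").strip()
                self.transcript.append(line)
                verb = line.split(" ", 1)[0].split(":", 1)[0].upper()
                if verb == "EHLO":
                    reply = b"250-mail.example.invalid\r\n250 SIZE 10240000\r\n"
                elif verb == "MAIL":
                    reply = b"250 2.1.0 sender ok\r\n"
                elif verb == "RCPT":
                    reply = (b"250 2.1.5 recipient ok\r\n" if self.accept_rcpt
                             else b"550 5.7.1 relaying denied\r\n")
                elif verb == "QUIT":
                    conn.sendall(b"221 2.0.0 bye\r\n")
                    break
                else:
                    reply = b"502 5.5.2 command not implemented\r\n"
                conn.sendall(reply)
        self.sock.close()


def run_lab_check(accept_rcpt=True):
    """Start the fake host, probe it, and return the codes the client saw."""
    host = FakeMailHost(accept_rcpt=accept_rcpt)
    host.start()
    codes = smtp_probe("127.0.0.1", host.port)
    host.join(timeout=5)
    return codes


if __name__ == "__main__":
    print("accepting host:", run_lab_check(True))    # [220, 250, 250, 250, 221]
    print("relay refused :", run_lab_check(False))   # [220, 250, 250, 550]
```

Against a real deployment, call `smtp_probe("200.x.x.x")` from a host on the Internet side; a `ConnectionError` on the banner means the PIX forwarded TCP but the static points at something that is not listening on 25, a timeout means the access-list or static is missing. The MX question in the post above is the other half of that test: `nslookup -type=mx yourdomain` must return the name that resolves to the probed public address, otherwise outside senders never reach the firewall at all.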

    ferandres, Member, #291207

    Re: Pix—> Isa Server ——-> Exchange 2003

    OK OK,

    My email is working well.
    I changed the IP address of my PIX, and all is working.
    Thanks a lot.

    b........u..........t.

    If I put an ISA in the middle? =)
    pix ——> isa ——> exchange
    That is my original idea.

    theterranaut, Member, #285879

    Re: Pix—> Isa Server ——-> Exchange 2003

    I see.

    So- ISA is not involved in this network at this point? You've removed it?
    (Sorry, but if you have, it's not clear from your posts)

    If it is out, unless there's a compelling reason for leaving it in, I wouldn't bother
    putting it back. Is there some reason why you want 2 firewalls?

    regards

    theterranaut

    ferandres, Member, #291208

    Re: Pix—> Isa Server ——-> Exchange 2003

    Hi,
    First, happy holidays.

    Yes, in my working scenario my ISA is not involved.

    But I want to use my ISA in my production scenario.
    The reason for using two firewalls is a decision of my IT director, so I just follow orders at this point....

    So, do you know what I need to do to use my ISA?

    theterranaut, Member, #285881

    Re: Pix—> Isa Server ——-> Exchange 2003

    Hello Ferandres, happy holidays to you as well.

    In theory, as you have the PIX working, all you should need to get working
    now is ISA. As you've already indicated, this will be ISA in "2-leg" mode- a NIC for each network. Obviously, ISA's ‘outside’ net will be the same as the ‘inside’ for your PIX, and ISA's ‘inside’ will be your internal LAN. This will mean reconfiguring your PIX back similarly to the way you had it initially- and that there really are 3 networks involved in this:

    -your ‘outside’ PUBLIC IP addresses (on the PIX's outside)
    -your ‘middle’ network (private addresses, on the inside of the PIX AND outside of ISA)
    -your ‘inside’ LAN (private addresses, on the inside of ISA)

    The tricky parts to remember will be:

    -whatever IP address you use on the ‘middle’ for the PIX's ‘static’ statement for SMTP in will be used by ISA to forward in SMTP to the ‘inside’
    -whatever you use to allow Internet access from the Inside to Outside will have to go through the ‘middle’

    I would strip back ISA, rerun the setup wizards, and choose this scenario. Then, create rules to forward traffic from the ‘middle’ SMTP address to the ‘inside’ IP address, while allowing ‘inside’ access to Internet (if desired).

    Easiest way to accomplish all of this is to break it into 2 halves. Get the PIX working first with ‘outside’ and ‘middle’ networks, and use telnets on appropriate ports to test. Then, get ISA up, configured, and do similar testing.

    (BTW: don't know if anyone uses this, but Netcat is a really powerful tool for testing. For example, you could set up most of the above in a lab, no mail server needed on the inside: then run Netcat on a PC on the inside, ‘listening’ on tcp 25. Then, from a machine on the ‘outside’, telnet to the appropriate IP on 25. If you get a response, your firewall is forwarding in on 25. More info here: http://m.nu/program/util/netcat/netcat.html)

    regards

    theterranaut

    Incidentally, and please do not take this in any pejorative way to yourself- but your IT Director should really consider some proper penetration testing after this is installed. You are clearly new to the PIX, and are obviously a capable person, learning fast as you go along. But these devices protect your network from intrusion, and if there is sufficient reason for installing 2 firewalls then there is sufficient reason for making sure they are installed correctly. Advice from strangers on forums cannot be taken as gospel, and will not keep you in a job when it's proven that an incorrect firewall install caused the network to get cracked.
    (I don't mean to slander IT Directors with my next comment- some of my best friends are IT Directors!- but I see this happen all too often; realising that the shiny new box they've bought may actually need some expensive expertise to install, they shrug, hand it off to the most capable member of their team, who's always a ‘can-doer’ who will shift heaven and earth to get it working. But what if...?)

    So: keep yourself on the right side here, and make it clear that you are no PIX pro, you are learning on the job, and that you take no responsibility for the configuration until it's been signed off by someone else.
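The three-network layout described in the post above, written out as a PIX 6.x configuration fragment. This is an added example, not a config from either poster. It reuses the address ranges posted in this thread (the public address stays masked, as in the posts), assumes ISA's external NIC remains at 172.16.32.2 and Exchange at 192.168.1.5, and the SNMP lines at the end are a hardening note on the posted configs rather than something the thread discusses; the community string there is a placeholder. Lines beginning with a colon are comments, following the ": end" convention in the posted sh run output.

```text
: PIX 6.x, three-network layout: outside = public, inside = the 'middle' net shared
: with ISA's external NIC. Addresses reuse the ranges from this thread.
ip address outside 200.XXX.XXX.XX3 255.255.255.192
ip address inside 172.16.32.1 255.255.255.224
names
name 172.16.32.2 isa-ext
: Outbound: users reach the Internet via ISA, so only the middle net needs PAT
: to the outside interface address.
global (outside) 1 interface
nat (inside) 1 172.16.32.0 255.255.255.224 0 0
: Inbound SMTP: map tcp/25 on the public address to ISA's external NIC, not to
: Exchange. ISA publishes 25 onward to Exchange (192.168.1.5) on its inside leg.
: A port static needs a host (/32) netmask.
static (inside,outside) tcp 200.XXX.XXX.XX3 smtp isa-ext smtp netmask 255.255.255.255 0 0
: One ACL line is enough; the 'any interface outside eq smtp' entry in the posted
: config duplicates it.
access-list ac_out permit tcp any host 200.XXX.XXX.XX3 eq smtp
access-group ac_out in interface outside
: Keep the SMTP fixup (Mailguard) off, as the thread does: it only passes the basic
: RFC 821 verbs and gets in the way of ESMTP between the Internet and Exchange.
no fixup protocol smtp 25
: Hardening the posted configs skipped (assumed values): replace the default
: 'public' read community and restrict polling to the management host on the
: middle net, the same host already allowed for http in the posted config.
snmp-server community Ch4nge-Th1s-C0mmunity
snmp-server host inside 172.16.32.2
```

The ISA half is a server publishing rule (a mail server publishing rule in ISA 2004 terms) that listens for SMTP on the external NIC, 172.16.32.2, and forwards it to 192.168.1.5. The point the later posts converge on is that the PIX static must target ISA's external address, not Exchange, because Exchange is no longer on the PIX's inside subnet. Test each half separately with the telnet or netcat checks above before wiring the other in.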

    ferandres, Member, #291209

    Re: Pix—> Isa Server ——-> Exchange 2003

    Thanks for your advice. I know that I'm not a PIX expert, not even a PIX user; I'm very new with this. But at this moment I need to learn this..=/.

    About what you tell me, at this moment my scenario is
    pix ——> isa ——> exchange
    The Internet connection for users is OK, all users can use the Internet.
    But email is not working.

    I have a question. In past messages you told me to use this line:

    static (inside,outside) tcp 200.XXX.XX.XX3 smtp 192.168.1.5 smtp netmask 255.255.255.255 0 0

    It works fine.

    But now, if I have an ISA in the middle, do I need to continue using this line? Or change the 192.168.1.5 to use the inside or outside ISA IP?

    Thanks for your valuable help.

    ferandres, Member, #291210

    Re: Pix—> Isa Server ——-> Exchange 2003

    I'm very confused in the pix ——> isa ——> exchange scenario....

    I really appreciate your help.

    But I still don't understand something.

    -your ‘outside’ PUBLIC IP addresses (on the PIX's outside): OK
    -your ‘middle’ network (private addresses, on the inside of the PIX AND outside of ISA): OK
    -your ‘inside’ LAN (private addresses, on the inside of ISA): OK

    whatever IP address you use on the ‘middle’ for the PIX's ‘static’ statement for SMTP in will be used by ISA to forward in SMTP to the ‘inside’

    The static statement is:
    static (inside,outside) tcp 200.xxx.xx.xx2 smtp 192.168.1.2 smtp netmask 255.255.255.255 0 0

    So you are telling me that I need to create a rule to forward SMTP from 192.168.1.2 to my Exchange? But Exchange has the same IP that is in the static statement... so I don't understand.

    whatever you use to allow Internet access from the Inside to Outside will have to go through the ‘middle’

    My users in the internal LAN have an Internet connection using: isa ——> pix.



    ferandres, Member, #291211

    Re: Pix—> Isa Server ——-> Exchange 2003

    Finally all is working.

    Testing and testing..
    made me change the static line.

    static (inside,outside) tcp 200.xxx.xx.xx2 smtp 192.168.1.2 smtp netmask 255.255.255.255 0 0

    and change the 192.168.1.2 for the internal PIX IP.
    And all works.

    Thanks a lot, I really appreciate the help in this forum.

    Just to know:
    what do you think of the ISA Server 2004? Is it a good firewall in your opinion?
    I have worked with ISA for 2 years, and no security problems.
    What is your opinion?

    ferandres, Member, #291212

    Re: Pix—> Isa Server ——-> Exchange 2003

    Mistake:
    "and change the 192.168.1.2 for the internal PIX IP"
    should be: the external ISA IP.

    theterranaut, Member, #285882

    Re: Pix—> Isa Server ——-> Exchange 2003

    Hi again,

    yes, I like it, it seems pretty stable, easy to configure, seems to be rated by at least some 3rd party security labs, and is finally available in ‘hardware’ models.

    regards

    theterranaut
