<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Allow access to exchange server thru PIX 501 in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/allow-access-to-exchange-server-thru-pix-501/m-p/134389#M606241</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;The satellite office is also using a PIX 501 for its firewall. I think that the original idea was to set up a vpn tunnel between the two offices. What are the steps involved in setting up the point to point tunnel and allowing the satellite outlook clients to reach their email? Thanks&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Wed, 07 May 2003 14:56:08 GMT</pubDate>
    <dc:creator>footsandersen</dc:creator>
    <dc:date>2003-05-07T14:56:08Z</dc:date>
    <item>
      <title>Allow access to exchange server thru PIX 501</title>
      <link>https://community.cisco.com/t5/network-security/allow-access-to-exchange-server-thru-pix-501/m-p/134387#M606239</link>
      <description>&lt;P&gt;I am new to the PIX and need to allow a satellite office to access an inside exchange server via Outlook. E2k is currently sitting on my DC, which is on the internet. I want to pull the DC off of the internet, firewall it, and still provide email access to the satellite office. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Please help&lt;/P&gt;</description>
      <pubDate>Fri, 21 Feb 2020 06:43:41 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/allow-access-to-exchange-server-thru-pix-501/m-p/134387#M606239</guid>
      <dc:creator>footsandersen</dc:creator>
      <dc:date>2020-02-21T06:43:41Z</dc:date>
    </item>
    <item>
      <title>Re: Allow access to exchange server thru PIX 501</title>
      <link>https://community.cisco.com/t5/network-security/allow-access-to-exchange-server-thru-pix-501/m-p/134388#M606240</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;What does the satellite office have for a firewall? Can we set up a vpn tunnel between the two? This would be the most secure solution to the problem at hand. You can also set up the pix as a remote access vpn, and deploy the cisco vpn client software; this would be more work than a point to point vpn tunnel.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Both of the above solutions are much preferable to opening ports to allow anyone on the internet to connect to your exchange server. &lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 07 May 2003 14:46:05 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/allow-access-to-exchange-server-thru-pix-501/m-p/134388#M606240</guid>
      <dc:creator>mostiguy</dc:creator>
      <dc:date>2003-05-07T14:46:05Z</dc:date>
    </item>
    <item>
      <title>Re: Allow access to exchange server thru PIX 501</title>
      <link>https://community.cisco.com/t5/network-security/allow-access-to-exchange-server-thru-pix-501/m-p/134389#M606241</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;The satellite office is also using a PIX 501 for its firewall. I think that the original idea was to set up a vpn tunnel between the two offices. What are the steps involved in setting up the point to point tunnel and allowing the satellite outlook clients to reach their email? Thanks&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 07 May 2003 14:56:08 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/allow-access-to-exchange-server-thru-pix-501/m-p/134389#M606241</guid>
      <dc:creator>footsandersen</dc:creator>
      <dc:date>2003-05-07T14:56:08Z</dc:date>
    </item>
    <item>
      <title>Re: Allow access to exchange server thru PIX 501</title>
      <link>https://community.cisco.com/t5/network-security/allow-access-to-exchange-server-thru-pix-501/m-p/134390#M606242</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Sweet!&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;In a point to point vpn tunnel, *everything* (all ip network protocols) can go back and forth between the two networks, just as if there were a physical data circuit between them. Do you know if you have the 3des license key? &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;"sh ver" should tell you what license key you have; look for the vpn-3des line. You will need to have at least the des key installed. The des key is free from cisco. The 3des key for a 501 should be about $100US for each unit. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;You will need to be able to administrate the remote pix by its outside interface, can you do this? You might need to have ssh setup to do so. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 07 May 2003 15:06:59 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/allow-access-to-exchange-server-thru-pix-501/m-p/134390#M606242</guid>
      <dc:creator>mostiguy</dc:creator>
      <dc:date>2003-05-07T15:06:59Z</dc:date>
    </item>
    <item>
      <title>Re: Allow access to exchange server thru PIX 501</title>
      <link>https://community.cisco.com/t5/network-security/allow-access-to-exchange-server-thru-pix-501/m-p/134391#M606243</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I don't believe that I have the 3des key, but I will get the des key installed. I have the ip address of the remote pix and the enable password. I'm sorry, I'm really new to this, but what is ssh setup?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 07 May 2003 15:22:33 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/allow-access-to-exchange-server-thru-pix-501/m-p/134391#M606243</guid>
      <dc:creator>footsandersen</dc:creator>
      <dc:date>2003-05-07T15:22:33Z</dc:date>
    </item>
    <item>
      <title>Re: Allow access to exchange server thru PIX 501</title>
      <link>https://community.cisco.com/t5/network-security/allow-access-to-exchange-server-thru-pix-501/m-p/134392#M606244</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;No problem.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;SSH is an encrypted telnet replacement. You cannot use unencrypted telnet to admin a pix through its outside interface. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;After the (3)des key is installed, you will need to login to the pix, &lt;/P&gt;&lt;P&gt;enable&lt;/P&gt;&lt;P&gt;configure terminal &lt;/P&gt;&lt;P&gt;ca generate rsa key &lt;/P&gt;&lt;P&gt;ca save all&lt;/P&gt;&lt;P&gt;(Those commands generate your rsa encryption key pair, and save them)&lt;/P&gt;&lt;P&gt;ssh &amp;lt;IP address&amp;gt; &amp;lt;netblock&amp;gt; outside&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Add ssh lines for as many netblocks as you need.&lt;/P&gt;&lt;P&gt;ssh 1.2.3.4 255.255.255.255 outside means that the host 1.2.3.4 outside the firewall can admin the pix via ssh. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;When you are done, write memory will save the config.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A class="jive-link-custom" href="http://www.chiark.greenend.org.uk/~sgtatham/putty/" target="_blank"&gt;http://www.chiark.greenend.org.uk/~sgtatham/putty/&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Putty is a free windows ssh/telnet client. Download it, put the ip address in, check ssh, and you should be good to go. You might get a pop up about using only single des, but you should still be able to login. The user name through ssh is "pix" &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 07 May 2003 16:52:23 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/allow-access-to-exchange-server-thru-pix-501/m-p/134392#M606244</guid>
      <dc:creator>mostiguy</dc:creator>
      <dc:date>2003-05-07T16:52:23Z</dc:date>
    </item>
    <item>
      <title>Re: Allow access to exchange server thru PIX 501</title>
      <link>https://community.cisco.com/t5/network-security/allow-access-to-exchange-server-thru-pix-501/m-p/134393#M606245</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thanks for all of the help so far.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Is this procedure just for accessing the PIX from the outside interface, or will it have anything to do with setting up the site to site vpn? Will I need the generated encryption keys from the remote PIX in order to access it via ssh? I am not able to physically access the remote site, so I assume the only way to set up the ssh there is to walk someone on site through the procedure, correct?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 07 May 2003 17:06:03 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/allow-access-to-exchange-server-thru-pix-501/m-p/134393#M606245</guid>
      <dc:creator>footsandersen</dc:creator>
      <dc:date>2003-05-07T17:06:03Z</dc:date>
    </item>
    <item>
      <title>Re: Allow access to exchange server thru PIX 501</title>
      <link>https://community.cisco.com/t5/network-security/allow-access-to-exchange-server-thru-pix-501/m-p/134394#M606246</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Yeah, this is all for remote admin of the remote pix. You only need to generate the RSA keys for SSH, and for IPSec scenarios where you use a certificate authority. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Because of the way ipsec tunnels work, you really want to be able to admin the remote pix from the outside ip address/interface. Any solution of controlling the remote pix by the internal interface will not be reliable during ipsec setup and testing (imagine a windows server with terminal services, at your remote site, from which you could telnet to the pix - setting up/testing the tunnel may break the terminal services session, etc). &lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 07 May 2003 17:42:24 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/allow-access-to-exchange-server-thru-pix-501/m-p/134394#M606246</guid>
      <dc:creator>mostiguy</dc:creator>
      <dc:date>2003-05-07T17:42:24Z</dc:date>
    </item>
    <item>
      <title>Re: Allow access to exchange server thru PIX 501</title>
      <link>https://community.cisco.com/t5/network-security/allow-access-to-exchange-server-thru-pix-501/m-p/134395#M606247</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thanks for the info. I will get remote admin. setup and get back to you for the next steps. Is there an overview of the steps necessary to implement this available? &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;One other question. If my exchange server is behind the firewall, will it be able to receive email from the public internet?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 08 May 2003 16:58:57 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/allow-access-to-exchange-server-thru-pix-501/m-p/134395#M606247</guid>
      <dc:creator>footsandersen</dc:creator>
      <dc:date>2003-05-08T16:58:57Z</dc:date>
    </item>
    <item>
      <title>Re: Allow access to exchange server thru PIX 501</title>
      <link>https://community.cisco.com/t5/network-security/allow-access-to-exchange-server-thru-pix-501/m-p/134396#M606248</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;You will want to have an access-list attached to the outside interface in the in direction, or use a conduit command to open tcp port 25, smtp, to everyone. This is the only port you need to receive internet email (in the default pix config, all connections outbound are permitted, so your email server originates smtp connections from its high numbered ports to other people's mail servers on port 25).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 08 May 2003 18:51:24 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/allow-access-to-exchange-server-thru-pix-501/m-p/134396#M606248</guid>
      <dc:creator>mostiguy</dc:creator>
      <dc:date>2003-05-08T18:51:24Z</dc:date>
    </item>
    <item>
      <title>Re: Allow access to exchange server thru PIX 501</title>
      <link>https://community.cisco.com/t5/network-security/allow-access-to-exchange-server-thru-pix-501/m-p/134397#M606249</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;&lt;A class="jive-link-custom" href="http://www.cisco.com/warp/public/110/38.html" target="_blank"&gt;http://www.cisco.com/warp/public/110/38.html&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Is a good link for simple site to site IPSec vpn configuration. I would recommend using ISAKMP with preshared keys. &lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 08 May 2003 19:43:16 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/allow-access-to-exchange-server-thru-pix-501/m-p/134397#M606249</guid>
      <dc:creator>mostiguy</dc:creator>
      <dc:date>2003-05-08T19:43:16Z</dc:date>
    </item>
    <item>
      <title>Re: Allow access to exchange server thru PIX 501</title>
      <link>https://community.cisco.com/t5/network-security/allow-access-to-exchange-server-thru-pix-501/m-p/134398#M606250</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi again,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I've got the remote pix configured so that I can access it via ssh. What are the next steps for setting up the site to site vpn? Thanks&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 19 May 2003 15:25:14 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/allow-access-to-exchange-server-thru-pix-501/m-p/134398#M606250</guid>
      <dc:creator>footsandersen</dc:creator>
      <dc:date>2003-05-19T15:25:14Z</dc:date>
    </item>
    <item>
      <title>Re: Allow access to exchange server thru PIX 501</title>
      <link>https://community.cisco.com/t5/network-security/allow-access-to-exchange-server-thru-pix-501/m-p/134399#M606251</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Did you check the link I posted in the post above? That should get you going. Start working with that, and report back if you cannot make it work&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 20 May 2003 12:13:06 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/allow-access-to-exchange-server-thru-pix-501/m-p/134399#M606251</guid>
      <dc:creator>mostiguy</dc:creator>
      <dc:date>2003-05-20T12:13:06Z</dc:date>
    </item>
    <item>
      <title>Re: Allow access to exchange server thru PIX 501</title>
      <link>https://community.cisco.com/t5/network-security/allow-access-to-exchange-server-thru-pix-501/m-p/134400#M606252</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thanks, I'll try and work with the link and get back if I have problems. I plan on attempting it this fri night.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 20 May 2003 13:54:49 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/allow-access-to-exchange-server-thru-pix-501/m-p/134400#M606252</guid>
      <dc:creator>footsandersen</dc:creator>
      <dc:date>2003-05-20T13:54:49Z</dc:date>
    </item>
    <item>
      <title>Re: Allow access to exchange server thru PIX 501</title>
      <link>https://community.cisco.com/t5/network-security/allow-access-to-exchange-server-thru-pix-501/m-p/134401#M606253</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I think that I will be able to set up the site to site, but I have 3 more questions for you if you don't mind.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;1. After the VPN is set up, how does the remote office configure Eudora to pull email off of the local Exchange server? Is it by IP address of the exchange server or DNS name?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;2. The local Exchange server is currently sitting on the internet @ x.x.x.x (mail.domain.com) which is our only registered IP address. After moving x.x.x.x to the outside interface of the PIX 501, how are mail requests from the remote office routed to the exchange server/domain controller? This box has 2 NICs, 1 internal and 1 external that currently has the IP address that will be moved to the outside interface of the PIX.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;3. After firewalling the network, including the Exchange server/Domain Controller, how does email cross the PIX to get to the server? I know that I need to open port 25 through the pix, but how do I route it to the server?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks for all of your help!&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 20 May 2003 18:29:04 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/allow-access-to-exchange-server-thru-pix-501/m-p/134401#M606253</guid>
      <dc:creator>footsandersen</dc:creator>
      <dc:date>2003-05-20T18:29:04Z</dc:date>
    </item>
    <item>
      <title>Re: Allow access to exchange server thru PIX 501</title>
      <link>https://community.cisco.com/t5/network-security/allow-access-to-exchange-server-thru-pix-501/m-p/134402#M606254</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Be very careful from now, since you are attempting to do two things: set up site-to-site VPN and move the Exchange server. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I suggest de-linking the two. First finish your VPN connectivity and test for functionality, since this is the easier of the two tasks. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;2 and 3. If you are moving the mail server to the outside of the PIX interface, then that has nothing to do with VPN. Also, there is nothing you need to do on the PIX to allow the requests, again, if the server is going to be on the same subnet as that of the outside interface of the PIX; of course you need to permit 'smtp' on any router that is on the 'outside' interface of the firewall. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If you are moving mail servers, be sure to follow the best-practices methodology in terms of creating one more MX entry with a higher priority, let it propagate, and then remove the old server etc.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Hope this is helpful.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Best rgds / Sampath.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 20 May 2003 19:33:32 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/allow-access-to-exchange-server-thru-pix-501/m-p/134402#M606254</guid>
      <dc:creator>sampathsr</dc:creator>
      <dc:date>2003-05-20T19:33:32Z</dc:date>
    </item>
    <item>
      <title>Re: Allow access to exchange server thru PIX 501</title>
      <link>https://community.cisco.com/t5/network-security/allow-access-to-exchange-server-thru-pix-501/m-p/134403#M606255</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;1. It depends. It ultimately needs to talk to the internal (behind the firewall) ip address of the exchange server. If you are running WINS and/or DNS *internally*, then the hostname of the machine should work. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;2&amp;amp;3. You move the exchange box in, you set up a static statement that forwards port 25 from that old, external ip, to the new internal ip. You allow access from everyone to that ip address via an ACL or conduit list, and you should be all set. All inbound internet email connections should travel via the static, and thru the hole from the ACL/conduit, and into the exchange server's smtp service. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Basically, imagine:&lt;/P&gt;&lt;P&gt;Current:&lt;/P&gt;&lt;P&gt;Exchange: 1.2.3.4&lt;/P&gt;&lt;P&gt;Pix outside: 1.2.3.5&lt;/P&gt;&lt;P&gt;Pix inside: 192.168.0.1&lt;/P&gt;&lt;P&gt;Move exchange inside. Make its ip address 192.168.0.254. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;On the pix&lt;/P&gt;&lt;P&gt;static (inside, outside) 1.2.3.4 192.168.0.254&lt;/P&gt;&lt;P&gt;then either:&lt;/P&gt;&lt;P&gt;conduit permit tcp host 1.2.3.4 eq 25 any&lt;/P&gt;&lt;P&gt;or&lt;/P&gt;&lt;P&gt;access-list XXX permit tcp any host 1.2.3.4 eq 25&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;25 is all you need to receive email. All outbound email goes out via PIX's stateful feature set that allows all tcp and udp outbound connections by default.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt; If you have users outside of the firewall (meaning not at either site connected via the IPSec tunnel) that need to access email, it depends on how they access it. POP3 is tcp port 110. IMAP is tcp 143. If they want to use Outlook in corporate mode, you need to open tons of ports and that is bad - my recommendation is to set them up with the cisco vpn client software and allow them access to outlook that way. 
&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Since I can't see the full thread in this reply window, I am assuming that the exchange and domain controller are the same box, or that you are moving them at the same time. &lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 20 May 2003 20:51:23 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/allow-access-to-exchange-server-thru-pix-501/m-p/134403#M606255</guid>
      <dc:creator>mostiguy</dc:creator>
      <dc:date>2003-05-20T20:51:23Z</dc:date>
    </item>
    <item>
      <title>Re: Allow access to exchange server thru PIX 501</title>
      <link>https://community.cisco.com/t5/network-security/allow-access-to-exchange-server-thru-pix-501/m-p/134404#M606256</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Yeah, the exchange and domain controller are on the same box as part of SBS2K. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I understand the access-list is preferred over conduit commands these days. Can I number the access-list (xxx) arbitrarily, or should it be a specific number? Also, the access-list you defined is already bound to the outside interface, correct?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks for all of the help, I think I'm about ready to try this.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 21 May 2003 00:13:20 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/allow-access-to-exchange-server-thru-pix-501/m-p/134404#M606256</guid>
      <dc:creator>footsandersen</dc:creator>
      <dc:date>2003-05-21T00:13:20Z</dc:date>
    </item>
    <item>
      <title>Re: Allow access to exchange server thru PIX 501</title>
      <link>https://community.cisco.com/t5/network-security/allow-access-to-exchange-server-thru-pix-501/m-p/134405#M606257</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Now the remote office techs don't want to create a site to site VPN because of the assoc. overhead, speed and complication. They suggest that I just open up ports 25 and 110 and static them to the new address of the exchange server so that they continue to receive their email off of the internet.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Current setup:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;DC/Exchange external 1.2.3.4&lt;/P&gt;&lt;P&gt;DC/Exchange internal 10.0.0.1&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Proposed:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;PIX External 1.2.3.4&lt;/P&gt;&lt;P&gt;PIX Internal 10.0.0.2&lt;/P&gt;&lt;P&gt;DC/Exchange external 10.0.0.3&lt;/P&gt;&lt;P&gt;DC/Exchange internal 10.0.0.1&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Would this work? And what are the commands to open ports 25 and 110 and route them to the DC/Exchange box?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks again&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 22 May 2003 15:48:35 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/allow-access-to-exchange-server-thru-pix-501/m-p/134405#M606257</guid>
      <dc:creator>footsandersen</dc:creator>
      <dc:date>2003-05-22T15:48:35Z</dc:date>
    </item>
    <item>
      <title>Re: Allow access to exchange server thru PIX 501</title>
      <link>https://community.cisco.com/t5/network-security/allow-access-to-exchange-server-thru-pix-501/m-p/134406#M606258</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Tell them to get lost. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;using pop3 means that your nt domain usernames and passwords go across the internet in unencrypted clear text.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;using pop3 means that all email is kept locally, and not on the server. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;As such, I find pop3 inconsistent with a decently secured setup, especially when the user name/passwords being used are nt credentials being passed in clear text.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 22 May 2003 20:43:47 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/allow-access-to-exchange-server-thru-pix-501/m-p/134406#M606258</guid>
      <dc:creator>mostiguy</dc:creator>
      <dc:date>2003-05-22T20:43:47Z</dc:date>
    </item>
  </channel>
</rss>

