
Allow access to exchange server thru PIX 501


I am new to the PIX and need to allow a satellite office to access an inside exchange server via Outlook. E2k is currently sitting on my DC, which is on the internet. I want to pull the DC off of the internet, firewall it, and still provide email access to the satellite office.

Please help



What does the satellite office have for a firewall? Can we set up a vpn tunnel between the two? This would be the most secure solution to the problem at hand. You can also set up the pix as a remote access vpn and deploy the cisco vpn client software; this would be more work than a point to point vpn tunnel.

Both of the above solutions are much preferable to opening ports to allow anyone on the internet to connect to your exchange server.

The satellite office is also using a PIX 501 for its firewall. I think that the original idea was to set up a vpn tunnel between the two offices. What are the steps involved in setting up the point to point tunnel and allowing the satellite outlook clients to reach their email? Thanks


In a point to point vpn tunnel, *everything* (all ip network protocols) can go back and forth between the two networks, just as if there were a physical data circuit between them. Do you know if you have the 3des license key?

"sh ver" should tell you what license key you have, look for the vpn-3des line. You will need to have at least the des key installed. The des key is free from cisco. The 3des key for a 501 should be about $100US for each unit.

You will need to be able to administrate the remote pix by its outside interface, can you do this? You might need to have ssh set up to do so.

I don't believe that I have the 3des key, but I will get the des key installed. I have the ip address of the remote pix and the enable password. I'm sorry, I'm really new to this, but what is ssh setup?

No problem.

SSH is an encrypted telnet replacement. You cannot use unencrypted telnet to admin a pix through its outside interface.

After the (3)des key is installed, you will need to log in to the pix, then:

configure terminal

ca generate rsa key 1024

ca save all

(Those commands generate your rsa encryption key pair and save them)

ssh <admin-ip-or-netblock> <netmask> outside

Add ssh lines for as many netblocks as you need.

ssh outside means that the host outside the firewall can admin the pix via ssh.

When you are done, "write memory" will save the config.

Putty is a free windows ssh/telnet client. Download it, put the ip address in, check ssh, and you should be good to go. You might get a pop-up about using only single des, but you should still be able to login. The user name through ssh is "pix".

Thanks for all of the help so far.

Is this procedure just for accessing the PIX from the outside interface, or will it have anything to do with setting up the site to site vpn? Will I need the generated encryption keys from the remote PIX in order to access it via ssh? I am not able to physically access the remote site, so I assume the only way to set up the ssh there is to walk someone on site through the procedure, correct?

Yeah, this is all for remote admin of the remote pix. You only need to generate the RSA keys for SSH, and for IPSec scenarios where you use a certificate authority.

Because of the way ipsec tunnels work, you really want to be able to admin the remote pix from the outside ip address/interface. Any solution of controlling the remote pix by the internal interface will not be reliable during ipsec setup and testing (imagine a windows server with terminal services at your remote site, from which you could telnet to the pix; setting up/testing the tunnel may break the terminal services session, etc).

Thanks for the info. I will get remote admin setup and get back to you for the next steps. Is there an overview of the steps necessary to implement this available?

One other question. If my exchange server is behind the firewall, will it be able to receive email from the public internet?


You will want to have an access-list attached to the outside interface in the in direction, or use a conduit command to open tcp port 25, smtp, to everyone. This is the only port you need to receive internet email (in the default pix config, all connections outbound are permitted, so your email server originates smtp connections from its high numbered ports to other people's mail servers on port 25).

Is a good link for simple site to site IPSec vpn configuration. I would recommend using ISAKMP with preshared keys.
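Putting the advice in this thread together, here is an added example (not posted by anyone in the thread) of what the main-office PIX 501 would end up with in PIX 6.x syntax: SSH admin restricted to one admin address, only tcp/25 published to the Exchange server, and a site-to-site IPSec tunnel to the satellite PIX using ISAKMP with a preshared key. All addresses, names and the shared secret are placeholders; the main LAN is assumed to be 192.168.1.0/24, the satellite LAN 192.168.2.0/24, and lines beginning with "!" are annotations to strip before pasting.

```cisco
! Added example configuration for the main-office PIX (PIX 6.x). Placeholders only.
!
! --- Remote admin: SSH from the admin host's public address only ---
ssh 198.51.100.10 255.255.255.255 outside
ssh timeout 10
!
! --- Internet mail: expose only tcp/25 on the Exchange server's public address ---
static (inside,outside) 203.0.113.25 192.168.1.10 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.25 eq smtp
access-group outside_in in interface outside
!
! --- Site-to-site IPSec to the satellite PIX at 198.51.100.1, ISAKMP preshared key ---
! LAN-to-LAN traffic bypasses NAT so Outlook reaches Exchange by its inside address.
access-list vpn_traffic permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list vpn_traffic
! Decrypted tunnel traffic skips the outside ACL, so outside_in stays smtp-only.
sysopt connection permit-ipsec
! Only DES is available without the 3DES license; switch to esp-3des once it is installed.
crypto ipsec transform-set satellite_set esp-des esp-md5-hmac
crypto map satellite_map 10 ipsec-isakmp
crypto map satellite_map 10 match address vpn_traffic
crypto map satellite_map 10 set peer 198.51.100.1
crypto map satellite_map 10 set transform-set satellite_set
crypto map satellite_map interface outside
isakmp enable outside
isakmp key REPLACE_WITH_SHARED_SECRET address 198.51.100.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

The satellite PIX gets the mirror image (its own LAN and the main office's addresses swapped, the same transform set, policy and shared secret) but no static or smtp access-list, since it hosts no mail server.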

Hi again,

I've got the remote pix configured so that I can access it via ssh. What are the next steps for setting up the site to site vpn? Thanks

Did you check the link I posted in the post above? That should get you going. Start working with that, and report back if you cannot make it work.