
Allow access to exchange server thru PIX 501


I am new to the PIX and need to allow a satellite office to access an inside exchange server via Outlook. E2k is currently sitting on my DC, which is on the internet. I want to pull the DC off of the internet, firewall it, and still provide email access to the satellite office.

Please help

19 Replies

Be very careful from now, since you are attempting to do two things: set up site-to-site VPN and move the Exchange server.

I suggest de-link the two. First finish your VPN connectivity and test for functionality, since this is the easier of the two tasks.

2 and 3. If you are moving the mail server to the outside of the PIX interface, then that has nothing to do with VPN. Also, there is nothing you need to do on the PIX to allow the requests, again, if the server is going to be on the same subnet as that of the outside interface of the PIX; of course you need to permit 'smtp' on any router that is on the 'outside' interface of the firewall.

If you are moving mail servers, be sure to follow the best-practices methodology in terms of creating one more MX entry with a higher priority, let it propagate, and then remove the old server, etc., etc.

Hope this is helpful.

Best rgds / Sampath.

1. It depends. It ultimately needs to talk to the internal (behind the firewall) ip address of the exchange server. If you are running WINS and or DNS *internally*, then the hostname of the machine should work.

2&3. You move the exchange box in, you set up a static statement that forwards port 25 from that old, external ip, to the new internal ip. You allow access from everyone to that ip address via an ACL or conduit list, and you should be all set. All inbound internet email connections should travel via the static, and through the hole from the ACL/conduit, and into the exchange server's smtp service.

Basically, imagine:


Exchange :

Pix outside:

Pix inside:

Move exchange inside. Make its ip address

On the pix

static (inside, outside)

then either:

conduit permit tcp host eq 25 any


access-list XXX permit tcp any host eq 25

25 is all you need to receive email. All outbound email goes out via PIX's stateful feature set that allows all tcp and udp outbound connections by default.

If you have users outside of the firewall (meaning not at either site connected via the IPSec tunnel) that need to access email, it depends on how they access it. POP3 is tcp port 110. IMAP is tcp 143. If they want to use Outlook in corporate mode, you need to open tons of ports and that is bad - my recommendation is to set them up with the cisco vpn client software and allow them access to outlook that way.

Since I can't see the full thread in this reply window, I am assuming that the exchange and domain controller are the same box, or that you are moving them at the same time.
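The static-plus-ACL setup described in the reply above, written out as an added example (not the poster's own commands, and not a config from the original thread). Every address is a constructed placeholder, and the ACL name "outside_in" is an assumption; the access-group line is the binding step the reply does not show.

```text
! Added example, PIX 6.x syntax. Addresses are constructed placeholders:
!   Exchange, new inside address : 192.168.1.10  (RFC 1918)
!   Public address kept for mail : 203.0.113.10  (RFC 5737, on the PIX outside subnet)
!
! 1. One-to-one static translation: packets arriving on the outside
!    interface for 203.0.113.10 are delivered to 192.168.1.10 inside.
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
!
! 2. Permit only SMTP (tcp/25) from anywhere to the translated address.
!    The ACL identifier ("outside_in" here) is an arbitrary name.
access-list outside_in permit tcp any host 203.0.113.10 eq smtp
!
! 3. Bind the ACL inbound on the outside interface. An ACL that is not
!    applied with access-group does nothing. Once it is applied, anything
!    not explicitly permitted (POP3/110, IMAP/143, the Outlook RPC ports)
!    is dropped at the firewall.
access-group outside_in in interface outside
!
! 4. Clear existing translations so the new static takes effect, then verify.
clear xlate
show static
show access-list outside_in
```

The equivalent older form would be a single conduit line (conduit permit tcp host 203.0.113.10 eq 25 any) with no access-group; the two styles are not meant to be mixed on the same PIX.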

Yeah, the exchange and domain controller are on the same box as part of SBS2K.

I understand the access-list is preferred over conduit commands these days. Can I number the access-list (xxx) arbitrarily, or should it be a specific number? Also, the access-list you defined is already bound to the outside interface, correct?

Thanks for all of the help, I think I'm about ready to try this.

Now the remote office techs don't want to create a site to site VPN because of the assoc. overhead, speed and complication. They suggest that I just open up ports 25 and 110 and static them to the new address of the exchange server so that they continue to receive their email off of the internet.

Current setup:

DC/Exchange external

DC/Exchange internal


PIX External

PIX Internal

DC/Exchange external

DC/Exchange internal

Would this work? And what are the commands to open ports 25 and 110 and route them to the DC/Exchange box?

Thanks again

Tell them to get lost.

Using pop3 means that your NT domain usernames and passwords go across the internet in unencrypted clear text.

Using pop3 means that all email is kept locally, and not on the server.

As such, I find pop3 inconsistent with a decently secured setup, especially when the user name/passwords being used are NT credentials being passed in clear text.
