cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1096
Views
0
Helpful
4
Replies

PIX/MS Exchange 2000 front-end/back-end problem

fembsen
Level 1
Level 1

Hi,

I have a problem with a front-end/back-end Windows2000/Exchange2000 configuration. The front- and back-end servers are on seperate interfaces of a PIX 515 UR, where the back-end server is on the higher security level. The servers are in the same domain.

All the communication between the servers works fine (like domain logons, accessing shares, etc.) but the information store on the front-end server won't start. I tried replacing the PIX with a router and everything worked fine so its something in the PIX that causes the problem.

In networktraces made, it looks like there's a packet being passed to the Target DC which the Target DC cannot understand, whether the data is truncated, missing, etc... The traces show that the front end server is trying to bind to the DC however the DC comes back with a status of UNBIND. I lookes like something in the firewall is stripping data back to the DC or at least data passing the firewall is somehow getting changed.

Can anyone help me.

Thanks.

Frank

4 Replies 4

thong.do
Level 1
Level 1

- Remember the Global address of the outsite interface.

Add the following commands:

- static (inside,outside) Global_IP_Address IP_ExchangeSrv_InSide

- conduit permit tcp host Global_IP_Address eq 139 host ExchngSrv_Out

- conduit permit udp host Global_IP_Address eq 137 host ExchngSrv_Out

- conduit permit udp host Global_IP_Address eq 138 host ExchngSrv_Out

- conduit permit udp host Global_IP_Address eq 135 host ExchngSrv_Out

and add the following command :

establish tcp 135 permitto tcp 1024-65535

Good Luck

fembsen
Level 1
Level 1

Thanx for the info but I allready tried all those things. Here are some parts of the config (the servers 10.10.1.1-3 are all the DC's and the 10.10.1.2 is the exchange back-end, the 10.11.3.10 is the exchange front-end):

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 exnet security80

nameif ethernet3 wlan security60

nameif ethernet4 dmz security40

ip address outside 99.99.99.99 255.255.255.0

ip address inside 10.11.1.254 255.255.255.0

ip address exnet 10.10.1.254 255.255.0.0

ip address wlan 10.11.2.254 255.255.255.0

ip address dmz 10.11.3.254 255.255.255.0

access-list acl-ex permit ip host 10.10.1.1 host 10.11.3.10

access-list acl-ex permit ip host 10.10.1.2 host 10.11.3.10

access-list acl-ex permit ip host 10.10.1.3 host 10.11.3.10

access-list acl-dmz permit ip host 10.11.3.10 host 10.10.1.1

access-list acl-dmz permit ip host 10.11.3.10 host 10.10.1.2

access-list acl-dmz permit ip host 10.11.3.10 host 10.10.1.3

access-group acl-ex in interface exnet

access-group acl-dmz in interface dmz

global (dmz) 1 10.11.3.11-10.11.3.200 netmask 255.255.255.0

nat (exnet) 1 0.0.0.0 0.0.0.0 0 0

static (exnet,dmz) 10.10.1.2 10.10.1.2 netmask 255.255.255.255 0 0

static (exnet,dmz) 10.10.1.1 10.10.1.1 netmask 255.255.255.255 0 0

static (exnet,dmz) 10.10.1.3 10.10.1.3 netmask 255.255.255.255 0 0

Furthermore, DNS is ok, mail to and from the internet works ok, the front-end and back-end can communicate on all levels (shares, domain logons, rpc-pings, normal pings, telnet etc.). All that fails is the Exchange information store on the front-end. When I put in a router it works so it look like the the PIX causes the problem.

I have tried the established command but it didn't help, I have tried clearing all access-lists and put in access-lists with 'permit ip any any' on all interfaces but that also didn't work, I have looked at traces etc. All that strikes me as odd is that, when starting the information store, the rpc communication doesn't even start. All I see is DNS, LDAP, ICMP and Kerebos traffic.

Please let me know if you have any more suggestions. It becoming a rather urgent problem now.

Thankx, Frank

Have you ever try this yet ?

At the DMZ subnet:

- What are the primary & secondary WIN servers that Exchange server 10.11.3.10 use ?

- Does Exchange server 10.11.3.10 is installed with Win service ?

- Do you define static mapping for the inside domain controler, and the server name within the WIN servers in the DMZ subnet ?

At the Exnet subnet, do the same thing with WIN service & static mapping.

Good Luck Frank,

Hi,

We don't use WINS, we only use DNS as naming service. Do I Have to use WINS to make it work? Because when I replace the PIX with a router it works. This would mean that WINS is not needed.

All the DC's are staticly mapped from the exnet subnet to the dmz subnet with their own addresses:

static (llnet,dmz) 10.10.1.2 10.10.1.2 netmask 255.255.255.255 0 0

static (llnet,dmz) 10.10.1.1 10.10.1.1 netmask 255.255.255.255 0 0

static (llnet,dmz) 10.10.1.3 10.10.1.3 netmask 255.255.255.255 0 0

So, the front-end 10.11.3.10 can ping the 10.10.1.1/2/3 on ip-address, hostname and FQDN. Also the DC's (10.10.1.1/2/3) can ping the front-end 10.11.3.10 using the ip-address, hostname or FQDN. DNS forward and reverse lookups show the correct info.

Outbound traffic from the exnet subnet to the dmz subnet uses NAT and a GLOBAL:

nat (exnet) 1 0.0.0.0 0.0.0.0 0 0

global (dmz) 1 10.11.3.11-10.11.3.200 netmask 255.255.255.0

Could the problem be something else? Would the installation of WINS be the best suggestion?

Thanx, Frank

Review Cisco Networking for a $25 gift card