PIX with Exchange

agoodwin
Level 1

Hi,

Would anyone be able to confirm or give me some hints on what I need to do to get an Exchange server functioning OK through a PIX (I have a 506, but I assume it's the same for all)?

Is it just a case of allowing it access out through nat/global and then having an access-list that allows port 25 traffic to the global IP address the server is using?

Or will I need a nat with a static and the access-list?

Many thanks for your time.

cheers

Andy

6 Replies

s-ariga
Level 1

1. Static NAT the global address to the internal address of the Exchange server.

2. Have an access-list allowing port 25 to the global address of the server.

3. Disable the SMTP fixup protocol if running into trouble.

exigent
Level 1

Andy,

Three things:

Create a static mapping between the private IP of the Exchange server and the public IP that is associated with your MX record:

static (inside,outside) [pubIP] [privIP] netmask [subnetmask] 0 0

Create an access-list to allow port 25 traffic in:

access-list acl_out permit tcp any host [pubIPofMXrecord] eq smtp

Apply the access-list to an access-group:

access-group acl_out in interface outside

Make sure to disable the fixup protocol for SMTP, because it does not work with Exchange:

no fixup protocol smtp 25

Do a write mem to save the configuration to memory.

Sincerely,

Alex Zaltsman

create an access-list
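The two replies above (s-ariga's three steps and Alex's static / access-list / access-group / no fixup sequence) describe the same pattern, and the later replies warn against opening anything but port 25 to Exchange. As an added example, not code from this thread or from Cisco, here is a small Python audit that parses a PIX 6.x-style config fragment and checks it against that pattern: the static must map the MX address to the server, an access-list applied inbound on the outside interface must permit TCP/25 to it, any other permit reaching the host is flagged, and a still-enabled SMTP fixup is reported. The two config samples, the addresses 203.0.113.10 / 10.1.1.25 and the ACL name acl_out are constructed for the example.

```python
"""Audit a PIX 6.x-style config fragment for the inbound-SMTP-to-Exchange
pattern from this thread.  Added example; assumes PIX 6.x syntax
(static / access-list / access-group / fixup protocol) and that only
TCP/25 should reach the Exchange host from the outside."""
import re

# PIX port literals translated to numbers; anything else is kept as typed.
PORT_NAMES = {"smtp": "25", "pop3": "110", "imap4": "143",
              "ldap": "389", "netbios-ssn": "139"}

# Constructed sample: the configuration the replies above recommend.
SAMPLE_GOOD = """\
static (inside,outside) 203.0.113.10 10.1.1.25 netmask 255.255.255.255 0 0
access-list acl_out permit tcp any host 203.0.113.10 eq smtp
access-group acl_out in interface outside
no fixup protocol smtp 25
"""

# Constructed sample: ACL never applied, RPC/NetBIOS exposed, fixup left on.
SAMPLE_LOOSE = """\
static (inside,outside) 203.0.113.10 10.1.1.25 netmask 255.255.255.255 0 0
access-list acl_out permit tcp any host 203.0.113.10 eq smtp
access-list acl_out permit tcp any host 203.0.113.10 eq 135
access-list acl_out permit tcp any host 203.0.113.10 eq netbios-ssn
"""


def _addr(tokens):
    """Consume one PIX address spec (any | host X | X mask) from a token list."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    return f"{tokens[0]}/{tokens[1]}", tokens[2:]


def parse_pix(text):
    """Pull statics, ACL entries, access-group bindings and disabled fixups."""
    cfg = {"statics": [], "acl": [], "groups": {}, "fixup_off": set()}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"static \((\S+),(\S+)\) (\S+) (\S+)", line)
        if m:
            cfg["statics"].append(m.groups())  # (in_if, out_if, global, local)
            continue
        m = re.match(r"access-list (\S+) (permit|deny) (\S+) (.+)", line)
        if m:
            name, action, proto, rest = m.groups()
            src, rest = _addr(rest.split())
            dst, rest = _addr(rest)
            port = None
            if len(rest) >= 2 and rest[0] == "eq":
                port = PORT_NAMES.get(rest[1], rest[1])
            cfg["acl"].append({"name": name, "action": action, "proto": proto,
                               "src": src, "dst": dst, "port": port})
            continue
        m = re.match(r"access-group (\S+) (in|out) interface (\S+)", line)
        if m:
            cfg["groups"][m.group(1)] = (m.group(2), m.group(3))
            continue
        m = re.match(r"no fixup protocol (\S+) (\d+)", line)
        if m:
            cfg["fixup_off"].add(m.group(1))
    return cfg


def audit_exchange(text, pub_ip, priv_ip):
    """Return a list of findings; empty means the fragment matches the thread's
    recipe and exposes nothing but SMTP on the Exchange host."""
    cfg = parse_pix(text)
    findings = []
    if ("inside", "outside", pub_ip, priv_ip) not in cfg["statics"]:
        findings.append(f"no static (inside,outside) {pub_ip} {priv_ip}")
    outside_acls = {n for n, bind in cfg["groups"].items()
                    if bind == ("in", "outside")}
    reaches_host = [e for e in cfg["acl"]
                    if e["action"] == "permit" and e["dst"] in (pub_ip, "any")]
    smtp_rules = [e for e in reaches_host
                  if e["proto"] == "tcp" and e["port"] == "25"]
    if not smtp_rules:
        findings.append("no access-list permits tcp ... eq smtp to the MX address")
    elif not any(e["name"] in outside_acls for e in smtp_rules):
        findings.append("SMTP access-list exists but is not applied "
                        "'in interface outside' by an access-group")
    for e in reaches_host:
        if not (e["proto"] == "tcp" and e["port"] == "25"):
            findings.append(f"{e['name']} also permits {e['proto']}/"
                            f"{e['port'] or 'all'} to {e['dst']}; only TCP/25 "
                            "should reach Exchange from the Internet")
    if "smtp" not in cfg["fixup_off"]:
        findings.append("fixup protocol smtp 25 still enabled; the replies "
                        "recommend 'no fixup protocol smtp 25' for Exchange")
    return findings


if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("loose", SAMPLE_LOOSE)):
        print(label, audit_exchange(sample, "203.0.113.10", "10.1.1.25") or "OK")
```

Run it against a `show run` capture after applying the steps; the "loose" sample shows the two mistakes most likely to bite here, an ACL that was written but never bound with access-group (so nothing is actually permitted) and extra RPC/NetBIOS permits that hand the Exchange RPC endpoint mapper to the Internet.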

jniederauer
Level 1

I'm running Exchange 5.5 and actually looking to switch to a Cisco firewall. I know that when I set up my firewall to allow Exchange, I checked the Microsoft knowledge base and used the following article to force certain ports for client access. You may want to read:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q148732

-JDN

FYI, this article is referring to making Exchange available to the Internet in the context of Outlook access, not transporting e-mail. To send and receive e-mail you only need port 25 open and mapped to the correct private IP address. I don't recommend that anyone allow direct access to Exchange services from the Internet. Instead, a VPN is a better solution.

agoodwin
Level 1

Thanks very much for your time. At the moment everything looks like it's working a treat.

cheers

Andy

thompson
Level 1

Here is a list of well-known ports used by Windows and Exchange. Hope it helps.

List of Ports Used by Windows NT:

Function                  Static ports
--------                  ------------
Browsing                  UDP:137,138
DHCP Lease                UDP:67,68
DHCP Manager              TCP:135
Directory Replication     UDP:138 TCP:139
DNS Administration        TCP:135
DNS Resolution            UDP:53
Event Viewer              TCP:139
File Sharing              TCP:139
Logon Sequence            UDP:137,138 TCP:139
NetLogon                  UDP:138
Pass Through Validation   UDP:137,138 TCP:139
Performance Monitor       TCP:139
PPTP                      TCP:1723 IP Protocol:47 (GRE)
Printing                  UDP:137,138 TCP:139
Registry Editor           TCP:139
Server Manager            TCP:139
Trusts                    UDP:137,138 TCP:139
User Manager              TCP:139
WinNT Diagnostics         TCP:139
WinNT Secure Channel      UDP:137,138 TCP:139
WINS Replication          TCP:42
WINS Manager              TCP:135
WINS Registration         TCP:137

List of Ports Used by WLBS and Convoy for Cluster Control:

Function                  Static ports
--------                  ------------
Convoy                    UDP:1717
WLBS                      UDP:2504

List of Ports Used by Microsoft Exchange Server version 5.0:

Function                  Static ports
--------                  ------------
Client/Server Comm.       TCP:135
Exchange Administrator    TCP:135
IMAP                      TCP:143
IMAP (SSL)                TCP:993
LDAP                      TCP:389
LDAP (SSL)                TCP:636
MTA - X.400 over TCP/IP   TCP:102
POP3                      TCP:110
POP3 (SSL)                TCP:995
RPC                       TCP:135
SMTP                      TCP:25
NNTP                      TCP:119
NNTP (SSL)                TCP:563
