08-02-2007 04:06 AM - edited 03-11-2019 03:52 AM
Hi,
Inside there is an AD server.
The DMZ has an Exchange mail server.
Problem:
1. The Exchange service does not start.
2. The ASA access-list allows all IP:
access-list temp permit ip any any
access-group temp in interface dmz
access-group temp in interface inside
access-group temp in interface outside
3. The Exchange server can ping the AD server.
4. The AD server can ping the Exchange server.
5. The Exchange server can access AD server port 80, and the AD server can access Exchange server port 80.
08-02-2007 11:15 AM
Hi,
I'm not sure what Exchange topology you use but here are the ports required for an Exchange FE - BE topology:
If you are using a front-end server in a perimeter network, open TCP ports on the firewall for the protocols you are using:
80 for HTTP
143 for IMAP
110 for POP
25 for SMTP
691 for Link State Algorithm routing protocol
Open ports for Active Directory Communication:
TCP port 389 for LDAP to Directory Service
UDP port 389 for LDAP to Directory Service
TCP port 3268 for LDAP to Global Catalog Server
TCP port 88 for Kerberos authentication
UDP port 88 for Kerberos authentication
Open the ports required for access to the DNS server:
TCP port 53
UDP port 53
Open the appropriate ports for RPC communication:
TCP port 135 - RPC endpoint mapper
TCP ports 1024+ - random RPC service ports
(Optional) To limit RPCs across the intranet firewall, edit the registry on servers in the intranet to specify RPC traffic to a specific non random port. Then, open the appropriate ports on the internal firewall:
TCP port 135 - RPC endpoint mapper
TCP port 1600 (example) - RPC service port
If you use IPSec between the front-end and back-end, open the appropriate ports. If the policy you configure only uses AH, you do not need to allow ESP, and vice versa.
UDP port 500 - IKE
IP protocol 51 - AH
IP protocol 50 - ESP
UDP port 88 and TCP port 88 - Kerberos
Hope this helps,
stefan
08-02-2007 09:12 PM
ASA config:
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address X.X.X.X 255.255.255.248
!
interface GigabitEthernet0/1
nameif dmz
security-level 50
ip address 10.44.99.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif inside
security-level 100
ip address 10.44.88.1 255.255.255.0
!
access-list temp extended permit ip any any
access-list temp extended permit icmp any any
global (outside) 1 interface
global (dmz) 1 interface
nat (dmz) 1 10.44.99.0 255.255.255.0
nat (inside) 1 10.44.0.0 255.255.0.0
static (dmz,outside) 202.107.226.106 10.44.99.254 netmask 255.255.255.255 dns
static (inside,dmz) 10.44.65.0 10.44.65.0 netmask 255.255.255.0
static (dmz,inside) 10.44.99.254 10.44.99.254 netmask 255.255.255.255
access-group temp in interface outside
access-group temp in interface dmz
access-group temp out interface inside
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
sysopt noproxyarp inside
class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
!
service-policy global_policy global
Exchange IP address: 10.44.99.254
Active Directory IP address: 10.44.65.55
08-02-2007 10:17 PM
Hi,
Between the Exchange and the DC the NAT statement might be a problem. Try routing the traffic between them.
Cheers,
stefan
08-03-2007 06:04 AM
AD can access Exchange on port 80;
Exchange can access AD on port 80.
From Cisco:
"In addition, add an established command statement to permit RPC back connections
from the outside host on all high ports (1024 through 65535) to deliver mail:
established tcp 135 permitto tcp 1024-65535"
What does this mean?
08-08-2007 04:44 PM
Hi,
1) Exchange RPC traffic: http://support.microsoft.com/kb/159298
2) Alternative for opening the high-port numbers:
http://support.microsoft.com/kb/224196
3) RPC MS overview:
HTH
Stefan
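As an added example (not part of the thread, and not Stefan's or Cisco's own text): the port list above, and the RPC/established question that followed it, translated into least-privilege ASA access lists that replace the posted "access-list temp extended permit ip any any". It assumes the pre-8.3 syntax used in the posted config, the addresses from the thread (Exchange 10.44.99.254 in the DMZ, the DC at 10.44.65.55 inside, the public static 202.107.226.106), and that only SMTP and HTTP from the list are published to the Internet; the object-group and ACL names are assumed, and the pinned RPC port 1600 is the example value from the post, not a real setting on any server.

```cisco
! Added example: least-privilege ACLs for the DMZ Exchange / inside DC topology.
! Assumes pre-8.3 ASA syntax (as in the posted config); names below are assumed.

! DC-side TCP ports Exchange needs: Kerberos, LDAP, Global Catalog, DNS, RPC endpoint mapper
! (numeric ports on purpose: the ASA literal "kerberos" is 750, not 88)
object-group service ad-tcp tcp
 port-object eq 88
 port-object eq 389
 port-object eq 3268
 port-object eq 53
 port-object eq 135
object-group service ad-udp udp
 port-object eq 88
 port-object eq 389
 port-object eq 53

! DMZ -> inside: only Exchange, only to the DC, only the listed ports
access-list dmz_in extended permit tcp host 10.44.99.254 host 10.44.65.55 object-group ad-tcp
access-list dmz_in extended permit udp host 10.44.99.254 host 10.44.65.55 object-group ad-udp
! RPC service ports reached after the port-135 endpoint-mapper lookup (the "1024+" line).
! Either open the dynamic range ...
access-list dmz_in extended permit tcp host 10.44.99.254 host 10.44.65.55 range 1024 65535
! ... or, once the DC's RPC port is pinned in the registry (KB 224196; 1600 is the example
! value from the post), replace the range line with just that port:
! access-list dmz_in extended permit tcp host 10.44.99.254 host 10.44.65.55 eq 1600
access-list dmz_in extended permit icmp host 10.44.99.254 host 10.44.65.55 echo
! Exchange still has to deliver outbound mail and resolve external names
access-list dmz_in extended permit tcp host 10.44.99.254 any eq smtp
access-list dmz_in extended permit udp host 10.44.99.254 any eq domain
! the implicit deny ip any any at the end of the list drops everything else
access-group dmz_in in interface dmz

! Outside -> DMZ: only the published services. Pre-8.3 ACLs match the translated
! (global) address of the static, not the real DMZ address.
access-list outside_in extended permit tcp any host 202.107.226.106 eq smtp
access-list outside_in extended permit tcp any host 202.107.226.106 eq www
access-group outside_in in interface outside

! Inside -> DMZ: the DC calling the Exchange member server (endpoint mapper plus the
! dynamic RPC ports it hands out); the rest of the inside network is left unrestricted
access-list inside_in extended permit tcp host 10.44.65.55 host 10.44.99.254 eq 135
access-list inside_in extended permit tcp host 10.44.65.55 host 10.44.99.254 range 1024 65535
access-list inside_in extended permit icmp host 10.44.65.55 host 10.44.99.254 echo
access-list inside_in extended permit ip 10.44.0.0 255.255.0.0 any
access-group inside_in in interface inside

! The quoted Cisco line. "established" opens a return pinhole dynamically: while a
! higher-security host has a TCP 135 connection open to a lower-security host, that
! lower-security host may connect back to it on TCP 1024-65535. It covers the
! inside-to-DMZ direction above without a static high-port permit, and only for the
! duration of the port-135 connection that triggered it.
established tcp 135 permitto tcp 1024-65535
```

Verify the result from the ASA itself rather than by trial: `packet-tracer input dmz tcp 10.44.99.254 1025 10.44.65.55 88` walks the ACL, NAT and inspection phases for the Kerberos path and reports which one drops a packet, and `show access-list dmz_in` shows hit counts per line, so a line that never increments (for example the UDP 389 entry) points at what the Exchange server is not even attempting. Prefer the pinned-port variant over the 1024-65535 range once the registry change is in place: the range line is what turns a member-server firewall rule into a rule that reaches every dynamic listener on the DC.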