Exchange server connection messed up

skpark
Level 1

PIX525 configuration.

Exchange server is in 'inside'

Outlook clients are in 'outside'

access-group out in interface outside

access-group ins in interface inside

access-list outs permit tcp host 192.168.176.200 host 192.168.176.22 eq 135

access-list outs permit tcp host 192.168.176.200 host 192.168.176.22 eq 139

static (inside,outside) 192.168.176.22 200.200.200.22

There's no UDP 137, 138 and no 'established permit tcp 135 permitto tcp 1024-65535'.

But the e-mail connection from the Outlook client to the Exchange server was successful. The PIX525 log shows a denied RPC transaction.

But, however, the Exchange server connection was established.

What happened?

What's wrong? It confuses me too much.

The log is as follows.

302001: Built inbound TCP connection 5562 for faddr 192.168.176.200/1049 gaddr 192.168.176.22/135 laddr 200.200.200.22/135

302002: Teardown TCP connection 5562 faddr 192.168.176.200/1049 gaddr 192.168.176.22/135 laddr 200.200.200.22/135 duration 0:00:01 bytes 440 (TCP FINs)

106023: Deny tcp src outside:192.168.176.200/1050 dst inside:192.168.176.22/1102 by access-group "acl_out"

106023: Deny tcp src outside:192.168.176.200/1050 dst inside:192.168.176.22/1102 by access-group "acl_out"

106023: Deny tcp src outside:192.168.176.200/1048 dst inside:192.168.176.22/1072 by access-group "acl_out"

106023: Deny tcp src outside:192.168.176.200/1050 dst inside:192.168.176.22/1102 by access-group "acl_out"

302001: Built inbound TCP connection 5563 for faddr 192.168.176.200/1051 gaddr 192.168.176.22/135 laddr 200.200.200.22/135

302002: Teardown TCP connection 5563 faddr 192.168.176.200/1051 gaddr 192.168.176.22/135 laddr 200.200.200.22/135 duration 0:00:01 bytes 440 (TCP FINs)

106023: Deny tcp src outside:192.168.176.200/1052 dst inside:192.168.176.22/1072 by access-group "acl_out"

106023: Deny tcp src outside:192.168.176.200/1052 dst inside:192.168.176.22/1072 by access-group "acl_out"

106023: Deny tcp src outside:192.168.176.200/1052 dst inside:192.168.176.22/1072 by access-group "acl_out"

302001: Built inbound TCP connection 5564 for faddr 192.168.176.200/1055 gaddr 192.168.176.22/135 laddr 200.200.200.22/135

302002: Teardown TCP connection 5564 faddr 192.168.176.200/1055 gaddr 192.168.176.22/135 laddr 200.200.200.22/135 duration 0:00:01 bytes 440 (TCP FINs)

106023: Deny tcp src outside:192.168.176.200/1056 dst inside:192.168.176.22/1102 by access-group "acl_out"

106023: Deny tcp src outside:192.168.176.200/1056 dst inside:192.168.176.22/1102 by access-group "acl_out"

106023: Deny tcp src outside:192.168.176.200/1056 dst inside:192.168.176.22/1102 by access-group "acl_out"

302001: Built inbound TCP connection 5565 for faddr 192.168.176.200/1057 gaddr 192.168.176.22/135 laddr 200.200.200.22/135

302002: Teardown TCP connection 5565 faddr 192.168.176.200/1057 gaddr 192.168.176.22/135 laddr 200.200.200.22/135 duration 0:00:01 bytes 440 (TCP FINs)

106023: Deny tcp src outside:192.168.176.200/1058 dst inside:192.168.176.22/1102 by access-group "acl_out"

106023: Deny tcp src outside:192.168.176.200/1058 dst inside:192.168.176.22/1102 by access-group "acl_out"

106023: Deny tcp src outside:192.168.176.200/1058 dst inside:192.168.176.22/1102 by access-group "acl_out"

302001: Built inbound TCP connection 5566 for faddr 192.168.176.200/1059 gaddr 192.168.176.22/135 laddr 200.200.200.22/135

302002: Teardown TCP connection 5566 faddr 192.168.176.200/1059 gaddr 192.168.176.22/135 laddr 200.200.200.22/135 duration 0:00:01 bytes 440 (TCP FINs)

106023: Deny tcp src outside:192.168.176.200/1060 dst inside:192.168.176.22/1102 by access-group "acl_out"

106023: Deny tcp src outside:192.168.176.200/1060 dst inside:192.168.176.22/1102 by access-group "acl_out"

106023: Deny tcp src outside:192.168.176.200/1060 dst inside:192.168.176.22/1102 by access-group "acl_out"

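The log in the post shows the usual MS-RPC pattern: each connection to the endpoint mapper on tcp/135 is built and torn down normally, and the client's follow-up connections to high ports on the same server (1072 and 1102 here, the kind of dynamically assigned endpoints the mapper hands back) are then denied, because the outside ACL only permits 135 and 139. The script below is an added example, not part of the original post and not Cisco tooling. It parses PIX 302001 and 106023 syslog lines, correlates each denied high-port TCP connection with an earlier tcp/135 connection from the same client to the same server, and reports the dynamic ports involved; anything it cannot attribute to RPC is listed separately. The sample lines are a constructed subset modeled on the post's log plus one unrelated deny, and the function names (`analyze`, `report`) are my own.

```python
import re
from collections import defaultdict

# Message formats as they appear in the post (example code, not Cisco's).
BUILT_RE = re.compile(
    r"302001: Built inbound TCP connection (?P<conn>\d+) for "
    r"faddr (?P<faddr>[\d.]+)/(?P<fport>\d+) gaddr (?P<gaddr>[\d.]+)/(?P<gport>\d+) "
    r"laddr (?P<laddr>[\d.]+)/(?P<lport>\d+)"
)
DENY_RE = re.compile(
    r'106023: Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)

EPM_PORT = 135       # MS-RPC endpoint mapper
DYNAMIC_MIN = 1024   # RPC dynamic endpoints are allocated above the well-known range

# Constructed sample: a subset modeled on the post's log, plus one deny from a
# client that never talked to the endpoint mapper (10.9.9.9 is made up).
SAMPLE_LOG = """\
302001: Built inbound TCP connection 5562 for faddr 192.168.176.200/1049 gaddr 192.168.176.22/135 laddr 200.200.200.22/135
302002: Teardown TCP connection 5562 faddr 192.168.176.200/1049 gaddr 192.168.176.22/135 laddr 200.200.200.22/135 duration 0:00:01 bytes 440 (TCP FINs)
106023: Deny tcp src outside:192.168.176.200/1050 dst inside:192.168.176.22/1102 by access-group "acl_out"
106023: Deny tcp src outside:192.168.176.200/1050 dst inside:192.168.176.22/1102 by access-group "acl_out"
106023: Deny tcp src outside:192.168.176.200/1048 dst inside:192.168.176.22/1072 by access-group "acl_out"
302001: Built inbound TCP connection 5563 for faddr 192.168.176.200/1051 gaddr 192.168.176.22/135 laddr 200.200.200.22/135
106023: Deny tcp src outside:192.168.176.200/1052 dst inside:192.168.176.22/1072 by access-group "acl_out"
106023: Deny tcp src outside:10.9.9.9/3001 dst inside:192.168.176.22/445 by access-group "acl_out"
"""


def analyze(lines):
    """Correlate 106023 denies with an earlier tcp/135 connection from the same client.

    Returns {"pairs": {(client, server): {...}}, "unexplained": [raw deny lines]}.
    The server is keyed by the global address (gaddr), which is also the address
    the deny messages report as the destination.
    """
    epm_lookups = defaultdict(int)   # (client, server) -> tcp/135 connections built
    denied_ports = defaultdict(set)  # (client, server) -> dynamic ports denied afterwards
    deny_count = defaultdict(int)
    unexplained = []
    for line in lines:
        built = BUILT_RE.search(line)
        if built:
            if int(built["gport"]) == EPM_PORT:
                epm_lookups[(built["faddr"], built["gaddr"])] += 1
            continue
        deny = DENY_RE.search(line)
        if not deny:
            continue  # teardowns and anything else are ignored
        key = (deny["src"], deny["dst"])
        dport = int(deny["dport"])
        # Only a TCP deny to a dynamic port that follows an EPM lookup from the
        # same client is attributed to RPC; everything else is left for a human.
        if deny["proto"] == "tcp" and dport >= DYNAMIC_MIN and epm_lookups.get(key):
            denied_ports[key].add(dport)
            deny_count[key] += 1
        else:
            unexplained.append(line.strip())
    pairs = {
        key: {
            "epm_lookups": epm_lookups[key],
            "denied_dynamic_ports": sorted(denied_ports[key]),
            "deny_count": deny_count[key],
        }
        for key in epm_lookups
    }
    return {"pairs": pairs, "unexplained": unexplained}


def report(result):
    """Render the analysis as plain text lines."""
    out = []
    for (client, server), info in sorted(result["pairs"].items()):
        out.append(
            f"{client} -> {server}: {info['epm_lookups']} EPM lookups on tcp/{EPM_PORT}, "
            f"{info['deny_count']} denies to RPC dynamic ports {info['denied_dynamic_ports']}"
        )
    for line in result["unexplained"]:
        out.append(f"unexplained deny: {line}")
    return out


if __name__ == "__main__":
    print("\n".join(report(analyze(SAMPLE_LOG.splitlines()))))
```

Run it against a captured syslog file instead of `SAMPLE_LOG` to see which server ports the clients are actually being bounced from. Two caveats: the correlation only works if the log window includes the client's tcp/135 connection, so a deny that arrives before the first endpoint-mapper hit lands in the "unexplained" list; and the ports it reports are whatever the endpoint mapper assigned at the time, so permitting those exact numbers in the ACL is fragile, since they can change when the server's RPC services restart.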

ciscomoderator
Community Manager

Since there has been no response to your post, it appears to be either too complex or too rare an issue for other forum members to assist you. If you don't get a suitable response to your post, you may wish to review our resources at the online Technical Assistance Center (http://www.cisco.com/tac) or speak with a TAC engineer. You can open a TAC case online at http://www.cisco.com/tac/caseopen

If anyone else in the forum has some advice, please reply to this thread.

Thank you for posting.