
One more Time

CARLA.GONZALEZ
Level 1

I have a 515r, and I added the next line to my configuration

because without it, Exchange doesn't work; inside clients can't connect to it.

access-list aclout permit ip any any

but some of you told me that it is a big hole in my security.

My question is:

What do you recommend?

I'm not an expert; it is my first time with PIX!

Gdl. Mex.

Thanks a lot in advance for your time!
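An added example, not part of the original post or of any Cisco tooling: a small audit of PIX `access-list` entries showing why `permit ip any any` is flagged, and that entries placed after it in the same list are never evaluated. The function names, severity labels and sample configuration are assumptions constructed for illustration.

```python
OPS = {"eq": 1, "gt": 1, "lt": 1, "neq": 1, "range": 2}  # port operator -> operand count

def _addr(tok):
    """Consume 'any', 'host A' or 'net mask'; return (spec, remaining tokens)."""
    return ("any", tok[1:]) if tok[0] == "any" else (" ".join(tok[:2]), tok[2:])

def _ports(tok):
    """Consume an optional port qualifier; return (spec or None, remaining tokens)."""
    n = OPS.get(tok[0], 0) + 1 if tok else 0
    return (" ".join(tok[:n]), tok[n:]) if n > 1 else (None, tok)

def parse_ace(line):
    """Parse 'access-list ID permit|deny PROTO SRC [ports] DST [ports]'."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        return None
    try:
        src, rest = _addr(tok[4:])
        _, rest = _ports(rest)              # source port qualifier, unused here
        dst, rest = _addr(rest)
        dport, _ = _ports(rest)
    except IndexError:                      # truncated entry
        return None
    return {"acl": tok[1], "action": tok[2], "proto": tok[3], "src": src, "dst": dst, "dport": dport}

def audit(config):
    """Return (severity, acl, reason, entry) tuples in configuration order."""
    findings, wide_open = [], set()
    for raw in config.splitlines():
        ace = parse_ace(raw)
        if ace is None:
            continue
        permit = ace["action"] == "permit"
        no_ports = ace["proto"] in ("ip", "tcp", "udp") and not ace["dport"]
        if ace["acl"] in wide_open:         # first match wins, so this entry is dead
            findings.append(("INFO", ace["acl"], "shadowed by permit ip any any", raw.strip()))
        elif permit and no_ports and ace["src"] == ace["dst"] == "any":
            findings.append(("HIGH", ace["acl"], "any to any, no port limit", raw.strip()))
            if ace["proto"] == "ip":
                wide_open.add(ace["acl"])
        elif permit and no_ports:
            findings.append(("MEDIUM", ace["acl"], "no destination port limit", raw.strip()))
    return findings

SAMPLE = """\
access-list aclout permit tcp any host 192.0.2.10 eq 25
access-list aclout permit ip any any
access-list aclout deny tcp any any eq 135
access-list acldmz permit tcp host 192.0.2.10 host 198.51.100.5
"""  # constructed sample; documentation addresses, not taken from the thread
```

Calling `audit(SAMPLE)` reports the `permit ip any any` entry as HIGH, the `deny` after it as shadowed, and the port-less host-to-host permit as MEDIUM.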

3 Replies

turnbull
Level 1

Check the port assignments at the following link:

http://cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/config/msexchng.htm

If the inside hosts are making the connection, the NetBIOS ports should be OK, but perhaps the established for 135 will be required for RPC.

I assume there has been no ACL applied to the inside.

bdube
Level 2

Having Exchange in the DMZ or outside isn't the best way to do things.

You can keep Exchange inside and place an SMTP relay in the DMZ. Inbound and outbound mail pass through this SMTP relay. Some good commercial products are available, like Mail Essentials. Ref.: http://www.techarts.com/products/mailessentials2000/default.htm

If you want to keep Exchange outside or in the DMZ, you should open RPC ports because Outlook/Exchange communications use those ports. But I don't know if it's only Outlook that initiates communications to Exchange, or both.

msim68
Level 1

Hi,

Can you please explain where the Exchange is? Is it in the DMZ zone or in the outside zone? If it's in the DMZ zone, I will tell you the perfect solution that I have done with my Exchange 5.5 and the PIX firewall,

because, as you say, you open a security hole on your network, and even if you use the ports to be opened in between the zones, the internal zone security will be less than 100% ....

Best regards