Resolution
To configure MS-Exchange connectivity through a PIX Firewall, perform the following steps:
- Create the static translation for the inside address of the MS-Exchange server so that it is reachable from the outside by its public routable address. The PIX translates traffic received on the outside address of the MS-Exchange server and passes it to the inside network.
- Create an Access Control List (ACL) on the PIX to allow all devices (or a specific machine) on the outside to access the MS-Exchange server. The MS-Exchange server uses ports 135, 137, 138, and 139.
- Apply the ACL to the outside interface in the inbound direction.
The following is an example configuration:
static (inside,outside) 64.1.1.1 10.1.1.1
!--- This creates the static entry.
!--- It maps the inside address 10.1.1.1 to the public address 64.1.1.1.
access-list 101 permit tcp any host 64.1.1.1 eq 139
access-list 101 permit tcp any host 64.1.1.1 eq 135
!--- Access-list 101 permits TCP traffic from any device to host 64.1.1.1,
!--- the outside address of the Exchange server, on ports 139 and 135.
access-list 101 permit udp any host 64.1.1.1 eq 137
access-list 101 permit udp any host 64.1.1.1 eq 138
!--- Access-list 101 permits UDP traffic from any device to host 64.1.1.1,
!--- the outside address of the Exchange server, on ports 137 and 138.
access-group 101 in interface outside
!--- Apply the access-list to the outside interface in the inbound direction.
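The three steps above only take effect together, so a review of such a configuration should confirm which ports are actually reachable, from which sources, and on which inside host. The following Python audit is an added example, not part of the original article or of any Cisco tool; the function name `inbound_exposure` is hypothetical, and it parses only the rule forms shown in this article (`any` or `host` source, `host` destination, `eq` port).

```python
import re

# Constructed sample: the example configuration from this page, comments removed.
SAMPLE_CONFIG = """\
static (inside,outside) 64.1.1.1 10.1.1.1
access-list 101 permit tcp any host 64.1.1.1 eq 139
access-list 101 permit tcp any host 64.1.1.1 eq 135
access-list 101 permit udp any host 64.1.1.1 eq 137
access-list 101 permit udp any host 64.1.1.1 eq 138
access-group 101 in interface outside
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)")
ACL_RE = re.compile(
    r"^access-list (\S+) permit (tcp|udp) (any|host \S+) host (\S+) eq (\d+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")

def inbound_exposure(config):
    """Return one record per permit rule that is bound to an interface."""
    statics, rules, bound = {}, [], {}
    for line in config.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue  # skip blanks and '!---' comment lines
        if m := STATIC_RE.match(line):
            statics[m.group(3)] = m.group(4)      # public -> inside
        elif m := ACL_RE.match(line):
            rules.append(m.groups())
        elif m := GROUP_RE.match(line):
            bound[m.group(1)] = m.group(2)        # ACL id -> interface
    report = []
    for acl, proto, src, dst, port in rules:
        if acl not in bound:
            continue  # an ACL with no access-group has no effect
        report.append({
            "interface": bound[acl], "proto": proto, "port": int(port),
            "public": dst, "inside": statics.get(dst),  # None: no static for dst
            "source": src.removeprefix("host "),
            "open_to_any": src == "any",
        })
    return report

if __name__ == "__main__":
    for r in inbound_exposure(SAMPLE_CONFIG):
        print(r)
```

Records with `open_to_any` set correspond to the "all devices" choice in the second step; replacing `any` with `host <address>` in the ACL gives the "specific machine" variant and clears the flag.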
Third Party Software
Exchange