09-24-2004 03:42 PM
I hope you can give me some advice re: the commands I need to implement this situation...
We have several extra static IP addresses, so what I wanted to do was to use the extra IP to route to the Exchange server.
for example...
my current IP for everything is XXX.XXX.XXX.21
that's the one configured to my cisco pix.
now I also own XXX.XXX.XXX.22
Subnet: 255.255.255.248
now the internal IP for my exchange is 192.168.0.122
subnet 255.255.255.0
and I wanted to open up just TCP port 25 for that IP address.
So can anybody help me with the command lines?
09-25-2004 08:45 AM
access-list inbound permit tcp any host xxx.xxx.xxx.22 eq smtp
static (inside,outside) xxx.xxx.xxx.22 192.168.0.122 netmask 255.255.255.255 0 0
access-group inbound in interface outside
09-25-2004 09:56 AM
thanks...btw, should I disable MailGuard to make Exchange work?
09-25-2004 04:36 PM
yes
09-26-2004 04:36 PM
I use..
no fixup protocol smtp 25
I hope this helps.
09-26-2004 05:23 PM
thanks again, I'll try to implement this Monday when I get back to work.
09-27-2004 08:15 AM
Do I need the NAT command as well?
09-27-2004 08:48 AM
Dominic,
Here's an example config from my lab pix for a MS Exchange server on the inside network (I'm using Pix OS 6.2(1)) - Hope this helps you out:
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname your-pix
domain-name your-domain
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list smtp permit tcp any host 213.xx.xx.xx eq smtp
pager lines 24
logging on
logging timestamp
logging console notifications
logging trap warnings
logging history warnings
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside 213.xx.xx.xx 255.255.255.240
ip address inside 10.xx.xx.xx 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 213.xx.xx.xx smtp 10.xx.xx.xx smtp dns netmask 255.255.255.255 0 0
access-group smtp in interface outside
route outside 0.0.0.0 0.0.0.0 213.xx.xx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt noproxyarp inside
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Hope this helps - Jay
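Putting the thread's advice together for the addresses in the original question, here is an added example config fragment (it is not from any post above). It assumes a PIX running 6.x, that the outside interface already holds XXX.XXX.XXX.21/29, that XXX.XXX.XXX.22 is not in use anywhere else, and an embryonic limit of 100 chosen for illustration. It uses a port-level static like Jay's (only TCP/25 of .22 is translated) rather than the whole-host static in the first answer, so no other port on .22 has a translation even if the ACL is later loosened:

```text
: Added example, not from the thread. Assumes PIX 6.x, outside = XXX.XXX.XXX.21/29,
: spare public address XXX.XXX.XXX.22, Exchange at 192.168.0.122.
: Outbound PAT for the inside network (the static below only covers inbound SMTP)
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
: Port-level static: only TCP/25 on .22 is mapped to the Exchange server.
: Trailing values: max connections 0 = unlimited, embryonic limit 100 (assumed
: value) caps half-open connections so a SYN flood cannot exhaust the server.
static (inside,outside) tcp XXX.XXX.XXX.22 smtp 192.168.0.122 smtp netmask 255.255.255.255 0 100
: Inbound ACL: permit only SMTP to the mapped address; everything else arriving
: on the outside interface is dropped by the implicit deny at the end.
access-list inbound permit tcp any host XXX.XXX.XXX.22 eq smtp
access-group inbound in interface outside
: Disable the SMTP fixup (MailGuard) as the thread recommends for Exchange
no fixup protocol smtp 25
```

After pasting, run `clear xlate` so old translations do not linger, then check `show static`, `show access-list inbound` (the hit count should climb as mail arrives) and `show xlate` while a test `telnet XXX.XXX.XXX.22 25` from outside is open. The PIX answers ARP requests for .22 on the outside segment only while proxy ARP is enabled there, so do not add `sysopt noproxyarp outside`; the `sysopt noproxyarp inside` in Jay's config is fine because the static is on the outside interface.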
09-27-2004 10:43 AM
Maybe, you can print your pix config here then we'll be able to tell you what you need.
Vincent.