Re: exchange being switched to static ports due to firewall



Jason,
Right, this is from memory as I ditched Cisco Pix years ago and I'm
generalising based on your setup. But this is the way I'd do it (and did do
it) for security.

Old fashioned but secure:
LAN: 192.168.0.x/24
Cisco Pix: 192.168.0.1
Exchange box: 192.168.0.2, default gateway is the Pix.

On the Pix:
Name <mail outside> MailOutside
Name <mail on LAN> MailInside
access-list acl_outside permit tcp any host <ip of remote site> host any
access-list acl_outside permit tcp any host MailOutside eq www
access-list acl_outside permit tcp any host MailOutside eq 443
access-list acl_outside permit tcp any host MailOutside eq SMTP
static (inside,outside) MailOutside MailInside netmask 255.255.255.255 5000 1000
access-group acl_outside in interface outside
route outside 0.0.0.0 0.0.0.0 <external gateway> 1

I THINK that's about it.


New fangled:
Skip the access-list line that finishes with any (which I can't recall if it
will work anyway!)
Then you've only got port 80/443 open but you can use RPC over HTTPs for
Outlook 2003 to Exchange 2003 and use cached mode.

Hope that helps.

Nick
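An added example, not part of Nick's post or of anything else in this thread: a small Python audit script that parses access-list lines of the kind sketched above and flags any permit entry that exposes more than SMTP, HTTP and HTTPS on the published mail host (the point of the "new fangled" variant is that only 25/80/443 end up open). The sample config, its addresses, the constructed extra port-135 rule and the set of service keywords it knows are all assumptions made for this illustration, not taken from the thread or from a real Pix.

```python
"""Audit a PIX-style access-list for a published mail server (added example).

Parses ``access-list`` lines of the form
    access-list <name> permit|deny <proto> <src> <dst> [eq <port>]
and reports entries that open more than the intended services.
Everything in SAMPLE_CONFIG is constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Common PIX service keywords that may follow ``eq`` instead of a number
# (assumed subset; a real rule set may use others).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "pop3": 110,
              "imap4": 143, "domain": 53, "ssh": 22, "telnet": 23}

# Services the thread agrees should be reachable on the mail server.
ALLOWED_PORTS = {25, 80, 443}

# Constructed sample: Nick's sketch with placeholders filled in, plus one
# extra rule (eq 135) of the sort a static-port setup tends to add.
SAMPLE_CONFIG = """\
name 203.0.113.25 MailOutside
name 192.168.0.2 MailInside
access-list acl_outside permit tcp any host 203.0.113.40 host any
access-list acl_outside permit tcp any host MailOutside eq www
access-list acl_outside permit tcp any host MailOutside eq 443
access-list acl_outside permit tcp any host MailOutside eq SMTP
access-list acl_outside permit tcp any host MailOutside eq 135
static (inside,outside) MailOutside MailInside netmask 255.255.255.255 5000 1000
access-group acl_outside in interface outside
"""


@dataclass
class Rule:
    acl: str
    action: str
    proto: str
    src: str
    dst: str
    port: Optional[int]  # None means every port of the protocol
    raw: str


# An address is ``any``, ``host <name-or-ip>`` or ``<network> <mask>``.
_ADDR = r"(?:any|host\s+\S+|\S+\s+\d+\.\d+\.\d+\.\d+)"
_RULE_RE = re.compile(
    rf"^access-list\s+(?P<acl>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)"
    rf"\s+(?P<src>{_ADDR})\s+(?P<dst>{_ADDR})(?:\s+eq\s+(?P<port>\S+))?\s*$",
    re.IGNORECASE,
)


def parse_port(token: Optional[str]) -> Optional[int]:
    """Turn ``eq`` operand into a port number; keywords are case-insensitive."""
    if token is None:
        return None
    if token.isdigit():
        return int(token)
    if token.lower() in PORT_NAMES:
        return PORT_NAMES[token.lower()]
    raise ValueError(f"unknown service keyword: {token}")


def parse_rule(line: str) -> Optional[Rule]:
    """Return a Rule, or None when the line does not fit the expected shape."""
    m = _RULE_RE.match(line.strip())
    if not m:
        return None
    return Rule(acl=m["acl"], action=m["action"].lower(), proto=m["proto"].lower(),
                src=" ".join(m["src"].split()), dst=" ".join(m["dst"].split()),
                port=parse_port(m["port"]), raw=line.strip())


def audit(config_text: str, mail_host: str) -> List[Tuple[str, str]]:
    """Flag permit rules that expose more than ALLOWED_PORTS on mail_host.

    Findings are (kind, rule_text) pairs: ``unparsed`` lines need a human
    look (malformed rules such as one ending in ``host any``), ``destination-any``
    and ``all-ports`` are over-broad, ``unexpected-port`` opens a service the
    mail host should not publish.
    """
    findings = []
    for line in config_text.splitlines():
        line = line.strip()
        if not line.startswith("access-list"):
            continue
        rule = parse_rule(line)
        if rule is None:
            findings.append(("unparsed", line))
        elif rule.action != "permit":
            continue
        elif rule.dst.lower() == "any":
            findings.append(("destination-any", rule.raw))
        elif rule.port is None:
            findings.append(("all-ports", rule.raw))
        elif rule.dst == f"host {mail_host}" and rule.port not in ALLOWED_PORTS:
            findings.append(("unexpected-port", rule.raw))
    return findings


if __name__ == "__main__":
    for kind, text in audit(SAMPLE_CONFIG, "MailOutside"):
        print(f"{kind:17} {text}")
```

Run it against the sample and it reports the malformed "host any" line as unparsed (so it gets looked at rather than silently trusted) and the port-135 entry as an unexpected service; the www, 443 and SMTP lines pass. Feeding it a saved `show access-list` or `write terminal` output is the same call with the real host name.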

"Jason Goetting" <JasonGoetting@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:0D855691-E393-49FB-8348-1C1B7FE285F4@xxxxxxxxxxxxxxxx
Well, the cisco pix will not work with dynamic ports, so my users cannot send
email, only receive email. And based on the info I've gotten off of MSKB and
Cisco, I have to tell exchange to use static ports, and I have to tell my
client stations what ports to use as well. Not sure how this is insecure?

Should I go about this in an entirely different direction? The pix is so
that my mail server is not completely unprotected.

"Nick Gillott [MVP]" wrote:

Why are you doing it that way? Seems a very long way round and rather
insecure. A little more detail please.

"Jason Goetting" <Jason Goetting@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:7FE0AC2F-410A-47EA-9A36-93F921B7A2DC@xxxxxxxxxxxxxxxx
Just wondering if anyone can give me a "best" practices solution to my
situation.

I'm sticking a cisco 506e pix in front of my mail server which is stand
alone, it's not connected to our internal network in any way. Everyone
connects via the internet.

For everything to work properly I have to use static ports. I have to
configure this on the mail server, open the ports on the firewall and I also
have to make registry entries on the client machines so they connect
properly. I have multiple sites to go to, and we are not on a wan so I can
not do this remotely. So I want to figure out the best and most efficient
way to make the changes to my client stations.

Basically for the remote sites, they will have to use OWA while this is
being done.

Any ideas would be of great help!
