Should I block inbound port 25 on the PIX 515?

Discussion in 'Cisco' started by Corbin O'Reilly, Apr 20, 2005.

  1. Hi everyone. OK here is our situation. We currently have an Exchange 5.5
    server. Port 25 is open inbound and outbound to the Exchange Server. We
    recently setup an anti-spam server, added a MX record for it, and opened
    inbound port 25 to it. We then removed the Exchange Server's MX record. Now
    mail coming to our company from the outside first comes to the anti-spam
    server and then is routed internally to the Exchange Server. The Exchange
    Server still sends mail out through port 25. My question is since e-mail is
    now coming to the anti-spam server first and never directly to the Exchange
    Server, can I close inbound port 25 to the Exchange? Will this cause any
    problems sending e-mail out of our company? I would appreciate any advice.
    Thanks.
    Corbin O'Reilly, Apr 20, 2005
    #1

  2. Chad Mahoney (Guest)

    Corbin O'Reilly wrote:
    > Hi everyone. OK here is our situation. We currently have an Exchange 5.5
    > server. Port 25 is open inbound and outbound to the Exchange Server. We
    > recently setup an anti-spam server, added a MX record for it, and opened
    > inbound port 25 to it. We then removed the Exchange Server's MX record. Now
    > mail coming to our company from the outside first comes to the anti-spam
    > server and then is routed internally to the Exchange Server. The Exchange
    > Server still sends mail out through port 25. My question is since e-mail is
    > now coming to the anti-spam server first and never directly to the Exchange
    > Server, can I close inbound port 25 to the Exchange? Will this cause any
    > problems sending e-mail out of our company? I would appreciate any advice.
    > Thanks.
    >
    >

    Based on what you just wrote I would see no reason why you could NOT
    close SMTP to your Exchange server. **Only**, of course, you would still
    need SMTP access to your anti-spam/relay server. A good way to test this
    would be to go ahead and remove the ACL for SMTP to Exchange, then from
    outside your firewall telnet to the MX record hostname on port 25. You
    should see the SMTP banner of your anti-spam/relay server.
    Chad Mahoney, Apr 20, 2005
    #2

  3. cos (Guest)

    I'm working on a site with a similar configuration. Are you perchance
    using the same IP incoming and outgoing? I'm wondering what command
    you are using to bring mail to your anti-spam server.

    cos, Apr 20, 2005
    #3
  4. Brad (Guest)

    On what port does the spam server talk to the exchange server? If it's
    25 you'll need to keep it open. Based on your description I'm assuming
    the spam server is outside the firewall and the exchange server is
    inside the firewall. If you're limiting the inbound port 25 traffic to
    only originate from the spam server's IP address you should be ok
    unless the spam server gets compromised.
    Brad, Apr 20, 2005
    #4
  5. Hey cos. The anti-spam server has a different public/private IP Address than
    the Exchange Server. What I did was setup the anti-spam software on another
    server, put in a static (inside,outside) command in my PIX, opened port 25
    to the anti-spam server, removed my Exchange Server's MX record from my
    ISP's DNS Servers, and replaced it with a new MX record pointing to the
    anti-spam server. Now mail from the outside comes into the anti-spam server
    and is routed internally to the Exchange Server. The Exchange Server still
    sends mail out through port 25 to the rest of the world. I still have
    inbound port 25 open to the Exchange Server but it looks like I can safely
    remove that entry from the PIX because e-mail from the outside world is now
    coming directly to the anti-spam server and not to the Exchange Server.

    <> wrote in message
    news:...
    > I'm working on a site with a similar configuration. Are you perchance
    > using the same IP incoming and outgoing? I'm wondering what command
    > you are using to bring mail to your anti-spam server.
    >
    > cos
    >
    Corbin O'Reilly, Apr 20, 2005
    #5
  6. Both the anti-spam server and Exchange Server are on the same internal
    subnet. I have NAT setup on the PIX. Both servers have their public IPs
    translating to internal private IPs.

    "Brad" <> wrote in message
    news:...
    > On what port does the spam server talk to the exchange server? If it's
    > 25 you'll need to keep it open. Based on your description I'm assuming
    > the spam server is outside the firewall and the exchange server is
    > inside the firewall. If you're limiting the inbound port 25 traffic to
    > only originate from the spam server's IP address you should be ok
    > unless the spam server gets compromised.
    >
    Corbin O'Reilly, Apr 20, 2005
    #6
  7. cos (Guest)

    Corbin,

    You shouldn't have a problem shutting down port 25 to the exchange
    server, if it's INSIDE. I'm having issues myself, but I'm attempting
    to use the same IP for both servers. The traffic is similar to yours,
    but I need the same global IP outside to forward to the antispam
    server, and then allow the exchange server to send out via the very
    same IP.

    Are you using nat (inside) for the exchange server?

    cos, Apr 20, 2005
    #7
  8. Hey cosmicspin. Yes I have the following command in my PIX 515 config:

    nat (inside) 10 0.0.0.0 0.0.0.0 0 0

    You may want to start a new post since what you are trying to do is a little
    different from what I am trying to do. There is a guy on this board named
    Walter Roberson that has helped a lot of us out in the past. He really knows
    his stuff. Create a new post and hopefully he or another expert will help
    you out. These boards are great. I learn so much here. Take care. Corbin.

    <> wrote in message
    news:...
    > Corbin,
    >
    > You shouldn't have a problem shutting down port 25 to the exchange
    > server, if it's INSIDE. I'm having issues myself, but I'm attempting
    > to use the same IP for both servers. The traffic is similar to yours,
    > but I need the same global IP outside to forward to the antispam
    > server, and then allow the exchange server to send out via the very
    > same IP.
    >
    > Are you using nat (inside) for the exchange server?
    >
    > cos
    >
    Corbin O'Reilly, Apr 20, 2005
    #8
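An added PIX 6.x configuration sketch, not taken from any post in this thread, showing the two layouts discussed above: Corbin's (posts #5 and #6: separate public IPs for the relay and Exchange, so only the Exchange SMTP entry in the outside ACL goes away) and cos's (posts #7 and #8: one global IP that both receives inbound mail for the relay and sources Exchange's outbound mail, done with a port-redirection `static`, the static PAT form Walter says was buggy on 6.1(1) and 6.1(2)). All addresses, the interface names and the ACL name are assumptions.

```cisco
! Added example, not from the thread. Addresses, interface names and the
! ACL name are assumptions: outside 203.0.113.0/24, inside 10.0.0.0/24.
!   anti-spam relay  203.0.113.20 <-> 10.0.0.20
!   Exchange 5.5     203.0.113.10 <-> 10.0.0.10
!
! ===== Layout A (Corbin): separate public IPs =====
! Dynamic NAT for everything inside; the statics below take precedence
! for the two mail servers, so their outbound mail keeps its own public IP.
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
global (outside) 10 interface
static (inside,outside) 203.0.113.20 10.0.0.20 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255 0 0
!
! BEFORE: the Internet can open TCP/25 to both servers.
access-list outside_in permit tcp any host 203.0.113.20 eq smtp
access-list outside_in permit tcp any host 203.0.113.10 eq smtp
access-group outside_in in interface outside
!
! AFTER: only the relay accepts SMTP from outside. Exchange's outbound mail
! is unaffected: the outside ACL only governs connections initiated from
! outside, and its static translation stays so it still leaves as
! 203.0.113.10. Keep the static; remove just the ACE.
no access-list outside_in permit tcp any host 203.0.113.10 eq smtp
!
! ===== Layout B (cos): one global IP 203.0.113.25 for in and out =====
! Port redirection: only TCP/25 of the shared address goes to the relay ...
static (inside,outside) tcp 203.0.113.25 smtp 10.0.0.20 smtp netmask 255.255.255.255 0 0
! ... while the dynamic pool uses the same address, so Exchange (and any
! other inside host) sources outbound SMTP from 203.0.113.25.
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
global (outside) 10 203.0.113.25
access-list outside_in permit tcp any host 203.0.113.25 eq smtp
access-group outside_in in interface outside
```

Two checks worth doing before and after the change. First, leave the Exchange ACE in place for a few days and read the `hitcnt=` counters from `show access-list outside_in`: if the relay's ACE is the only one incrementing, nobody is still delivering directly to Exchange and the ACE can go; `show xlate` confirms the statics are being used. Second, Chad's banner test from outside (`telnet <mx hostname> 25`) should answer with the relay's `220` greeting; if `fixup protocol smtp 25` (Mailguard) is enabled on the PIX, everything after `220` is shown as asterisks, which is the fixup at work and not a problem with the relay. Since Corbin's relay and Exchange sit on the same inside subnet (post #6), relay-to-Exchange delivery never crosses the PIX, so Brad's concern about keeping 25 open from the relay's address does not apply to that layout.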
  9. In article <KNt9e.84665$f%>,
    Corbin O'Reilly <> wrote:
    :You may want to start a new post since what you are trying to do is a little
    :different from what I am trying to do. There is a guy on this board named
    :Walter Roberson that has helped a lot of us out in the past. He really knows
    :his stuff. Create a new post and hopefully he or another expert will help
    :you out.

    Answer already given... he didn't follow up to say how well it had
    worked.

    http://groups.google.ca/groups?selm=d3mq5e$htf$
    --
    "Mathematics? I speak it like a native." -- Spike Milligan
    Walter Roberson, Apr 20, 2005
    #9
  10. cos (Guest)

    Walter,

    No, it unfortunately doesn't work. The outgoing mail works fine with
    the answer you told me (it now shows the proper IP), but now an issue
    has arisen with incoming mail. After changing the static
    (inside,outside) line to the one you suggested, it seems like incoming
    mail doesn't reach the anti-spam server any longer. The configuration
    you gave me seems quite logical, yet there's something going wrong.

    The PIX in question is running 6.1. I tried various other methods,
    like an access list for the static (inside,outside) command, but
    incoming mail simply doesn't work until I disable the nat statement that
    forces a global IP to the exchange server. I was going to try logging
    into their anti-spam server, to see if maybe it's rejecting incoming
    SMTP traffic for one reason or another.

    cos, Apr 20, 2005
    #10
  11. In article <>,
    <> wrote:

    [static PAT]

    :The PIX in question is running 6.1.

    PIX 6.1 had known bugs with static PAT, particularly 6.1(1) and 6.1(2).

    Which exact release are you using? And is there a reason you haven't
    updated to 6.2 or 6.3? If you google Cisco's site for
    "PIX security advisories" and read the newest one or two, you can usually find
    a security-related excuse to convince Cisco to give you a free update
    from 6.1 to the latest 6.3. (Doesn't work for 6.2 to 6.3, as they are still
    producing 6.2 patches.)
    --
    This signature intentionally left... Oh, darn!
    Walter Roberson, Apr 20, 2005
    #11
  12. cos (Guest)

    There's no reason why I haven't updated the PIX, but it belongs to a
    company I configured routers for... I figured I'd help them out with a
    'quick' problem at their other site, and it turned out to be more than
    'quick'. Most of the other issues were easily resolved by just using
    my router know-how and reading documentation, but this one issue just
    seems unable to be fixed.

    What you said about there being a possible 'bug', is VERY probable.
    I'll have to see if I can find a reason for them to get a free update,
    and possibly fix this for once.

    Thanks for your help once again, if you think of anything in the
    meantime be sure to let me know. I'm going to try and see if any of my
    ideas work this afternoon, and then start worrying about updating.

    cos, Apr 20, 2005
    #12
  13. cos (Guest)

    The PIX has version 6.1(1) on it. This might be the source of the
    'broken' static function.

    I wonder if there's a way around this problem... In the meantime, I
    asked the PIX owners to see if they still have an active contract (I
    believe they do). They probably can upgrade to the newest version.

    cos, Apr 20, 2005
    #13
  14. In article <>,
    <> wrote:
    :The PIX has version 6.1(1) on it.

    They need an update, then -- there are a number of known attacks
    on that version. Even if you just get them through to the last 6.1
    they would be better off.
    --
    'ignorandus (Latin): "deserving not to be known"'
    -- Journal of Self-Referentialism
    Walter Roberson, Apr 20, 2005
    #14
  15. cos (Guest)

    I'll let everyone know what the outcome is. Hopefully if anyone else
    runs into an issue similar to mine with 6.1(1) or (2) they will have
    a lead for an upgrade, and thus not have to deal with a strange bug.
    :0)

    cos, Apr 20, 2005
    #15
