PIX 501 to 506 upgrade causes exchange email problems.

Discussion in 'Cisco' started by RPS13, Dec 8, 2007.

  1. RPS13

    RPS13

    Joined:
    Dec 8, 2007
    Messages:
    1
    Likes Received:
    0
    Hello,

I'm sure it's an easy fix but I don't see it, maybe someone can help me out. I'm running into a problem when I tried to upgrade from a PIX 501 to a PIX 506 firewall. Everything works great with the current PIX 501 configuration, so what I did was use the exact same config in the 506. With the 506 plugged in everything works but email. I'm running an Exchange 2003 server and it can't ping any outside address, send or receive email. It can ping the 506 firewall. Of course with the 501 plugged in there are no problems.

    Some background on my network.

    Separate static ip for lan accessing the Internet.
    Separate static ip for exchange server and OWA setup.

    This is the pix 501 config, which everything works with no problems:

    _________________________________________________________________
    PIX Version 6.1(4)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password n3MMasdcj2sryt encrypted
    passwd FDA2Q4b2NdI.sdWU encrypted
    hostname main1
    domain-name main1.local
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 1720
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    names
    name XXX.XXX.XX.XX exchange
    access-list ACL_inside_in permit ip any any
    access-list ACL_inside_in permit icmp any any
    access-list ACL_outside_in permit tcp any host XXX.XXX.XXX.2 eq smtp
    access-list ACL_outside_in permit tcp any host XXX.XXX.XXX.2 eq www
    access-list ACL_outside_in permit tcp any host XXX.XXX.XXX.2 eq 443
    access-list ACL_outside_in permit icmp any any echo-reply
    access-list ACL_outside_in permit icmp any any time-exceeded
    pager lines 24
    logging on
    interface ethernet0 10baset
    interface ethernet1 10full
    mtu outside 1500
    mtu inside 1500
    ip address outside XXX.XXX.XXX.3 255.255.255.0
    ip address inside XXX.XXX.XX.XX 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location XXX.XXX.XX.X 255.255.255.255 inside
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 XXX.XXX.XX.X 255.255.255.0 0 0
    static (inside,outside) XXX.XXX.XXX.2 exchange netmask 255.255.255.255 0 0
    access-group ACL_outside_in in interface outside
    access-group ACL_inside_in in interface inside
    route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.X 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:03:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    http server enable
    http XXX.XXX.XX.X 255.255.255.255 inside
    http XXX.XXX.XX.X 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    no sysopt route dnat
    telnet XXX.XXX.XX.X 255.255.255.0 inside
    telnet timeout 5
    terminal width 80
    _________________________________________________________________


PIX 506 config imported from the above working 501 config, but Exchange can't ping any outside addresses, send or receive email:

    _________________________________________________________________
    PIX Version 6.3(5)
    interface ethernet0 10baset
    interface ethernet1 10full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password n3MMasdcj2sryt encrypted
    passwd FDA2Q4b2NdI.sdWU encrypted
    hostname main1
    domain-name main1.local
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    no fixup protocol smtp 25
    names
    name XXX.XXX.XX.X exchange
    access-list ACL_inside_in permit ip any any
    access-list ACL_inside_in permit icmp any any
    access-list ACL_outside_in permit tcp any host XXX.XXX.XXX.2 eq smtp
    access-list ACL_outside_in permit tcp any host XXX.XXX.XXX.2 eq www
    access-list ACL_outside_in permit tcp any host XXX.XXX.XXX.2 eq https
    access-list ACL_outside_in permit icmp any any echo-reply
    access-list ACL_outside_in permit icmp any any time-exceeded
    pager lines 24
    logging on
    mtu outside 1500
    mtu inside 1500
    ip address outside XXX.XXX.XXX.3 255.255.255.0
    ip address inside XXX.XXX.XX.X 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location XXX.XXX.XX.X 255.255.255.255 inside
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 XXX.XXX.XX.X 255.255.255.0 0 0
    static (inside,outside) XXX.XXX.XXX.2 exchange netmask 255.255.255.255 0 0
    access-group ACL_outside_in in interface outside
    access-group ACL_inside_in in interface inside
    route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.X 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:03:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http XXX.XXX.XX.X 255.255.255.255 inside
    http XXX.XXX.XX.X 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet XXX.XXX.XX.X 255.255.255.0 inside
    telnet timeout 5
    terminal width 80
    _________________________________________________________________

    There are a few differences I see but I don't think they would cause the problem. Version 6.1(4) to 6.3(5) and the 501 config having 443 and the 506 config https.

    I don't think this would cause any problems with the exchange server.

    Thanks for any help you can provide!
     
    RPS13, Dec 8, 2007
    #1
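Added example, not from the thread or from Cisco: a small Python helper that compares two PIX 6.x configs the way a reviewer would before swapping hardware. It normalizes service keywords to port numbers (so `eq 443` and `eq https` compare equal) and applies the CLI's last-wins rule so a later `no fixup protocol ...` cancels the earlier `fixup` line. The excerpts are constructed from the two configs above, with documentation addresses standing in for the redacted ones.

```python
# Map PIX service keywords to port numbers so "eq 443" and "eq https" compare equal.
SERVICE_PORTS = {"www": "80", "http": "80", "https": "443", "smtp": "25", "ssh": "22"}
# Cosmetic / timer lines that legitimately differ between software releases.
IGNORED = ("pager ", "terminal ", "arp timeout", "timeout ", "aaa-server", "pdm ")

def normalize(line: str) -> str:
    """Canonical form of one PIX line: collapse whitespace, service names -> ports."""
    parts = line.strip().split()
    return " ".join(
        SERVICE_PORTS.get(p, p) if i and parts[i - 1] == "eq" else p
        for i, p in enumerate(parts)
    )

def effective_lines(config: str) -> set[str]:
    """Return the effective config: a later 'no fixup protocol X' removes 'fixup protocol X'."""
    result: list[str] = []
    for raw in config.splitlines():
        line = normalize(raw)
        if not line or line.startswith("!") or line.startswith(IGNORED):
            continue
        if line.startswith("no fixup protocol "):
            target = line[len("no "):]          # the fixup line this negates
            result = [l for l in result if l != target]
            continue
        result.append(line)
    return set(result)

def diff_configs(old: str, new: str) -> dict[str, list[str]]:
    """Lines present in only one of the two effective configs, ignoring order."""
    a, b = effective_lines(old), effective_lines(new)
    return {"only_in_old": sorted(a - b), "only_in_new": sorted(b - a)}

# Constructed excerpts (203.0.113.0/24 is a documentation range, not the poster's address).
OLD_501 = """\
fixup protocol smtp 25
access-list ACL_outside_in permit tcp any host 203.0.113.2 eq smtp
access-list ACL_outside_in permit tcp any host 203.0.113.2 eq 443
static (inside,outside) 203.0.113.2 exchange netmask 255.255.255.255 0 0
no sysopt route dnat
"""
NEW_506 = """\
fixup protocol smtp 25
no fixup protocol smtp 25
access-list ACL_outside_in permit tcp any host 203.0.113.2 eq smtp
access-list ACL_outside_in permit tcp any host 203.0.113.2 eq https
static (inside,outside) 203.0.113.2 exchange netmask 255.255.255.255 0 0
"""

if __name__ == "__main__":
    for side, lines in diff_configs(OLD_501, NEW_506).items():
        print(side, lines)
```

Run against the full configs above, the same normalization reports the `no fixup protocol smtp 25` line (which silently turns off the SMTP fixup on the 506) and the `no sysopt route dnat` line present only on the 501, neither of which the post's own list of differences mentions.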

  2. BoBraxton

    Joined:
    Jul 6, 2006
    Messages:
    11
    Likes Received:
    0
    Exchange server problem resolved?

    No help (yet)? Still a problem?
     
    BoBraxton, Dec 19, 2007
    #2

  3. Greeley

    Joined:
    Dec 16, 2007
    Messages:
    67
    Likes Received:
    0
From the FW can you ping the Exchange's internal IP address? Have you tried to do a packet capture on the PIX?
     
    Last edited: Dec 20, 2007
    Greeley, Dec 20, 2007
    #3