Should I block inbound port 25 on the PIX 515?

Hi everyone. OK here is our situation. We currently have an Exchange 5.5 server. Port 25 is open inbound and outbound to the Exchange Server. We recently set up an anti-spam server, added an MX record for it, and opened inbound port 25 to it. We then removed the Exchange Server's MX record. Now mail coming to our company from the outside first comes to the anti-spam server and then is routed internally to the Exchange Server. The Exchange Server still sends mail out through port 25. My question is, since e-mail is now coming to the anti-spam server first and never directly to the Exchange Server, can I close inbound port 25 to the Exchange? Will this cause any problems sending e-mail out of our company? I would appreciate any advice. Thanks.

Reply to
Corbin O'Reilly

Based on what you just wrote I would see no reason why you could NOT close SMTP to your exchange server. **Only**, of course, you would still need SMTP access to your anti-spam/relay server. A good way to test this would be to go ahead and remove the ACL for SMTP to exchange, then from outside your firewall telnet to the MX record hostname on port 25. You should see the SMTP banner of your anti-spam/relay server.

Reply to
Chad Mahoney

I'm working on a site with a similar configuration. Are you perchance using the same IP incoming and outgoing? I'm wondering what command you are using to bring mail to your anti-spam server.

cos

Reply to
cosmicspin

On what port does the spam server talk to the exchange server? If it's 25 you'll need to keep it open. Based on your description I'm assuming the spam server is outside the firewall and the exchange server is inside the firewall. If you're limiting the inbound port 25 traffic to only originate from the spam server's IP address you should be ok unless the spam server gets compromised.

Reply to
Brad

Hey cos. The anti-spam server has a different public/private IP Address than the Exchange Server. What I did was set up the anti-spam software on another server, put in a static (inside,outside) command in my PIX, opened port 25 to the anti-spam server, removed my Exchange Server's MX record from my ISP's DNS Servers, and replaced it with a new MX record pointing to the anti-spam server. Now mail from the outside comes into the anti-spam server and is routed internally to the Exchange Server. The Exchange Server still sends mail out through port 25 to the rest of the world. I still have inbound port 25 open to the Exchange Server, but it looks like I can safely remove that entry from the PIX because e-mail from the outside world is now coming directly to the anti-spam server and not to the Exchange Server.

Reply to
Corbin O'Reilly

Both the anti-spam server and Exchange Server are on the same internal subnet. I have NAT set up on the PIX. Both servers have their public IPs translating to internal private IPs.

Reply to
Corbin O'Reilly
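The change discussed in this thread, written out as an added PIX 6.x configuration example (not from any poster in the thread). The addresses, the access-list name `outside_in` and the interface names are placeholders; it assumes both servers sit on the inside interface behind one-to-one statics, as Corbin describes.

```cisco
: Added example, not from the thread. Placeholder addresses:
:   203.0.113.10 / 192.168.1.10 = anti-spam relay (public / inside)
:   203.0.113.20 / 192.168.1.20 = Exchange 5.5   (public / inside)
:
: --- BEFORE: inbound port 25 reaches both hosts from the Internet ---
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.20 192.168.1.20 netmask 255.255.255.255 0 0
access-list outside_in permit tcp any host 203.0.113.10 eq smtp
access-list outside_in permit tcp any host 203.0.113.20 eq smtp
access-group outside_in in interface outside
:
: --- AFTER: only the relay accepts SMTP from the Internet ---
: Drop just the Exchange entry. The Exchange static stays, so outbound
: mail from 192.168.1.20 still leaves as 203.0.113.20 (the statics take
: precedence over the 'nat (inside) 10 0.0.0.0 0.0.0.0 0 0' rule).
: Relay -> Exchange on port 25 is inside-to-inside and never crosses
: the PIX, so no access-list entry is needed for it.
no access-list outside_in permit tcp any host 203.0.113.20 eq smtp
:
: Check from a host outside the firewall, as suggested in the thread:
:   telnet <MX hostname> 25   -> banner of the anti-spam relay
:   telnet 203.0.113.20 25    -> connection refused / times out
```

If the anti-spam server were instead outside the firewall (Brad's assumption), the Exchange entry would be kept but narrowed to `permit tcp host <relay IP> host 203.0.113.20 eq smtp` rather than removed.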

Corbin,

You shouldn't have a problem shutting down port 25 to the exchange server, if it's INSIDE. I'm having issues myself, but I'm attempting to use the same IP for both servers. The traffic is similar to yours, but I need the same global IP outside to forward to the antispam server, and then allow the exchange server to send out via the very same IP.

Are you using nat (inside) for the exchange server?

cos

Reply to
cosmicspin

Hey cosmicspin. Yes I have the following command in my PIX 515 config:

nat (inside) 10 0.0.0.0 0.0.0.0 0 0

You may want to start a new post since what you are trying to do is a little different from what I am trying to do. There is a guy on this board named Walter Roberson that has helped a lot of us out in the past. He really knows his stuff. Create a new post and hopefully he or another expert will help you out. These boards are great. I learn so much here. Take care. Corbin.

Reply to
Corbin O'Reilly

In article , Corbin O'Reilly wrote:
:You may want to start a new post since what you are trying to do is a little
:different from what I am trying to do. There is a guy on this board named
:Walter Roberson that has helped a lot of us out in the past. He really knows
:his stuff. Create a new post and hopefully he or another expert will help
:you out.

Answer already given... he didn't follow up to say how well it had worked.


Reply to
Walter Roberson

Walter,

No, it unfortunately doesn't work. The outgoing mail works fine with the answer you told me (it now shows the proper IP), but now an issue has arisen with incoming mail. After changing the static (inside,outside) line to the one you suggested, it seems like incoming mail doesn't reach the anti-spam server any longer. The configuration you gave me seems quite logical, yet there's something going wrong.

The PIX in question is running 6.1. I tried various other methods, like an access list for the static (inside,outside) command, but incoming mail simply doesn't work until I disable the nat statement that forces a global IP to the exchange server. I was going to try logging into their anti-spam server, to see if maybe it's rejecting incoming SMTP traffic for one reason or another.

cos

Reply to
cosmicspin
[static PAT]

:The PIX in question is running 6.1.

PIX 6.1 had known bugs with static PAT, particularly 6.1(1) and 6.1(2).

Which exact release are you using? And is there a reason you haven't updated to 6.2 or 6.3? If you google Cisco's site for "PIX security advisories" and newest one or two, you can usually find a security-related excuse to convince Cisco to give you a free update from 6.1 to the latest 6.3. (Doesn't work for 6.2 to 6.3, as they are still producing 6.2 patches.)

Reply to
Walter Roberson

There's no reason why I haven't updated the PIX, but it belongs to a company I configured routers for... I figured I'd help them out with a 'quick' problem at their other site, and it turned out to be more than 'quick'. Most of the other issues were easily resolved by just using my router know-how and reading documentation, but this one issue just seems unable to be fixed.

What you said about there being a possible 'bug', is VERY probable. I'll have to see if I can find a reason for them to get a free update, and possibly fix this for once.

Thanks for your help once again, if you think of anything in the meantime be sure to let me know. I'm going to try and see if any of my ideas work this afternoon, and then start worrying about updating.

cos

Reply to
cosmicspin

The PIX has version 6.1(1) on it. This might be the source of the 'broken' static function.

I wonder if there's a way around this problem... In the meantime, I asked the PIX owners to see if they still have an active contract (I believe they do). They probably can upgrade to the newest version.

cos

Reply to
cosmicspin

In article , wrote:
:The PIX has version 6.1(1) on it.

They need an update, then -- there are a number of known attacks on that version. Even if you just get them through to the last 6.1 they would be better off.

Reply to
Walter Roberson

I'll let everyone know what the outcome is. Hopefully if anyone else runs into an issue similar to mine with 6.1(1) or (2) they will have a lead for an upgrade, and thus not have to deal with a strange bug. :0)

cos

Reply to
cosmicspin
