PIX 506e reverse lookup MX record with Barracuda

Posted on 2006-05-10
Last Modified: 2013-11-16

We have a Barracuda spam appliance in our network. As you can see from the configuration of our PIX 506e below, e-mail is forwarded to the Barracuda (ip and then from there it is sent on to our mail server at That works fine.

The firewall WAN address is
Our MX record for resolves to public ip address
A PTR record exists for address to

But when we send mail from our mail server it is sent via the firewall WAN address of, and as a consequence reverse lookup fails (it should return Therefore many mail servers reject our e-mail because of their policy that reverse lookup must succeed.

How do I configure my PIX so that:
1. Incoming mail will go to the Barracuda at
2. Outgoing mail from will be sent via
3. AND I can still use the https service on the mail server?

This is my current configuration:

access-list outside_access_in permit tcp any host eq smtp
access-list outside_access_in permit tcp any host eq https

static (inside,outside) tcp smtp BARRACUDA smtp netmask 0 0
static (inside,outside) tcp https MAILSERVER https netmask 0 0

Question by: petererik
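
The reverse-lookup rejection described in the question, as an added example that is not part of the original thread: a forward-confirmed reverse DNS check of the kind receiving mail servers apply to the connecting address. The addresses, host names and the shape of the corrected records are constructed assumptions (RFC 5737 range, example.com), since the post's own values are not shown.

```python
# Added example: forward-confirmed reverse DNS (FCrDNS) check.
# All names and addresses are constructed, not taken from the post.
import socket

def system_ptr(ip):
    """PTR names for ip via the system resolver (empty list if none)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name, *aliases]
    except OSError:
        return []

def system_a(name):
    """IPv4 addresses for name via the system resolver."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def fcrdns(ip, ptr_lookup=system_ptr, a_lookup=system_a):
    """Return (ok, reason) for the connecting address ip."""
    names = ptr_lookup(ip)
    if not names:
        return False, "no PTR record"
    for name in names:
        # The PTR name must resolve forward to the same address.
        if ip in a_lookup(name.rstrip(".")):
            return True, f"{ip} <-> {name}"
    return False, f"PTR {names} does not resolve back to {ip}"

# Constructed records: the MX host has a PTR, but outbound mail leaves
# from the firewall WAN address, which has none.
MX_IP, WAN_IP = "192.0.2.10", "192.0.2.1"
PTR = {MX_IP: ["mail.example.com."]}
A = {"mail.example.com": [MX_IP]}

def check(ip, ptr, a):
    """Run fcrdns against in-memory records instead of live DNS."""
    return fcrdns(ip, lambda i: ptr.get(i, []), lambda n: a.get(n, []))

def fixed_records():
    """Assumed corrected state: PTR and A both cover the egress address."""
    return {WAN_IP: ["mail.example.com."]}, {"mail.example.com": [WAN_IP]}

if __name__ == "__main__":
    print(check(WAN_IP, PTR, A))            # egress address before the change
    print(check(WAN_IP, *fixed_records()))  # egress address after the change
```

Calling `fcrdns("<your egress IP>")` with the default lookups runs the same check against live DNS.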

    Author Comment

    I found out from Cisco that this is not possible because the PIX does not support Policy Based Routing. I would need a router to do this.
    So what I am going to do is change these lines:
    access-list outside_access_in permit tcp any host eq smtp
    access-list outside_access_in permit tcp any host eq https

    static (inside,outside) tcp smtp BARRACUDA smtp netmask 0 0
    static (inside,outside) tcp MAILSERVER https netmask 0 0

    and change my PTR record to


    Accepted Solution

    Is this call complete then Peter?

    Author Comment

    All set. Thanks!

    Expert Comment

    by:James Glaubiger
    I am having the same issue with the following configuration on a PIX running OS 4.4. What commands do I need to change to get Reverse Lookup working?

    I think I want to change my MX record to point to instead of, divert smtp to the Barracuda ( from that IP address?

    WAN / LAN ->  WAN / LAN (Exchange)

    How do I get ->

    PIX Settings:

    static (inside,internet) netmask 0 0
    static (inside,internet) netmask 0 0

    conduit permit tcp host eq smtp any
    conduit permit tcp host eq 143 any
    conduit permit tcp host eq 443 any
    conduit permit tcp host eq 993 any
    conduit permit tcp host eq 587 any

    Thanks in advance.
