Solved

PIX 506 Port Forward Issu - Installed a Barracuda and do not want to update my mail record

Posted on 2006-11-19
4
246 Views
Last Modified: 2010-04-08
I added a barracuda spam filter. My MX record points to my static ip. I have a static mapping to my barracuda and all appears to be working. But I can no longer get to my exchange mail @ https://mail.xyz.com/exchange. I get the security alert box about our certifcate need to be trusted . . .

When I click ok, I hit a wall.

Here are the entries I made to adjust my firewall.

no static (inside,outside) xx.41.16.229 barracuda netmask 255.255.255.255 0 0

static (inside,outside) tcp xx.41.16.229 25 barracuda 25
static (inside,outside) tcp xx.41.16.229 https server https

access-list outside_access_in permit tcp any host xx.41.16.229 eq smtp
access-list outside_access_in permit tcp any host xx.41.16.229 eq https

any ideas?
0
Comment
Question by:robsatx
  • 2
4 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 17976843
Did you have a:

     static (inside,outside) xx.41.16.229 sever netmask 255.255.255.255 0 0

prior to this.  Have you done a "no" for it?  Have you always gottin the security alert about your certificate?
0
 
LVL 28

Accepted Solution

by:
batry_boy earned 250 total points
ID: 17976982
I'm assuming that you only have 1 static IP address since you're using port redirection.

With the adjustments you made, the relevant commands should look like the following on your existing PIX configuration.

static (inside,outside) tcp xx.41.16.229 smtp barracuda smtp
static (inside,outside) tcp xx.41.16.229 443 server 443
access-list outside_access_in permit tcp any host xx.41.16.229 eq smtp
access-list outside_access_in permit tcp any host xx.41.16.229 eq 443
access-group outside_access_in in interface outside

Is this correct?  I added the last statement to verify that you applied the access-list to the outside interface.  Make sure this "access-group" statement is there.

After you made the changes to the translations, did you do a "clear xlate" command?

If you're still stuck after looking at these items, please post your PIX config so we can look at it to get a better idea of what else the issue could be.  Make sure you take out any sensitive data before posting.

Regards...
0
 
LVL 2

Author Comment

by:robsatx
ID: 17977109
Actually I have a number of IPs, but I have a number of PDAs connecting to this dns entry. So I did not wnat to have to change them . . .

I added teh access-group statement and it worked. What is that for? I have never had to forward by port in the past . . .

Thanks!
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 17979505
The access-group command actually applies the access-list to the interface.  So, you had the port redirection statements put in correctly, but you weren't allowing the traffic inbound through the outside interface because you had not applied the access list to the interface.

So you were reeeeeeal close already!

Also, for future reference, if you ever have to negate an access-list with the "no" form of the command, it will also negate the "access-group" command that references that same access-list.  In our example, if you start off with:

access-list outside_access_in permit tcp any host xx.41.16.229 eq smtp
access-list outside_access_in permit tcp any host xx.41.16.229 eq 443
access-group outside_access_in in interface outside

And then you do something like:

no access-list outside_access_in

This will also kill the line that reads:

access-group outside_access_in in interface outside

So, when you recreate the access-list that you want to apply to the outside interface, you will have to re-issue the "access-group" command again to apply that ACL to the interface.  Could this have been what happened here?  Did you perhaps remove the ACL during your changes?

Just a thought...
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Linksys LRT 224 forward 3 42
firewall inside of network 9 76
Palo Alto Networks Global Protect 2 125
SSH over http/https 8 125
Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
This Micro Tutorial will give you a basic overview how to record your screen with Microsoft Expression Encoder. This program is still free and open for the public to download. This will be demonstrated using Microsoft Expression Encoder 4.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

823 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question