Solved

PIX 506 Port Forward Issu - Installed a Barracuda and do not want to update my mail record

Posted on 2006-11-19
4
245 Views
Last Modified: 2010-04-08
I added a barracuda spam filter. My MX record points to my static ip. I have a static mapping to my barracuda and all appears to be working. But I can no longer get to my exchange mail @ https://mail.xyz.com/exchange. I get the security alert box about our certifcate need to be trusted . . .

When I click ok, I hit a wall.

Here are the entries I made to adjust my firewall.

no static (inside,outside) xx.41.16.229 barracuda netmask 255.255.255.255 0 0

static (inside,outside) tcp xx.41.16.229 25 barracuda 25
static (inside,outside) tcp xx.41.16.229 https server https

access-list outside_access_in permit tcp any host xx.41.16.229 eq smtp
access-list outside_access_in permit tcp any host xx.41.16.229 eq https

any ideas?
0
Comment
Question by:robsatx
  • 2
4 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 17976843
Did you have a:

     static (inside,outside) xx.41.16.229 sever netmask 255.255.255.255 0 0

prior to this.  Have you done a "no" for it?  Have you always gottin the security alert about your certificate?
0
 
LVL 28

Accepted Solution

by:
batry_boy earned 250 total points
ID: 17976982
I'm assuming that you only have 1 static IP address since you're using port redirection.

With the adjustments you made, the relevant commands should look like the following on your existing PIX configuration.

static (inside,outside) tcp xx.41.16.229 smtp barracuda smtp
static (inside,outside) tcp xx.41.16.229 443 server 443
access-list outside_access_in permit tcp any host xx.41.16.229 eq smtp
access-list outside_access_in permit tcp any host xx.41.16.229 eq 443
access-group outside_access_in in interface outside

Is this correct?  I added the last statement to verify that you applied the access-list to the outside interface.  Make sure this "access-group" statement is there.

After you made the changes to the translations, did you do a "clear xlate" command?

If you're still stuck after looking at these items, please post your PIX config so we can look at it to get a better idea of what else the issue could be.  Make sure you take out any sensitive data before posting.

Regards...
0
 
LVL 2

Author Comment

by:robsatx
ID: 17977109
Actually I have a number of IPs, but I have a number of PDAs connecting to this dns entry. So I did not wnat to have to change them . . .

I added teh access-group statement and it worked. What is that for? I have never had to forward by port in the past . . .

Thanks!
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 17979505
The access-group command actually applies the access-list to the interface.  So, you had the port redirection statements put in correctly, but you weren't allowing the traffic inbound through the outside interface because you had not applied the access list to the interface.

So you were reeeeeeal close already!

Also, for future reference, if you ever have to negate an access-list with the "no" form of the command, it will also negate the "access-group" command that references that same access-list.  In our example, if you start off with:

access-list outside_access_in permit tcp any host xx.41.16.229 eq smtp
access-list outside_access_in permit tcp any host xx.41.16.229 eq 443
access-group outside_access_in in interface outside

And then you do something like:

no access-list outside_access_in

This will also kill the line that reads:

access-group outside_access_in in interface outside

So, when you recreate the access-list that you want to apply to the outside interface, you will have to re-issue the "access-group" command again to apply that ACL to the interface.  Could this have been what happened here?  Did you perhaps remove the ACL during your changes?

Just a thought...
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you are like regular user of computer nowadays, a good bet that your home computer is on right now, all exposed to world of Internet to be exploited by somebody you do not know and you never will. Internet security issues has been getting worse d…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
Migrating to Microsoft Office 365 is becoming increasingly popular for organizations both large and small. If you have made the leap to Microsoft’s cloud platform, you know that you will need to create a corporate email signature for your Office 365…
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now