Solved

PIX 506 Port Forward Issu - Installed a Barracuda and do not want to update my mail record

Posted on 2006-11-19
4
244 Views
Last Modified: 2010-04-08
I added a barracuda spam filter. My MX record points to my static ip. I have a static mapping to my barracuda and all appears to be working. But I can no longer get to my exchange mail @ https://mail.xyz.com/exchange. I get the security alert box about our certifcate need to be trusted . . .

When I click ok, I hit a wall.

Here are the entries I made to adjust my firewall.

no static (inside,outside) xx.41.16.229 barracuda netmask 255.255.255.255 0 0

static (inside,outside) tcp xx.41.16.229 25 barracuda 25
static (inside,outside) tcp xx.41.16.229 https server https

access-list outside_access_in permit tcp any host xx.41.16.229 eq smtp
access-list outside_access_in permit tcp any host xx.41.16.229 eq https

any ideas?
0
Comment
Question by:robsatx
  • 2
4 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 17976843
Did you have a:

     static (inside,outside) xx.41.16.229 sever netmask 255.255.255.255 0 0

prior to this.  Have you done a "no" for it?  Have you always gottin the security alert about your certificate?
0
 
LVL 28

Accepted Solution

by:
batry_boy earned 250 total points
ID: 17976982
I'm assuming that you only have 1 static IP address since you're using port redirection.

With the adjustments you made, the relevant commands should look like the following on your existing PIX configuration.

static (inside,outside) tcp xx.41.16.229 smtp barracuda smtp
static (inside,outside) tcp xx.41.16.229 443 server 443
access-list outside_access_in permit tcp any host xx.41.16.229 eq smtp
access-list outside_access_in permit tcp any host xx.41.16.229 eq 443
access-group outside_access_in in interface outside

Is this correct?  I added the last statement to verify that you applied the access-list to the outside interface.  Make sure this "access-group" statement is there.

After you made the changes to the translations, did you do a "clear xlate" command?

If you're still stuck after looking at these items, please post your PIX config so we can look at it to get a better idea of what else the issue could be.  Make sure you take out any sensitive data before posting.

Regards...
0
 
LVL 2

Author Comment

by:robsatx
ID: 17977109
Actually I have a number of IPs, but I have a number of PDAs connecting to this dns entry. So I did not wnat to have to change them . . .

I added teh access-group statement and it worked. What is that for? I have never had to forward by port in the past . . .

Thanks!
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 17979505
The access-group command actually applies the access-list to the interface.  So, you had the port redirection statements put in correctly, but you weren't allowing the traffic inbound through the outside interface because you had not applied the access list to the interface.

So you were reeeeeeal close already!

Also, for future reference, if you ever have to negate an access-list with the "no" form of the command, it will also negate the "access-group" command that references that same access-list.  In our example, if you start off with:

access-list outside_access_in permit tcp any host xx.41.16.229 eq smtp
access-list outside_access_in permit tcp any host xx.41.16.229 eq 443
access-group outside_access_in in interface outside

And then you do something like:

no access-list outside_access_in

This will also kill the line that reads:

access-group outside_access_in in interface outside

So, when you recreate the access-list that you want to apply to the outside interface, you will have to re-issue the "access-group" command again to apply that ACL to the interface.  Could this have been what happened here?  Did you perhaps remove the ACL during your changes?

Just a thought...
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now