Solved

PIX 506 Port Forward Issu - Installed a Barracuda and do not want to update my mail record

Posted on 2006-11-19
4
250 Views
Last Modified: 2010-04-08
I added a barracuda spam filter. My MX record points to my static ip. I have a static mapping to my barracuda and all appears to be working. But I can no longer get to my exchange mail @ https://mail.xyz.com/exchange. I get the security alert box about our certifcate need to be trusted . . .

When I click ok, I hit a wall.

Here are the entries I made to adjust my firewall.

no static (inside,outside) xx.41.16.229 barracuda netmask 255.255.255.255 0 0

static (inside,outside) tcp xx.41.16.229 25 barracuda 25
static (inside,outside) tcp xx.41.16.229 https server https

access-list outside_access_in permit tcp any host xx.41.16.229 eq smtp
access-list outside_access_in permit tcp any host xx.41.16.229 eq https

any ideas?
0
Comment
Question by:robsatx
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 17976843
Did you have a:

     static (inside,outside) xx.41.16.229 sever netmask 255.255.255.255 0 0

prior to this.  Have you done a "no" for it?  Have you always gottin the security alert about your certificate?
0
 
LVL 28

Accepted Solution

by:
batry_boy earned 250 total points
ID: 17976982
I'm assuming that you only have 1 static IP address since you're using port redirection.

With the adjustments you made, the relevant commands should look like the following on your existing PIX configuration.

static (inside,outside) tcp xx.41.16.229 smtp barracuda smtp
static (inside,outside) tcp xx.41.16.229 443 server 443
access-list outside_access_in permit tcp any host xx.41.16.229 eq smtp
access-list outside_access_in permit tcp any host xx.41.16.229 eq 443
access-group outside_access_in in interface outside

Is this correct?  I added the last statement to verify that you applied the access-list to the outside interface.  Make sure this "access-group" statement is there.

After you made the changes to the translations, did you do a "clear xlate" command?

If you're still stuck after looking at these items, please post your PIX config so we can look at it to get a better idea of what else the issue could be.  Make sure you take out any sensitive data before posting.

Regards...
0
 
LVL 2

Author Comment

by:robsatx
ID: 17977109
Actually I have a number of IPs, but I have a number of PDAs connecting to this dns entry. So I did not wnat to have to change them . . .

I added teh access-group statement and it worked. What is that for? I have never had to forward by port in the past . . .

Thanks!
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 17979505
The access-group command actually applies the access-list to the interface.  So, you had the port redirection statements put in correctly, but you weren't allowing the traffic inbound through the outside interface because you had not applied the access list to the interface.

So you were reeeeeeal close already!

Also, for future reference, if you ever have to negate an access-list with the "no" form of the command, it will also negate the "access-group" command that references that same access-list.  In our example, if you start off with:

access-list outside_access_in permit tcp any host xx.41.16.229 eq smtp
access-list outside_access_in permit tcp any host xx.41.16.229 eq 443
access-group outside_access_in in interface outside

And then you do something like:

no access-list outside_access_in

This will also kill the line that reads:

access-group outside_access_in in interface outside

So, when you recreate the access-list that you want to apply to the outside interface, you will have to re-issue the "access-group" command again to apply that ACL to the interface.  Could this have been what happened here?  Did you perhaps remove the ACL during your changes?

Just a thought...
0

Featured Post

Is your NGFW recommended by NSS Labs?

Ours is! NSS Labs Next Generation Firewall Test gives the WatchGuard Firebox M4600 a "Recommended" rating! Curious where your NGFW landed on the  Security Value Map? See the map and download the full report today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…

689 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question