robsatx
PIX 506 Port Forward Issue - Installed a Barracuda and do not want to update my mail record

I added a barracuda spam filter. My MX record points to my static ip. I have a static mapping to my barracuda and all appears to be working. But I can no longer get to my exchange mail @ https://mail.xyz.com/exchange. I get the security alert box about our certificate needing to be trusted . . .

When I click ok, I hit a wall.

Here are the entries I made to adjust my firewall.

no static (inside,outside) xx.41.16.229 barracuda netmask 255.255.255.255 0 0

static (inside,outside) tcp xx.41.16.229 25 barracuda 25
static (inside,outside) tcp xx.41.16.229 https server https

access-list outside_access_in permit tcp any host xx.41.16.229 eq smtp
access-list outside_access_in permit tcp any host xx.41.16.229 eq https

any ideas?
giltjr

Did you have a:

     static (inside,outside) xx.41.16.229 server netmask 255.255.255.255 0 0

prior to this.  Have you done a "no" for it?  Have you always gotten the security alert about your certificate?
ASKER CERTIFIED SOLUTION
batry_boy
robsatx

ASKER

Actually I have a number of IPs, but I have a number of PDAs connecting to this dns entry. So I did not want to have to change them . . .

I added the access-group statement and it worked. What is that for? I have never had to forward by port in the past . . .

Thanks!
The access-group command actually applies the access-list to the interface.  So, you had the port redirection statements put in correctly, but you weren't allowing the traffic inbound through the outside interface because you had not applied the access list to the interface.

So you were reeeeeeal close already!

Also, for future reference, if you ever have to negate an access-list with the "no" form of the command, it will also negate the "access-group" command that references that same access-list.  In our example, if you start off with:

access-list outside_access_in permit tcp any host xx.41.16.229 eq smtp
access-list outside_access_in permit tcp any host xx.41.16.229 eq 443
access-group outside_access_in in interface outside

And then you do something like:

no access-list outside_access_in

This will also kill the line that reads:

access-group outside_access_in in interface outside

So, when you recreate the access-list that you want to apply to the outside interface, you will have to re-issue the "access-group" command again to apply that ACL to the interface.  Could this have been what happened here?  Did you perhaps remove the ACL during your changes?

Just a thought...
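An added example, not from the thread or from Cisco: a small Python checker that parses PIX-style access-list and access-group lines, models the "no access-list" behaviour batry_boy describes above (the ACL and the access-group that references it both disappear), and reports ACLs that are defined but never applied to an interface, which is exactly the gap in the asker's original config. The sample lines are constructed, using an RFC 5737 documentation address in place of the asker's masked IP.

```python
from dataclasses import dataclass, field

@dataclass
class PixConfig:
    acls: dict = field(default_factory=dict)    # ACL name -> list of ACEs
    groups: dict = field(default_factory=dict)  # ACL name -> (direction, interface)

    def apply(self, line):
        """Apply one CLI line, honouring the 'no' form of the command."""
        words = line.split()
        if not words or words[0] == "!":
            return
        negate = words[0] == "no"
        if negate:
            words = words[1:]
            if not words:
                return
        if words[0] == "access-list":
            name = words[1]
            if negate:
                # "no access-list NAME" deletes every ACE and, as the answer
                # above notes, also drops the access-group that referenced it.
                self.acls.pop(name, None)
                self.groups.pop(name, None)
            else:
                self.acls.setdefault(name, []).append(" ".join(words[2:]))
        elif words[0] == "access-group":
            # access-group NAME in interface IFACE
            self.groups[words[1]] = (words[2], words[4])
        # static and other commands are ignored by this checker

    def unbound_acls(self):
        """ACLs that exist but are bound to no interface; the traffic they
        permit is still dropped, which is the symptom in this thread."""
        return sorted(n for n in self.acls if n not in self.groups)

def load(lines):
    """Build a PixConfig from an iterable of CLI lines."""
    cfg = PixConfig()
    for line in lines:
        cfg.apply(line)
    return cfg

# Constructed sample mirroring the asker's lines (RFC 5737 address, no access-group).
SAMPLE = [
    "static (inside,outside) tcp 203.0.113.229 25 barracuda 25",
    "static (inside,outside) tcp 203.0.113.229 https server https",
    "access-list outside_access_in permit tcp any host 203.0.113.229 eq smtp",
    "access-list outside_access_in permit tcp any host 203.0.113.229 eq https",
]
```

Running `load(SAMPLE).unbound_acls()` on the sample flags outside_access_in; appending the access-group line clears the finding, and a later "no access-list outside_access_in" removes the binding again.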