Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

PIX 506 Port Forward Issu - Installed a Barracuda and do not want to update my mail record

Posted on 2006-11-19
4
Medium Priority
?
254 Views
Last Modified: 2010-04-08
I added a barracuda spam filter. My MX record points to my static ip. I have a static mapping to my barracuda and all appears to be working. But I can no longer get to my exchange mail @ https://mail.xyz.com/exchange. I get the security alert box about our certifcate need to be trusted . . .

When I click ok, I hit a wall.

Here are the entries I made to adjust my firewall.

no static (inside,outside) xx.41.16.229 barracuda netmask 255.255.255.255 0 0

static (inside,outside) tcp xx.41.16.229 25 barracuda 25
static (inside,outside) tcp xx.41.16.229 https server https

access-list outside_access_in permit tcp any host xx.41.16.229 eq smtp
access-list outside_access_in permit tcp any host xx.41.16.229 eq https

any ideas?
0
Comment
Question by:robsatx
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 17976843
Did you have a:

     static (inside,outside) xx.41.16.229 sever netmask 255.255.255.255 0 0

prior to this.  Have you done a "no" for it?  Have you always gottin the security alert about your certificate?
0
 
LVL 28

Accepted Solution

by:
batry_boy earned 1000 total points
ID: 17976982
I'm assuming that you only have 1 static IP address since you're using port redirection.

With the adjustments you made, the relevant commands should look like the following on your existing PIX configuration.

static (inside,outside) tcp xx.41.16.229 smtp barracuda smtp
static (inside,outside) tcp xx.41.16.229 443 server 443
access-list outside_access_in permit tcp any host xx.41.16.229 eq smtp
access-list outside_access_in permit tcp any host xx.41.16.229 eq 443
access-group outside_access_in in interface outside

Is this correct?  I added the last statement to verify that you applied the access-list to the outside interface.  Make sure this "access-group" statement is there.

After you made the changes to the translations, did you do a "clear xlate" command?

If you're still stuck after looking at these items, please post your PIX config so we can look at it to get a better idea of what else the issue could be.  Make sure you take out any sensitive data before posting.

Regards...
0
 
LVL 2

Author Comment

by:robsatx
ID: 17977109
Actually I have a number of IPs, but I have a number of PDAs connecting to this dns entry. So I did not wnat to have to change them . . .

I added teh access-group statement and it worked. What is that for? I have never had to forward by port in the past . . .

Thanks!
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 17979505
The access-group command actually applies the access-list to the interface.  So, you had the port redirection statements put in correctly, but you weren't allowing the traffic inbound through the outside interface because you had not applied the access list to the interface.

So you were reeeeeeal close already!

Also, for future reference, if you ever have to negate an access-list with the "no" form of the command, it will also negate the "access-group" command that references that same access-list.  In our example, if you start off with:

access-list outside_access_in permit tcp any host xx.41.16.229 eq smtp
access-list outside_access_in permit tcp any host xx.41.16.229 eq 443
access-group outside_access_in in interface outside

And then you do something like:

no access-list outside_access_in

This will also kill the line that reads:

access-group outside_access_in in interface outside

So, when you recreate the access-list that you want to apply to the outside interface, you will have to re-issue the "access-group" command again to apply that ACL to the interface.  Could this have been what happened here?  Did you perhaps remove the ACL during your changes?

Just a thought...
0

Featured Post

[Webinar] Lessons on Recovering from Petya

Skyport is working hard to help customers recover from recent attacks, like the Petya worm. This work has brought to light some important lessons. New malware attacks like this can take down your entire environment. Learn from others mistakes on how to prevent Petya like worms.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you are like regular user of computer nowadays, a good bet that your home computer is on right now, all exposed to world of Internet to be exploited by somebody you do not know and you never will. Internet security issues has been getting worse d…
To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
In this video, Percona Director of Solution Engineering Jon Tobin discusses the function and features of Percona Server for MongoDB. How Percona can help Percona can help you determine if Percona Server for MongoDB is the right solution for …
Suggested Courses

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question