Solved

Need help creating SMTP redirection for Barracuda Spam Firewall

Posted on 2007-10-19
Last Modified: 2012-07-21
After implementing Exchange 2007 and getting OWA working, I decided to use a Barracuda to handle the spam problem. Well, my problem now is how do I redirect the SMTP traffic that was headed to my mail server to the Barracuda? Reassigning the IP address is not an option at this point. The IOS is 12.0 and we are not using NAT. Can anyone give me some hints? Here is my router config. Thanks.
DeltaDiablo#s runn
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname DeltaDiablo
!
enable password 7 0871141A5B41554E44
!
ip subnet-zero
ip tftp source-interface Ethernet0
no ip domain-lookup
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
ip inspect name Ethernet_0 tcp
ip inspect name Ethernet_0 ftp
ip inspect name Ethernet_0 udp
ip inspect name Ethernet_0 realaudio
ip inspect name Ethernet_0 smtp
ip inspect name Ethernet_0 vdolive
ip inspect name Serial_0_1 udp
ip inspect name Serial_0_1 smtp
ip inspect name Serial_0_1 ftp
!
no crypto isakmp enable
!
 clock timezone Pacific -8
 clock summer-time PDST recurring 1 Sat Apr 2:00 last Sat Oct 2:00
 !
 !
 !
 interface Ethernet0
 description connected to DDSD DMZ
 ip address 207.xxx.xxx.129 255.255.255.128
 ip access-group 100 in
 no ip directed-broadcast
 ip inspect Ethernet_0 in
!
interface Serial0
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay
 no ip mroute-cache
 service-module t1 remote-alarm-enable
 frame-relay lmi-type cisco
!
interface Serial0.1 point-to-point
 description connected to Internet
 ip address 209.xxx.xxx.218 255.255.255.128
 ip access-group 101 in
 no ip directed-broadcast
 ip inspect Serial_0_1 in
 frame-relay interface-dlci 16
!
interface BRI0
 no ip address
 no ip directed-broadcast
 shutdown
!
router rip
 version 2
 passive-interface Serial0.1
 network 207.xxx.xxx.0
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0.1
ip http server
!
access-list 100 permit udp any eq rip any eq rip
access-list 100 deny   ip host 207.xxx.xxx.140 any
access-list 100 permit tcp any any eq finger
access-list 100 permit tcp any any range ftp-data ftp
access-list 100 permit tcp any any eq www
access-list 100 permit icmp any any
access-list 100 permit udp any any eq isakmp
access-list 100 permit tcp any any eq nntp
access-list 100 permit udp any any eq domain
access-list 100 permit tcp any any eq 7070
access-list 100 permit tcp any any eq smtp
access-list 100 permit udp any any eq tacacs
access-list 100 permit tcp any any eq telnet
access-list 100 permit tcp any any eq 7000
access-list 100 permit ip host 207.xxx.xxx.145 any
access-list 100 permit tcp any any eq 443
access-list 100 permit tcp host 207.xxx.xxx.130 any eq 8100
access-list 100 permit tcp host 207.xxx.xxx.130 host 208.xxx.xxx.83 eq 9000
access-list 100 permit ip host 207.xxx.xxx.150 any
access-list 100 permit tcp any any eq 1755
access-list 100 permit udp any any eq 1755
access-list 100 permit tcp any any eq daytime
access-list 100 permit tcp any any eq 2847
access-list 100 permit tcp any any eq 2848
access-list 100 permit tcp any any eq 537
access-list 100 permit udp any any eq 537
access-list 100 permit tcp host 207.xxx.xxx.145 any eq smtp
access-list 100 permit tcp any any eq domain
access-list 100 permit ip any any
access-list 100 permit ip host 207.xxx.xxx.130 any
access-list 100 permit udp any eq 1755 any
access-list 100 permit tcp any eq 1755 any
access-list 100 permit tcp host 207.xxx.xxx.130 any eq 3101
access-list 100 permit ip host 207.xxx.xxx.185 any
access-list 100 permit tcp host 207.xxx.xxx.145 any eq www
access-list 100 permit tcp host 207.xxx.xxx.145 any eq 443
access-list 100 permit 123 host 207.xxx.xxx.145 any
access-list 100 permit ip host 207.xxx.xxx.144 any
access-list 100 permit tcp any host 207.xxx.xxx.135
access-list 101 deny   ip 207.xxx.xxx.128 0.0.0.127 any
access-list 101 permit icmp any host 207.xxx.xxx.145
access-list 101 permit udp any host 207.xxx.xxx.145 eq isakmp
access-list 101 permit tcp any host 207.xxx.xxx.145 eq smtp
access-list 101 permit tcp any host 207.xxx.xxx.140 range ftp-data ftp
access-list 101 permit tcp any host 207.xxx.xxx.140 eq www
access-list 101 permit tcp any host 207.xxx.xxx.145 eq daytime
access-list 101 permit tcp any host 207.xxx.xxx.145 eq 5631
access-list 101 permit tcp any host 207.xxx.xxx.145 eq 5632
access-list 101 permit udp any host 207.xxx.xxx.145 eq 5631
access-list 101 permit udp any host 207.xxx.xxx.145 eq 5632
access-list 101 permit udp any host 207.xxx.xxx.145 eq 22
access-list 101 permit tcp any host 207.xxx.xxx.145 eq 3389
access-list 101 deny   tcp any any range 137 139
access-list 101 permit tcp any host 207.xxx.xxx.150 eq 1723
access-list 101 permit gre any host 207.xxx.xxx.150
access-list 101 permit icmp 0.0.0.0 255.255.255.0 host 207.xxx.xxx.129
access-list 101 permit tcp any host 207.xxx.xxx.130 eq 1723
access-list 101 permit gre any host 207.xxx.xxx.130
access-list 101 permit tcp any host 207.xxx.xxx.145 eq 1723
access-list 101 permit gre any host 207.xxx.xxx.145
access-list 101 permit tcp any eq 1755 any
access-list 101 permit udp any eq 1755 any
access-list 101 permit icmp 207.xxx.xxx.0 0.0.0.255 any
access-list 101 permit icmp 64.xxx.xxxx.0 0.0.0.255 any
access-list 101 permit icmp 206.xxx.xxx.0 0.0.0.255 any
access-list 101 permit gre any host 207.xxx.xxx.185
access-list 101 permit tcp any host 207.xxx.xxx.185 eq 1723
access-list 101 permit tcp any host 207.xxx.xxx.145 eq www
access-list 101 permit tcp any host 207.xxx.xxx.145 eq 443
access-list 101 permit tcp any host 207.xxx.xxx.144 eq www
access-list 101 permit tcp any host 207.xxx.xxx.144 eq 443
access-list 101 permit tcp any host 207.xxx.xxx.144 eq smtp
access-list 101 permit ip any host 207.xxx.xxx.135
access-list 101 permit tcp any eq smtp host 207.xxx.xxx.135
access-list 102 deny   ip 207.xxx.xxx.128 0.0.0.127 any
access-list 102 permit udp any eq rip any eq rip
snmp-server community public RO
snmp-server community ddsd RW
snmp-server trap-source Ethernet0
snmp-server contact Roger,xxxxxxxxxxxxxxxxxxx
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps rtr
snmp-server host 192.168.0.33 traps ddsd
!
line con 0
 exec-timeout 0 0
 password
 login
 transport input none
line vty 0 4
 password
 login
!
end
Question by:rogerbruchay

24 Comments


Expert Comment

by:Jan Springer
ID: 20109112
If you're asking "how do I get mail delivered to the Barracuda instead of my mail server", then change your MX record in DNS to the FQDN of the Barracuda.

Does your Barracuda have its own IP address?

You can use the firewall to block all smtp traffic to servers in your network except to the Barracuda.
Author Comment

by:rogerbruchay
ID: 20109170
Remote users are attaching to OWA on the mail server, so I cannot change where the MX record points. I guess what I am asking for is how do I block all SMTP traffic to servers on our network except to the Barracuda.
Yes, the Barracuda has its own IP address. In the config it is listed as 207.xxx.xxx.135

Accepted Solution

by:Jan Springer (earned 1400 total points)
ID: 20109497
In your access 101, remove any lines that end in 'eq 25' or 'eq smtp' and add just the line below:

access-list 101 permit tcp any host IP.OF.BARRACUDA eq 25

This will allow sessions to be established outside of the firewall if they're destined to port 25 of the Barracuda.
Author Comment

by:rogerbruchay
ID: 20109746
Now we are getting the following,
    permit tcp host 216.117.137.169 eq smtp host 207.xxx.xxx.145 eq 5172
I have gone thru and removed any lines with "smtp" or 25 in them. The only lines with either refer to the Barracuda ip address.
???
Author Comment

by:rogerbruchay
ID: 20109831
Well, that was the only entry so far. But we are not receiving any items on our Barracuda IP address for SMTP. Should I be using the port number or is "smtp" ok?

Expert Comment

by:Jan Springer
ID: 20110068
Either works.  If you enter '25' it will get translated in the acl to 'smtp' anyway.

If the Barracuda sits in the DMZ, you will need to update acl 100 to allow traffic *from* your Barracuda port 25 to talk to other servers.

access-list 100 permit tcp host IP.OF.BARRACUDA eq 25 any
Author Comment

by:rogerbruchay
ID: 20110374
As before, I still have no matches in the show access-list for smtp to my barracuda. I can start and stop the normal smtp to my mail server but I cannot redirect smtp to the barracuda. Do I have to set up some static mapping? Anyone?

Expert Comment

by:Jan Springer
ID: 20110789
The premise is that the IP of the Barracuda is routed to the firewall.

When the packet hits the serial interface, the access-list should allow any packets to the Barracuda port 25.  If this access list shows no hits, then either the ACL entry is incorrect or DNS is cached to send port 25 traffic to the old MX.

If the packet hits and passes the serial interface, the access-list on the DMZ should be allowing packets from the Barracuda port 25 to anywhere.  If packets are coming in to this IP from the serial interface, you should see responding hits on the acl on the DMZ.

If you don't, then check the gateway/netmask on the Barracuda.

Can you tell me: 1) is the packet even reaching the serial interface 2) are return packets coming in from the DMZ 3) have you verified the ip/mask/gateway of the Barracuda?

And would you please post the acl entries for 100 and 101 that pertain to the Barracuda?
Author Comment

by:rogerbruchay
ID: 20111112
OK, where would I find stats on packets to the serial interface?
I do have an ip inspect name Serial_0_1 smtp on the Serial0.1 point-to-point.
Here are the acl entries relating to the Barracuda:
ACL 100
   permit tcp any host 207.xxx.xxx.135
   permit tcp host 207.xxx.xxx.135 any eq smtp
ACL 101
    permit ip any host 207.xxx.xxx.135 (103 matches)
    permit tcp any host 207.xxx.xxx.135 eq smtp
    permit tcp any eq 22 host 207.xxx.xxx.135
    permit tcp any eq smtp host 207.xxx.xxx.135

as you can see, no matches for smtp...
I have tested from Barracuda to exchange server and it works....

I guess maybe I can change the IP addresses for the devices and reconfigure the OWA access. UGH.

Expert Comment

by:Jan Springer
ID: 20111263
The ACL should read thus:

DMZ inbound -> access-list 100 permit tcp host IP.OF.BARRACUDA eq 25 any
                                                               ^^^^^
I don't see where you are allowing the Barracuda packets in the DMZ interface when responding to outside smtp connections.
Author Comment

by:rogerbruchay
ID: 20111502
Here is my current router config, everything that you have indicated that I should try should be here. Let me know if I am missing something...
DeltaDiablo#s runn
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname DeltaDiablo
!
enable password 7 0871141A5B41554E44
!
ip subnet-zero
ip tftp source-interface Ethernet0
no ip domain-lookup
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
ip inspect name Ethernet_0 tcp
ip inspect name Ethernet_0 ftp
ip inspect name Ethernet_0 udp
ip inspect name Ethernet_0 realaudio
ip inspect name Ethernet_0 smtp
ip inspect name Ethernet_0 vdolive
ip inspect name Serial_0_1 udp
ip inspect name Serial_0_1 smtp
ip inspect name Serial_0_1 ftp
!
no crypto isakmp enable
!
 clock timezone Pacific -8
 clock summer-time PDST recurring 1 Sat Apr 2:00 last Sat Oct 2:00
 !
 !
 !
 interface Ethernet0
 description connected to DDSD DMZ
 ip address 207.xxx.xxx.129 255.255.255.128
 ip access-group 100 in
 no ip directed-broadcast
 ip inspect Ethernet_0 in
!
interface Serial0
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay
 no ip mroute-cache
 service-module t1 remote-alarm-enable
 frame-relay lmi-type cisco
!
interface Serial0.1 point-to-point
 description connected to Internet
 ip address 209.232.130.218 255.255.255.128
 ip access-group 101 in
 no ip directed-broadcast
 ip inspect Serial_0_1 in
 frame-relay interface-dlci 16
!
interface BRI0
 no ip address
 no ip directed-broadcast
 shutdown
!
router rip
 version 2
 passive-interface Serial0.1
 network 207.xxx.xxx.0
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0.1
ip http server
!
access-list 100 permit udp any eq rip any eq rip
access-list 100 deny   ip host 207.xxx.xxx.140 any
access-list 100 permit tcp any any eq finger
access-list 100 permit tcp any any range ftp-data ftp
access-list 100 permit tcp any any eq www
access-list 100 permit icmp any any
access-list 100 permit udp any any eq isakmp
access-list 100 permit tcp any any eq nntp
access-list 100 permit udp any any eq domain
access-list 100 permit tcp any any eq 7070
access-list 100 permit udp any any eq tacacs
access-list 100 permit tcp any any eq telnet
access-list 100 permit tcp any any eq 7000
access-list 100 permit ip host 207.xxx.xxx.145 any
access-list 100 permit tcp any any eq 443
access-list 100 permit tcp host 207.xxx.xxx.130 any eq 8100
access-list 100 permit tcp host 207.xxx.xxx.130 host 208.129.35.83 eq 9000
access-list 100 permit ip host 207.xxx.xxx.150 any
access-list 100 permit tcp any any eq 1755
access-list 100 permit udp any any eq 1755
access-list 100 permit tcp any any eq daytime
access-list 100 permit tcp any any eq 2847
access-list 100 permit tcp any any eq 2848
access-list 100 permit tcp any any eq 537
access-list 100 permit udp any any eq 537
access-list 100 permit tcp host 207.xxx.xxx.145 any eq smtp
access-list 100 permit tcp any any eq domain
access-list 100 permit ip any any
access-list 100 permit ip host 207.xxx.xxx.130 any
access-list 100 permit udp any eq 1755 any
access-list 100 permit tcp any eq 1755 any
access-list 100 permit tcp host 207.xxx.xxx.130 any eq 3101
access-list 100 permit ip host 207.xxx.xxx.185 any
access-list 100 permit tcp host 207.xxx.xxx.145 any eq www
access-list 100 permit tcp host 207.xxx.xxx.145 any eq 443
access-list 100 permit 123 host 207.xxx.xxx.145 any
access-list 100 permit ip host 207.xxx.xxx.144 any
access-list 100 permit tcp any host IP.OF.Barracuda
access-list 100 permit tcp host IP.OF.Barracuda any eq smtp
access-list 100 permit tcp host IP.OF.Barracuda eq smtp any
access-list 101 deny   ip 207.xxx.xxx.128 0.0.0.127 any
access-list 101 permit icmp any host 207.xxx.xxx.145
access-list 101 permit udp any host 207.xxx.xxx.145 eq isakmp
access-list 101 permit tcp any host 207.xxx.xxx.140 range ftp-data ftp
access-list 101 permit tcp any host 207.xxx.xxx.140 eq www
access-list 101 permit tcp any host 207.xxx.xxx.145 eq daytime
access-list 101 permit tcp any host 207.xxx.xxx.145 eq 5631
access-list 101 permit tcp any host 207.xxx.xxx.145 eq 5632
access-list 101 permit udp any host 207.xxx.xxx.145 eq 5631
access-list 101 permit udp any host 207.xxx.xxx.145 eq 5632
access-list 101 permit udp any host 207.xxx.xxx.145 eq 22
access-list 101 permit tcp any host 207.xxx.xxx.145 eq 3389
access-list 101 deny   tcp any any range 137 139
access-list 101 permit tcp any host 207.xxx.xxx.150 eq 1723
access-list 101 permit gre any host 207.xxx.xxx.150
access-list 101 permit icmp 0.0.0.0 255.255.255.0 host 207.xxx.xxx.129
access-list 101 permit tcp any host 207.xxx.xxx.130 eq 1723
access-list 101 permit gre any host 207.xxx.xxx.130
access-list 101 permit tcp any host 207.xxx.xxx.145 eq 1723
access-list 101 permit gre any host 207.xxx.xxx.145
access-list 101 permit tcp any eq 1755 any
access-list 101 permit udp any eq 1755 any
access-list 101 permit icmp 207.214.68.0 0.0.0.255 any
access-list 101 permit icmp 64.164.104.0 0.0.0.255 any
access-list 101 permit icmp 206.13.1.0 0.0.0.255 any
access-list 101 permit gre any host 207.xxx.xxx.185
access-list 101 permit tcp any host 207.xxx.xxx.185 eq 1723
access-list 101 permit tcp any host 207.xxx.xxx.145 eq www
access-list 101 permit tcp any host 207.xxx.xxx.145 eq 443
access-list 101 permit ip any host IP.OF.Barracuda
access-list 101 permit tcp any host IP.OF.Barracuda eq smtp
access-list 101 permit tcp any eq 22 host IP.OF.Barracuda
access-list 101 permit tcp any eq smtp host IP.OF.Barracuda
access-list 102 deny   ip 207.xxx.xxx.128 0.0.0.127 any
access-list 102 permit udp any eq rip any eq rip
snmp-server community public RO
snmp-server community ddsd RW
snmp-server trap-source Ethernet0
snmp-server contact Roger,
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps rtr
snmp-server host 192.168.3.33 traps ddsd
!
line con 0
 exec-timeout 0 0
 password 7 14141C180F55
 login
 transport input none
line vty 0 4
 password 7 110A17161443
 login
!
end

DeltaDiablo#

Expert Comment

by:Jan Springer
ID: 20111838
Looks good.  When you do a "show access-list 100" and "show access-list 101", which one(s) shows hits next to the Barracuda IP?
Author Comment

by:rogerbruchay
ID: 20111932
There are no matches for the s access-l 100

Here are the listings from s access-l 101
    permit ip any host 207.xxx.xxx.135 (171 matches)
    permit tcp any host 207.xxx.xxx.135 eq smtp
    permit tcp any eq 22 host 207.xxx.xxx.135
    permit tcp any eq smtp host 207.xxx.xxx.135

Expert Comment

by:Jan Springer
ID: 20112057
Ok.  What about these entries in access-list 101:

access-list 101 permit ip any host IP.OF.Barracuda
access-list 101 permit tcp any host IP.OF.Barracuda eq smtp
Author Comment

by:rogerbruchay
ID: 20112156
access-list 101 permit ip any host IP.OF.Barracuda (171 matches)
access-list 101 permit tcp any host IP.OF.Barracuda eq smtp - nothing
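Why the counters above land where they do, as an added example that is not code from the thread: a toy first-match evaluator for the Barracuda-related entries of acl 101 as posted. The addresses are constructed stand-ins for the redacted 207.xxx.xxx.* hosts; the ACE text is the thread's with the placeholder filled in. IOS evaluates an ACL top-down and stops at the first match, so "permit ip any host BARRACUDA" absorbs every packet to the Barracuda, SMTP included, and the "eq smtp" line beneath it can never record a hit.

```python
"""Toy first-match evaluator for Cisco IOS extended ACL entries (added
example, not from the thread). Only the syntax used by the posted
Barracuda entries is supported: permit/deny, ip/tcp/udp, 'any' or
'host A.B.C.D' on each side, and an optional 'eq PORT'."""
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"smtp": 25, "www": 80, "domain": 53, "telnet": 23, "ftp": 21}

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

def _addr(t, i):
    if t[i] == "any":
        return None, i + 1            # None acts as a wildcard
    if t[i] == "host":
        return t[i + 1], i + 2
    raise ValueError(f"unsupported address syntax: {t[i]}")

def _port(t, i):
    if i < len(t) and t[i] == "eq":
        name = t[i + 1]
        port = int(name) if name.isdigit() else PORT_NAMES.get(name)
        if port is None:
            raise ValueError(f"unknown port name: {name}")
        return port, i + 2
    return None, i

def parse_ace(line):
    """'access-list 101 permit tcp any host X eq smtp' -> dict of fields."""
    t = line.split()
    src, i = _addr(t, 4)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, _ = _port(t, i)
    return {"action": t[2], "proto": t[3], "src": src, "sport": sport,
            "dst": dst, "dport": dport, "text": line}

def _covers(a, b):
    """True if every packet matching entry b also matches entry a."""
    wild = lambda x, y: x is None or x == y
    return (a["proto"] in ("ip", b["proto"]) and wild(a["src"], b["src"])
            and wild(a["dst"], b["dst"]) and wild(a["sport"], b["sport"])
            and wild(a["dport"], b["dport"]))

def evaluate(acl, pkt):
    """IOS semantics: first matching ACE wins; implicit deny at the end."""
    fields = {"proto": pkt.proto, "src": pkt.src, "dst": pkt.dst,
              "sport": pkt.sport, "dport": pkt.dport}
    for n, ace in enumerate(acl):
        if _covers(ace, fields):
            return ace["action"], n
    return "deny", None

def shadowed(acl):
    """Indices of ACEs that can never be hit: an earlier ACE covers them."""
    return [j for j, later in enumerate(acl)
            if any(_covers(earlier, later) for earlier in acl[:j])]

def hit_counts(acl, packets):
    """Per-ACE match counters, as 'show access-list' displays them."""
    counts = [0] * len(acl)
    for p in packets:
        _, n = evaluate(acl, p)
        if n is not None:
            counts[n] += 1
    return counts

BARRACUDA, MAILSRV = "203.0.113.135", "203.0.113.145"   # constructed stand-ins
AS_POSTED = [parse_ace(l) for l in (      # the four Barracuda ACEs, posted order
    f"access-list 101 permit ip any host {BARRACUDA}",
    f"access-list 101 permit tcp any host {BARRACUDA} eq smtp",
    f"access-list 101 permit tcp any eq 22 host {BARRACUDA}",
    f"access-list 101 permit tcp any eq smtp host {BARRACUDA}")]
AS_ADVISED = [parse_ace(f"access-list 101 permit tcp any host {BARRACUDA} eq 25")]
```

`shadowed(AS_POSTED)` reports entries 1 to 3 as unreachable, and with `AS_ADVISED` alone SMTP to the mail server falls to the implicit deny while SMTP to the Barracuda is permitted. The fourth posted entry is keyed on source port rather than destination port, so it matches far more than return SMTP traffic; the accepted answer's single destination-port entry is the safer shape.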

Expert Comment

by:Jan Springer
ID: 20112372
I guess I have to ask, where was your mail server originally located?  Inside the DMZ?  Why would what seem to be identical access-list configurations, with just the IP address of the SMTP server changed, be a problem?

Let's inspect all packets coming into the firewall and allow the inbound acl on the Serial interface to dynamically build the allowed list we need for returning packets, based upon inspection and what we specifically want to let in:

interface Ethernet0
 no ip access-group 100 in

interface Serial0.1 point-to-point
 no ip inspect Serial_0_1 in

After you configure this, what happens?
Author Comment

by:rogerbruchay
ID: 20112484
When I show access-list 101, I still get several of these entries.
 
  permit tcp host 209.62.20.188 eq smtp host 207.xxx.xxx.145 eq 14847 (1 match)
  permit tcp host 209.181.247.105 eq smtp host 207.xxx.xxx.145 eq 15088
The mail server is inside the DMZ; both the Barracuda and the mail server have their gateways set to the Ethernet 0 interface.

Ok how do I inspect all the packets to build the necessary list?

Expert Comment

by:Jan Springer
ID: 20112586
It sounds like the dynamic acl on the outside is not working with the ip inspect on the inside interface and the acl on the outside.

I'd like you to:

1) remove the acl *and* ip inspect off of the DMZ interface
2) put the ip inspect state as 'out' on the serial interface
3) put the acl 101 as 'in' on the serial interface
Author Comment

by:rogerbruchay
ID: 20112714
OK that didn't work. I don't know. I guess I will give up until Monday. Thanks...
Expert Comment

by:wlaurant
ID: 21426116
Your users are connecting to an A record, not an MX record. MX records are only for delivering mail (SMTP port 25). OWA uses port 25 and port 443.

When you have domain xyz.com then dns looks like

mx 10 "ip/dns name barracuda"
webmail  "ip-address firewall"

Expert Comment

by:Jan Springer
ID: 21430188
We've already been over this.  See my first response :)

And the firewall IP address would not be the IP of the mail server (I would hope) from those behind the firewall.
Assisted Solution

by:wlaurant (earned 600 total points)
ID: 21430231
OWA users don't connect to MX records

Your Cuda has outside address 10.10.10.10
Your firewall has outside address 10.10.10.11

MX record points to Cuda 10.10.10.10
Cuda points to firewall 10.10.10.11
Webmail points to firewall outside address 10.10.10.11

Firewall has NAT translation
port 25,80,443 outside 10.10.10.11 inside "ip-address mail server"

We use the Cuda with 400 customers in this way, works like a charm
Expert Comment

by:wlaurant
ID: 21430246
One remark. On the Exchange server we block access from all servers except the Cuda and fallback.
Author Closing Comment

by:rogerbruchay
ID: 31408236
I ended up creating a new MX record in DNS that set the Barracuda as the first choice for mail, and then denied SMTP to the Exchange server. And set up OWA as wlaurant suggested. Thanks and sorry for the delay.