Status: Solved

ASA 5510 configuration with Barracuda 200

We currently have an ASA 5510 as VPN firewall and a software-based anti-spam for email, and everything is working all right.

We are putting in a Barracuda 200 anti-spam to replace the software-based one. We want to put it inside the firewall. We would like to divert incoming email destined to the email server's public address to the internal IP of the Barracuda instead of the email server, and also leave the outgoing emails from the email server on its public address. I am using ASDM to configure the ASA and have tried both static policy NAT and dynamic policy NAT with every possible combination I could think of, but can't get it to work.
All inputs are welcome.
Thanks
Asked: AstralWind
2 Solutions
 
egyptcoCommented:
In your static entry you need to change only the IP address of your mail server to be the IP address of the spam blocker... and that's it.
0
 
AstralWindAuthor Commented:
Thanks egyptco.

Static is fine when the outgoing and incoming emails will both be diverted to the Barracuda. But in our case we need only the incoming to be filtered by the Barracuda, not the outgoing, which will go directly to the firewall and not pass through the Barracuda. How is this latter case configured?
0
 
egyptcoCommented:
- incoming mail (presumably your spam filter is on the dmz)

static (dmz,outside) tcp <ip_of_spam_blocker> smtp <public_ip_of_your_mail_server> smtp netmask 255.255.255.255

- outgoing mail (presumably your mail server is on the inside)

access-list outgoing_mail extended permit tcp host <internal_ip_of_mail_server> eq smtp any eq smtp

nat (inside) 2 access-list outgoing_mail
global (outside) 2 <public_ip_of_your_mail_server>
0
 
AstralWindAuthor Commented:
Thanks again egyptco.

In our case the spam filter is in the inside network, not in the dmz zone. What do I need to configure for just that?

Thanks
0
 
egyptcoCommented:
Change the "dmz" keyword to "inside" ;)
0
 
AstralWindAuthor Commented:
I will try that and post back.
Thanks
0
 
AstralWindAuthor Commented:
I have tested it, but with the IPs interchanged on the static command. I used the ASDM packet tracer to do the testing. I am getting the right translation for the incoming traffic, but the outgoing traffic is being translated into the IP of the outside port, which is not right. Somehow the dynamic policy NAT that you have suggested is being bypassed, and the one applied is my dynamic inside-to-outside NAT, which is actually a PAT.

What could be happening?
0
 
AstralWindAuthor Commented:
Could it be that the problem is in the ASDM packet tracer? It is currently in a lab environment. I wouldn't want to risk changing the ASA in production as much as possible.
0
 
Texas_BillyCommented:
I wouldn't worry about setting up the new NAT statements, pointing to a new global, etc.

I'd just map your Barracuda appliance through your ASA to an available static IP (provided you have one). In your WAN access-list (the one permitting traffic into the firewall), open the needed ports, then change the MX record for your Exchange server to point to this particular static IP, the one that now xlates to your Barracuda box.

Set up the Barracuda box to forward accepted emails to your Exchange server, and then the Exchange server, for its outbound email, will continue to use the same WAN IP it's been using. --TX
0
 
egyptcoCommented:
Hm, your global mail address (in your MX record) should be translated to the internal address of the Barracuda for the incoming mails. In the outgoing direction your internal mail server is translated with the policy NAT, which of course uses the same global address. Isn't that how it is supposed to be? Are you able to send mails with this configuration?
0
 
AstralWindAuthor Commented:
I am currently using an evaluation unit of Barracuda; that is why I don't want to make a lot of changes for now, and that is why it is being set up on the inside network.

I also thought that it should work, but using just the ASDM packet tracer in a lab environment, with no actual Exchange server, the policy NAT marked #1 is being bypassed in favor of the dynamic NAT marked #2; see the partial config below.

interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address X.X.X.242 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.8.1 255.255.255.0
!
interface Ethernet0/2
 nameif Resources
 security-level 50
 ip address 192.168.255.1 255.255.255.0
!
interface Ethernet0/3
 nameif Trunk
 security-level 80
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
dns server-group DefaultDNS
 domain-name example.local
access-list inside_access_in extended permit ip 192.168.8.0 255.255.255.0 any
access-list Outside_access_in extended permit icmp any any inactive
access-list Outside_access_in extended permit tcp any host X.X.X.243 eq smtp
access-list outgoing_mail extended permit tcp host 192.168.8.10 eq smtp any eq smtp
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu inside 1500
mtu Resources 1500
mtu Trunk 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (Outside) 101 interface
global (Outside) 2 X.X.X.243
global (inside) 1 192.168.8.15 netmask 255.255.255.255
**Mark #1 nat (inside) 2 access-list outgoing_mail
**Mark #2 nat (inside) 101 192.168.8.0 255.255.255.0
static (inside,Outside) tcp X.X.X.243 smtp 192.168.8.15 smtp netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group inside_access_in in interface inside
route Outside 0.0.0.0 0.0.0.0 X.X.X.241 1
timeout xlate 3:00:00
0
 
AstralWindAuthor Commented:
The result with the current config is:

Incoming Mail
X.X.X.243  - - - ->>  192.168.8.15     (right)

Outgoing Mail
192.168.8.10 - - - ->> X.X.X.242       (wrong, it should be .243)

192.168.8.10 - is the Exchange server (imaginary)
192.168.8.15 - is the Barracuda Spam firewall

Any thoughts on this?
0
 
egyptcoCommented:
192.168.8.10 should be translated to X.X.X.243 by meeting the conditions: a TCP packet on inside from your mail server, source port 25, destined to any on port 25. Are you testing in packet tracer with the same conditions?
0
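The thread's whole problem is the pre-8.3 ASA NAT rule-selection order (NAT exemption, then static NAT/PAT, then policy dynamic NAT, then regular dynamic NAT) combined with the fact that a policy-NAT access-list matches the real source port as well as the destination port. The posted ACL `permit tcp host 192.168.8.10 eq smtp any eq smtp` only matches if the Exchange server's connection leaves from source port 25, which an SMTP client never does (it uses an ephemeral port), so the flow falls through to the regular `nat (inside) 101` PAT and exits as the interface address, exactly the `.242` the packet tracer and the outside capture showed. The model below is an added example written for this page, not code from the thread or from Cisco; it reproduces egyptco's `static`/`nat`/`global` recipe and the asker's posted config (rules marked #1 and #2) as data, runs the same two flows through the documented precedence order, and then shows the one-token fix (drop `eq smtp` on the source side of the ACL). It assumes 198.51.100.242/243 in place of the redacted X.X.X.242/243 and a constructed remote mail host 203.0.113.25; it does not model NAT exemption, nat-control, or post-8.3 object NAT, none of which appear on the page.

```python
"""Toy model of pre-8.3 ASA NAT selection for the thread's rules (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed stand-ins for the redacted public addresses X.X.X.242 / X.X.X.243.
OUTSIDE_IF = "198.51.100.242"   # used by 'global (Outside) 101 interface'
MAIL_PUBLIC = "198.51.100.243"  # 'global (Outside) 2' and the static PAT mapped address
EXCHANGE = "192.168.8.10"       # mail server, as in the posted config
BARRACUDA = "192.168.8.15"      # spam filter, as in the posted config


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


def in_net(ip: str, net: str) -> bool:
    """Match an address against 'any' or a CIDR, as an ACL source/destination does."""
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)


@dataclass(frozen=True)
class Ace:
    """One 'extended permit tcp SRC [eq SPORT] DST [eq DPORT]' line; None = no 'eq'."""
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]

    def matches(self, f: Flow) -> bool:
        # Policy NAT compares the real source port too: 'eq smtp' after the
        # source means "source port 25", not "SMTP traffic".
        return (in_net(f.src, self.src) and in_net(f.dst, self.dst)
                and (self.sport is None or f.sport == self.sport)
                and (self.dport is None or f.dport == self.dport))


@dataclass(frozen=True)
class Static:
    """static (inside,Outside) [tcp MAPPED port REAL port | MAPPED REAL] netmask ..."""
    mapped: str
    real: str
    port: Optional[int] = None      # None = static NAT, set = static PAT


@dataclass(frozen=True)
class PolicyNat:
    """nat (inside) ID access-list ACL  +  global (Outside) ID GLOBAL_IP"""
    acl: Tuple[Ace, ...]
    global_ip: str


@dataclass(frozen=True)
class DynamicNat:
    """nat (inside) ID REAL_NET MASK  +  global (Outside) ID GLOBAL_IP|interface"""
    real_net: str
    global_ip: str


@dataclass(frozen=True)
class NatTable:
    statics: Tuple[Static, ...]
    policy: Tuple[PolicyNat, ...]
    dynamic: Tuple[DynamicNat, ...]


def outbound_src(t: NatTable, f: Flow) -> str:
    """Mapped source for an inside->Outside flow, in pre-8.3 precedence order."""
    for s in t.statics:                                   # 1. static NAT / static PAT
        if f.src == s.real and (s.port is None or f.sport == s.port):
            return s.mapped
    for p in t.policy:                                    # 2. policy dynamic NAT
        if any(a.matches(f) for a in p.acl):
            return p.global_ip
    for d in t.dynamic:                                   # 3. regular dynamic NAT/PAT
        if in_net(f.src, d.real_net):
            return d.global_ip
    return f.src                                          # no rule: left untranslated


def inbound_dst(t: NatTable, f: Flow) -> str:
    """Real destination for an Outside->inside flow; only statics accept new inbound."""
    for s in t.statics:
        if f.dst == s.mapped and (s.port is None or f.dport == s.port):
            return s.real
    return f.dst


# Rules exactly as posted (Mark #1 = policy NAT, Mark #2 = PAT to the interface).
STATIC_SMTP = Static(mapped=MAIL_PUBLIC, real=BARRACUDA, port=25)
PAT_101 = DynamicNat(real_net="192.168.8.0/24", global_ip=OUTSIDE_IF)
AS_POSTED = NatTable(
    statics=(STATIC_SMTP,),
    policy=(PolicyNat((Ace(EXCHANGE + "/32", 25, "any", 25),), MAIL_PUBLIC),),
    dynamic=(PAT_101,))
# Fix: 'access-list outgoing_mail extended permit tcp host 192.168.8.10 any eq smtp'
CORRECTED = NatTable(
    statics=(STATIC_SMTP,),
    policy=(PolicyNat((Ace(EXCHANGE + "/32", None, "any", 25),), MAIL_PUBLIC),),
    dynamic=(PAT_101,))

# Constructed test flows: Exchange sending mail out, and a remote MTA delivering in.
OUTBOUND_MAIL = Flow(src=EXCHANGE, sport=49152, dst="203.0.113.25", dport=25)
INBOUND_MAIL = Flow(src="203.0.113.25", sport=51000, dst=MAIL_PUBLIC, dport=25)

if __name__ == "__main__":
    for name, table in (("as posted", AS_POSTED), ("corrected ACL", CORRECTED)):
        print(f"{name:13}: {EXCHANGE} out -> {outbound_src(table, OUTBOUND_MAIL)}; "
              f"{MAIL_PUBLIC}:25 in -> {inbound_dst(table, INBOUND_MAIL)}")
```

With the ACL as posted the outbound flow exits as 198.51.100.242 (the interface PAT), matching what the packet tracer and the outside capture reported; with `eq smtp` removed from the source it exits as 198.51.100.243 while inbound 198.51.100.243:25 still lands on the Barracuda. The same check applies when testing in ASDM packet tracer: give it an ephemeral source port, not 25, or the trace will not reflect real mail traffic. Non-SMTP traffic from the Exchange server is unaffected by the fix and keeps using the interface PAT, so the rule stays scoped to mail.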
 
Texas_BillyCommented:
Don't use a global to specify that your exchange server at .10 should be xlated out to x.x.x.243.  

Create a static NAT statement for that.

static (inside,outside) x.x.x.243 192.168.8.10 netmask 255.255.255.255

If you do that, all outbound traffic from .10 will be xlated to x.x.x.243, no matter what else is on the firewall.

--TX
0
 
AstralWindAuthor Commented:
Texas Billy,
If static NAT as you suggest is used, the incoming is also translated to 0.10, not 0.17.
0
 
AstralWindAuthor Commented:
I have put it in the production network and the test result is confirmed. I used ASA capture on the outside interface and yes, outgoing mails are translated to the interface IP rather than the email server's designated static IP.

So what is the right config then...
Please give it a thought.
0
 
Texas_BillyCommented:
No, the incoming traffic won't be translated to 0.17 if you change the MX record to point to the Barracuda appliance. That's what I'm saying: create a static NAT for the Barracuda appliance as well, change the MX record to point to the Barracuda appliance, leave the Exchange server static NAT to .10, and it'll work the way you want it to. --TX
0
