Port 25 traffic through a VPN tunnel

I have a VPN tunnel between 2 remote locations. Each location has an Exchange server running on SBS 2008. One location, we'll call it "location A", has a Barracuda spam firewall. Location B does not have a Barracuda. The location A server IP is and the Barracuda address is The location B server is at

I would like to send all incoming port 25 traffic from the Location B firewall, through the VPN tunnel, to the Barracuda. I already have the Barracuda programmed to filter mail for the Location B domain and then send it to the Location B Exchange server.

I can ping back and forth between networks. Is it possible to route port 25 traffic through the firewalls as specified? If so, what commands would I have to enter? I have tried routing port 25 traffic from the location B firewall to the Barracuda, but it is not reaching the Barracuda. I am assuming it is being blocked by the location A firewall and I am not sure how to allow the traffic.

Are you using two domain addresses, a.com and b.com? So any mail going to b.com you want to redirect to a.com for filtering, then on to b.com?

If that is how I read this then why not just make b.com's MX records the same as A.com?
ksbrett (Author) commented:
Yes, I have two domain addresses (a.com and b.com). Within the a.com network, there is a Barracuda spam filter. I want to send b.com email (port 25 traffic) to the Barracuda within the a.com network for filtering and then back to b.com.

If I make b.com's MX records the same as a.com's, the traffic will reach the Barracuda, but then I will still have to redirect it back through the VPN tunnel to the b.com Exchange server. Either way, the port 25 traffic will need to pass through the tunnel.

At that point you could tell the Barracuda the local IP address and it will route over the VPN to the b.com machine. As long as the Barracuda doesn't try to reach that Exchange server on its public IP but only its private IP, it will route the traffic over the VPN.

Also, the easiest way to verify SMTP traffic is to use telnet from the a.com site to the b.com site with the private IP address.

If you have a standard Cisco VPN site-to-site tunnel configured, no traffic is filtered or blocked in the access-lists if it's going through the VPN tunnel.  So if you're unable to connect on a port through the tunnel, the issue is either a configuration issue with the tunnel, the routing, or possibly a protocol issue.  You might try disabling SMTP inspection.  This is a type of filtering on the ASA that actually is enforced on VPN tunnel traffic and can cause issues for traffic between Exchange servers.  

conf t
policy-map global_policy
class inspection_default
no inspect esmtp
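As an added example (not code from the thread or from any of the commenters), here is a small Python script that performs the telnet-style check suggested above: it connects to the mail server's private address so the session rides the VPN tunnel, reads the SMTP greeting, sends EHLO, and flags the asterisk-masked banner that ASA SMTP/ESMTP inspection produces when it sits in the path. The sample greetings and the placeholder address are constructed, not taken from the poster's network.

```python
import socket

# Constructed sample greetings (not captured from the thread's servers).
SAMPLE_CLEAN = "220 sbs-b.b.local Microsoft ESMTP MAIL Service ready\r\n"
# ASA SMTP/ESMTP inspection masks the server banner text with asterisks.
SAMPLE_MASKED = "220 ****************************************\r\n"

def classify_banner(line: str) -> str:
    """Classify an SMTP greeting line: 'ok', 'masked' (an inspecting firewall
    is rewriting it), 'refused' (non-220 reply) or 'invalid' (not SMTP)."""
    line = line.strip()
    if len(line) < 3 or not line[:3].isdigit():
        return "invalid"
    code, text = line[:3], line[3:].strip(" -")
    if code != "220":
        return "refused"
    if text and set(text.replace(" ", "")) <= {"*"}:
        return "masked"
    return "ok"

def check_smtp(host: str, port: int = 25, timeout: float = 5.0) -> dict:
    """Connect to the mail server's *private* address (so the session rides the
    VPN tunnel), read the greeting, send EHLO and QUIT, and report what we saw."""
    result = {"reachable": False, "state": "unreachable", "banner": "", "ehlo_ok": False}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            f = sock.makefile("rwb")
            banner = f.readline().decode("ascii", "replace")
            result.update(reachable=True, banner=banner.strip(),
                          state=classify_banner(banner))
            f.write(b"EHLO barracuda.a.local\r\n"); f.flush()
            # EHLO replies are multi-line: "250-" continues, "250 " ends.
            reply = []
            while True:
                line = f.readline().decode("ascii", "replace")
                if not line:
                    break
                reply.append(line.strip())
                if len(line) >= 4 and line[3] == " ":
                    break
            result["ehlo_ok"] = bool(reply) and reply[0].startswith("250")
            f.write(b"QUIT\r\n"); f.flush()
    except OSError as exc:  # socket.timeout is a subclass of OSError
        result["error"] = str(exc)
    return result

if __name__ == "__main__":
    import sys
    # Placeholder private address; replace with the real SBS / Barracuda IP.
    print(check_smtp(sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"))
```

A result of `state: "masked"` means something between the two sites is still inspecting SMTP; `state: "unreachable"` with a timeout points at tunnel routing or a firewall drop rather than the mail server itself.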

Rob Williams commented:
As I understand it you want e-mail sent to site B, forwarded to the Barracuda at site A, filtered, and sent back to site B? I.e. hair-pinning. This will not work. You could have site B's e-mail received by site A by changing the MX records, and the Barracuda then forward to Site B, but it would forward all SMTP (port 25) traffic and you would have site A's e-mail also being sent to site B. If you really wanted to make it work I believe you would have to use a 3rd party service that would let you change the SMTP port used by site B's domain, to something like 5025.
(such as: http://www.no-ip.com/services/managed_mail/inbound_port_25_unblock.html)
You could then point the MX records for site B to site A, have port 25 forwarded to SBS-A and port 5025 forwarded to site B and SBS-B.

However, without meaning to be rude, this is akin to taking the water from your tap, having the kids take it to the neighbours in a bucket to run through their water filter, and bringing it back. I.e. a very convoluted configuration with lots of room for failure. If you really need filtering, which is understandable, you should purchase an appliance like the Barracuda or subscribe to a 3rd party service like www.exchangedefender.com for site B.
