Port 25 traffic through a VPN tunnel

I have a VPN tunnel between 2 remote locations. Each location has an Exchange server running on (SBS 2008). One location, we'll call it "location A", has a Barracuda spam firewall. Location B does not have a Barracuda. The location A server IP is and the Barracuda address is The location B server is at

I would like to send all incoming port 25 traffic from the Location B firewall, through the VPN tunnel to the Barracuda. I already have the Barracuda programmed to filter mail from the Location B domain and then send it to the Location B Exchange server.

I can ping back and forth between networks. Is it possible to route port 25 traffic through the firewalls as specified? If so, what commands would I have to enter? I have tried routing port 25 traffic from the location B firewall to the Barracuda but it is not reaching the Barracuda. I am assuming it is being blocked by the location A firewall and I am not sure how to allow the traffic.
Rob Williams Commented:
As I understand it you want e-mail sent to site B, forwarded to the Barracuda at site A, filtered, and sent back to site B? I.e. hair-pinning. This will not work. You could have site B's e-mail received by site A by changing the MX records, and the Barracuda then forward to Site B, but it would forward all SMTP (port 25) traffic and you would have site A's e-mail also being sent to site B. If you really wanted to make it work I believe you would have to use a 3rd party service that would let you change the SMTP port used by site B's domain, to something like 5025.
(such as: http://www.no-ip.com/services/managed_mail/inbound_port_25_unblock.html)
You could then point the MX records for site B to site A, have port 25 forwarded to SBS-A and port 5025 forwarded to site B and SBS-B.

However, without meaning to be rude, this is akin to taking the water from your tap, having the kids take it to the neighbours in a bucket to run through their water filter, and bringing it back. I.e. a very convoluted configuration with lots of room for failure. If you really need filtering, which is understandable, you should purchase an appliance like the Barracuda or subscribe to a 3rd party service like www.exchangedefender.com for site B.

Are you using two domain addresses? a.com and b.com? So any mail going to b.com you want to redirect to a.com for filtering then on to b.com?

If that is how I read this then why not just make b.com's MX records the same as A.com?
ksbrett (Author) Commented:
Yes, I have two domain addresses (a.com and b.com). Within the a.com network, there is a Barracuda spam filter. I want to send b.com email (port 25 traffic) to the Barracuda within the a.com network for filtering and then back to b.com.

If I make b.com's MX records the same as a.com, the traffic will reach the Barracuda, but then I will still have to redirect it back through the VPN tunnel to the b.com Exchange server. Either way, the port 25 traffic will need to pass through the tunnel.

At that point you could tell the Barracuda the local IP address and it will route over the VPN to the b.com machine. As long as the Barracuda doesn't try to reach that Exchange server on its public IP but only its private IP it will route the traffic over the VPN.
Also the easiest way to verify SMTP traffic is to use telnet and use a.com site to b.com site with the private IP address.

If you have a standard Cisco VPN site-to-site tunnel configured, no traffic is filtered or blocked in the access-lists if it's going through the VPN tunnel.  So if you're unable to connect on a port through the tunnel, the issue is either a configuration issue with the tunnel, the routing, or possibly a protocol issue.  You might try disabling SMTP inspection.  This is a type of filtering on the ASA that actually is enforced on VPN tunnel traffic and can cause issues for traffic between Exchange servers.  

conf t
policy-map global_policy
class inspection_default
no inspect esmtp
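
The telnet check and the ESMTP inspection symptom discussed above, combined into one probe. This is an added example, not code from the thread or from any vendor. It assumes the commonly reported signs of ASA ESMTP inspection (a greeting masked with asterisks, EHLO keywords replaced by runs of X) and treats them as heuristics; `probe.example` and both sample transcripts are constructed.

```python
import io
import re
import socket

# Constructed samples: server-side bytes with and without an inspecting firewall in the path.
MASKED = (b"220 ****************************\r\n"
          b"250-mail.b.example Hello\r\n250-SIZE 10485760\r\n"
          b"250-XXXXXXXA\r\n250 XXXXXXXXXXB\r\n")
CLEAN = (b"220 mail.b.example Microsoft ESMTP MAIL Service ready\r\n"
         b"250-mail.b.example Hello\r\n250-SIZE 10485760\r\n"
         b"250-STARTTLS\r\n250 8BITMIME\r\n")

def read_reply(f):
    """Read one SMTP reply (possibly multi-line); return (code, [text per line])."""
    texts = []
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("connection closed before the reply finished")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        texts.append(line[4:])
        if len(line) < 4 or line[3] != "-":  # "250-" continues, "250 " ends
            return int(line[:3]), texts

def inspection_signs(banner, extensions):
    """Heuristics (assumed symptom patterns) for a firewall rewriting SMTP."""
    signs = []
    if "*" in banner and re.fullmatch(r"[*02\s]+", banner):
        signs.append("banner masked")
    masked = [e for e in extensions if re.fullmatch(r"X{4,}[A-Z]?", e.strip())]
    if masked:
        signs.append("%d EHLO extension(s) masked" % len(masked))
    return signs

def check(rfile, send=lambda data: None):
    """Read greeting, send EHLO, read its reply; `send` is a no-op for captures."""
    _, banner = read_reply(rfile)
    send(b"EHLO probe.example\r\n")
    code, ehlo = read_reply(rfile)
    send(b"QUIT\r\n")
    return inspection_signs(banner[0], ehlo[1:] if code == 250 else [])

def probe(host, port=25, timeout=10):
    """Live check: pass the mail server's private IP so traffic crosses the tunnel."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return check(s.makefile("rb"), s.sendall)

if __name__ == "__main__":
    print(check(io.BytesIO(MASKED)))
```

An empty list from `probe()` means the greeting and EHLO reply arrived unmodified; a connection error or timeout points at routing or the tunnel rather than inspection.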
