Solved

IPhone, barracuda spam firewall, and exchange 2010

Posted on 2013-01-20
546 Views
Last Modified: 2013-01-21
I've had my Exchange 2010 working fine with the iPhones but too much spam so we got a Barracuda Spam firewall 100. Configured it per directions but now iPhones don't work.

I thought I'd reconfigure the Cisco PIX to point inbound port 25 to the Barracuda. Cannot get that to work.

Config like this on Cisco:
PIX Version 6.3(5)
...
access-list inbound permit tcp any host xx.xx.xx.123 eq smtp
...
static (inside,outside) xx.xx.xx.123 192.168.1.7 netmask 255.255.255.255 0 0
Barracuda is at 192.168.1.8
Question by:garyoh
5 Comments
 
LVL 10

Expert Comment

by:joelsplace
ID: 38799683
Are the iPhones using activesync?  If they are it doesn't use port 25 so the Barracuda shouldn't bother them.
 

Author Comment

by:garyoh
ID: 38799711
They are using ActiveSync. I originally pointed the NAT to take xx.xx.xx.123 to the Barracuda's 192.168.1.8 address, which is interrupting the whole deal. That's when I realized I have to do port redirection, but MX points to the public xx.xx.xx.123 address (along with autodiscover, etc.), so I'd like to change the PIX to just send all port 25 to the Barracuda, but I cannot get this to work. I want to allow SMTP on IP 123 but have it go to internal address 8. I cannot seem to get that to work. Any ideas?
 
LVL 10

Expert Comment

by:joelsplace
ID: 38799725
Not really, it's been a long time since I've messed with a PIX.
Take a look at this:  https://supportforums.cisco.com/thread/228328
 
LVL 37

Accepted Solution

by: ArneLovius earned 500 total points
ID: 38800041
You had a single NAT to Exchange; this was for all ports. You moved it to the Barracuda, hence not having any external access to Exchange.

you need to use PAT instead of NAT

PAT forwards individual ports, NAT forwards IP addresses

If you have a spare address, I would use a dedicated address for the barracuda and another dedicated address for exchange, then external users can get to the quarantine etc on the barracuda, otherwise you might want to do something like the below.

create access lists to define the traffic
access-list barracuda_25 permit tcp host 192.168.1.8 eq smtp any 
access-list exchange_80 permit tcp host 192.168.1.7 eq www any 
access-list exchange_443 permit tcp host 192.168.1.7 eq https any 


create NAT rules using the access lists
static (inside,outside) tcp 1.1.1.123 smtp access-list barracuda_25 0 0 
static (inside,outside) tcp 1.1.1.123 www access-list exchange_80 0 0 
static (inside,outside) tcp 1.1.1.123 https access-list exchange_443 0 0 


presuming that you have more than one public IP address

have a pool for the interface and a pool for the barracuda and exchange
global (outside) 1 interface
global (outside) 123 1.1.1.123


use dynamic NAT so that outbound traffic from the barracuda and exchange uses the same address
nat (inside) 123 192.168.1.7 255.255.255.255 0 0
nat (inside) 123 192.168.1.8 255.255.255.255 0 0


put everything else through the interface address
nat (inside) 1 192.168.1.0 255.255.255.0 0 0

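The NAT-versus-PAT point in the answer above, as an added illustration that is not from the thread or from Cisco: a small Python model that parses the PIX 6.3 static and access-list lines and reports which inside host a packet to the public address and port reaches, so you can see why a whole-address static sends ActiveSync (443) to the Barracuda while the per-port statics send only SMTP there. It assumes a port-specific static is preferred over a whole-address static for the same public IP (a simplification), and reuses the 1.1.1.123 placeholder address from the answer.

```python
"""Toy model of PIX 6.3 inbound static NAT/PAT selection (added example,
not a Cisco tool).  Configs below are reconstructed from the thread."""
import re

PORTS = {"smtp": 25, "www": 80, "https": 443}

def port_num(tok):
    return PORTS.get(tok) or int(tok)

def parse_pix(config):
    """acls: name -> (inside_host, port);
    statics: list of (public_ip, port_or_None, ("acl", name) | ("host", ip))."""
    acls, statics = {}, []
    for line in config.strip().splitlines():
        line = line.strip()
        m = re.match(r"access-list (\S+) permit tcp host (\S+) eq (\S+) any", line)
        if m:
            acls[m.group(1)] = (m.group(2), port_num(m.group(3)))
            continue
        m = re.match(r"static \(inside,outside\) tcp (\S+) (\S+) access-list (\S+)", line)
        if m:  # policy static PAT: one public port -> the host named in the ACL
            statics.append((m.group(1), port_num(m.group(2)), ("acl", m.group(3))))
            continue
        m = re.match(r"static \(inside,outside\) (\S+) (\S+) netmask", line)
        if m:  # one-to-one static NAT: every port of the public IP -> one host
            statics.append((m.group(1), None, ("host", m.group(2))))
    return acls, statics

def resolve(config, public_ip, port):
    """Inside host that receives public_ip:port, or None if nothing maps it."""
    acls, statics = parse_pix(config)
    # assumption: port-specific statics are considered before whole-address ones
    for pub, p, target in sorted(statics, key=lambda s: s[1] is None):
        if pub != public_ip or (p is not None and p != port):
            continue
        if target[0] == "acl":
            host, acl_port = acls[target[1]]
            if acl_port == port:
                return host
        else:
            return target[1]
    return None

# constructed: the asker's single static, moved from Exchange (.7) to the Barracuda (.8)
BROKEN = "static (inside,outside) 1.1.1.123 192.168.1.8 netmask 255.255.255.255 0 0"
# constructed: the per-port PAT rules from the accepted answer (SMTP and HTTPS shown)
FIXED = """
access-list barracuda_25 permit tcp host 192.168.1.8 eq smtp any
access-list exchange_443 permit tcp host 192.168.1.7 eq https any
static (inside,outside) tcp 1.1.1.123 smtp access-list barracuda_25 0 0
static (inside,outside) tcp 1.1.1.123 https access-list exchange_443 0 0
"""
```

With BROKEN, port 443 (ActiveSync) lands on the Barracuda, which is exactly the iPhone breakage; with FIXED, 25 goes to the Barracuda, 443 to Exchange, and any port without a static (for example 3389) is not exposed at all.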

 

Author Closing Comment

by:garyoh
ID: 38804127
Your first idea of using another IP was the best idea. All done. Works great, and used the original as MX 20. Thanks
