Solved

iPhone, Barracuda Spam Firewall, and Exchange 2010

Posted on 2013-01-20
Last Modified: 2013-01-21
I've had my Exchange 2010 working fine with the iPhones but too much spam so we got a Barracuda Spam firewall 100. Configured it per directions but now iPhones don't work.

I thought I'd reconfig the Cisco PIX to point inbound port 25 to the Barracuda. Cannot get that to work.

Config like this on Cisco:
PIX Version 6.3(5)
...
access-list inbound permit tcp any host xx.xx.xx.123 eq smtp
...
static (inside,outside) xx.xx.xx.123 192.168.1.7 netmask 255.255.255.255 0 0
Barracuda is at 192.168.1.8
Question by:garyoh
5 Comments
 
LVL 10

Expert Comment

by:joelsplace
ID: 38799683
Are the iPhones using activesync?  If they are it doesn't use port 25 so the Barracuda shouldn't bother them.
 

Author Comment

by:garyoh
ID: 38799711
They are using ActiveSync. I originally pointed the NAT to take xx.xx.xx.123 to the Barracuda's 192.168.1.8 address, which is interrupting the whole deal. That's when I realized I have to do port redirection, but MX points to the public xx.xx.xx.123 address (along with autodiscover, etc.), so I'd like to change the PIX to just send all port 25 to the Barracuda, but I cannot get this to work. I want to allow SMTP on IP 123 but have it go to internal address 8. I cannot seem to get that to work. Any ideas?
 
LVL 10

Expert Comment

by:joelsplace
ID: 38799725
Not really, it's been a long time since I've messed with a PIX.
Take a look at this:  https://supportforums.cisco.com/thread/228328
 
LVL 36

Accepted Solution

by:ArneLovius earned 500 total points
ID: 38800041
You had a single NAT to Exchange; this was for all ports. You moved it to the Barracuda, hence not having any external access to Exchange.

You need to use PAT instead of NAT.

PAT forwards individual ports; NAT forwards IP addresses.

If you have a spare address, I would use a dedicated address for the Barracuda and another dedicated address for Exchange; then external users can get to the quarantine etc. on the Barracuda. Otherwise you might want to do something like the below.

Create access lists to define the traffic:
access-list barracuda_25 permit tcp host 192.168.1.8 eq smtp any 
access-list exchange_80 permit tcp host 192.168.1.7 eq www any 
access-list exchange_443 permit tcp host 192.168.1.7 eq https any 


Create NAT rules using the access lists:
static (inside,outside) tcp 1.1.1.123 smtp access-list barracuda_25 0 0 
static (inside,outside) tcp 1.1.1.123 www access-list exchange_80 0 0 
static (inside,outside) tcp 1.1.1.123 https access-list exchange_443 0 0 


Presuming that you have more than one public IP address:

Have a pool for the interface and a pool for the Barracuda and Exchange:
global (outside) 1 interface
global (outside) 123 1.1.1.123


Use dynamic NAT so that outbound traffic from the Barracuda and Exchange uses the same address:
nat (inside) 123 192.168.1.7 255.255.255.255 0 0
nat (inside) 123 192.168.1.8 255.255.255.255 0 0


Put everything else through the interface address:
nat (inside) 1 192.168.1.0 255.255.255.0 0 0

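To make the NAT-versus-PAT point in the accepted answer concrete, here is a small Python model of how a static translation table resolves inbound connections; it is an added example, not configuration from the thread. The lookup rule (port-specific entries consulted before address-wide ones), the 1.1.1.123 placeholder and the `resolve` helper are assumptions of the model, not a statement about PIX internals.

```python
# Added example (not from the thread): model a PIX-style static table to show
# why an address-wide static pointed at the Barracuda breaks ActiveSync (443)
# and why per-port PAT entries restore it. All addresses are the thread's
# placeholders; 1.1.1.123 stands in for xx.xx.xx.123 as in the accepted answer.
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Static:
    """One 'static (inside,outside)' entry; port=None means the whole address."""
    global_ip: str
    inside_ip: str
    port: Optional[int] = None  # TCP port for a PAT (port-redirect) entry


def resolve(statics: Iterable[Static], dst_ip: str, dst_port: int) -> Optional[str]:
    """Return the inside host an inbound TCP flow to dst_ip:dst_port lands on.

    Model assumption: port-specific (PAT) entries are consulted before
    address-wide (NAT) entries; a flow matching neither is dropped (None).
    """
    statics = list(statics)
    for s in statics:
        if s.global_ip == dst_ip and s.port == dst_port:
            return s.inside_ip
    for s in statics:
        if s.global_ip == dst_ip and s.port is None:
            return s.inside_ip
    return None


EXCHANGE, BARRACUDA, PUBLIC = "192.168.1.7", "192.168.1.8", "1.1.1.123"
SMTP, HTTP, HTTPS = 25, 80, 443

# Original config: everything on .123 went to Exchange, so mail and ActiveSync worked.
ORIGINAL = [Static(PUBLIC, EXCHANGE)]
# The breaking change: the address-wide static was moved to the Barracuda.
BROKEN = [Static(PUBLIC, BARRACUDA)]
# Accepted answer: per-port PAT, SMTP to the Barracuda, 80/443 (ActiveSync) to Exchange.
FIXED = [Static(PUBLIC, BARRACUDA, SMTP),
         Static(PUBLIC, EXCHANGE, HTTP),
         Static(PUBLIC, EXCHANGE, HTTPS)]


def activesync_reaches_exchange(statics: Iterable[Static]) -> bool:
    return resolve(statics, PUBLIC, HTTPS) == EXCHANGE


def smtp_reaches_barracuda(statics: Iterable[Static]) -> bool:
    return resolve(statics, PUBLIC, SMTP) == BARRACUDA
```

Running `resolve` over the three tables shows the broken table sending 443 to the Barracuda, which serves no ActiveSync, while the fixed table sends only 25 there.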

Author Closing Comment

by:garyoh
ID: 38804127
Your first idea of using another IP was the best idea. All done. Works great, and used the original as MX 20. Thanks