Solved

IPhone, barracuda spam firewall, and exchange 2010

Posted on 2013-01-20
543 Views
Last Modified: 2013-01-21
I've had my Exchange 2010 working fine with the iPhones, but there was too much spam, so we got a Barracuda Spam Firewall 100. Configured it per directions, but now the iPhones don't work.

I thought I'd reconfigure the Cisco PIX to point inbound port 25 to the Barracuda. Cannot get that to work.

Config like this on Cisco:
PIX Version 6.3(5)
...
access-list inbound permit tcp any host xx.xx.xx.123 eq smtp
...
static (inside,outside) xx.xx.xx.123 192.168.1.7 netmask 255.255.255.255 0 0
Barracuda is at 192.168.1.8
Question by:garyoh
5 Comments
 
LVL 10

Expert Comment

by:joelsplace
ID: 38799683
Are the iPhones using ActiveSync? If they are, it doesn't use port 25, so the Barracuda shouldn't bother them.

Author Comment

by:garyoh
ID: 38799711
They are using ActiveSync. I originally pointed the NAT to take xx.xx.xx.123 to the Barracuda's 192.168.1.8 address, which is interrupting the whole deal. That's when I realized I have to do port redirection, but MX points to the public xx.xx.xx.123 address (along with autodiscover, etc.), so I'd like to change the PIX to just send all port 25 to the Barracuda, but I cannot get this to work. I want to allow SMTP on IP .123 but have it go to internal address .8. I cannot seem to get that to work. Any ideas?
LVL 10

Expert Comment

by:joelsplace
ID: 38799725
Not really, it's been a long time since I've messed with a PIX.
Take a look at this: https://supportforums.cisco.com/thread/228328
LVL 37

Accepted Solution

by: ArneLovius (earned 500 total points)
ID: 38800041
You had a single NAT to Exchange; this was for all ports. You moved it to the Barracuda, hence not having any external access to Exchange.

You need to use PAT instead of NAT.

PAT forwards individual ports; NAT forwards IP addresses.

If you have a spare address, I would use a dedicated address for the Barracuda and another dedicated address for Exchange; then external users can get to the quarantine etc. on the Barracuda. Otherwise you might want to do something like the below.

Create access lists to define the traffic:
access-list barracuda_25 permit tcp host 192.168.1.8 eq smtp any
access-list exchange_80 permit tcp host 192.168.1.7 eq www any
access-list exchange_443 permit tcp host 192.168.1.7 eq https any

Create NAT rules using the access lists:
static (inside,outside) tcp 1.1.1.123 smtp access-list barracuda_25 0 0
static (inside,outside) tcp 1.1.1.123 www access-list exchange_80 0 0
static (inside,outside) tcp 1.1.1.123 https access-list exchange_443 0 0

Presuming that you have more than one public IP address:

Have a pool for the interface and a pool for the Barracuda and Exchange:
global (outside) 1 interface
global (outside) 123 1.1.1.123

Use dynamic NAT so that outbound traffic from the Barracuda and Exchange uses the same address:
nat (inside) 123 192.168.1.7 255.255.255.255 0 0
nat (inside) 123 192.168.1.8 255.255.255.255 0 0

Put everything else through the interface address:
nat (inside) 1 192.168.1.0 255.255.255.0 0 0

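The accepted answer turns one public address into three port-level translations, and two things decide whether that actually works on a PIX 6.3: the old all-ports static for the same public address must be gone (it is exactly what was left behind when the NAT was first moved to the Barracuda), and the ACL applied inbound on the outside interface must permit each forwarded port against the public address, not just port 25 as in the question's `access-list inbound`. The checker below is an added example, not code from the thread or from Cisco: it parses the `static`, `access-list` and `access-group` lines from constructed config text (the answer's lines plus the question's inbound ACL; the `access-group inbound in interface outside` line is an assumption, the page does not show it), reports which inside host each public ip:port lands on, and flags both mistakes.

```python
"""
Added example (not from the original thread): a checker for PIX 6.3
static and access-list lines.  It reports which inside host receives each
public ip:port and flags the two problems behind the symptoms in the
question: a full (all-ports) static on the same public address as port
statics, and port statics with no matching permit in the inbound ACL.
Everything runs against constructed config text; no device is touched.
"""
import re
from collections import defaultdict

# Subset of the port keywords PIX accepts in place of numbers.
PORT_NAMES = {"smtp": 25, "www": 80, "http": 80, "https": 443, "pop3": 110, "imap4": 143}

RE_ACL = re.compile(r"^access-list (\S+) permit (\S+) (.+)$")
RE_GROUP = re.compile(r"^access-group (\S+) in interface (\S+)$")
RE_STATIC_FULL = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask")
RE_STATIC_PORT = re.compile(r"^static \((\S+),(\S+)\) (tcp|udp) (\S+) (\S+) (.+)$")


def port_num(tok):
    """Translate a PIX port keyword or number to an int (None if unknown)."""
    return int(tok) if tok.isdigit() else PORT_NAMES.get(tok)


def normalize_ports(text):
    """Rewrite 'eq smtp' style operands as 'eq 25' so lines compare by number."""
    return re.sub(r"\beq (\S+)", lambda m: f"eq {port_num(m.group(1))}", text)


def check_pix(config):
    """Return (mapping, findings).

    mapping:  {(global_ip, port): inside_ip}; port '*' marks a full static.
    findings: human-readable problems with the translation/ACL pairing.
    """
    acls = defaultdict(list)   # acl name -> [(proto, normalized remainder)]
    groups = {}                # interface -> acl name applied inbound
    mapping = {}
    findings = []

    for raw in config.splitlines():
        line = raw.strip()
        if m := RE_ACL.match(line):
            acls[m.group(1)].append((m.group(2), normalize_ports(m.group(3))))
        elif m := RE_GROUP.match(line):
            groups[m.group(2)] = m.group(1)
        elif m := RE_STATIC_FULL.match(line):
            mapping[(m.group(3), "*")] = m.group(4)
        elif m := RE_STATIC_PORT.match(line):
            gip, port, rest = m.group(4), port_num(m.group(5)), m.group(6).split()
            if rest[0] == "access-list":
                # Policy static: the inside host is the referenced ACL's 'host' source.
                hosts = {h for _, r in acls.get(rest[1], [])
                         for h in re.findall(r"^host (\S+)", r)}
                if len(hosts) != 1:
                    findings.append(f"{gip}:{port} uses ACL {rest[1]} with "
                                    f"{len(hosts)} host sources (need exactly 1)")
                    continue
                mapping[(gip, port)] = hosts.pop()
            else:
                # Plain port static: static (i,o) tcp GIP GPORT LIP LPORT netmask ...
                mapping[(gip, port)] = rest[0]

    # 1. A full static claims every port of the public address, so port
    #    statics on that address cannot take effect alongside it.
    for gip, inside in [(g, i) for (g, p), i in mapping.items() if p == "*"]:
        shared = sorted(p for (g, p) in mapping if g == gip and p != "*")
        if shared:
            findings.append(f"{gip}: full static to {inside} conflicts with "
                            f"port statics for {shared}; remove the full static")

    # 2. A static only translates.  The ACL applied inbound on the outside
    #    interface must still permit each port, written against the public IP.
    outside = acls.get(groups.get("outside", ""), [])
    for (gip, port), inside in mapping.items():
        if port == "*":
            continue
        want = re.compile(rf"(host {re.escape(gip)}|any) eq {port}$")
        if not any(want.search(r) for _, r in outside):
            findings.append(f"{gip}:{port} -> {inside} has no permit in the "
                            f"outside ACL; add 'permit tcp any host {gip} eq {port}'")
    return mapping, findings


# Constructed config: the accepted answer's lines plus the question's original
# inbound ACL (SMTP only).  The access-group line is assumed; it is not on the page.
ANSWER_CONFIG = """
access-list inbound permit tcp any host 1.1.1.123 eq smtp
access-group inbound in interface outside
access-list barracuda_25 permit tcp host 192.168.1.8 eq smtp any
access-list exchange_80 permit tcp host 192.168.1.7 eq www any
access-list exchange_443 permit tcp host 192.168.1.7 eq https any
static (inside,outside) tcp 1.1.1.123 smtp access-list barracuda_25 0 0
static (inside,outside) tcp 1.1.1.123 www access-list exchange_80 0 0
static (inside,outside) tcp 1.1.1.123 https access-list exchange_443 0 0
"""

# Constructed: the question's original full static left in place alongside the new port statics.
MIXED_CONFIG = ANSWER_CONFIG + "static (inside,outside) 1.1.1.123 192.168.1.7 netmask 255.255.255.255 0 0\n"

if __name__ == "__main__":
    for name, cfg in (("answer", ANSWER_CONFIG), ("mixed", MIXED_CONFIG)):
        mapping, findings = check_pix(cfg)
        print(f"== {name}")
        for (gip, port), inside in sorted(mapping.items(), key=str):
            print(f"  {gip}:{port} -> {inside}")
        for f in findings:
            print("  !", f)
```

Run it and the "answer" config maps 25 to 192.168.1.8 and 80/443 to 192.168.1.7 but reports that the inbound ACL permits only SMTP, so ActiveSync on 443 would still be blocked until the ACL is extended; the "mixed" config additionally reports the leftover full static for 1.1.1.123, which is the state the question describes.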

Author Closing Comment

by:garyoh
ID: 38804127
Your first idea of using another IP was the best idea. All done. Works great. And used the original as MX 20. Thanks.
