iPhone, Barracuda Spam Firewall, and Exchange 2010

I've had my Exchange 2010 working fine with the iPhones but too much spam so we got a Barracuda Spam firewall 100. Configured it per directions but now iPhones don't work.

I thought I'd reconfig the Cisco PIX to point inbound port 25 to the Barracuda. Cannot get that to work.

Config like this on Cisco:
PIX Version 6.3(5)
...
access-list inbound permit tcp any host xx.xx.xx.123 eq smtp
...
static (inside,outside) xx.xx.xx.123 192.168.1.7 netmask 255.255.255.255 0 0
Barracuda is at 192.168.1.8
garyohAsked:

joelsplaceCommented:
Are the iPhones using activesync?  If they are it doesn't use port 25 so the Barracuda shouldn't bother them.
0
garyohAuthor Commented:
They are using active sync. I originally pointed the NAT to take xx.xx.xx.123 to the Barracuda's 192.168.1.8 address, which is interrupting the whole deal. That's when I realized I have to do port redirection, but MX points to the public xx.xx.xx.123 address (along with autodiscover, etc.) so I'd like to change the PIX to just send all port 25 to the Barracuda, but I cannot get this to work. I want to allow SMTP on IP 123 but have it go to internal address 8. I cannot seem to get that to work. Any ideas?
0
joelsplaceCommented:
Not really, it's been a long time since I've messed with a PIX.
Take a look at this:  https://supportforums.cisco.com/thread/228328
0
ArneLoviusCommented:
You had a single NAT to Exchange; this was for all ports. You moved it to the Barracuda, hence not having any external access to Exchange.

You need to use PAT instead of NAT.

PAT forwards individual ports, NAT forwards IP addresses.

If you have a spare address, I would use a dedicated address for the Barracuda and another dedicated address for Exchange; then external users can get to the quarantine etc. on the Barracuda. Otherwise you might want to do something like the below.

create access lists to define the traffic
access-list barracuda_25 permit tcp host 192.168.1.8 eq smtp any 
access-list exchange_80 permit tcp host 192.168.1.7 eq www any 
access-list exchange_443 permit tcp host 192.168.1.7 eq https any 

create NAT rules using the access lists
static (inside,outside) tcp 1.1.1.123 smtp access-list barracuda_25 0 0 
static (inside,outside) tcp 1.1.1.123 www access-list exchange_80 0 0 
static (inside,outside) tcp 1.1.1.123 https access-list exchange_443 0 0 

presuming that you have more than one public IP address

have a pool for the interface and a pool for the barracuda and exchange
global (outside) 1 interface
global (outside) 123 1.1.1.123

use dynamic NAT so that outbound traffic from the barracuda and exchange uses the same address
nat (inside) 123 192.168.1.7 255.255.255.255 0 0
nat (inside) 123 192.168.1.8 255.255.255.255 0 0

put everything else through the interface address
nat (inside) 1 192.168.1.0 255.255.255.0 0 0

0
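
Added example, not part of the thread or any poster's configuration: a small Python model of the two translation styles discussed above. It parses only the `static` and `access-list` line forms quoted in this thread and reports which inside host each published port on the public address reaches. The address 1.1.1.123 is the answer's placeholder, the function names are hypothetical, and the outside interface ACL is not modelled.

```python
import re

# Port names as written in the PIX lines quoted in this thread.
PORTS = {"smtp": 25, "www": 80, "https": 443}
ACL = re.compile(r"access-list (\S+) permit tcp host (\S+) eq (\S+) any")
NAT = re.compile(r"static \(inside,outside\) (\S+) (\S+) netmask 255\.255\.255\.255")
PAT = re.compile(r"static \(inside,outside\) tcp (\S+) (\S+) access-list (\S+)")

def build_table(config):
    """Collect one-to-one statics and per-port (policy) statics from the config text."""
    acls = {name: (host, PORTS[port]) for name, host, port in ACL.findall(config)}
    table = {"nat": dict(NAT.findall(config)), "pat": {}}
    for public_ip, port, acl in PAT.findall(config):
        table["pat"][(public_ip, PORTS[port])] = acls[acl]  # KeyError: ACL not defined
    return table

def resolve(table, public_ip, port):
    """Inside (host, port) an inbound connection is translated to, or None if unpublished."""
    if (public_ip, port) in table["pat"]:
        return table["pat"][(public_ip, port)]
    if public_ip in table["nat"]:
        return (table["nat"][public_ip], port)  # one-to-one static carries every port
    return None

def published(config, public_ip="1.1.1.123", ports=(25, 80, 443)):
    """Map each port of interest on the public address to its inside target."""
    table = build_table(config)
    return {p: resolve(table, public_ip, p) for p in ports}

# Constructed from the lines in the thread; 1.1.1.123 is the placeholder public address.
MOVED_NAT = "static (inside,outside) 1.1.1.123 192.168.1.8 netmask 255.255.255.255 0 0"
PAT_CONFIG = """
access-list barracuda_25 permit tcp host 192.168.1.8 eq smtp any
access-list exchange_80 permit tcp host 192.168.1.7 eq www any
access-list exchange_443 permit tcp host 192.168.1.7 eq https any
static (inside,outside) tcp 1.1.1.123 smtp access-list barracuda_25 0 0
static (inside,outside) tcp 1.1.1.123 www access-list exchange_80 0 0
static (inside,outside) tcp 1.1.1.123 https access-list exchange_443 0 0
"""

if __name__ == "__main__":
    # ActiveSync runs over HTTPS (443), so that row shows why the iPhones stopped working.
    for name, cfg in (("one-to-one static moved to Barracuda", MOVED_NAT), ("static PAT", PAT_CONFIG)):
        print(name)
        for port, target in published(cfg).items():
            print(f"  tcp/{port} -> {target}")
```

Any port not listed in a per-port static resolves to `None`, which is a quick way to confirm that nothing beyond SMTP, HTTP and HTTPS is published on the shared address.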

garyohAuthor Commented:
Your first idea of using another IP was the best idea. All done. Works great, and used the original as MX 20. Thanks.
0