Solved

iPhone, Barracuda spam firewall, and Exchange 2010

Posted on 2013-01-20
5
544 Views
Last Modified: 2013-01-21
I've had my Exchange 2010 working fine with the iPhones, but there was too much spam, so we got a Barracuda Spam Firewall 100. Configured it per directions, but now the iPhones don't work.

I thought I'd reconfigure the Cisco PIX to point inbound port 25 to the Barracuda. Cannot get that to work.

Config like this on Cisco:
PIX Version 6.3(5)
...
access-list inbound permit tcp any host xx.xx.xx.123 eq smtp
...
static (inside,outside) xx.xx.xx.123 192.168.1.7 netmask 255.255.255.255 0 0
The Barracuda is at 192.168.1.8.
0
Comment
Question by:garyoh
5 Comments
 
LVL 10

Expert Comment

by:joelsplace
ID: 38799683
Are the iPhones using ActiveSync? If they are, it doesn't use port 25, so the Barracuda shouldn't bother them.
0
 

Author Comment

by:garyoh
ID: 38799711
They are using ActiveSync. I originally pointed the NAT to take xx.xx.xx.123 to the Barracuda's 192.168.1.8 address, which is interrupting the whole deal. That's when I realized I have to do port redirection, but MX points to the public xx.xx.xx.123 address (along with autodiscover, etc.), so I'd like to change the PIX to just send all port 25 to the Barracuda, but I cannot get this to work. I want to allow SMTP on IP .123 but have it go to internal address .8. I cannot seem to get that to work. Any ideas?
0
 
LVL 10

Expert Comment

by:joelsplace
ID: 38799725
Not really, it's been a long time since I've messed with a PIX.
Take a look at this: https://supportforums.cisco.com/thread/228328
0
 
LVL 37

Accepted Solution

by: ArneLovius (earned 500 total points)
ID: 38800041
You had a single NAT to Exchange; this was for all ports. You moved it to the Barracuda, hence no external access to Exchange.

You need to use PAT instead of NAT.

PAT forwards individual ports; NAT forwards IP addresses.

If you have a spare address, I would use a dedicated address for the Barracuda and another dedicated address for Exchange; then external users can get to the quarantine etc. on the Barracuda. Otherwise you might want to do something like the below.

Create access lists to define the traffic:
access-list barracuda_25 permit tcp host 192.168.1.8 eq smtp any 
access-list exchange_80 permit tcp host 192.168.1.7 eq www any 
access-list exchange_443 permit tcp host 192.168.1.7 eq https any 


Create NAT rules using the access lists:
static (inside,outside) tcp 1.1.1.123 smtp access-list barracuda_25 0 0 
static (inside,outside) tcp 1.1.1.123 www access-list exchange_80 0 0 
static (inside,outside) tcp 1.1.1.123 https access-list exchange_443 0 0 


Presuming that you have more than one public IP address, have a pool for the interface and a pool for the Barracuda and Exchange:
global (outside) 1 interface
global (outside) 123 1.1.1.123


Use dynamic NAT so that outbound traffic from the Barracuda and Exchange uses the same address:
nat (inside) 123 192.168.1.7 255.255.255.255 0 0
nat (inside) 123 192.168.1.8 255.255.255.255 0 0


Put everything else through the interface address:
nat (inside) 1 192.168.1.0 255.255.255.0 0 0

0
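The accepted answer's distinction between a whole-address static (NAT) and port-level statics (PAT) can be checked mechanically. The following Python script is an added example, not code from this thread or from Cisco: it parses the three PIX 6.3 command forms the answer uses (`access-list ... permit tcp host ... eq ... any`, the whole-address `static ... netmask ...` form, and the policy `static ... tcp ... access-list ...` form) and reports which inside host each public port lands on. It assumes that a port-level static takes precedence over a whole-address static for the same public IP, reuses the `1.1.1.123` placeholder from the answer, and the two configurations embedded in it are constructed from the question's first attempt and the accepted answer.

```python
"""Resolve where inbound traffic to a public IP:port lands under a PIX 6.3
configuration, contrasting a whole-address static (NAT) with port-level
policy statics (PAT).  Added example; not code from the thread or from Cisco."""
import re
from typing import Dict, List, Optional, Tuple

# PIX 6.3 service names for the ports that appear in the thread.
PORT_NAMES = {"smtp": 25, "www": 80, "https": 443}

ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+permit\s+tcp\s+host\s+(\S+)\s+eq\s+(\S+)\s+any\s*$")
STATIC_POLICY_RE = re.compile(
    r"^static\s+\(inside,outside\)\s+tcp\s+(\S+)\s+(\S+)\s+access-list\s+(\S+)")
STATIC_FULL_RE = re.compile(
    r"^static\s+\(inside,outside\)\s+(\S+)\s+(\S+)\s+netmask\s+\S+")


def port_number(token: str) -> int:
    """Accept either a numeric port or one of the PIX service names above."""
    return int(token) if token.isdigit() else PORT_NAMES[token]


def parse_pix(config: str) -> Tuple[Dict[str, Tuple[str, int]], List[tuple]]:
    """Return (acls, statics).  acls maps ACL name -> (real host, real port);
    statics is an ordered list of ("port", public_ip, port, acl_name) or
    ("full", public_ip, real_ip) entries.  Unrelated lines are ignored."""
    acls: Dict[str, Tuple[str, int]] = {}
    statics: List[tuple] = []
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            acls[m.group(1)] = (m.group(2), port_number(m.group(3)))
            continue
        m = STATIC_POLICY_RE.match(line)
        if m:
            statics.append(("port", m.group(1), port_number(m.group(2)), m.group(3)))
            continue
        m = STATIC_FULL_RE.match(line)
        if m:
            statics.append(("full", m.group(1), m.group(2)))
    return acls, statics


def resolve(config: str, public_ip: str, port: int) -> Optional[str]:
    """Inside 'host:port' that receives traffic for public_ip:port, or None.
    Modelling assumption: a port-level static wins over a whole-address static."""
    acls, statics = parse_pix(config)
    for entry in statics:
        if entry[0] == "port" and entry[1] == public_ip and entry[2] == port:
            target = acls.get(entry[3])
            if target is None:          # static references an ACL that is not defined
                continue
            return f"{target[0]}:{target[1]}"
    for entry in statics:
        if entry[0] == "full" and entry[1] == public_ip:
            return f"{entry[2]}:{port}"  # every port rides the whole-address mapping
    return None


def forwarding_table(config: str, public_ip: str, ports=(25, 80, 443)) -> Dict[int, Optional[str]]:
    return {p: resolve(config, public_ip, p) for p in ports}


def check_intent(config: str, public_ip: str, intended: Dict[int, str]) -> Dict[int, Optional[str]]:
    """Ports whose actual landing host differs from the intended inside host."""
    mismatches = {}
    for port, host in intended.items():
        actual = resolve(config, public_ip, port)
        if actual is None or actual.split(":")[0] != host:
            mismatches[port] = actual
    return mismatches


# Constructed: the question's first attempt, the whole-address static simply
# re-pointed from Exchange (192.168.1.7) to the Barracuda (192.168.1.8).
NAT_ONLY = """
static (inside,outside) 1.1.1.123 192.168.1.8 netmask 255.255.255.255 0 0
"""

# Constructed from the accepted answer's port-level statics.
PAT_SPLIT = """
access-list barracuda_25 permit tcp host 192.168.1.8 eq smtp any
access-list exchange_80 permit tcp host 192.168.1.7 eq www any
access-list exchange_443 permit tcp host 192.168.1.7 eq https any
static (inside,outside) tcp 1.1.1.123 smtp access-list barracuda_25 0 0
static (inside,outside) tcp 1.1.1.123 www access-list exchange_80 0 0
static (inside,outside) tcp 1.1.1.123 https access-list exchange_443 0 0
"""

# Intent from the thread: only SMTP to the Barracuda, web/ActiveSync to Exchange.
INTENDED = {25: "192.168.1.8", 80: "192.168.1.7", 443: "192.168.1.7"}

if __name__ == "__main__":
    for name, cfg in (("whole-address static", NAT_ONLY), ("port-level statics", PAT_SPLIT)):
        print(name, forwarding_table(cfg, "1.1.1.123"),
              "mismatches:", check_intent(cfg, "1.1.1.123", INTENDED))
```

Run as-is, the whole-address static sends 80 and 443 (ActiveSync) to the Barracuda along with every other port, which is the failure the question describes, while the port-level statics send only 25 there and leave ports with no static (for example 3389) unreachable. The script models translation only: the outside interface access-list (the `access-list inbound ...` line in the question) must separately permit each port that is forwarded, and a whole-address static exposes every port the inside host listens on, which is a reason to prefer the port-level form even when a spare public address is available.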
 

Author Closing Comment

by:garyoh
ID: 38804127
Your first idea of using another IP was the best idea. All done. Works great, and used the original as MX 20. Thanks.
0
