Port forwarding for Barracuda and Lotus Notes

Mar 21st, 2007

Hello Everyone,

I'm trying to comprehend this situation that I'm in but I see that I'm confused for the most part.

There is a network which has a PIX on the edge point. It has an outside-if, 162.x.z.86, and inside-if, 162.x.x.1.

There is a mail server (lotus) on the inside segment of the PIX with an IP of 162.x.x.6 - the mail server also has an internal IP of -- The external IP is registered with their hosting co as the MX.

A Barracuda spam filter has been installed as well, with an internal of

What I'm trying to do is have all SMTP requests that the PIX receives on the external to forward to the Barracuda, which by the way the PIX can ping so I know there's connectivity, and have the Barracuda hand them off to the Notes.

I've already set up the Barracuda to have the mail server as the lotus box.

On the PIX I've configured an access list to:

access-list allow_inbound permit tcp any host 162.x.x.6 eq smtp

access-list allow_inbound permit tcp any host 162.x.x.6 eq lotusnotes

access-list email_nat permit ip host

access-list email_nat permit ip host

nat (inside) 25 access-list email_nat 0 0

global (outside) 25 162.x.x.6

static (inside,outside) tcp interface smtp smtp netmask 0 0

I assume that this configuration will have the internal of the Notes NATed to 162.x.x.6 when leaving PIX, and any SMTP will be routed to the internal of Notes.

I show some hits on the email_nat access list...

But I don't see Barracuda receiving emails, and I get this report as well when I perform a connectivity test from it:

Recipient Verification

Error: Supposedly valid email is being rejected by your mail server. Please verify your test email address, and configure your mail server to receive email for this address from the Barracuda Spam Firewall.

Outside Connectivity

Error: It does not look like the MX record for your default domain resolves to your Barracuda Spam Firewall's IP address. Please verify that your DNS servers are properly configured.

Outside Connectivity

Error: Could not send mail to your Barracuda Spam Firewall. Please verify that your network permissions (firewall) allow SMTP traffic from the Internet to the Barracuda Spam Firewall.

I hope I've provided enough information. Is there anyone who can assist me on this issue?

Many thanks,


suschoud Wed, 03/21/2007 - 09:27

access-list allow_inbound permit tcp any host 162.x.x.6 eq smtp

access-list allow_inbound permit tcp any host 162.x.x.6 eq lotusnotes

Do you have the corresponding access-group command?

access-g allow_inbound in interface outside

amiralisetoudeh Wed, 03/21/2007 - 13:24

Yes, I have

access-group allow_inbound in interface outside


acomiskey Wed, 03/21/2007 - 13:30

It looks like you are referencing your inside servers in your access-list by their inside ip addresses. You cannot do this. For instance, barracuda would be...

access-list allow_inbound permit tcp any interface outside eq smtp


access-list allow_inbound permit tcp any host eq smtp
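
Added example (not part of the thread and not any poster's code): a small Python check for the rule described in the reply above, assuming PIX 6.x/7.x-style syntax, where the ACL bound to the outside interface must name the translated (global) address of a `static`, not the server's real inside address. The sample config, its addresses and the helper name `audit` are constructed for illustration.

```python
import re

# Constructed sample (not the poster's config): a spam filter at 192.168.1.10
# and a mail server at 192.168.1.6, both published on the PIX outside interface.
SAMPLE = """\
access-list allow_inbound permit tcp any host 192.168.1.10 eq smtp
access-list allow_inbound permit tcp any interface outside eq www
access-group allow_inbound in interface outside
static (inside,outside) tcp interface smtp 192.168.1.10 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.1.6 www netmask 255.255.255.255 0 0
"""

STATIC = re.compile(r"^static \((\w+),(\w+)\) tcp (\S+) (\S+) (\S+) (\S+)")
ACE = re.compile(r"^access-list (\S+) permit tcp any (?:host (\S+)|interface (\w+)) eq (\S+)")
GROUP = re.compile(r"^access-group (\S+) in interface (\w+)")

def audit(config, outside="outside"):
    """Return (port forwards with no matching permit, permits naming a real address).

    Ports are compared as written (smtp vs 25 is not normalized), and only
    'permit tcp any ... eq <port>' entries are understood.
    """
    statics, aces, bound = [], [], set()
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC.match(line):
            if m.group(2) == outside:
                # (global address or "interface", global port, real inside host)
                statics.append((m.group(3), m.group(4), m.group(5)))
        elif m := ACE.match(line):
            dest = m.group(2) or "interface"  # "interface" = the PIX's own address
            aces.append((m.group(1), dest, m.group(4)))
        elif m := GROUP.match(line):
            if m.group(2) == outside:
                bound.add(m.group(1))
    permitted = {(d, p) for name, d, p in aces if name in bound}
    real_hosts = {real for _, _, real in statics}
    global_addrs = {g for g, _, _ in statics}
    unreachable = [(g, p) for g, p, _ in statics if (g, p) not in permitted]
    wrong_side = [(d, p) for name, d, p in aces
                  if name in bound and d in real_hosts and d not in global_addrs]
    return unreachable, wrong_side

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On the sample, the SMTP forward is reported as unreachable and the first ACL line is reported as naming a real inside address; rewriting that line to match the `static`'s global side clears both findings.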

amiralisetoudeh Wed, 03/21/2007 - 14:33

Many thanks for the reply.

The access-list that has the in it is actually for NAT, not for traffic forwarding.

In any case, just a while back, I've asked the guys up there to consider taking the Barracuda outside. I don't see any reason for having it internal.

If the Barracuda is outside, we can have the MX records changed from the Notes server to the Barracuda, and I can static SMTP to it on the PIX.

That way SMTP will be forwarded to Barracuda, and web access requests to mail will still be forwarded to the mail server.

I hope this plan works out.


acomiskey Wed, 03/21/2007 - 14:54

What led me to that was this...

access-list allow_inbound permit tcp any host 162.x.x.6 eq smtp

access-list allow_inbound permit tcp any host 162.x.x.6 eq lotusnotes

And in your first post you said the inside interface of the PIX was 162.x.x.1. So I assumed 162.x.x.6 was an inside address as well. That's what I was talking about.

amiralisetoudeh Wed, 03/21/2007 - 15:05


The inside of the PIX is a Public IP. 162.x.y.1

The Domino (Notes) server has both a Public and Private IP.


And the Barracuda currently has a private IP.

Where I think I messed up was that I have PIX NATing to the Global of 162.x.x.6, where PIX will probably never see that address since it's not directly connected to the internal network. I caught that by reading your previous post.

I'm hoping my new proposal will take care of all the unnecessary headaches:

Having the Barracuda in the same public subnet as the PIX. Having outside DNS MX point to Barracuda. Having Barracuda forward to Domino (Notes).