Port forwarding for Barracuda and Lotus Notes

Unanswered Question
Mar 21st, 2007

Hello Everyone,

I'm trying to comprehend this situation that I'm in but I see that I'm confused for the most part.

There is a network which has a PIX on the edge point. It has an outside-if, 162.x.z.86, and inside-if, 162.x.x.1.

There is a mail server (lotus) on the inside segment of the PIX with an IP of 162.x.x.6 - the mail server also has an internal IP of 10.0.16.51 -- The external IP is registered with their hosting co as the MX.

A Barracuda spam filter has been installed as well, with an internal of 10.0.16.145

What I'm trying to do is have all SMTP requests that the PIX receives on the external interface forwarded to the Barracuda (which, by the way, the PIX can ping, so I know there's connectivity) and have the Barracuda hand them off to the Notes.

I've already set up the Barracuda to have the mail server as the Lotus box.

On the PIX I've configured an access list to:

access-list allow_inbound permit tcp any host 162.x.x.6 eq smtp

access-list allow_inbound permit tcp any host 162.x.x.6 eq lotusnotes

access-list email_nat permit ip host 10.0.16.145 any

access-list email_nat permit ip host 10.0.16.51 any

nat (inside) 25 access-list email_nat 0 0

global (outside) 25 162.x.x.6

static (inside,outside) tcp interface smtp 10.0.16.145 smtp netmask 255.255.255.255 0 0

I assume that this configuration will have the internal address of the Notes NATed to 162.x.x.6 when leaving the PIX, and any SMTP will be routed to the internal address of Notes.

I show some hits on the email_nat access list...

But I don't see the Barracuda receiving emails, and I get this report as well when I perform a connectivity test from it:

Recipient Verification

Error: Supposedly valid email is being rejected by your mail server. Please verify your test email address, and configure your mail server to receive email for this address from the Barracuda Spam Firewall.

Outside Connectivity

Error: It does not look like the MX record for your default domain resolves to your Barracuda Spam Firewall's IP address. Please verify that your DNS servers are properly configured.

Outside Connectivity

Error: Could not send mail to your Barracuda Spam Firewall. Please verify that your network permissions (firewall) allow SMTP traffic from the Internet to the Barracuda Spam Firewall.

I hope I've provided enough information. Is there anyone who can assist me on this issue?

Many thanks,

Ali

suschoud Wed, 03/21/2007 - 09:27

access-list allow_inbound permit tcp any host 162.x.x.6 eq smtp

access-list allow_inbound permit tcp any host 162.x.x.6 eq lotusnotes

Do you have the corresponding access-group command?

access-group allow_inbound in interface outside

acomiskey Wed, 03/21/2007 - 13:30

It looks like you are referencing your inside servers in your access-list by their inside IP addresses. You cannot do this. For instance, the Barracuda would be...

access-list allow_inbound permit tcp any interface outside eq smtp

NOT

access-list allow_inbound permit tcp any host 10.0.16.145 eq smtp
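The two checks the replies above describe (an access-list that is defined but never bound with access-group, and an outside-facing access-list entry that names an inside host's private address instead of its translated address) written as a small Python lint. This is an added example, not code from the thread or from Cisco. The configs it runs over are constructed from the poster's lines: 162.x.x.6 is written as 162.0.0.6 so it parses, the email_nat entries are given the `any` destination that PIX syntax requires, and the "fixed" variant is what the two replies ask for. It assumes the thread's two-interface PIX (inside and outside) and PIX 6.x syntax, where an ACL applied on the outside interface must reference the global address of an inside host or the `interface outside` keyword.

```python
"""Lint a PIX 6.x-style configuration for the two mistakes raised in the thread.

Added example, not the thread's or Cisco's code. Assumes the two-interface
PIX of the thread (inside, outside) and PIX 6.x syntax, where an ACL applied
on the outside interface must name the translated (global) address of an
inside host, never its private address.
"""
import ipaddress

# Constructed sample: the poster's config with the two mistakes deliberately
# present (no access-group, and an inbound entry naming the Barracuda's private
# 10.0.16.145). 162.x.x.6 is written 162.0.0.6 so it parses; the email_nat
# entries are given the 'any' destination PIX requires.
BROKEN_CONFIG = """\
access-list allow_inbound permit tcp any host 10.0.16.145 eq smtp
access-list allow_inbound permit tcp any host 162.0.0.6 eq lotusnotes
access-list email_nat permit ip host 10.0.16.145 any
access-list email_nat permit ip host 10.0.16.51 any
nat (inside) 25 access-list email_nat 0 0
global (outside) 25 162.0.0.6
static (inside,outside) tcp interface smtp 10.0.16.145 smtp netmask 255.255.255.255 0 0
"""

# Constructed: the same design with both mistakes fixed. SMTP now targets the
# PIX's own outside address ('interface outside'), which the static maps to the
# Barracuda, and the filter ACL is actually bound to the outside interface.
FIXED_CONFIG = """\
access-list allow_inbound permit tcp any interface outside eq smtp
access-list allow_inbound permit tcp any host 162.0.0.6 eq lotusnotes
access-list email_nat permit ip host 10.0.16.145 any
access-list email_nat permit ip host 10.0.16.51 any
nat (inside) 25 access-list email_nat 0 0
global (outside) 25 162.0.0.6
static (inside,outside) tcp interface smtp 10.0.16.145 smtp netmask 255.255.255.255 0 0
access-group allow_inbound in interface outside
"""


def _take_addr(tokens):
    """Consume one PIX address spec from tokens; return ((kind, value), rest)."""
    if tokens[0] == "any":
        return ("any", None), tokens[1:]
    if tokens[0] in ("host", "interface"):
        return (tokens[0], tokens[1]), tokens[2:]
    return ("net", tokens[0]), tokens[2:]  # "<network> <mask>"


def parse_config(text):
    """Return (acls, groups, nat_acls) from a PIX-style config.

    acls:     name -> list of {"proto", "src", "dst", "line"}
    groups:   name -> (direction, interface) from access-group
    nat_acls: names referenced by 'nat (...) N access-list NAME' (policy NAT)
    """
    acls, groups, nat_acls = {}, {}, set()
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and len(t) > 4 and t[2] in ("permit", "deny"):
            try:
                src, rest = _take_addr(t[4:])
                dst, _ = _take_addr(rest)
            except IndexError:  # malformed entry; not this lint's concern
                continue
            acls.setdefault(t[1], []).append(
                {"proto": t[3], "src": src, "dst": dst, "line": line})
        elif t[0] == "access-group":
            groups[t[1]] = (t[2], t[4])  # access-group NAME in interface IF
        elif t[0] == "nat" and "access-list" in t:
            nat_acls.add(t[t.index("access-list") + 1])
    return acls, groups, nat_acls


def lint(text):
    """Return a list of findings (empty when the config passes both checks)."""
    acls, groups, nat_acls = parse_config(text)
    findings = []

    # Check 1: a filter ACL that is defined but never applied does nothing.
    for name in acls:
        if name not in groups and name not in nat_acls:
            findings.append(
                f"{name}: defined but never applied; add "
                f"'access-group {name} in interface outside' (or the right interface)")

    # Check 2: ACLs that are not policy-NAT ACLs and are not bound on 'inside'
    # face the outside world, so a private destination is the untranslated
    # inside address and the entry can never match.
    inside_bound = {n for n, (_d, iface) in groups.items() if iface == "inside"}
    for name, entries in acls.items():
        if name in nat_acls or name in inside_bound:
            continue
        for ace in entries:
            kind, value = ace["dst"]
            try:
                private = kind == "host" and ipaddress.ip_address(value).is_private
            except ValueError:  # a configured name rather than an address
                private = False
            if private:
                findings.append(
                    f"{name}: '{ace['line']}' names inside address {value}; "
                    "use the static's global address or 'interface outside'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"[{label}]")
        for finding in lint(cfg) or ["no findings"]:
            print("  ", finding)
```

Run as a script it reports two findings for the broken config (the unbound allow_inbound and the 10.0.16.145 entry) and none for the fixed one. The NAT ACL is exempt on purpose: policy-NAT ACLs match the real inside addresses and are never bound with access-group, which is exactly the distinction Ali draws in the next reply.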

amiralisetoudeh Wed, 03/21/2007 - 14:33

Many thanks for the reply.

The access-list that has the 10.0.16.145 in it is actually for NAT, not for traffic forwarding.

In any case, just a while back, I've asked the guys up there to consider taking the Barracuda outside. I don't see any reason for having it internal.

If the Barracuda is outside, we can have the MX records changed from the Notes server to the Barracuda, and I can static SMTP to it on the PIX.

That way SMTP will be forwarded to Barracuda, and web access requests to mail will still be forwarded to the mail server.

I hope this plan works out.

Ali

acomiskey Wed, 03/21/2007 - 14:54

What led me to that was this...

access-list allow_inbound permit tcp any host 162.x.x.6 eq smtp

access-list allow_inbound permit tcp any host 162.x.x.6 eq lotusnotes

and in your first post you said the inside interface of the PIX was 162.x.x.1. So I assumed 162.x.x.6 was an inside address as well. That's what I was talking about.

amiralisetoudeh Wed, 03/21/2007 - 15:05

Precisely...

The inside of the PIX is a public IP: 162.x.y.1

The Domino (Notes) server has both a Public and Private IP.

162.x.x.6

10.0.16.51

And the Barracuda currently has a private IP.

10.0.16.145

Where I think I messed up was that I have the PIX NATing 10.0.16.145 to the global of 162.x.x.6, where the PIX will probably never see that 10.0.16.145 address since it's not directly connected to the internal network. I caught that by reading your previous post.

I'm hoping my new proposal will take care of all the unnecessary headaches:

Have the Barracuda in the same public subnet as the PIX, have the outside DNS MX point to the Barracuda, and have the Barracuda forward to Domino (Notes).

Ali
