03-21-2007 09:20 AM - edited 03-11-2019 02:50 AM
Hello Everyone,
I'm trying to comprehend this situation that I'm in but I see that I'm confused for the most part.
There is a network which has a PIX on the edge point. It has an outside-if, 162.x.z.86, and inside-if, 162.x.x.1.
There is a mail server (lotus) on the inside segment of the PIX with an IP of 162.x.x.6 - the mail server also has an internal IP of 10.0.16.51 -- The external IP is registered with their hosting co as the MX.
A Barracuda spam filter has been installed as well, with an internal of 10.0.16.145
What I'm trying to do is have all SMTP requests that the PIX receives on the external interface forwarded to the Barracuda (which, by the way, the PIX can ping, so I know there's connectivity) and have the Barracuda hand them off to Notes.
I've already set up the Barracuda to have the mail server as the Lotus box.
On the PIX I've configured an access list to:
access-list allow_inbound permit tcp any host 162.x.x.6 eq smtp
access-list allow_inbound permit tcp any host 162.x.x.6 eq lotusnotes
access-list email_nat permit ip host 10.0.16.145
access-list email_nat permit ip host 10.0.16.51
nat (inside) 25 access-list email_nat 0 0
global (outside) 25 162.x.x.6
static (inside,outside) tcp interface smtp 10.0.16.145 smtp netmask 255.255.255.255 0 0
I assume that this configuration will have the internal of the Notes NATed to 162.x.x.6 when leaving PIX, and any SMTP will be routed to the internal of Notes.
I show some hits on the email_nat access list...
But I don't see Barracuda receiving emails, and I get this report as well when I perform a connectivity test from it:
Recipient Verification
Error: Supposedly valid email is being rejected by your mail server. Please verify your test email address, and configure your mail server to receive email for this address from the Barracuda Spam Firewall.
Outside Connectivity
Error: It does not look like the MX record for your default domain resolves to your Barracuda Spam Firewall's IP address. Please verify that your DNS servers are properly configured.
Outside Connectivity
Error: Could not send mail to your Barracuda Spam Firewall. Please verify that your network permissions (firewall) allow SMTP traffic from the Internet to the Barracuda Spam Firewall.
I hope I've provided enough information. Is there anyone who can assist me on this issue?
Many thanks,
Ali
03-21-2007 09:27 AM
access-list allow_inbound permit tcp any host 162.x.x.6 eq smtp
access-list allow_inbound permit tcp any host 162.x.x.6 eq lotusnotes
Do you have the corresponding access-group command?
access-g allow_inbound in interface outside
03-21-2007 01:24 PM
Yes, I have
access-group allow_inbound in interface outside
configured.
03-21-2007 01:30 PM
It looks like you are referencing your inside servers in your access-list by their inside ip addresses. You cannot do this. For instance, barracuda would be...
access-list allow_inbound permit tcp any interface outside eq smtp
NOT
access-list allow_inbound permit tcp any host 10.0.16.145 eq smtp
03-21-2007 02:33 PM
Many thanks for the reply.
The access-list that has the 10.0.16.145 in it is actually for NAT, not for traffic forwarding.
In any case, just a while back, I've asked the guys up there to consider taking the Barracuda outside. I don't see any reason for having it internal.
If the Barracuda is outside, we can have the MX records changed from the Notes server to the Barracuda, and I can static SMTP to it on the PIX.
That way SMTP will be forwarded to Barracuda, and web access requests to mail will still be forwarded to the mail server.
I hope this plan works out.
Ali
03-21-2007 02:54 PM
What led me to that was this...
access-list allow_inbound permit tcp any host 162.x.x.6 eq smtp
access-list allow_inbound permit tcp any host 162.x.x.6 eq lotusnotes
and your first post you said inside interface of pix was 162.x.x.1. So I assumed 162.x.x.6 was inside address as well. That's what I was talking about.
03-21-2007 03:05 PM
Precisely...
The inside of the PIX is a Public IP. 162.x.y.1
The Domino (Notes) server has both a Public and Private IP.
162.x.x.6
10.0.16.51
And the Barracuda currently has a private IP.
10.0.16.145
Where I think I messed up was that I have PIX NATing 10.0.16.145 to the Global of 162.x.x.6, where PIX will probably never see that 10.0.16.145 address since it's not directly connected to the internal network. I caught that by reading your previous post.
I'm hoping my new proposal will take care of all the unnecessary headaches:
Having the Barracuda in the same public subnet as the PIX. Having outside DNS MX point to Barracuda. Having Barracuda forward to Domino (Notes).
Ali
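A way to check a config like the one posted in this thread for the three things the discussion turns on (whether the outside ACL names mapped or real addresses, which host TCP/25 sent to the MX address actually reaches, and whether the address the filter is exposed on is the one the MX points at), as an added example that is not part of the thread and not Cisco's or Barracuda's tooling. It assumes the PIX 6.x/7.x (pre-ASA 8.3) NAT model, parses only the ip address, static, access-list and access-group lines, and works on a constructed copy of the posted config in which the masked octets are replaced by invented values (162.0.0.0/24 as the inside public segment, 162.0.9.86 as the outside address, 162.0.0.6 as the MX target); the `any` destination on the email_nat entries is also assumed, since the post omits it.

```python
"""Sanity checks for the inbound SMTP path of a PIX 6.x/7.x-style config.
Example code added to this thread: not Cisco's and not the poster's.
SAMPLE_CONFIG is a constructed copy of the posted lines (assumption)."""

import ipaddress

# Constructed sample: masked octets replaced by invented values, 162.0.0.0/24
# as the inside public segment, 162.0.9.86 as the outside address. 'any' is
# added as the destination of the email_nat entries, which the post omits.
SAMPLE_CONFIG = """
ip address outside 162.0.9.86 255.255.255.0
ip address inside 162.0.0.1 255.255.255.0
access-list allow_inbound permit tcp any host 162.0.0.6 eq smtp
access-list allow_inbound permit tcp any host 162.0.0.6 eq lotusnotes
access-list email_nat permit ip host 10.0.16.145 any
access-list email_nat permit ip host 10.0.16.51 any
nat (inside) 25 access-list email_nat 0 0
global (outside) 25 162.0.0.6
static (inside,outside) tcp interface smtp 10.0.16.145 smtp netmask 255.255.255.255 0 0
access-group allow_inbound in interface outside
"""

PORT_NAMES = {"smtp": 25, "lotusnotes": 1352}


def port_number(tok):
    return PORT_NAMES.get(tok) or int(tok)


def take_addr(toks, ifaces):
    """Consume one ACL address spec; return (address, remaining tokens)."""
    if toks[0] == "any":
        return "any", toks[1:]
    if toks[0] == "host":
        return toks[1], toks[2:]
    if toks[0] == "interface":  # PIX 7.x: the named interface's own address
        return ifaces[toks[1]], toks[2:]
    return f"{toks[0]}/{toks[1]}", toks[2:]  # network and mask


def parse(config):
    """Return (interfaces, statics, acls, access-groups); other lines are ignored."""
    ifaces, statics, acls, groups = {}, [], {}, {}
    for line in config.strip().splitlines():
        t = line.split()
        if not t:
            continue
        if t[:2] == ["ip", "address"]:
            ifaces[t[2]] = t[3]
        elif t[0] == "static":  # static (in,out) [tcp|udp] MAPPED [PORT] REAL [PORT] netmask ...
            b = t[2:]
            if b[0] in ("tcp", "udp"):
                s = {"proto": b[0], "mapped": b[1], "mport": port_number(b[2]), "real": b[3]}
            else:
                s = {"proto": "ip", "mapped": b[0], "mport": None, "real": b[1]}
            if s["mapped"] == "interface":
                s["mapped"] = ifaces["outside"]
            statics.append(s)
        elif t[0] == "access-list" and t[2] == "permit":  # access-list NAME permit PROTO SRC DST [eq PORT]
            src, rest = take_addr(t[4:], ifaces)
            dst, rest = take_addr(rest, ifaces)
            dport = port_number(rest[1]) if rest[:1] == ["eq"] else None
            acls.setdefault(t[1], []).append({"proto": t[3], "src": src, "dst": dst, "dport": dport})
        elif t[0] == "access-group":  # access-group NAME in interface IFACE
            groups[t[4]] = t[1]
    return ifaces, statics, acls, groups


def is_private(addr):
    try:
        return ipaddress.ip_address(addr.split("/")[0]).is_private
    except ValueError:  # 'any'
        return False


def outside_acl(cfg):
    return cfg[2].get(cfg[3].get("outside"), [])


def real_address_entries(cfg):
    """Outside-ACL entries aimed at an untranslated RFC1918 host. PIX 6/7 (and ASA
    before 8.3) match the outside ACL against the mapped address, so these never hit."""
    return [e for e in outside_acl(cfg) if is_private(e["dst"])]


def smtp_landing(cfg, dst_ip):
    """Trace TCP/25 sent to dst_ip: permitted by the outside ACL, and which host does a
    static hand it to? With no static it goes to whatever holds dst_ip on the inside
    (identity NAT and nat-control are not modelled)."""
    permitted = any(e["dst"] in ("any", dst_ip) and e["dport"] in (None, 25)
                    and e["proto"] in ("ip", "tcp") for e in outside_acl(cfg))
    for s in cfg[1]:
        if s["mapped"] == dst_ip and s["proto"] in ("ip", "tcp") and s["mport"] in (None, 25):
            return {"permitted": permitted, "real_host": s["real"], "via": "static"}
    return {"permitted": permitted, "real_host": dst_ip, "via": "no static"}


def mx_reaches_filter(cfg, mx_ip, filter_real_ip):
    """The Barracuda 'MX does not resolve to the filter' test in config terms:
    (ok, mapped addresses at which the filter's port 25 is exposed)."""
    mapped = [s["mapped"] for s in cfg[1] if s["real"] == filter_real_ip
              and s["proto"] in ("ip", "tcp") and s["mport"] in (None, 25)]
    return mx_ip in mapped, mapped


def bypass_entries(cfg, filter_addrs):
    """Outside-ACL entries letting sources other than the filter reach TCP/25. Once the
    MX points at the filter, tighten these to 'host <filter>' so it cannot be skipped."""
    return [e for e in outside_acl(cfg) if e["dport"] == 25 and e["src"] not in filter_addrs]


if __name__ == "__main__":
    cfg = parse(SAMPLE_CONFIG)
    print("TCP/25 to MX 162.0.0.6 lands on:", smtp_landing(cfg, "162.0.0.6"))
    print("MX reaches filter:", mx_reaches_filter(cfg, "162.0.0.6", "10.0.16.145"))
    print("SMTP entries bypassing the filter:", bypass_entries(cfg, {"162.0.9.86"}))
```

Run against the sample, the checks report that the MX address has no port-25 static, so mail sent to the MX lands on whatever holds 162.0.0.6 on the inside (the Domino host) rather than on the Barracuda; that the Barracuda's only mapping is the outside interface address, which the MX does not reference and which no allow_inbound entry permits on port 25; and that the allow_inbound SMTP entry for the Domino address accepts any source, which is worth tightening to the filter's address once the MX is moved so that senders cannot bypass the filter. The static/ACL matching is approximate: nat 0, identity statics and nat-control are not modelled, and an ACL entry placed on a real 10.x address (the form the second reply warns against) is only reported, not fixed.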