Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
960
Views
3
Helpful
6
Replies

Port forwarding for Barracuda and Lotus Notes

amiralisetoudeh
Level 1
Level 1

‎03-21-2007 09:20 AM - edited ‎03-11-2019 02:50 AM

Hello Everyone,

I'm trying to comprehend this situation that I'm in but I see that I'm confused for the most part.

There is a network which has a PIX on the edge point. It has an outside-if, 162.x.z.86, and inside-if, 162.x.x.1.

There is a mail server (lotus) on the inside segment of the PIX with an IP of 162.x.x.6 - the mail server also has an internal IP of 10.0.16.51 -- The external IP is registered with their hosting co as the MX.

A Barracuda spam filter has been installed as well, with an internal of 10.0.16.145

What I'm trying to do is have all SMTP requests that the PIX receives on the external to forward to the Barracuda, which by the way the PIX can ping so I know there's connectivity, and have the Barracuda hand them off to the Notes.

I've already setup the Barracuda to have the mail server as the lotus box.

On the PIX I've configured an access list to:

access-list allow_inbound permit tcp any host 162.x.x.6 eq smtp

access-list allow_inbound permit tcp any host 162.x.x.6 eq lotusnotes

access-list email_nat permit ip host 10.0.16.145

access-list email_nat permit ip host 10.0.16.51

nat (inside) 25 access-list email_nat 0 0

global (outside) 25 162.x.x.6

static (inside,outside) tcp interface smtp 10.0.16.145 smtp netmask 255.255.255.255 0 0

I assume that this configuration will have the internal of the Notes NATed to 162.x.x.6 when leaving PIX, and any SMTP will be routed to the internal of Notes.

I show some hits on the email_nat access list...

But I don't see Barracuda receiving emails, and I get this report as well when I perform a connectivity test from it:

Recipient Verification

Error: Supposedly valid email is being rejected by your mail server. Please verify your test email address, and configure your mail server to receive email for this address from the Barracuda Spam Firewall.

Outside Connectivity

Error: It does not look like the MX record for your default domain resolves to your Barracuda Spam Firewall's IP address. Please verify that your DNS servers are properly configured.

Outside Connectivity

Error: Could not send mail to your Barracuda Spam Firewall. Please verify that your network permissions (firewall) allow SMTP traffic from the Internet to the Barracuda Spam Firewall.

I hope I've provided enough information. Is there anyone who can assist me on this issue?

Many thanks,

Ali

Labels:
0 Helpful
6 Replies 6

suschoud
Cisco Employee
Cisco Employee

‎03-21-2007 09:27 AM

access-list allow_inbound permit tcp any host 162.x.x.6 eq smtp

access-list allow_inbound permit tcp any host 162.x.x.6 eq lotusnotes

do you have the corresponding access-group command.

access-g allow_inbound in interface outside

0 Helpful

amiralisetoudeh
Level 1
Level 1
In response to suschoud

‎03-21-2007 01:24 PM

Yes, I have

access-group allow_inbound in interface outside

configured.

0 Helpful

acomiskey
Level 10
Level 10
In response to amiralisetoudeh

‎03-21-2007 01:30 PM

It looks like you are referencing your inside servers in your access-list by their inside ip addresses. You cannot do this. For instance, barracuda would be...

access-list allow_inbound permit tcp any interface outside eq smtp

NOT

access-list allow_inbound permit tcp any host 10.0.16.145 eq smtp

amiralisetoudeh
Level 1
Level 1
In response to acomiskey

‎03-21-2007 02:33 PM

Many thanks for the reply.

The access-list that has the 10.0.16.145 in it is actually for NAT, not for traffic forwarding.

In any case, just a while back, I've asked the guys up there to consider taking the Barracuda outside. I don't see any reason for having it internal.

If the Barracuda is outside, we can have the MX records changed from the Notes server to the Barracuda, and I can static SMTP to it on the PIX.

That way SMTP will be forwarded to Barracuda, and web access requests to mail will still be forwarded to the mail server.

I hope this plan works out.

Ali

0 Helpful

acomiskey
Level 10
Level 10
In response to amiralisetoudeh

‎03-21-2007 02:54 PM

What lead me to that was this...

access-list allow_inbound permit tcp any host 162.x.x.6 eq smtp

access-list allow_inbound permit tcp any host 162.x.x.6 eq lotusnotes

and your first post you said inside interface of pix was 162.x.x.1. So I assumed 162.x.x.6 was inside address as well. That's what I was talking about.

0 Helpful

amiralisetoudeh
Level 1
Level 1
In response to acomiskey

‎03-21-2007 03:05 PM

Precisely...

The inside of the PIX is a Public IP. 162.x.y.1

The Domino (Notes) server has both a Public and Private IP.

162.x.x.6

10.0.16.51

And the Barracuda currently has a private IP.

10.0.16.145

Where I think I messed up was that I have PIX NATing 10.0.16.145 to the Global of 162.x.x.6, where PIX will probably never see that 10.0.16.145 address since it's not directly connected to the internal network. I caught that by reading your previous post.

I'm hoping my new proposal will take care of all the unnecessary headaches:

Having the Barracuda in the same public subnet as the PIX. Having outside DNS MX point to Barracuda. Having Barracuda forward to Domino (Notes).

Ali

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card