HELP Setting up Barracuda 400 with PIX firewall


  • This topic is locked
3 replies to this topic

#1 Xanathar

Xanathar
  • Members
  • 2 posts

Posted 17 February 2010 - 08:44 AM

We are adding a Barracuda spam filter to our email system. We are also running Exchange 2003 and have all of our users accessing webmail through MAIL.AAA.com, in addition to devices which require IMAP support pointing to the same mail.AAA.com, which also happens to be where our MX record points to.

Because of webmail support and the IMAP devices we need to maintain the MAIL.AAA.COM to allow our users to continue to access the webmail, etc. without changing the address they are currently using.

Now BARRACUDA says we need to do a port forward on our INBOUND MAIL to the BARRACUDA, but that forward in our firewall points to the external address for MAIL.AAA.COM as well as directly to our mail server.

Here is a sample of the config of our Cisco PIX:

access-list acl_outside permit icmp any any echo-reply
access-list acl_outside permit icmp any any time-exceeded
access-list acl_outside permit icmp any any unreachable
access-list acl_outside permit tcp any host XXX.XXX.XXX.139 eq smtp
access-list acl_outside permit tcp any host XXX.XXX.XXX.139 eq pop3 <----------------------------
access-list acl_outside permit tcp any host XXX.XXX.XXX.139 eq www
access-list acl_outside permit tcp any host XXX.XXX.XXX.139 eq https
access-list acl_outside permit tcp any host XXX.XXX.XXX.139 eq imap4
access-list acl_outside permit tcp any host XXX.XXX.XXX.139 eq 993
static (inside,outside) XXX.XXX.XXX.139 XXX.XXX.XXX.4 netmask 255.255.255.255 0 0

Here is my thought process... am I overthinking it? Is there a better way? I am assuming the entry above with the arrow is my current port forward.

1. Add a new DNS record (perhaps MAIL2.AAAA.com) which points to a different external IP address
2. Add new NAT translations to our network so the new external IP address points to our Barracuda
3. Change our MX record to point to the new external address (MAIL2.AAAA.com) instead of the existing MAIL.AAAAA.com
4. Keep MAIL.AAAA.com and existing NAT translations the same so webmail and IMAP still work

Is my thought process correct? Will people still be able to get to their webmail? Will our normal external email still flow past the BARRACUDA first if we make this change? Is there something simple I am missing? I would be grateful for any thoughts.

Thank you for

#2 Xanathar

Xanathar
  • Members
  • 2 posts

Posted 18 February 2010 - 04:39 PM

Can ANYBODY help me with this? We made the firewall changes and still no mail flows through the Barracuda.

Thanks

#3 DavidG

DavidG
  • Members
  • 2 posts

Posted 18 February 2010 - 05:43 PM

FYI this is a community support forum; urgent issues should be handled through email / phone support.

Changes in MX / DNS records can take days to reflect externally; new records tend to take hours.

I would suggest the following, but it is not a rule or anything:

Keep IMAP and webmail access on the current IP.
Create a second MX record for your domain on a new IP.
Forward the new IP to your Barracuda, and wait a day for the NEW DNS record to spread.
Block external SMTP access to your original IP on your firewall; servers connecting should fail and try your second address that points to the Barracuda.
Test mail flow and, if all works, remove the original MX record.

#4 wgtech

wgtech
  • Members
  • 19 posts

Posted 19 February 2010 - 01:48 PM

You need to perform an extended static on your PIX to allow your IMAP and WWW traffic to go to the correct server(s) but send port 25 SMTP to your Barracuda. Same static entry, but add the ports at the end of the statement. This can be done instead of a true 1 to 1 static.

static (inside,outside) tcp XXX.XXX.XXX.139 SMTP XXX.XXX.XXX.4 SMTP netmask 255.255.255.255 0 0

Hope this helps you.
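
As an added example (not part of any post in this thread, and not Barracuda or Cisco code): a short audit that reads PIX `access-list` and `static` lines and reports which inside host each permitted inbound port lands on, so you can confirm SMTP reaches the spam filter and not the mail server directly. The addresses are constructed documentation values, and 10.0.0.5 as the Barracuda's inside address is an assumption.

```python
import re

# Constructed sample configs (documentation addresses, not from the thread):
# 192.0.2.139 = public mail IP, 10.0.0.4 = Exchange, 10.0.0.5 = Barracuda (assumed).
ACL = "\n".join(
    f"access-list acl_outside permit tcp any host 192.0.2.139 eq {p}"
    for p in ("smtp", "pop3", "www", "https", "imap4", "993"))
ONE_TO_ONE = ACL + "\nstatic (inside,outside) 192.0.2.139 10.0.0.4 netmask 255.255.255.255 0 0\n"
PER_PORT = ACL + "\n" + "\n".join(
    f"static (inside,outside) tcp 192.0.2.139 {p} {host} {p} netmask 255.255.255.255 0 0"
    for p, host in (("smtp", "10.0.0.5"), ("pop3", "10.0.0.4"), ("www", "10.0.0.4"),
                    ("https", "10.0.0.4"), ("imap4", "10.0.0.4"), ("993", "10.0.0.4")))

ACL_RE = re.compile(r"^access-list \S+ permit tcp any host (\S+) eq (\S+)", re.M)
HOST_RE = re.compile(r"^static \(inside,outside\) (\S+) (\S+) netmask", re.M)
PORT_RE = re.compile(r"^static \(inside,outside\) tcp (\S+) (\S+) (\S+) (\S+) netmask", re.M)

def inbound_map(config):
    """Map each ACL-permitted (public_ip, port) to the inside host that receives it."""
    hosts = {g: l for g, l in HOST_RE.findall(config)}
    ports = {(g, gp.lower()): l for g, gp, l, _lp in PORT_RE.findall(config)}
    result = {}
    for ip, port in ACL_RE.findall(config):
        key = (ip, port.lower())
        # This model prefers a port-specific static, else the one-to-one static.
        result[key] = ports.get(key, hosts.get(ip))  # None = permitted, not translated
    return result

def smtp_bypasses_filter(config, public_ip, filter_ip):
    """True unless inbound SMTP on public_ip is translated to the filter."""
    return inbound_map(config).get((public_ip, "smtp")) != filter_ip

if __name__ == "__main__":
    for name, cfg in (("one-to-one static", ONE_TO_ONE), ("per-port statics", PER_PORT)):
        print(name, "-> SMTP bypasses filter:",
              smtp_bypasses_filter(cfg, "192.0.2.139", "10.0.0.5"))
```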