
Port forwarding with existing access-list


Hagfish
Jan 20, 2005
Ok, gonna try to keep this as short as possible.. Got a mail server at a co-lo site getting throttled with spam so Postini was employed. Postini was effective, but not as effective as it could be without locking down smtp to their IP range. That can be achieved - no problem.

The problem is, the clients still rely on connecting to smtp (as the mail server is on the net, not in house), so once the rule is in place, everyone's smtp stops working.. Also, the archaic email server being used does not allow smtp to listen on alternate or additional ports.. So, my thought to work around this is to:

1. come up with a random port number, i.e. 61061
2. reconfigure the users email clients to use the default smtp port of 61061
3. configure the pix to redirect all port requests from 61061 to port 25 of the mail server

My question is, can I achieve this while still keeping Postini happy? The current access list for postini is:

access-list outsidein permit tcp 64.x.x.x 255.255.240.0 host 70.x.x.43 eq smtp

What command can I add/modify to keep the above acl happy, while allowing users from the office to hit smtp by being redirected to the same server from the "dummy" port (61061)?

Thanks
 
Unless I'm missing something here, why couldn't you just add another ACE to your outsidein ACL allowing SMTP access from your IP range(s) also?? Does the messaging application have any type of web interface? Is there any reason that you can't bring the server in house? The spambots may be smart enough to find your open port even if you change it.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Thought about that, but the problem is that there are several sales folks in the field using Outlook, etc who rely on connecting into that server as well (and the webmail is atrocious, might as well not even be one). I know this is a far from ideal situation, just workin with what I got at the moment and trying to provide a workaround for them until they'll let me do something like you're suggesting (switch to Outlook, move the server in house, etc..)
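Putting the thread's pieces together as an added example (not config from either poster): the existing Postini ACE, the office ACE ColdFlame suggests, and the 61061-to-25 redirect Hagfish describes, in PIX 6.x syntax. The inside mail server address 192.168.1.10, the office public address 203.0.113.10 and the interface names are assumed placeholders, and it assumes 70.x.x.43 is published to the mail server only through per-port statics.

```cisco
! Added example in PIX 6.x syntax; addresses and interface names are placeholders.
! Assumed: inside mail server 192.168.1.10, office public address 203.0.113.10,
! and 70.x.x.43 published to the mail server only through per-port statics.

! 1. Existing Postini ACE from the thread: Postini's range may reach port 25.
access-list outsidein permit tcp 64.x.x.x 255.255.240.0 host 70.x.x.43 eq smtp

! 2. ColdFlame's suggestion: the office's fixed public address may also reach
!    port 25. Clients behind that address keep using port 25 unchanged.
access-list outsidein permit tcp host 203.0.113.10 host 70.x.x.43 eq smtp

! 3. Hagfish's redirect for roaming users: outside 70.x.x.43:61061 is translated
!    to the mail server's port 25. On PIX 6.x the inbound ACL matches the global
!    (outside) address and port, so the ACE must permit 61061, not smtp.
static (inside,outside) tcp 70.x.x.43 61061 192.168.1.10 smtp netmask 255.255.255.255
access-list outsidein permit tcp any host 70.x.x.43 eq 61061

! "any" on 61061 means every Internet host can reach the server's SMTP service
! through this port; as ColdFlame notes, a scanner will find it. The redirect
! preserves client access but does not extend the Postini lock-down to it.

! Bind the list to the outside interface (harmless if already bound) and drop
! existing translations so the new static takes effect.
access-group outsidein in interface outside
clear xlate
```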
 