For MX65: Only allow SMTP traffic from Barracuda IP Range

HOD-DBQ
Conversationalist

For MX65: Only allow SMTP traffic from Barracuda IP Range

I created a regular case with Cisco/Meraki for this. In 2 comments, I explained exactly what I wanted. Each time the response back clearly showed they didn't understand what seems fairly straight forward. So I'm hoping the forum can help me.

We have an On-Premise Exchange server. In the last month we switched our eMail security from local to Barracuda Cloud Services. The Exchange server is still On-Premise. Everything is working as expected. The way BCS works is our MX records point to Barracuda instead of to us. Now all Incoming email goes through BCS first. Again, that is all working fine. But Spammers can ignore our MX records and send directly to our IP address and thus bypass Barracuda. To stop this, Barracuda recommends locking down our External Firewall by only allowing SMTP traffic to come from the Barracuda IP Range. Here is exactly what they say:

It is recommended to lock down your External Firewall to only allow SMTP Traffic from Barracuda IPs.

    209.222.80.0/21 (255.255.248.0)

    64.235.144.0/20 (255.255.240.0)

This will stop Spammers from hitting your Network Directly and all SMTP Must come from us to be valid.

 

This is what I explained when I opened my case with Meraki/Cisco support. I think I need to use the Traffic Shaping-Flow Preferences-Internet Traffic section to make this happen. Can anyone tell me exactly what I need to enter and where?

On the MX65, if I'm thinking of the correct section, my fields are Protocol, Source, Src port, Destination, Dst Port

If something is not clear let me know and I'll be glad to update the post. Thanks...Dave 

2 Replies 2
PhilipDAth
Kind of a big deal
Kind of a big deal

I'm going to assume you are using NAT.  Go:

Security Appliance/Firewall/Scroll down to forwarding rules [for your Exchange server]

There is a field "Allowed Remote IPS".  Change this from Any to your two allowed subnets.

 

It should look something like this:

Screenshot from 2017-10-12 07-50-15.png

HOD-DBQ
Conversationalist

Phillip, your method seems to be working. Meraki got back to me with a different way to do it but that would have required setting 3 rules as opposed to your method. So I went with yours. I already had the SMTP Firewall config so all I needed to do was add the IP ranges. I had someone bypass the Barracuda IP's and send directly to our public IP and it was rejected which is what I wanted. The rest of email is working as before. Thanks so much for your insight. I'm going to investigate the other method as well just to see if there is any difference and I will update the post. Thanks, again...Dave

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels