I have the following and seem to not be able to get external webmail
working.

a.b.188.160 to a.b.188.167 are our external IP addresses.
172.16.0.x are our internal addresses.
172.16.0.200 is our NetWare server with BorderManager, GroupWise and the
webmail on it. The second NIC is the external IP .188.161.
Have static NAT set up and this works fine for incoming mail: .162
forwarding fine to an internal webshield which then forwards back to the
GroupWise server.
Also terminal services works fine on .163, forwarding fine to another
server.
I have tried setting up .164 to forward back to the server on
172.16.0.200. Internal webmail works fine but cannot get to it from the
outside world.
The problem seems to stem from the fact there was a previous incarnation
of filters that seemed to work but didn't take into account moving the
mail forwarding thus the below proves a bit of a mess.

Any help much appreciated.

Filtcfg rules are as follows

PROTOCOL-SERVICE IP, WEB Response OB, pid=TCP port=1024-65535 srcport=80
ackfilt=0 stfilt=0, Webserver Response Outbound
PROTOCOL-SERVICE IP, WEB Request IB, pid=TCP port=80 srcport=<All>
ackfilt=0 stfilt=0, Webserver requests inbound
PROTOCOL-SERVICE IP, DNS Response In, pid=UDP port=1024-65535 srcport=53
stfilt=0, DNS Response for Webserver
PROTOCOL-SERVICE IP, DNS Query Out, pid=UDP port=53 srcport=1024-65535
stfilt=0, Done for Webserver
PROTOCOL-SERVICE IP, Terminal Svcs, pid=TCP port=3389 srcport=<All>
ackfilt=0 stfilt=1,
PROTOCOL-SERVICE IP, Web test, pid=TCP port=80 srcport=<All> ackfilt=0
stfilt=0, Web Test IB

PACKET-FILTER-LIST IP, ENABLED, DENY
FILTER ENABLED NOLOG, INTRFACE:<Any>, IP:pid=IP, INTRFACE:PUBLIC,
Added by BRDCFG to block all IP packets.
EXCLUDE ENABLED NOLOG, INTRFACE:PUBLIC, IP:pid=TCP port=443
srcport=<All>, INTRFACE:PRIVATE IP:172.16.0.200,
EXCLUDE ENABLED NOLOG, INTRFACE:PUBLIC IP:172.16.0.200, IP:pid=TCP
port=1024-65535 srcport=80 ackfilt=0 stfilt=0, INTRFACE:PUBLIC,
EXCLUDE ENABLED NOLOG, INTRFACE:PUBLIC, IP:pid=TCP port=80
srcport=<All> ackfilt=0 stfilt=0, INTRFACE:PRIVATE IP:172.16.0.200,
Webserver IB
EXCLUDE ENABLED NOLOG, INTRFACE:PUBLIC, IP:pid=UDP port=1024-65535
srcport=53 stfilt=0, INTRFACE:PRIVATE,
EXCLUDE ENABLED NOLOG, INTRFACE:PUBLIC, IP:pid=UDP port=53
srcport=1024-65535 stfilt=0, INTRFACE:PUBLIC,
EXCLUDE ENABLED NOLOG, INTRFACE:PUBLIC, IP:pid=TCP port=80
srcport=<All> ackfilt=0 stfilt=1, INTRFACE:PUBLIC IP:172.16.0.200,
EXCLUDE ENABLED NOLOG, INTRFACE:PUBLIC, IP:pid=TCP port=3389
srcport=<All> ackfilt=0 stfilt=1, INTRFACE:<Any> IP:172.16.0.201,
EXCLUDE ENABLED NOLOG, INTRFACE:PUBLIC, IP:pid=TCP port=25
srcport=<All> ackfilt=0 stfilt=1, INTRFACE:<Any> IP:172.16.0.230,
FILTER ENABLED NOLOG, INTRFACE:PUBLIC, IP:pid=IP, INTRFACE:<Any>,
Added by BRDCFG to block all IP packets.
EXCLUDE ENABLED NOLOG, INTRFACE:<Any> IP:a.b.188.161, IP:pid=IP,
INTRFACE:PUBLIC, Added by BRDCFG to allow all outgoing IP packets.
EXCLUDE ENABLED NOLOG, INTRFACE:PUBLIC, IP:pid=TCP port=1024-65535
srcport=<All>, INTRFACE:<Any> IP:a.b.188.161, Added by BRDCFG to allow
incoming traffic through dynamic ports
EXCLUDE ENABLED NOLOG, INTRFACE:PUBLIC, IP:pid=TCP port=213
srcport=<All>, INTRFACE:<Any> IP:a.b.188.161, Added by BRDCFG to allow
VPN Master/Slave communication port.
EXCLUDE ENABLED NOLOG, INTRFACE:PUBLIC, IP:pid=TCP port=353
srcport=<All>, INTRFACE:<Any> IP:a.b.188.161, Added by BRDCFG to allow
VPN Client Authentication.
EXCLUDE ENABLED NOLOG, INTRFACE:PUBLIC, IP:pid=TCP port=443
srcport=<All>, INTRFACE:PUBLIC IP:a.b.188.164, Added by BRDCFG to allow
accelerator authentication.
EXCLUDE ENABLED NOLOG, INTRFACE:PUBLIC, IP:pid=UDP port=1024-65535
srcport=<All>, INTRFACE:<Any> IP:a.b.188.161, Added by BRDCFG to allow
incoming traffic through dynamic ports
EXCLUDE ENABLED NOLOG, INTRFACE:PUBLIC, IP:pid=UDP port=353
srcport=<All>, INTRFACE:<Any> IP:a.b.188.161, Added by BRDCFG to allow
VPN Client Keep-Alive & Disconnect.
EXCLUDE ENABLED NOLOG, INTRFACE:PUBLIC, IP:pid=57, INTRFACE:<Any>
IP:a.b.188.161, Added by BRDCFG to alloc SKIP Protocol for VPN.
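
An added example, not part of the original post: a Python script that re-joins the wrapped FILTCFG lines and lists the inbound exceptions per TCP port, so the port 80 entries can be read side by side with the 3389 and 25 entries the post says work. The field order (action, source, packet type, destination, comment) is an assumption inferred from the dump above, and the function names are hypothetical.

```python
import re

# Constructed sample: entries copied from the dump in the post, with the
# mail client's line wrapping left in place.
DUMP = """\
EXCLUDE ENABLED NOLOG, INTRFACE:PUBLIC, IP:pid=TCP port=80
srcport=<All> ackfilt=0 stfilt=0, INTRFACE:PRIVATE IP:172.16.0.200,
Webserver IB
EXCLUDE ENABLED NOLOG, INTRFACE:PUBLIC, IP:pid=TCP port=80
srcport=<All> ackfilt=0 stfilt=1, INTRFACE:PUBLIC IP:172.16.0.200,
EXCLUDE ENABLED NOLOG, INTRFACE:PUBLIC, IP:pid=TCP port=3389
srcport=<All> ackfilt=0 stfilt=1, INTRFACE:<Any> IP:172.16.0.201,
EXCLUDE ENABLED NOLOG, INTRFACE:PUBLIC, IP:pid=TCP port=25
srcport=<All> ackfilt=0 stfilt=1, INTRFACE:<Any> IP:172.16.0.230,
FILTER ENABLED NOLOG, INTRFACE:PUBLIC, IP:pid=IP, INTRFACE:<Any>,
Added by BRDCFG to block all IP packets.
"""

def endpoint(field):
    """Split 'INTRFACE:x IP:y' into (interface, ip or None)."""
    m = re.match(r"INTRFACE:(\S+)(?:\s+IP:(\S+))?", field.strip())
    return (m.group(1), m.group(2)) if m else (None, None)

def parse(dump):
    """Re-join wrapped lines and return one dict per FILTER/EXCLUDE entry."""
    records = []
    for line in dump.splitlines():
        if re.match(r"(FILTER|EXCLUDE)\b", line):
            records.append(line.strip())          # start of a new entry
        elif records and line.strip():
            records[-1] += " " + line.strip()     # wrapped continuation
    rules = []
    for rec in records:
        head, src, pkt, dst, note = (f.strip() for f in (rec.split(",", 4) + [""] * 4)[:5])
        keys = dict(re.findall(r"(\w+)=(\S+)", pkt))  # pid, port, srcport, stfilt...
        rules.append({"action": head.split()[0], "src": endpoint(src),
                      "dst": endpoint(dst), "note": note, **keys})
    return rules

def exceptions_for(rules, port):
    """(dst interface, dst IP, stfilt) for each EXCLUDE entry on a TCP port."""
    return [(*r["dst"], r.get("stfilt")) for r in rules
            if r["action"] == "EXCLUDE" and r.get("pid") == "TCP" and r.get("port") == port]

if __name__ == "__main__":
    rules = parse(DUMP)
    for port in ("80", "3389", "25"):
        print(port, exceptions_for(rules, port))
```

Pasting the full dump into `DUMP` gives the same per-port view for every entry, which makes duplicated or inconsistent exceptions left over from earlier configurations easy to spot.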