sadian
asked on
can send but not receive email through NAT firewall
I am running a win2k server with exchange and a snapgear SME570 firewall. I can browse the internet and send email through exchange and my firewall, but I can not receive email. How can this be fixed?
here is a little information about how my NAT/rule regarding email is set up:
Descriptive Name NAT type Incoming Interface Source Address Outgoing Interface Destination Address Destination Services To Source Address To Source Service To Destination Address To Destination Service Select
email 1 to 1 Internet Port - Direct Internet 69.x.x.6 N/A N/A N/A N/A Internet Port - Alias 0 69.x.x.2 N/A 10.x.x.1 N/A
Descriptive Name Action Incoming Interface Source Address Outgoing Interface Destination Address Services Select
email Accept Internet Port - Direct Internet 69.x.x.x Any Any 10.x.x.1 Any
ASKER
Yep mail.mycompany.com points to 69.x.x.6
ASKER
my old firewall works fine, I'm setting up a new one and having the said troubles with it.
ASKER CERTIFIED SOLUTION
From the snapgear support pages...
For firmware version 1.9.0 and later:
To perform 1-to-1 Network Address Translation from real IP addresses to private IP addresses on your LAN, the following needs to be done:
Under the 'Network Setup' page, select the 'Advanced' link to navigate to the Advanced IP Configuration.
Under the 'Interface Aliases', add an alias IP address on the 'Internet Port' for 69.x.x.6 / mailserver public address
Then under the 'Packet Filtering' page, select 'Addresses' and define a 'new' address for 10.x.x.1 / mail server private address
Then again under the 'Packet Filtering' page, select 'NAT' and then '1 to 1'.
Enter a 'Descriptive Name:' and define the 'The public network is on:' correctly, being the interface that has your internet connection.
Then select the appropriate 'Change private address:' selection that was created above, and finally the correct public IP address in the 'Into public address:' field.
Leave the 'Create a corresponding incoming ACCEPT firewall rule ?:' box checked to enable the specified 1 to 1 NAT traffic through the firewall.
This will now create a bi-directional 1 to 1 NAT for the specified addresses.
For firmware version prior to 1.9.0:
To perform 1-to-1 Network Address Translation from multiple real IP addresses to private IP addresses on your LAN, the following needs to be done:
Under the 'IP Configuration' page - 'Configure' the Advanced IP Configuration.
Add an alias IP address on the Internet interface for each real-world IP address you want to configure for 1-to-1 NAT.
Under the 'Rules' page, add the following custom rule to associate outbound connections from the private IP address with the real-world IP address:
iptables -t nat -I POSTROUTING -o $INTERNET_IF -s a.b.c.d -j SNAT --to-source w.x.y.z
Where a.b.c.d is the private address on your LAN, and w.x.y.z is the newly configured Internet interface alias.
Then to allow incoming connections to be forwarded to the LAN IP address, follow the instructions in Knowledge Base article Forwarding all ports (Virtual DMZ).
I think you also need a rule that allows Any to connect to 69.x.x.6 on TCP port 25.
Don't worry about allowing 69.x.x.6 to connect to 10.x.x.1 - this isn't how NAT works - the access list will be applied first, and then the translation will occur.
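The two halves the KB describes (outbound SNAT from the alias, plus forwarding of inbound connections to the LAN address) written out as one iptables rule set, limited to TCP 25 as the reply above suggests. This is an added example, not code from the thread or from the SnapGear KB; it assumes a Linux/iptables firewall, and the function names and the DRY_RUN switch (which prints the commands instead of running them) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or the SnapGear KB: the complete netfilter
# rule set behind a 1-to-1 NAT of a public alias onto a LAN mail server,
# limited to inbound SMTP instead of forwarding all ports.
# Assumptions: Linux/iptables firewall, the public interface passed as an
# argument (the KB's $INTERNET_IF), and DRY_RUN=1 (hypothetical switch)
# prints the commands instead of executing them.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Reject anything that is not a dotted quad before it reaches a rule.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    for octet in $1; do
        [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
    return 0
}

# one_to_one_nat PUBLIC_IP PRIVATE_IP INTERNET_IF [TCP_PORT]
one_to_one_nat() {
    pub=$1; priv=$2; ifc=$3; port=${4:-25}
    is_ipv4 "$pub" && is_ipv4 "$priv" || { echo "bad address" >&2; return 1; }

    # Outbound (the KB's rule): mail the server sends leaves from the alias,
    # so receiving MTAs see the address the MX record points at.
    run iptables -t nat -I POSTROUTING -o "$ifc" -s "$priv" \
        -j SNAT --to-source "$pub"

    # Inbound (the missing half): connections to the alias are rewritten to
    # the private address. DNAT runs in PREROUTING, before any filtering.
    run iptables -t nat -I PREROUTING -i "$ifc" -d "$pub" -p tcp --dport "$port" \
        -j DNAT --to-destination "$priv"

    # Filtering: FORWARD sees the packet after DNAT, so the accept rule matches
    # the private address, and only the SMTP port.
    run iptables -I FORWARD -i "$ifc" -d "$priv" -p tcp --dport "$port" \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    run iptables -I FORWARD -o "$ifc" -s "$priv" -p tcp --sport "$port" \
        -m state --state ESTABLISHED -j ACCEPT
}
```

Run it once with DRY_RUN=1 to review the four generated commands before applying them; the public and private addresses are validated, so a typo fails the whole call rather than installing a half-finished rule set.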