can send but not receive email through NAT firewall

I am running a win2k server with exchange and a snapgear SME570 firewall. I can browse the internet and send email through exchange and my firewall, but I can not receive email. How can this be fixed?

here is a little information about how my NAT/rule regarding email is set up:

Descriptive Name NAT type Incoming Interface Source Address Outgoing Interface Destination Address Destination Services To Source Address To Source Service To Destination Address To Destination Service Select

email  1 to 1  Internet Port - Direct Internet 69.x.x.6  N/A  N/A  N/A  N/A  Internet Port - Alias 0 69.x.x.2  N/A  10.x.x.1  N/A  



Descriptive Name Action Incoming Interface Source Address Outgoing Interface Destination Address Services Select

email  Accept  Internet Port - Direct Internet 69.x.x.x  Any  Any  10.x.x.1Any  

LVL 2
sadianAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
hawgpigConnect With a Mentor Commented:
Sadian,
Make sure the DNS is working and properly configured on your DNS go to www.dnsreport.com and type in your mail server domain name....mayber your isp isn't pointing the domain to your ip address yet.....
If that all checks out...
Try this from an external connection (i.e. another ISP, modem, etc)
go to start/run
type
telnet 69.x.x.6 25
enter
if you get a blank black screen your firewall is passing the connection...
If the connection times out.....either your firewall is stopping it or the server is stopping it....
to check your smtp server
do the same above but with the internal address 10.x.x.1
go to start/run
type
telnet 10.x.x.1 25
enter
you should get the blank black screen....
if you don't....... check your smtp server......that is where the issue is
if you get the blank black screen the issue is your firewall....
make sure your port 25 is open on your firewall....
also if you have an internal router make sure the traffic is being sent to the correct location...
Good Luck
0
 
Tim HolmanCommented:
Does your mail.mycompany.com domain name point to 69.x.x.6 ?
I think you also need a rule that allows Any to connect to 69.x.x.6 on TCP port 25.
Don't worry about allowing 69.x.x.6 to connect to 10.x.x.1 - this isn't how NAT works - the access list will be applied first, and then the translation will occur.
0
 
sadianAuthor Commented:
Yep mail.mycompany.com points to 69.x.x.6
0
 
sadianAuthor Commented:
my old firewall works fine, I'm setting up a new one and having the said troubles with it.

Sadian
0
 
Tim HolmanCommented:
From the snapgear support pages..

For firmware version 1.9.0 and later:

To perform 1-to-1 Network Address Translation from real IP addresses to private IP addresses on your LAN, the following needs to be done:

Under the 'Network Setup' page, select the 'Advanced' link to navigate to the Advanced IP Configuration.

Under the 'Interface Aliases', add an alias IP address on the 'Internet Port' for  69.x.x.6 / mailserver public address

Then under the 'Packet Filtering' page, select 'Addresses' and define a 'new' address for 10.x.x.1 / mail server private address

Then again under the 'Packet Filtering' page, select 'NAT" and then '1 to 1'.

Enter a 'Descriptive Name:' and define the 'The public network is on:' correctly, being the interface that has your internet connection.

Then select the appropiate 'Change private address:' selection that was created above, and finally the correct public ip address in the 'Into public address:' field.

Leave the 'Create a corresponding incoming ACCEPT firewall rule ?:' box checked to enable the specified 1 to 1 NAT traffic through the firewall.

This will now create a bi-directional 1 to 1 NAT for the specified addresses.

For firmware version prior to 1.9.0:

To perform 1-to-1 Network Address Translation from multiple real IP addresses to private IP addresses on your LAN, the following needs to be done:

Under the 'IP Configuration' page - 'Configure' the Advanced IP Configuration.
Add an alias IP address on the Internet interface for each real-world IP address you want to configure for 1-to-1 NAT.

Under the 'Rules' page, add the following custom rule to associate outbound connections from the private IP address with the real-world IP address:

iptables -t nat -I POSTROUTING -o $INTERNET_IF -s a.b.c.d -j SNAT --to-source w.x.y.z

Where a.b.c.d is the private address on your LAN, and w.x.y.z is the newly configured Internet interface alias.

Then to allow incoming connections to be forwarded to the LAN IP address, follow the instructions in Knowledge Base article Forwarding all ports (Virtual DMZ).

 
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.