Link to home
Start Free TrialLog in
Avatar of sadian
sadian

asked on

can send but not receive email through NAT firewall

I am running a win2k server with exchange and a snapgear SME570 firewall. I can browse the internet and send email through exchange and my firewall, but I can not receive email. How can this be fixed?

here is a little information about how my NAT/rule regarding email is set up:

Descriptive Name NAT type Incoming Interface Source Address Outgoing Interface Destination Address Destination Services To Source Address To Source Service To Destination Address To Destination Service Select

email  1 to 1  Internet Port - Direct Internet 69.x.x.6  N/A  N/A  N/A  N/A  Internet Port - Alias 0 69.x.x.2  N/A  10.x.x.1  N/A  



Descriptive Name Action Incoming Interface Source Address Outgoing Interface Destination Address Services Select

email  Accept  Internet Port - Direct Internet 69.x.x.x  Any  Any  10.x.x.1Any  

Avatar of Tim Holman
Tim Holman
Flag of United Kingdom of Great Britain and Northern Ireland image

Does your mail.mycompany.com domain name point to 69.x.x.6 ?
I think you also need a rule that allows Any to connect to 69.x.x.6 on TCP port 25.
Don't worry about allowing 69.x.x.6 to connect to 10.x.x.1 - this isn't how NAT works - the access list will be applied first, and then the translation will occur.
Avatar of sadian
sadian

ASKER

Yep mail.mycompany.com points to 69.x.x.6
Avatar of sadian

ASKER

my old firewall works fine, I'm setting up a new one and having the said troubles with it.

Sadian
ASKER CERTIFIED SOLUTION
Avatar of hawgpig
hawgpig

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
From the snapgear support pages..

For firmware version 1.9.0 and later:

To perform 1-to-1 Network Address Translation from real IP addresses to private IP addresses on your LAN, the following needs to be done:

Under the 'Network Setup' page, select the 'Advanced' link to navigate to the Advanced IP Configuration.

Under the 'Interface Aliases', add an alias IP address on the 'Internet Port' for  69.x.x.6 / mailserver public address

Then under the 'Packet Filtering' page, select 'Addresses' and define a 'new' address for 10.x.x.1 / mail server private address

Then again under the 'Packet Filtering' page, select 'NAT" and then '1 to 1'.

Enter a 'Descriptive Name:' and define the 'The public network is on:' correctly, being the interface that has your internet connection.

Then select the appropiate 'Change private address:' selection that was created above, and finally the correct public ip address in the 'Into public address:' field.

Leave the 'Create a corresponding incoming ACCEPT firewall rule ?:' box checked to enable the specified 1 to 1 NAT traffic through the firewall.

This will now create a bi-directional 1 to 1 NAT for the specified addresses.

For firmware version prior to 1.9.0:

To perform 1-to-1 Network Address Translation from multiple real IP addresses to private IP addresses on your LAN, the following needs to be done:

Under the 'IP Configuration' page - 'Configure' the Advanced IP Configuration.
Add an alias IP address on the Internet interface for each real-world IP address you want to configure for 1-to-1 NAT.

Under the 'Rules' page, add the following custom rule to associate outbound connections from the private IP address with the real-world IP address:

iptables -t nat -I POSTROUTING -o $INTERNET_IF -s a.b.c.d -j SNAT --to-source w.x.y.z

Where a.b.c.d is the private address on your LAN, and w.x.y.z is the newly configured Internet interface alias.

Then to allow incoming connections to be forwarded to the LAN IP address, follow the instructions in Knowledge Base article Forwarding all ports (Virtual DMZ).