

CHECKPOINT: How do I publish the SMTP port to one server and the POP port to another server with the same external IP address?

Posted on 2004-11-28
Medium Priority
Last Modified: 2013-11-16
We have just installed a Barracuda Networks Anti-Spam appliance and are having issues configuring it with Checkpoint Firewall 1-NG. Here's the email that our network consultant sent to me to post here.

The Checkpoint Firewall has a host defined as x.y.z.a.  It has a FQDN associated with it.

I have published ports 25,110,3000 and 3389 on that address to forward those protocols to an internal server at

If I now want to split SMTP out and send it to another internal server it seems that the rule defined to do so negates delivery of 110,3000 and 3389 to the original server.

I use a STATIC NAT on each of the hosts.


Any                  SpamServer       SMTP               Allow
Any                  Mailserver          SMTP               Allow

Both Hosts Spamserver and Mailserver have the same NAT translation to the published IP Address
For example

The first rule seems to negate the effects of the second rule.

How do I publish the SMTP port to one server and the POP port to another server using the same defined external IP address?
Question by:zodiacadm
LVL 13

Accepted Solution

td_miles earned 900 total points
ID: 12693632
I'm not familiar with Checkpoint, but you need to be looking for an option for NAPT or port based NAT or similar. A static NAT is usually a one-to-one mapping that maps ALL ports. You want a one-to-many mapping so that you can map individual ports to individual port/IP combinations.

You probably already realised this, but if not, then you need to be looking through your doc for info on this to see if your FW supports it and if so, how you can implement it.

Assisted Solution

Nemesis-Services earned 600 total points
ID: 12695833
I don't think this can be done in checkpoint, as when you give an internal node the external ip address as static nat when an existing internal node is already configured for the external ip address for static nat, then checkpoint throws up a conflict warning.
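
The difference between a one-to-one static NAT and a port-based mapping, as discussed in the answers above, shown as an added Python example that is not part of the original thread and is not Check Point configuration. It is a simplified first-match model of destination NAT; the addresses and the names NatRule, find_conflicts and translate are constructed for illustration.

```python
"""Toy model of destination NAT: static (all ports) vs port-based rules."""
from typing import NamedTuple, Optional


class NatRule(NamedTuple):
    external_ip: str
    port: Optional[int]  # None = static NAT: every port on external_ip
    internal_ip: str


def find_conflicts(rules):
    """Return pairs of rules that claim the same (external_ip, port) traffic."""
    conflicts = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if a.external_ip != b.external_ip or a.internal_ip == b.internal_ip:
                continue
            # A static rule (port None) overlaps every port on that address.
            if a.port is None or b.port is None or a.port == b.port:
                conflicts.append((a, b))
    return conflicts


def translate(rules, dst_ip, dst_port):
    """First matching rule wins (an assumption of this model)."""
    for r in rules:
        if r.external_ip == dst_ip and r.port in (None, dst_port):
            return r.internal_ip
    return None  # no matching rule: the packet is not forwarded


# Constructed addresses (RFC 5737 / RFC 1918), not taken from the post.
EXT = "203.0.113.10"
MAILSERVER, SPAMSERVER = "10.0.0.20", "10.0.0.25"

# The question's setup: two static NATs sharing one external address.
static_rules = [NatRule(EXT, None, SPAMSERVER), NatRule(EXT, None, MAILSERVER)]

# Port-based mapping: SMTP to the spam appliance, the rest to the mail server.
port_rules = [NatRule(EXT, 25, SPAMSERVER)] + [
    NatRule(EXT, p, MAILSERVER) for p in (110, 3000, 3389)
]
```

In this model the two static rules overlap on every port, so the first one takes all traffic, while the port-keyed rules have no overlap and leave unlisted ports unforwarded.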

Question has a verified solution.
