Sonicwall and Exchange 5.5

We are installing a SonicWALL TZ190 Enhanced firewall to replace a Cisco PIX 615. The domain has a Exchange 5.5 server that currently hosts the mail but also uses a spam filtering email service. We can send mail out using the Outlook client but cannot receive mail. Port 25, 143, 135, and 110 have all been opened and forwarded traffic to Exchange server. The outgoing mail goes directly through the Exchange server but the incoming mail goes to the spam service first then to the server. The instructions from the spam service was to open a range of IP's and that has been done but we still seem to not be able to receive. Any suggestions?
Who is Participating?
You need to create a port-forwarding rule to get inbound traffic.

On SonicOS enhanced you need to do 2 things...

1. create a NAT policy that reflects the route that the traffic will take
2. create a firewall rule that allows that specific traffic (SMTP, port 25 in your case unless your spam service says otherwise) along the route created earlier.

I assume your spam service is a hosted service on the internet? Double-check which IP they're sending email traffic to, and make sure your policies and rules are set up accordingly..
Vishal BreedProgram ManagerCommented:
If you try sending email from GMAIL, Yahoo - what NDR is originated??

What if you try excecuting telnet command from internet;
telnet Exchange_server 25.
pagefigaroAuthor Commented:
Sending mail is working. It's the receiving that is not working.
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

I know that your problem is with inbound email and that is what my suggestions are trying to troubleshoot. Did you check what I asked?
pagefigaroAuthor Commented:
Sorry my last comment was more for vishal_breed.

As for the Nat policy, i created 1 for the mail server (included 25, 110, and 143) pointing to internal mail server, and then specified the network range that the spam service said to unblock

Creating the NAT policy automatically creates a firewall rule that allows traffic from the specified range to the exchange server using the mail services.
Did you specify an outbound interface on the NAT policy? If so, remove it and leave the Outbound interface on the (inboind) NAT policy to Any.
pagefigaroAuthor Commented:
The interfaces are actually set to inbound: "any", outbound: "any"
OK, can you paste your NAT policy & your firewall access rules here...

Have you ever tried to telnet on port 25 into your exchange server from outside to see what happens? Have you run a packet trace on the sonicwall from your outside source IP?

Can you give me the public IP that you're trying to connect to?
pagefigaroAuthor Commented:
Source: Original: Firewalled Subnets Translated: (specified network range), Destination: Original: WAN Primary IP, Translated: Exchange Private (internal address), Service: Original: Exchange Services (25, 110, 143)

Our Public IP is:
The public IP range of the email service is:

I have tried to telnet from the outside, but I"m not sure that I'm doing it correctly. I went to a command prompt and typed in "telnet 25" and it failed. However SonicWALL tech support says that they can telnet.

I have not run a packet trace because I'm not sure how. Suggestions?

Email filtering tech support can just tell me that connection is refused on their end.
OK your NAT policy looks to be a bit skew-whiff. Did you use the public server wizard to create this or do it manually?

Create a new address object for your spam service IPs. Make sure it's zone is set to WAN and its type is set to Network. If you'd already done this then make sure it is correctly set up. Lets say you call this object SingleFin.

Create 2 more address objects for your Exchange server:

Type host, zone LAN, set it to your Exchange private IP and call it ExchangePrivateIP.
Type host, zone WAN, set it to your Exchange public IP ( I guess) and call it ExchangePublicIP.

Now delete your NAT policy and create a new one that should look like this:

Source                              Destination                                                        Service                        Interface  
Original       Translated       Original                       Translated                     Original          Translated       Inbound       Outbound
Singlefin      Original           ExchangePublicIP         ExchangePrivate IP      SMTP         Original        WAN              Any

Check the box to create a reflexive NAT policy.

Create an inbound firewall rule to accompany the above NAT policy - I assume you know how to do that?

And see if that does the job.
BTW, smtp connections to your IP are being refused, probably by the SonicWALL.
If you want to, while troubleshooting use ANY in the source of your NAT policy and firewall rule instead of Singlefin, that way we can try and connect to see if it's working...
pagefigaroAuthor Commented:
can you telnet now?
Are you now getting email from your spam service?
pagefigaroAuthor Commented:
but alas Spam Service says Connection still refused.

Sonicwall tech opened the ports for me from basically any sending on port 25, 110, 143, and 80 to the exchange server. which is fine. i want to just get it working and then i will filter it only from a range.

So here's the weird thing: the Spam Service delivers mail to, which resolves to Which is not the public IP of my firewall. Then I guess delivers to our server. I don't understand how that part works.

Right now, I'm trying to get the current configuration on the Cisco PIX firewall printed out so that I can see what is going on in there. It has to be something on the SonicWALL that is blocking since the Cisco PIX firewall sends mail right through without a problem, I just don't know where it would be blocking.
So what is the server at and why are you doing it that way? I'm assuming that's your ISPs mail server, but unless you're using a POP connector in Exchange then mail should be delivered directly to Exchange from your spam service.

That is why I asked you to check what IP they were sending email to.

I recommend that unless there is a reason to use your ISPs servers you should either tell your antispam providers to send mail directly to your exchange server or change to point to your Exchange public IP. Either way achieves the same thing.
pagefigaroAuthor Commented:
this is Exchange 5.5, is pop connector available? I do not know why they are doing it this way. the only thing i do know is the way that the spam service has configured is working now with the PIX connected. do you think that the SonicWALL is inherently different in the way that it processes connections?

I will paste the Cisco PIX configuration in here to offer insight into what is currently configured:
rntap# show config
: Saved
: Written by enable_15 at 08:07:27.261 UTC Sat May 31 2008
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 1oxeW0KnPBRCSAp2 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname rntap
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0 0
static (inside,outside) netmask 0 0

conduit permit icmp any any
conduit permit tcp host eq www any
conduit permit tcp host eq pop3 any
conduit permit tcp host eq smtp any
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoe1 request dialout pppoe
vpdn group pppoe1 localname
vpdn group pppoe1 ppp authentication pap
vpdn username password ********
terminal width 80
Aha Exchange 5.5...
but there's a different issue here... if your antispam provider is saying that they get a connection refused when connecting to then that's a separate issue, since that server is not behind the sonicwall. Is that still the case?

Who owns the server at What method is used to deliver mail from there to your Exchange server?
pagefigaroAuthor Commented:
Their ISP owns the server. I do not know what method is being used...I will have to investigate. So you're thinking possibly that if some method is being used, then it is configured in the PIX? The part that confuses me is why would they get a connection refused all of a sudden on the Spam service end when I put the SonicWALL in place? We are not behind that server to my knowledge...
pagefigaroAuthor Commented:
well now I'm getting conflicting information from the internal company. They are saying that they own the IP and host the website. But I don't understand that. How can they host a 74. address when their public IP is a 208. address?
Technically, there's nothing impossible about that - you can have a different subnet routed by your ISP.

As it happens, both IPs are owned by the same company, who own and

OrgName:    Frontier Communications of America, Inc.
OrgID:      FRTR
Address:    180 South Clinton AVE
City:       Rochester
StateProv:  NY
PostalCode: 14646
Country:    US

I think you need to figure out why you're getting conflicting information from the "internal company". Who is the "internal company"? Your company? Your clients?

The setup you need is really simple. MX record pointing to your antispam service, and that service delivering mail to your Exchange server. I recommend you also set up a backup MX service.

It looks like you're getting an SMTP feed from your ISP, which is also an accepted way of doing things. So the question is, where is traffic failing?

Where is the server at Is it on your LAN? If so, then you need to create a NAT policy + access rule set for that IP address. You need to know where that server is...

pagefigaroAuthor Commented:
I need to do some investigation it looks like. Thanks for all of your helpful suggestions today. The "internal company" is our client, yes. And apparently they are not very much aware of what they have going on and I assumed that they did. I should have some better clarification by the end of this week. Thanks again. Will keep you informed.
no problem, i'll be here...
pagefigaroAuthor Commented:
Looks like the 208 address is the one assigned to the PPPoE account. The 74 address is just assigned to their domain name. I'm trying now to get it switched around. So that 74 is assigned to the PPPoe and also to the domain name.
pagefigaroAuthor Commented:
Sorry for taking so long. I have some updated information. I believe what we need to do is use ARP and configure Static IP routing on the Sonicwall. I am not familiar with this, so if anyone has any suggestions, I would greatly appreciate hearing them. The sonicwall needs to be able to act like it can accept communication from 2 static IPs. The 74 address needs to be for the mail and the 208 is just the DSL provided IP.
pagefigaroAuthor Commented:
Solution was to create a static arp address for the 74 IP, then create static routing for the 74 network to route to our internal exchange server.
pagefigaroAuthor Commented:
Thanks for all your help
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.