• Status: Solved

NAT issues with outbound port 25 on WatchGuard Firebox III

I have a similar question to a previously posted issue:

I have a WatchGuard Firebox III. I am having a problem with outgoing email to only a few domains, like AOL. I think the issue is with NAT, just not sure where.

I'm using WatchGuard Policy Manager 7.5.

My external interface is x.x.x.147
My external SMTP server is x.x.x.148
My internal SMTP server is 192.168.1.100

I have Enable Dynamic NAT checked with a single Dynamic NAT entry:
  trusted-external

Enable Service-Based NAT is NOT checked.

For 1-to-1 NAT I have the following entries:
External Interface
# of Hosts = 1
NAT Base = x.x.x.148
Real Base = 192.168.1.100

When I send a message the header shows the sender's address as x.x.x.147; shouldn't this be x.x.x.148?

Any suggestions?
Asked by ltrcne

1 Solution

dpk_wal commented:
You are right, the packet should appear as coming from .148 and not .147.

As you are using version 7.5 of WSM, you must make Dynamic NAT exceptions for each internal address you use for 1-to-1 NAT. If not, the address is changed by dynamic NAT instead of 1-to-1 NAT [with 8.x or higher this step is not needed].
Go to Policy Manager -> Setup -> NAT -> Advanced -> Dynamic NAT Exceptions tab:
1. Click Add.
2. In the To box, select interface as external.
3. Click the button adjacent to the From box. Type the IP address .148. Click OK all the way back.

Save to firebox; please implement and update.

Thank you.

ltrcne (Author) commented:
Thank you for your response.

I made the entries as you suggested and outbound mail is still reporting as coming from .147. On the Dynamic NAT Exceptions tab it states "Exceptions do not apply to 1:1 NAT".

cv790529 commented:
ltrcne -

A couple of questions. First, what is the gateway of your internal SMTP server? Does your outbound SMTP rule denote from trusted to your .148 only, or is it any-external?

Also, you could fix this by setting up a TXT record in DNS to denote that mail from your users can come from either .147 or .148. This can buy you some time until the issue is resolved. There is a good chance that you have a TXT record in DNS and that AOL and other big providers are checking for SPF. If the TXT record does not match up IP addresses correctly then these mail providers will deny the inbound emails from your users.

dpk_wal commented:
On the server, if you go to the website http://www.whatismyipaddress.com

what address do you see?

Please advise.

Thank you.

ltrcne (Author) commented:
Our internal gateway address is 192.168.1.2

Right now my outbound SMTP rule is any-any (once this is working I would make it more restrictive).

Would the TXT DNS record need to be created by my ISP, not my internal Windows DNS, correct?

cv790529 commented:
Yes, the TXT record would be created by whoever is hosting your DNS.

Also, you could possibly put a persistent route in your internal mail server that would force all outbound traffic to .148, however, that could mess up other items on your internal mail server.

Open a command prompt and run "nslookup -type=TXT (your domain)".
If this returns anything, paste it back here and we'll take a look at it.

Thanks!

ltrcne (Author) commented:
When I go to http://www.whatismyipaddress.com from my mail server it returns the x.x.x.147 address. All internal addresses seem to resolve to the single .147 external address, even those that I have set up with 1-to-1 NAT.

ltrcne (Author) commented:
nslookup -type=TXT (DOMAIN.com)

Server: ihrserver.xxxxxx.local
Address: 192.168.1.100

DNS request timed out
timeout was 2 seconds
*** Request to ihrserver.integrityhr.local timed-out

cv790529 commented:
Okay, so you don't have a TXT record.

In my opinion, I would have your DNS host create the SPF record for you. This will take care of your issue. Or you will have to change the configuration in your mail servers to route SMTP traffic out differently. This is not something the firewall can easily do, and it is better to have it set up on the mail server side.

ltrcne (Author) commented:
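The SPF workaround cv790529 describes above (a TXT record listing every address mail may leave from, and the "nslookup -type=TXT" check) is easier to reason about with a concrete evaluator. The following is an added example, not code from the thread or from WatchGuard: it implements the ip4/ip6/all mechanisms of RFC 7208 against a sender IP and shows what a receiver such as AOL would decide when mail leaves from the firewall's own address instead of the mail server's 1-to-1 NAT address. All addresses are constructed stand-ins from the 203.0.113.0/24 documentation prefix (.147 for the firewall, .148 for Company A, .146 for Company B); the poster's real addresses are redacted as x.x.x.N on the page and are not known here.

```python
"""Offline SPF check (RFC 7208, ip4/ip6/all mechanisms only).

Added example; addresses are constructed stand-ins in 203.0.113.0/24,
not the thread's real (redacted) public IPs.
"""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def select_spf_record(txt_records):
    """Pick the SPF record out of a domain's TXT strings (RFC 7208 s.4.5).

    Returns None when there is no SPF record; raises ValueError when there is
    more than one, which receivers treat as a permanent error (permerror).
    """
    spf = [r for r in txt_records
           if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if len(spf) > 1:
        raise ValueError("multiple SPF records: receivers return permerror")
    return spf[0] if spf else None


def evaluate_spf(record, sender_ip):
    """Walk the mechanisms left to right; the first match decides the result.

    Only ip4, ip6 and all are evaluated, since they need no DNS. Mechanisms
    that require lookups (a, mx, include, exists, ptr) and the redirect=
    modifier make this offline check return "unsupported" rather than guess.
    """
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"                      # the default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if "=" in term:                      # modifier, e.g. exp=... or redirect=...
            if term.lower().startswith("redirect="):
                return "unsupported"
            continue                         # exp= only changes explanation text
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"           # malformed network is a permanent error
            if net.version == ip.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
        else:
            return "unsupported"             # a, mx, include, exists, ptr need DNS
    return "neutral"                         # nothing matched (RFC 7208 s.4.7)


def check_sender(txt_records, sender_ip):
    """Result a receiver would reach for sender_ip given the domain's TXT set."""
    return evaluate_spf(select_spf_record(txt_records), sender_ip)


# Constructed TXT answers for the two situations in the thread.
# 1) The record lists only the mail server's 1-to-1 NAT address; mail that
#    actually leaves from the firewall address (.147) fails.
SPF_SERVER_ONLY = ["v=spf1 ip4:203.0.113.148 -all"]
# 2) The stop-gap suggested in the thread: list every address mail might
#    leave from, the firewall's own included. The unrelated TXT string is the
#    kind of record a real zone often carries and must be ignored.
SPF_ALL_EGRESS = [
    "some-site-verification=constructed-example-token",
    "v=spf1 ip4:203.0.113.146 ip4:203.0.113.147 ip4:203.0.113.148 -all",
]

if __name__ == "__main__":
    for label, records in (("server-only", SPF_SERVER_ONLY),
                           ("all-egress", SPF_ALL_EGRESS)):
        for src in ("203.0.113.147", "203.0.113.148"):
            print(f"{label:12s} from {src}: {check_sender(records, src)}")
```

Run it and the server-only record fails for .147, which is the situation the thread starts in: the 1-to-1 NAT never took effect, so every outbound connection carried the firewall's address. Listing the firewall address in the record makes that mail pass, but note that it also authorizes any other host behind the same dynamic NAT to send as the domain, which is why the comment calls it a stop-gap rather than a fix.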
Another snag I forgot to mention. Behind the firewall there are actually (2) mail servers:
My server x.x.x.148 that resolves to 192.168.1.100
Company B's server x.x.x.146 that resolves to 192.168.1.95

I don't believe this TXT record method would work in this case.

cv790529 commented:
Are you saying that your mail server is dual-homed? Meaning a private and a public NIC?

dpk_wal commented:
Do you still have the .148 IP added as an alias under external addresses? If yes, this is the reason; please check and confirm.

Thank you.

ltrcne (Author) commented:
There are two separate companies that are sharing the same internet connection.

Inside the firewall there are two physical Exchange Mail servers.
Company A has an internal address of 192.168.1.100 and an external address of x.x.x.148
Company B has an internal address of 192.168.1.95 and an external address of x.x.x.146

The external Watchguard address is x.x.x.147

x.x.x.146 and x.x.x.148 are listed as an alias on the external Watchguard NIC.

dpk_wal commented:
That is the problem; when you configure WG to use 1-1 NAT, you reserve that IP exclusively for one single internal machine, and hence you must remove the IP from the external NIC [when you do this the firewall will reboot on saving the configuration].

Similarly for .146: if it is used for 1-1 NAT translations then it must also be dealt with in the same way.

Until you remove the alias the 1-1 NAT will not take effect.

Thank you.

ltrcne (Author) commented:
I was very hopeful, but even after removing all aliases from the external NIC my 192.168.1.100 server is still resolving to .147 and not .148.

I have 2 entries on the 1-to-1 Setup tab:
#1
Interface:external
Number of hosts to NAT: 1
NAT base x.x.x.148
Real base 192.168.1.100
#2
Interface:external
Number of hosts to NAT:1
NAT base x.x.x.146
Real base 192.168.1.100

dpk_wal commented:
Why do you have two entries for the same machine? In this way the Firebox would need to decide which IP to use when sending traffic out. Hence it is not using either, and overriding the source address of all packets with the IP of the external interface.

ltrcne (Author) commented:
OK, I got it.

On the Dynamic NAT Exceptions tab I had the entry x.x.x.148 - external. When I changed it to 192.168.1.100 - external, everything works.

Thanks to all!!!

dpk_wal commented:
Ohh, I had incorrectly advised you to add .148; my bad, sorry; I will be careful next time; thank you for the points.

Regards.