NAT issues with outbound port 25 on WatchGuard Firebox III

I have a similar question to a previously posted issue:

I have a WatchGuard Firebox III. I am having a problem with outgoing email to only a few domains like AOL. I think the issue is with NAT, just not sure where.

I'm using WatchGuard Policy Manager 7.5.

My external interface is x.x.x.147
My external SMTP server is x.x.x.148
My internal SMTP server is

I have Enable Dynamic NAT checked with a single Dynamic NAT entry:

Enable Service-Based NAT is NOT checked

For 1-to-1 NAT I have the following entries:
External Interface
# of Hosts = 1
NAT Base = x.x.x.148
Real Base =

When I send a message the header shows the sender's address as x.x.x.147, shouldn't this be x.x.x.148?

Any suggestions?
You are right, the packet should appear as coming from .148 and not .147.

As you are using version 7.5 of WSM, you must make dynamic NAT exceptions for each internal address you use for 1-to-1 NAT. If not, the address changes with dynamic NAT as an alternative to 1-to-1 NAT [with 8.x or higher this step is not needed].
Go to Policy Manager->Setup->NAT->Advanced->Dynamic NAT Exceptions tab:
1. Click Add.
2. In the To box, select interface as external.
3. Click the button adjacent to the From box. Type the IP address .148. Click OK all the way back.

Save to firebox; please implement and update.

Thank you.
ltrcneAuthor Commented:
Thank you for your response.

I made the entries as you suggested and outbound mail is still reporting as coming from .147. On the Dynamic NAT Exceptions tab it states "Exceptions do not apply to 1:1 NAT".
ltrcne -

A couple of questions. First, what is the gateway of your internal SMTP server? Does your outbound SMTP rule denote from trusted to your .148 only, or is it any-external?

Also, you could fix this by setting up a TXT record in DNS to denote that mail from your users can come from either .147 or .148. This can buy you some time until the issue is resolved. There is a good chance that you have a TXT record in DNS and that AOL and other big providers are checking for SPF. If the TXT record does not match up IP addresses correctly then these mail providers will deny the inbound emails from your users.

On the server, if you go to the website:

what address do you see?

Please advise.

Thank you.
ltrcneAuthor Commented:
Our internal gateway address is

Right now my outbound SMTP rule is any-any (once this is working I would make it more restrictive).

The TXT DNS record would need to be created by my ISP, not my internal Windows DNS, correct?
Yes, the TXT record would be created by whoever is hosting your DNS.

Also, you could possibly put a persistent route in your internal mail server that would force all outbound traffic to .148, however, that could mess up other items on your internal mail server.

Open a command prompt and run "nslookup -type=TXT (your domain)"
If this returns anything, paste it back here, and we'll take a look at it.

ltrcneAuthor Commented:
When I go to from my mail server it returns the x.x.x.147 address. All internal addresses seem to resolve to the single .147 external address, even those that I have set up with 1-to-1 NAT.
ltrcneAuthor Commented:
nslookup -type=TXT (

Server: ihrserver.xxxxxx.local

DNS request timed out
timeout was 2 seconds
*** Request to ihrserver.integrityhr.local timed-out
Okay, so you don't have a TXT record.

In my opinion, I would have your DNS host create the SPF record for you. This will take care of your issue. Or you will have to change the configuration in your mail servers to route SMTP traffic out differently. This is not something the firewall can easily do and it is better to have it set up on the mail server side.
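As an added example (not code from the thread or from WatchGuard), this Python script parses an SPF TXT record of the kind suggested above, as "nslookup -type=TXT" would return it, and checks whether a given sending IP is covered, so the source address that receivers actually see (.147 here) can be tested against the published record before relying on it. The record text and the 203.0.113.x addresses are constructed placeholders standing in for the thread's x.x.x.147/.148; it goes slightly beyond the thread by handling ip6 and all four qualifiers, and flags include/a/mx terms as unsupported since they need DNS.

```python
import ipaddress

# Constructed sample record: the fix proposed in the thread, listing both the
# firewall's external address (.147) and the mail server's 1-to-1 NAT
# address (.148). 203.0.113.0/24 is documentation space, not a real network.
CONSTRUCTED_RECORD = "v=spf1 ip4:203.0.113.147 ip4:203.0.113.148 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(record):
    """Split an SPF record into (mechanisms, unsupported).
    Only ip4/ip6/all are evaluated offline; include/a/mx/exists need DNS
    and are returned as unsupported rather than silently ignored."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    mechanisms, unsupported = [], []
    for term in terms[1:]:
        qual = "+"  # a mechanism with no qualifier means 'pass'
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            mechanisms.append((QUALIFIERS[qual], None))  # None = catch-all
        elif name in ("ip4", "ip6"):
            # strict=False lets a bare host address become a /32 or /128
            net = ipaddress.ip_network(arg, strict=False)
            mechanisms.append((QUALIFIERS[qual], net))
        else:
            unsupported.append(term)
    return mechanisms, unsupported

def spf_check(record, source_ip):
    """Return the SPF result for source_ip; the first matching mechanism wins."""
    addr = ipaddress.ip_address(source_ip)
    mechanisms, _ = parse_spf(record)
    for result, net in mechanisms:
        if net is None or (addr.version == net.version and addr in net):
            return result
    return "neutral"  # nothing matched and there was no 'all' term

if __name__ == "__main__":
    # The thread's symptom: mail leaves from .147 while only .148 is listed.
    print(spf_check("v=spf1 ip4:203.0.113.148 -all", "203.0.113.147"))
    for ip in ("203.0.113.147", "203.0.113.148"):
        print(ip, spf_check(CONSTRUCTED_RECORD, ip))
```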
ltrcneAuthor Commented:
Another snag I forgot to mention. Behind the firewall there are actually (2) mail servers:
My server x.x.x.148 that resolves to
Company B's server x.x.x.146 that resolves to

I don't believe this TXT record method would work in this case.
Are you saying that your mail server is dual-homed? Meaning a private and a public NIC?
Do you still have the .148 IP added as alias under external addresses; if yes, this is the reason; please check and confirm.

Thank you.
ltrcneAuthor Commented:
There are two separate companies that are sharing the same internet connection.

Inside the firewall there are two physical Exchange Mail servers.
Company A has an internal address of and an external address of x.x.x.148
Company B has an internal address of and an external address of x.x.x.146

The external Watchguard address is x.x.x.147

x.x.x.146 and x.x.x.148 are listed as an alias on the external Watchguard NIC.
That is the problem; when you configure WG to use 1-1 NAT, you reserve that IP exclusively for one single internal machine, and hence you must remove the IP from the external NIC [when you do this the firewall will reboot on saving the configuration].

Similarly for .246: if it is used for 1-1 NAT translations then it must also be dealt with in the same way.

Until you remove the alias, the 1-1 NAT will not take effect.

Thank you.

ltrcneAuthor Commented:
I was very hopeful, but even after removing all aliases from the external NIC my server is still resolving to .147 and not .148.

I have 2 entries on the 1-to-1 Setup tab:
Number of hosts to NAT: 1
NAT base x.x.x.148
Real base
Number of hosts to NAT: 1
NAT base x.x.x.146
Real base
Why do you have two entries for the same machine? In this way the Firebox would need to decide which IP to use when sending traffic out, and hence it uses neither and overrides the source of all packets with the IP of the external interface.
ltrcneAuthor Commented:
OK, I got it.

On the Dynamic NAT Exceptions tab I had the entry x.x.x.148 - external. When I changed it to everything works.

Thanks to all!!!
Ohh, I had incorrectly advised you to add .148; my bad, sorry; I will be careful next time; thank you for the points.