Solved

NAT issues with outbound port 25 on WatchGuard Firebox III

Posted on 2008-10-16
1,454 Views
Last Modified: 2013-11-16
I have a similar question to a previously posted issue:

I have a WatchGuard Firebox III. I am having a problem with outgoing email to only a few domains like AOL. I think the issue is with NAT, just not sure where.

I'm using watchguard policy manager 7.5.

My external interface is x.x.x.147
My external SMTP server is x.x.x.148
My internal SMTP server is 192.168.1.100

I have Enable Dynamic NAT checked with a single Dynamic NAT entry:
  trusted-external

Enable Service-Based NAT is NOT checked

For 1-to-1 NAT i have the following entries:
External Interface
# of Hosts = 1
NAT Base = x.x.x.148
Real Base = 192.168.1.100

When I send a message the header shows the sender's address as x.x.x.147; shouldn't this be x.x.x.148?

Any suggestions?
0
Question by:ltrcne
18 Comments
 
LVL 32

Expert Comment

by:dpk_wal
ID: 22729005
You are right, the packet should appear as coming from .148 and not .147.

As you are using version 7.5 of WSM, you must make dynamic NAT exceptions for each internal address you use for 1-to-1 NAT. If not, the address changes with dynamic NAT as an alternative to 1-to-1 NAT [with 8.x or higher this step is not needed].
Go to Policy Manager->Setup->NAT->Advanced->Dynamic NAT Exceptions tab:
1. Click Add.
2. In the To box, select interface as external.
3. Click the button adjacent to the From box. Type the IP address .148. Click OK all the way back.

Save to firebox; please implement and update.

Thank you.
0
 

Author Comment

by:ltrcne
ID: 22729916
Thank you for your response.

I made the entries as you suggested and outbound mail is still reporting as coming from .147. On the Dynamic NAT Exceptions tab it states "Exceptions do not apply to 1:1 NAT".
0
 
LVL 2

Expert Comment

by:cv790529
ID: 22730613
ltrcne -

A couple of questions. First, what is the gateway of your internal SMTP server? Does your outbound SMTP rule denote from trusted to your .148 only, or is it any-external?

Also, you could fix this by setting up a TXT record in DNS to denote that mail from your users can come from either .147 or .148. This can buy you some time until the issue is resolved. There is a good chance that you have a TXT record in DNS and that AOL and other big providers are checking for SPF. If the TXT record does not match up IP addresses correctly then these mail providers will deny the inbound emails from your users.
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 22731358
On the server, if you go to the website http://www.whatismyipaddress.com

what address do you see?

Please advise.

Thank you.
0
 

Author Comment

by:ltrcne
ID: 22731362
Our internal gateway address is 192.168.1.2

Right now my outbound SMTP rule is any-any (once this is working I would make it more restrictive).

The TXT DNS record would need to be created by my ISP, not my internal Windows DNS, correct?
0
 
LVL 2

Expert Comment

by:cv790529
ID: 22731505
Yes, the TXT record would be created by whoever is hosting your DNS.

Also, you could possibly put a persistent route in your internal mail server that would force all outbound traffic to .148, however, that could mess up other items on your internal mail server.

Open a command prompt and run "nslookup -type=TXT (your domain)"  
If this returns anything, paste it back here, and we'll take a look at it.

Thanks!
0
 

Author Comment

by:ltrcne
ID: 22731521
When I go to http://www.whatismyipaddress.com from my mail server it returns with the x.x.x.147 address. All internal addresses seem to resolve to the single .147 external address, even those that I have set up with 1-to-1 NAT.
0
 

Author Comment

by:ltrcne
ID: 22732157
nslookup -type=TXT (DOMAIN.com)

Server: ihrserver.xxxxxx.local
Address: 192.168.1.100

DNS request timed out
timeout was 2 seconds
*** Request to ihrserver.integrityhr.local timed-out
0
 
LVL 2

Expert Comment

by:cv790529
ID: 22732442
Okay, so you don't have a TXT record.

In my opinion, I would have your DNS host create the SPF record for you. This will take care of your issue. Or you will have to change the configuration in your mail servers to route SMTP traffic out differently. This is not something the firewall can easily do and it is better to have it set up on the mail server side.
0
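The two comments above describe why the .147/.148 mismatch matters: a receiving mail provider evaluates the sender's SPF TXT record against the connecting IP, and mail leaving from an IP the record does not list is rejected. The following is an added example, not code from the thread or from any WatchGuard or mail-provider product. It is a minimal evaluator for the `ip4:`/`ip6:`/`all` mechanisms of a `v=spf1` record (the `include:`, `a` and `mx` mechanisms need DNS lookups and are skipped here), run against constructed sample records in the 203.0.113.0/24 documentation range that stand in for the thread's x.x.x.147 and x.x.x.148.

```python
import ipaddress

# Constructed sample values; 203.0.113.0/24 stands in for the thread's x.x.x.0/24.
FIREWALL_IP = "203.0.113.147"   # external interface the mail was actually leaving from
NAT_IP = "203.0.113.148"        # 1-to-1 NAT address the mail was supposed to use
SPF_NAT_ONLY = "v=spf1 ip4:203.0.113.148 -all"                   # lists only the NAT address
SPF_BOTH = "v=spf1 ip4:203.0.113.147 ip4:203.0.113.148 -all"     # the interim fix suggested above

# SPF qualifier prefix -> result when the mechanism matches
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a v=spf1 TXT record into (qualifier, mechanism, value) terms.

    Returns None when the string is not an SPF record at all."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        return None
    terms = []
    for term in parts[1:]:
        qual = "+"                      # mechanisms default to the "+" (pass) qualifier
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, value = term.partition(":")
        terms.append((qual, name.lower(), value))
    return terms


def spf_check(record, client_ip):
    """Evaluate the connecting IP against the record's ip4/ip6/all mechanisms.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Mechanisms that require DNS resolution (include, a, mx, ...) are skipped,
    which is the one simplification relative to a full SPF evaluator."""
    terms = parse_spf(record)
    if terms is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for qual, mech, value in terms:
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)   # single host or CIDR
            except ValueError:
                return "permerror"                                # malformed network in record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
        elif mech == "all":
            return QUALIFIERS[qual]                               # "all" matches everything
        # include/a/mx: a real evaluator resolves these via DNS; skipped here
    return "neutral"


if __name__ == "__main__":
    # Mail that should have left from .148 but actually left from .147:
    print(spf_check(SPF_NAT_ONLY, FIREWALL_IP))   # fail  -> AOL-style rejection
    print(spf_check(SPF_NAT_ONLY, NAT_IP))        # pass
    print(spf_check(SPF_BOTH, FIREWALL_IP))       # pass  -> the TXT-record workaround
```

The `-all` at the end is what turns a missing IP into a hard fail; a record ending in `~all` would only softfail, which is why the exact record your DNS host publishes matters as much as which IPs it lists.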
 

Author Comment

by:ltrcne
ID: 22732977
Another snag I forgot to mention. Behind the firewall there are actually (2) mail servers:
My server x.x.x.148 that resolves to 192.168.1.100
Company B's server x.x.x.146 that resolves to 192.168.1.95

I don't believe this TXT record method would work in this case.
0
 
LVL 2

Expert Comment

by:cv790529
ID: 22733000
Are you saying that your mail server is dual-homed? Meaning a private and public NIC?
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 22733009
Do you still have the .148 IP added as alias under external addresses; if yes, this is the reason; please check and confirm.

Thank you.
0
 

Author Comment

by:ltrcne
ID: 22733150
There are two separate companies that are sharing the same internet connection.

Inside the firewall there are two physical Exchange Mail servers.
Company A has an internal address of 192.168.1.100 and an external address of x.x.x.148
Company B has an internal address of 192.168.1.95 and an external address of x.x.x.146

The external Watchguard address is x.x.x.147

x.x.x.146 and x.x.x.148 are listed as an alias on the external Watchguard NIC.
0
 
LVL 32

Accepted Solution

by:
dpk_wal earned 500 total points
ID: 22733197
That is the problem: when you configure WG to use 1-1 NAT, you reserve that IP exclusively for one single internal machine, and hence you must remove the IP from the external NIC [when you do this the firewall will reboot on saving the configuration].

Similarly for .246: if it is used for 1-1 NAT translations then it must also be dealt with in the same way.

Until you remove the alias, the 1-1 NAT will not take effect.

Thank you.
0
 

Author Comment

by:ltrcne
ID: 22733576
I was very hopeful, but even after removing all aliases from the external NIC my 192.168.1.100 server is still resolving to .147 and not .148.

I have 2 entries on the 1-to-1 Setup tab
#1
Interface:external
Number of hosts to NAT: 1
NAT base x.x.x.148
Real base 192.168.1.100
#2
Interface:external
Number of hosts to NAT:1
NAT base x.x.x.146
Real base 192.168.1.100
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 22733713
Why do you have two entries for the same machine? In this way the firebox would need to decide which IP to use when sending traffic out; hence it uses neither and overrides the source address of all packets with the IP of the external interface.
0
 

Author Comment

by:ltrcne
ID: 22733722
OK, I got it.

On the Dynamic NAT Exceptions I had the entry x.x.x.148 - external. When I changed it to 192.168.1.100 - external, everything works.

Thanks to all!!!
0
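The thread ends up with three separate reasons the 1-to-1 NAT was not taking effect: the NAT address was still bound as an alias on the external NIC, the same internal host had two 1-to-1 entries, and (on WSM 7.5) the Dynamic NAT exception was keyed on the public .148 address instead of the internal 192.168.1.100. The following is an added example, not WatchGuard code or anything posted in the thread: a small lint function that encodes those three findings as checks over a 1-to-1 NAT configuration, then replays the configuration states the poster went through. The `lint_one_to_one_nat` name, its argument layout and the 203.0.113.0/24 addresses are constructed stand-ins for the thread's x.x.x.146/.147/.148.

```python
from collections import Counter


def lint_one_to_one_nat(external_ip, aliases, one_to_one, dyn_exceptions):
    """Report configuration states that, per the thread, stop 1-to-1 NAT from
    rewriting the source address of outbound packets on a WSM 7.5 Firebox.

    external_ip:    primary address of the external interface
    aliases:        extra addresses also bound to the external NIC as aliases
    one_to_one:     list of (nat_base, real_base) 1-to-1 NAT entries
    dyn_exceptions: addresses entered on the Dynamic NAT Exceptions tab

    Returns a list of human-readable findings; an empty list means clean."""
    findings = []
    entries_per_host = Counter(real for _, real in one_to_one)
    for nat_base, real_base in one_to_one:
        if nat_base == external_ip:
            findings.append(f"{nat_base}: NAT base is the external interface address itself")
        # Accepted solution: a 1-to-1 NAT address must not also be an interface alias
        if nat_base in aliases:
            findings.append(f"{nat_base}: still an alias on the external NIC; remove it "
                            "(the firebox reboots when the configuration is saved)")
        # Follow-up comment: two entries for one host leave the firebox unable to choose
        if entries_per_host[real_base] > 1:
            findings.append(f"{real_base}: {entries_per_host[real_base]} 1-to-1 entries "
                            "map the same internal host")
        # WSM 7.5: the Dynamic NAT exception is keyed on the *internal* address
        if real_base not in dyn_exceptions:
            hint = (" (an exception exists for the NAT address instead)"
                    if nat_base in dyn_exceptions else "")
            findings.append(f"{real_base}: no Dynamic NAT exception for the internal address{hint}")
    return findings


# Constructed stand-ins for the thread's addresses
EXT = "203.0.113.147"
NAT_A, HOST_A = "203.0.113.148", "192.168.1.100"   # Company A
NAT_B, HOST_B = "203.0.113.146", "192.168.1.95"    # Company B


def thread_states():
    """Replay the configurations described in the thread, in order."""
    # 1. After the first advice: exception keyed on .148, aliases still present
    first = lint_one_to_one_nat(EXT, {NAT_A, NAT_B}, [(NAT_A, HOST_A)], {NAT_A})
    # 2. Aliases removed, but two 1-to-1 entries both point at 192.168.1.100
    second = lint_one_to_one_nat(EXT, set(), [(NAT_A, HOST_A), (NAT_B, HOST_A)], {NAT_A})
    # 3. Final working state: one entry per host, exceptions on the internal addresses
    final = lint_one_to_one_nat(EXT, set(), [(NAT_A, HOST_A), (NAT_B, HOST_B)], {HOST_A, HOST_B})
    return first, second, final


if __name__ == "__main__":
    for label, result in zip(("first", "second", "final"), thread_states()):
        print(label, "->", result or "clean")
```

Each state in `thread_states` reproduces a symptom the poster reported (mail still leaving from .147) as one or more findings, and only the last configuration comes back clean, which matches the resolution in the comment above.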
 
LVL 32

Expert Comment

by:dpk_wal
ID: 22733804
Ohh, I had incorrectly advised you to add .148; my bad, sorry; I will be careful next time; thank you for the points.

Regards.
0
