Solved

forward Packets on Firewall

Posted on 2009-05-12
2
320 Views
Last Modified: 2015-01-05
All....a question for the ages?
 
have a customer with an exchange server, domain is  abc-america.com, .
We forward the MX records to an offsite email scrubber, IE, Postini, SpamSoap etc. The mail comes in great.
 
The company HQ is in Europe, they required all users to get have an email  user@xyz-europe.com. Currently that mail is
foward via a VPN to the local exhange server, all works okay. The European IT dept generates a list via LDAP query and fowards to the private IP of the exchange server. The particular European server foward can ONLY foward to 1 IP address.
 
We would like to foward these emails to the offsite SPAM site, but there is an issue, we can only use 1 IP address, most of these sites use a rotating IPs in their records. If we had Europe select 1 IP address, then if was rotated, users may get NDR or mail may hang in the sending queue.
 
Our best solution we thought was to use an available public IP (not our exchange server, not currently being used) also on a 2nd ISP provider.  Then Have Europe point to that IP, then foward any traffic on that IP to the offsite Spam washer site (postini, or egivs).

to that end, we have tried to set up a firewall rule redirecting any packets on that Public IP to the SpamWasher site, on the sonicwall NSA3500 we have setup a WAN/WAN rule, that did not work, when I telnet to the PublicIP we provide on port 25, I am not redirected. Sonicwall logs provide no info. When I do a packet capture the packets are arrived and them dropped.

I also have done/tried a NAT Rule under the advice of Sonicwall, that also did not work, same thing.
 
I cannot redirect the entire MX for xyz-europe.com, as I am only concerned with perhaps 60-70 email address.

Has anyone ecountered this problem before, and what was your solution? ISA? Cisco/ Watchguard? a better sonicwall rule?
Looking foward to your replies.
 
0
Comment
Question by:FITFSC
2 Comments
 
LVL 32

Accepted Solution

by:
dpk_wal earned 500 total points
ID: 24387292
I am not sure if this would be possible with any firewall product; a router might help. Firewalls are designed with specific design where they keep state of the sessions when the communicating parties go through the firewall [from one physical port to another]; in this case the sessions do not go through the firewall.

If a possibility configure a server on the internal network which would first receive mail from Europe and then redirect the mails to your mail service provider.

Thank you.
0
 

Author Comment

by:FITFSC
ID: 24388941
I think that is what it is comming to,,, a small virtual server to foward the packets on, but kinda of messes with part of the diaster recovery we were hoping with the offsite spam/av provider.
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

Problem Description:   Couple of months ago we upgraded the ADSL line at our branch office from Home to Business line. The purpose of transforming the service to have static public IP’s. We were in need for public IP’s to publish our web resour…
Shadow IT is coming out of the shadows as more businesses are choosing cloud-based applications. It is now a multi-cloud world for most organizations. Simultaneously, most businesses have yet to consolidate with one cloud provider or define an offic…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now