PurityIT

asked on

How do we configure our Netscreen 5GT for inbound email?

We have changed our Exchange server and had to create a new rule on the Netscreen 5GT router. We added a rule in but still can't get any email in and we can't telnet in on port 25.

Can anyone offer any advice about how to fix this? The internal address of our Exchange server is 10.0.0.2 with a subnet mask of 255.255.255.0.

Many thanks in advance
Hodepine

Try this:

set interface untrust vip untrust 25 "MAIL" 10.0.0.2 manual
set policy id 3 from "Untrust" to "Trust"  "Any" "VIP::1" "MAIL" permit

If the inside of the NetScreen is in the 10.0.0.0/24 network this should work. There might be issues if you're running MIP NAT instead of VIP, but we'll handle that if that's a problem.
PurityIT (Asker)

Hi, and thanks for your reply.

Where is this bit set up? I saw the wizard for it but decided not to use that, and tried to edit the current rule instead, but that didn't work.

This is set up from the command line. I'm afraid I don't know the wizard, haven't used that, but if you prefer the GUI it's:

Network > Interfaces > "Edit" on untrust > VIP > New VIP Service

VIP and New VIP Service are both located at the top of the window.

For the new VIP service you select your virtual IP (the outside IP of the NS). This is if you don't have any other public IP addresses assigned; if you have a range of addresses assigned, it's more common to use MIP. Let me know and I'll show you how.

Virtual port is 25

Map to service is "MAIL (25)".

Map to ip is your inside IP.

When this is done, you add a policy:

Policies > New (select From Untrust to Trust on zones first).

This next screen varies with your software version, but the settings you need are:

Source address: Any
Destination address: VIP::1
Service: MAIL
Action: Permit

To be safe, also click "position at top", and we'll avoid any mistakes with other rules dropping our traffic.
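The two mappings mentioned in this thread (VIP on the firewall's own outside address, or MIP on a spare public address), written out as a ScreenOS CLI fragment with the commands used to check which one the box is actually doing. This is an added example, not Hodepine's or PurityIT's configuration: the interface name `untrust`, the zone names, the predefined `MAIL` (TCP/25) service and 203.0.113.10 as a spare public address are assumptions, and only one of the two options is needed.

```screenos
! Added example, not from the thread. Assumed: untrust interface named
! "untrust", zones "Untrust"/"Trust", predefined service "MAIL" (TCP/25),
! 203.0.113.10 as an assumed spare public address, server at 10.0.0.2.

! --- Option A: VIP on the untrust interface's own address (no spare public IP) ---
! Port 25 on the firewall's outside address is forwarded to 10.0.0.2:25.
! The inside address lives here, on the VIP entry, not on the policy,
! which is why the policy itself shows no NAT settings.
set interface untrust vip interface-ip 25 "MAIL" 10.0.0.2 manual
! The policy's destination is the VIP object. "top" places it first so
! that no earlier Untrust->Trust rule can drop the traffic.
set policy top from "Untrust" to "Trust" "Any" "VIP::1" "MAIL" permit

! --- Option B: MIP, a dedicated public address mapped 1:1 to the server ---
set interface untrust mip 203.0.113.10 host 10.0.0.2 netmask 255.255.255.255 vrouter trust-vr
set policy top from "Untrust" to "Trust" "Any" "MIP(203.0.113.10)" "MAIL" permit

! --- Checks ---
get interface untrust        ! lists the VIP/MIP entries and the mapped inside host
get policy                   ! the MAIL policy should be enabled and at the top
get session dst-port 25      ! a session whose destination is 10.0.0.2 means the mapping worked

! If no session appears, trace one connection attempt through the flow engine:
set ffilter dst-port 25
clear db
debug flow basic
! ...make one connection to port 25 from outside, then stop and read the trace:
undebug all
get db stream
```

The `get db stream` output states, per packet, which policy matched and where the packet was sent or why it was dropped, which separates "no VIP/MIP so the packet is addressed to the firewall itself" from "policy denied" and from "forwarded to 10.0.0.2 but the server did not answer".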

That's great, thanks for your help. I'll try this tomorrow and let you know how I get on.
The first thing you should do is check your existing policy. Is destination already VIP::1 or is it MIP(x.x.x.x) (where x.x.x.x is an ip-address)? There are two different ways of doing it, and I've given you one of them. If it's the other, I'll have to give you that as well.
Hi again. The destination is VIP. I'm not at the router just now, but I did remember seeing this. I wrongly changed this to the 10.0.0.2 address, so I'll need to retrace my steps.
Ok, as long as the VIP is already there, you can just edit the old one where described. Depending on software you might have to either remove or disable the policy first, though.
Hi again,

I looked on the old rule and can't find anywhere which defines what inside IP address the mail should go to.

I created the new one as suggested and that didn't work either. I created it as you suggested above, but it never asked me at any stage to define the inside IP. I did see that there was an "Advanced" section, so I went into that and it allowed me to use NAT, so I defined the inside IP and port there, but that didn't work. From the original rule I see that NAT wasn't used previously, so I'm a little bit puzzled about how the traffic got to the correct destination, as we have 4 servers.

I have attached some screenshots for you to see if that helps.

Thanks again
Policies.jpg
Here are two other screenshots also which shows the newly created mail rule and the advanced settings
Mail-rule.jpg
Advanced-Settings-of-mail-rule.jpg
ASKER CERTIFIED SOLUTION
Hodepine

This solution is only available to members.
You are a star!!!

Managed to find it, and now the mail is coming in again.

Thanks for all your help.