How do we configure our Netscreen 5GT for inbound email?

We have changed our Exchange server and had to create a new rule on the Netscreen 5GT router. We added a rule in but still can't get any email in and we can't telnet in on port 25.

Can anyone offer any advice about how to fix this? Our internal address of our Exchange server is 10.0.0.2 with a subnet mask of 255.255.255.0.

Many thanks in advance
PurityIT Asked:

Hodepine Commented:
Try this:

set interface untrust vip untrust 25 "MAIL" 10.0.0.2 manual
set policy id 3 from "Untrust" to "Trust"  "Any" "VIP::1" "MAIL" permit

If the inside of the netscreen is in the 10.0.0.0/24 network this should work. Might be issues if you're running MIP nat instead of VIP, but we'll handle that if that's a problem.
PurityIT Author Commented:
Hi and thanks for your reply

Where is this bit set up? I saw the wizard for it but decided not to use that, and tried to edit the current rule, but that didn't work.
Hodepine Commented:
This is set up from the command line. I'm afraid I don't know the wizard, haven't used that, but if you prefer the GUI it's:

Network > Interfaces > "Edit" on untrust > VIP > New VIP Service

VIP and New VIP Service are both located at the top of the window.

For the new VIP service you select your virtual IP (the outside IP of the NS; this is if you don't have any other public IP addresses assigned. If you have a range of addresses assigned, it's more common to use MIP. Let me know and I'll show you how.)

Virtual port is 25

Map to service is "MAIL (25)".

Map to ip is your inside IP.

When this is done, you add a policy:

Policies > New (select From Untrust to Trust on zones first).

This next screen varies with your software version, but the settings you need are:

Source address: Any
Destination address: VIP::1
Service: MAIL
Action: Permit

To be safe, also click "position at top", and we'll avoid any mistakes with other rules dropping our traffic.
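The VIP-plus-policy pairing described in this answer is easy to get subtly wrong (pointing the policy at the private address instead of the VIP, or permitting ANY instead of MAIL). The following checker is an added example, not part of the thread or of ScreenOS: it parses the two `set` lines from the answer out of a constructed config text and reports those mistakes, assuming the ScreenOS line formats shown above.

```python
import re

# Constructed sample: the two ScreenOS lines from the answer, as a saved config might hold them.
SAMPLE_CONFIG = """
set interface untrust vip untrust 25 "MAIL" 10.0.0.2 manual
set policy id 3 from "Untrust" to "Trust"  "Any" "VIP::1" "MAIL" permit
"""

VIP_RE = re.compile(
    r'^set interface (\S+) vip (\S+) (\d+) "([^"]+)" (\d+\.\d+\.\d+\.\d+)(?: manual)?$')
POLICY_RE = re.compile(
    r'^set policy id (\d+) from "([^"]+)" to "([^"]+)"\s+"([^"]+)" "([^"]+)" "([^"]+)" (\w+)$')


def parse(config):
    """Pull VIP mappings and policies out of ScreenOS 'set' lines; ignore everything else."""
    vips, policies = [], []
    for line in config.strip().splitlines():
        line = line.strip()
        if m := VIP_RE.match(line):
            vips.append({"port": int(m[3]), "service": m[4], "inside_ip": m[5]})
        elif m := POLICY_RE.match(line):
            policies.append({"id": int(m[1]), "from": m[2], "to": m[3], "src": m[4],
                             "dst": m[5], "service": m[6], "action": m[7]})
    return vips, policies


def check_inbound_mail(config, inside_ip="10.0.0.2", port=25):
    """Return a list of findings; an empty list means the VIP/policy pair looks right."""
    vips, policies = parse(config)
    findings = []
    if not any(v["port"] == port and v["inside_ip"] == inside_ip for v in vips):
        findings.append(f"no VIP maps virtual port {port} to {inside_ip}")
    inbound = [p for p in policies if p["from"] == "Untrust" and p["to"] == "Trust"]
    if not inbound:
        findings.append("no Untrust-to-Trust policy found")
    for p in inbound:
        # The mistake from the thread: destination must be the VIP (or a MIP), never the private IP.
        if p["dst"] == inside_ip:
            findings.append(f"policy {p['id']}: destination is the private address; use VIP::1")
        elif not (p["dst"].startswith("VIP::") or p["dst"].startswith("MIP(")):
            findings.append(f"policy {p['id']}: destination {p['dst']} is neither a VIP nor a MIP")
        # Least privilege: only the mail service should be opened from the untrusted side.
        if p["service"].upper() == "ANY":
            findings.append(f"policy {p['id']}: service ANY is too broad; restrict it to MAIL")
        if p["action"] != "permit":
            findings.append(f"policy {p['id']}: action is {p['action']}, not permit")
    return findings
```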


PurityIT Author Commented:
That's great, thanks for your help. I'll try this tomorrow and let you know how I get on.
Hodepine Commented:
The first thing you should do is check your existing policy. Is destination already VIP::1 or is it MIP(x.x.x.x) (where x.x.x.x is an ip-address)? There are two different ways of doing it, and I've given you one of them. If it's the other, I'll have to give you that as well.
PurityIT Author Commented:
Hi again. The destination is VIP. I'm not at the router just now but I did remember seeing this. I wrongly changed this to the 10.0.0.2 address, so I'll need to retrace my steps.
Hodepine Commented:
Ok, as long as the VIP is already there, you can just edit the old one where described. Depending on software you might have to either remove or disable the policy first, though.
PurityIT Author Commented:
Hi again,

I looked at the old rule and can't find anything which defines what inside IP address the mail should go to.

I created the new one as suggested and that didn't work either. I created it as you suggested above, but it never asked me at any stage to define the inside IP. I did see that there was an "Advanced" section, so I went into that and it allowed me to use NAT, so I defined the Inside IP and port there, but that didn't work. From the original rule I see that NAT wasn't used previously, so I'm a little bit puzzled about how the traffic got to the correct destination, as we have 4 servers.

I have attached some screenshots for you to see if that helps.

Thanks again
Policies.jpg
PurityIT Author Commented:
Here are two other screenshots which show the newly created mail rule and the advanced settings.
Mail-rule.jpg
Advanced-Settings-of-mail-rule.jpg
Hodepine Commented:
No, the NAT you're looking for isn't on the rule.

It's under Network > Interfaces > "Edit" on Untrust > VIP.

PurityIT Author Commented:
You are a star!!!

Managed to find it and now the mail is coming in again.

Thanks for all your help