Easily explained.

Let's assume two networks. 1.x is publicly accessible,
and 1.1 is the firewall's external interface. This is
also the address that people would SMTP to.

2.1 is the firewall's internal interface.
2.2 is your client.
2.3 is the mail server.

Client sends request
2.1 -> 1.1:25
Firewall does static NAT
2.1 -> 2.3:25
mail server receives and responds
2.3:25 -> 2.1

This gets sent directly over the LAN, and hence
your client gets the response from a different
IP than it originally contacted.

What you need to do (and, to my knowledge, you
cannot do this with FW-1 in a secure manner,
someone else care to elaborate?) is:

Client sends request
2.1 -> 1.1:25
Firewall does static NAT
2.1 -> 2.3:25
Firewall ALSO does NAT-hide
2.1 -> 2.3:25
Mail server receives and responds
2.3:25 -> 2.1
This is received by the firewall, which does the hide reverse
2.3:25 -> 2.2
And also the static translation reverse
1.1:25 -> 2.2

And sends to the client, which happily accepts it!

Yes, people, this means every packet makes noise
on the internal LAN TWICE. No, it's not good, but
it's the only way to actually make it work.

What you probably can do though, is to set up
a split DNS, that reports mail.mycompany.com as
being 1.1 for external people, and being 2.3
to internal users. (I'm assuming this is where
the problem really lies?)

"Slife, Andrew M., CTR, OSD/P&R" wrote:
> 
> Are your internal addresses routable?  Even though you are using NAT, if the
> internal addresses are from the private ranges, SMTP no workie workie with
> FW-1 NAT (even though it seems like it should).  In a previous incarnation,
> I had NAT for my 10.x internal ranges and it Would Not Work (getting
> inexplicable results like those you describe).  When the box was put in the
> DMZ and given a valid public IP address, NAT worked with SMTP.
> Andrew
> 
> Jen wrote:
> 
>         Okay, I've set up NAT lots and lots of times, but this problem is
>         driving me crazy.  I set up an SMTP server on an NT workstation for
>         testing purposes.  I set up address translation on the FW for that
>         machine.  However, when I try to telnet to port 25 from the outside
>         world, nothing happens.  I look in the firewall logs, and it says it
>         accepted the connection.  Furthermore, when I telnet out from the
>         workstation in question, the source address is the valid (translated)
>         address.  So translation seems to be working, at least outgoing.
> 
>         As a test, I pointed the valid address to another internal IP.  After
>         I did that, I could telnet to port 25 just fine from the outside
>         world.  I switched it back, and nada.  The problem might be the
>         workstation, except ... when I telnet to port 25 from the internal
>         network, it works just fine.
> 
>         Any ideas?
> 
>         Jen

-- 
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-105 50           Fax: +46-(0)660-122 50
WWW: http://www.enternet.se        E-mail: [EMAIL PROTECTED]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
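As an added example (not part of Mikael's post or the thread), here is a small Python model of the two packet flows he describes: static NAT alone, where the mail server's reply arrives straight over the LAN from 2.3 and the client rejects it, versus static NAT plus hide NAT, where the reply returns through the firewall and both translations are reversed. The addresses are the post's; the client port 40000 is constructed, and the model reuses the client's port for the hide translation where a real firewall would allocate its own.

```python
"""Model of the NAT hairpin problem in the post above (added example).
Addresses as in the post: 1.1 firewall public, 2.1 firewall internal, 2.2
client, 2.3 mail server. TCP accepts a reply only if it mirrors the request."""
from dataclasses import dataclass

FW_EXT, FW_INT, CLIENT, MAIL = "1.1", "2.1", "2.2", "2.3"
STATIC_NAT = {FW_EXT: MAIL}  # static NAT: public 1.1 -> mail server 2.3

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self):
        """Mirrored tuple: what the receiver sends back."""
        return Packet(self.dst, self.dport, self.src, self.sport)

def trace(hide):
    """Walk one client -> 1.1:25 attempt and return (hop, packet) pairs.
    hide=False applies static NAT only (the broken case); hide=True also
    rewrites the source to the firewall's internal address (hide NAT)."""
    req = Packet(CLIENT, 40000, FW_EXT, 25)  # constructed client port
    hops = [("client sends", req)]
    fwd = Packet(req.src, req.sport, STATIC_NAT[req.dst], req.dport)
    hide_state = {}
    if hide:
        # Real hide NAT allocates its own source port; the client's is kept
        # for readability. State is keyed by the reply tuple expected back.
        fwd = Packet(FW_INT, req.sport, fwd.dst, fwd.dport)
        hide_state[fwd.reply()] = req
    hops.append(("firewall forwards", fwd))
    resp = fwd.reply()
    hops.append(("mail server replies", resp))
    if resp.dst == CLIENT:
        # Goes straight over the LAN; the firewall never sees it, so the
        # static translation is never reversed and the source stays 2.3.
        delivered = resp
    else:
        orig = hide_state[resp]  # reverse hide NAT, then static NAT
        delivered = Packet(FW_EXT, resp.sport, orig.src, orig.sport)
    hops.append(("client receives", delivered))
    return hops

def client_accepts(hide):
    """True if the delivered reply mirrors the connection the client opened."""
    hops = trace(hide)
    return hops[-1][1] == hops[0][1].reply()
```

`trace(False)` ends with a packet from 2.3:25, which the client's TCP stack has no connection for; `trace(True)` ends with 1.1:25 -> 2.2, the tuple it expects.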