Hello all,
I am trying to set up a NAT for an internal mail server. My existing policy covers outbound connections from the mail server out to the internet, but I cannot reach it from the internet back inside. I followed the documentation on setting up a static NAT, creating an object for the internal mail server and also for the external interface. The real IP is different from the external IP of the firewall, so I was sure to put in the recommended arp statement so the router upstream will know how to get to it. So, now I can route to it, but I can't get anything through the firewall inside to the mail server. Here's what my policy basically looks like:
Rule 1
  Source:      <mailserver-internal, with static NAT to external>
  Destination: Any
  Services:    Any
  Action:      accept
  Install on:  Gateways

Rule 2
  Source:      <entire internal network>
  Destination: Any
  Services:    Any
  Action:      accept
  Install on:  Gateways

Rule 3
  Source:      Any
  Destination: <mailserver-external, with static NAT to internal>
  Services:    Any
  Action:      accept
  Install on:  Gateways

Rule 4
  Source:      Any
  Destination: Any
  Services:    Any
  Action:      drop
  Install on:  Gateways
Is this correct? Of course I'll tighten down the services later, but I want to make sure it works first. On top of this I have added a route as such:

route add <external IP of mailserver> <internal IP> 1

and updated the arp table with <external IP of mail server> with <external MAC address of fw>. The external IP of the mail server is different from the external IP of the firewall.

This ought to be simple, right? Also, I don't have split-DNS on the firewall yet, but that shouldn't affect this basic routing/NAT config?
Well, this is driving me nuts, I hope you guys can help.
Thanks!
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================