
1 to 1 nat on Firebox 700

Status
Not open for further replies.

skotman

ISP
Sep 11, 2003
328
US
I've got a Watchguard Firebox 700 that was installed before I had this job, recently some of our outbound e-mails have been getting rejected by the receiving mail server due to what I consider overly strict Reverse DNS policies. Everything including all my servers go out to the internet as x.x.x.5 even though my exchange server has a public IP for inbound connections of x.x.x.154.
When the receiving mail server does a reverse look up it looks it up on the .5 address. I'd like to have my exchange server go to the internet through my firebox as .154 leaving everything else to go out as .5 thus setting up a 1 to 1 nat for the exchange server only.

Is this possible with the 700 or should I just setup a strict firewall on the cisco 2600 that's currently functioning as an expensive CSU/DSU?

We have an entire Class C so IP Space isn't an issue here.

Scott Heath
AIM: orange7288
SprintPCS ReadyLink? IM ME
 
yes this is fairly straightforward

open the configuration and select setup..NAT..Advanced..1-1 nat and then add the .154 IP as the NAT base and the internal IP as the real base

then you will need to configure your SMTP and AUTH rule to allow this traffic so add both the internal IP and the .154 IP into the incoming and outgoing rule and you should be all set

let me know if you have any issues
 
Make sure you do dynamic nat exception as
Private IP of mail server -> external, in setup..NAT..Advanced..dynamic nat exception

This will make sure whenever something goes out from the mail server that will always take .154 as a public ip.


 
Which Interface should I choose? Trusted or External?
When I get a few minutes I'll take some screen shots of the config and post them. It's not a huge issue I just don't want to stick Exchange out with a public IP, and I'd rather use our Cisco 2600 to do this but alas, the gods of time and space just refuse to give me another 6 hours in the day.

Scott Heath
AIM: orange7288
SprintPCS ReadyLink? IM ME
 
You must choose the trusted interface.
You have to enable auth (port 113/tcp) to the firebox only. It answers the request

TheJolly1
 
I don't quite understand what auth has to do with this, or is this some watchguard thing that I don't know about? Anyway, I've uploaded some screen shots of my current config:


Hopefully I'm doing something wrong in the config and this is why that server is not going out as its own public IP.

thanks for all your help!
 
These screen shots are wrong,
1) Filtered SMTP Incoming should be enabled and allowed from Any to 208.60.113.4
2) Outgoing is perfect
3) Do the same setting for auth
4) In 1-1 mapping Interface WILL be external, nat base will be public ip address 208.60.113.4, real base will be private ip address 192.168.1.154
5) Dynamic nat exception should be from 192.168.1.154-external, NOT THE IP OF THE EXTERNAL


Thanks
Pankaj
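To show why step 5 above matters, here is an added Python model of the rule order the replies describe (dynamic NAT masquerades the trusted network unless a host has a dynamic NAT exception, in which case its 1-to-1 mapping applies) followed by the reverse-DNS check a receiving mail server performs. This is example code written for this thread, not WatchGuard's implementation; the 192.168.1.0/24 network, the external address 208.60.113.5 (the thread's "x.x.x.5"), and the hostnames are assumptions, with the DNS tables constructed inline.

```python
import ipaddress
from typing import Set, Tuple

# Constructed model of the Firebox rules described in the thread (not WatchGuard code):
# - Dynamic NAT masquerades the whole trusted network behind the external interface IP.
# - A 1-to-1 NAT entry maps one public ("NAT base") to one private ("real base") address.
# - A dynamic NAT exception stops masquerading for that host so the 1-to-1 mapping applies.
TRUSTED_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed from the private IP in the thread
EXTERNAL_IP = ipaddress.ip_address("208.60.113.5")     # assumed: the thread's "x.x.x.5"
ONE_TO_ONE = {                                         # real base -> NAT base, values from the thread
    ipaddress.ip_address("192.168.1.154"): ipaddress.ip_address("208.60.113.4"),
}


def outbound_source(src: str, dynamic_nat_exceptions: Set[str]) -> str:
    """Return the public source address a packet from `src` leaves the firewall with."""
    ip = ipaddress.ip_address(src)
    if ip not in TRUSTED_NET:
        return src                                     # not a trusted host: left untouched
    if src in dynamic_nat_exceptions and ip in ONE_TO_ONE:
        return str(ONE_TO_ONE[ip])                     # exception present: 1-to-1 mapping applies
    return str(EXTERNAL_IP)                            # default: dynamic NAT to the external IP


# Constructed DNS tables standing in for what the receiving mail server would resolve.
PTR = {"208.60.113.4": "mail.example.net", "208.60.113.5": "fw.example.net"}
A = {"mail.example.net": "208.60.113.4", "fw.example.net": "208.60.113.5"}


def reverse_dns_ok(source_ip: str, mail_hostname: str) -> bool:
    """Forward-confirmed reverse DNS: the PTR of the connecting IP must be the mail
    server's own hostname, and that name must resolve back to the same IP."""
    name = PTR.get(source_ip)
    return name == mail_hostname and A.get(name) == source_ip


def mail_delivery_check(exceptions: Set[str]) -> Tuple[str, bool]:
    """Address the Exchange host is seen as, and whether the reverse-DNS check passes."""
    seen_as = outbound_source("192.168.1.154", exceptions)
    return seen_as, reverse_dns_ok(seen_as, "mail.example.net")


if __name__ == "__main__":
    print("without exception:", mail_delivery_check(set()))               # ('208.60.113.5', False)
    print("with exception:   ", mail_delivery_check({"192.168.1.154"}))   # ('208.60.113.4', True)
```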
 