
MailGw in DMZ question

Status
Not open for further replies.

systimax

MIS
May 1, 2002
6
US
Hello, I’m pretty new to checkpoint and have a basic question that I thought would take me no time.


I have a DMZ network with an address of 192.168.1.x
Internal network 10.5.1.X

I have a mail filter in the DMZ

In Smart Dash

I have a node for the Mail Filter in the dmz and a node for the email server in the lan.

My very first rule is

Source {EmailFilter} (Node) Destination {EmailServer} (Node) port 25 allow log.

When I try to telnet to it using 25 it never connects. There are no logs at all giving me a deny error.

Am I missing something fundamental with Checkpoint versus other firewalls?

thanks for any tips
 
Did you create a NAT rule? Also, which way were you telnetting? In this environment I'd create a bidirectional NAT rule. Create a group that has the internal network object and the DMZ network in this object, named e.g. No_NAT. Then create the following rule: No_NAT to No_NAT, keep original. Then create your email rule, as follows:
email_svr, email_filter to email_svr, email_filter, smtp, allow, log. This should allow you to telnet from your email server to the email filter server and back. However, in order to allow email to come in from the internet, you'd need to create another NAT and security rule for smtp to get to your email filter server.

hope this helps
 


I'm sorry, I don't quite understand.

I really don't want any NAT... let alone do I know how to set up a bidirectional NAT.

When someone on the internal LAN accesses something in the DMZ I want to see the source IP from the LAN and not a NATed address from the LAN interface on the FW.

I also don't quite understand when you say I need to create a NAT and another security rule.. aren't they the same when you select the port you want to get NATed and choose advanced, then

SRV_REDIRECT(25,10.5.1.x,25)
 
Is this email server for internal use only, meaning no emails will go to any other network? If not, you'll need to NAT your email filter server to the Public internet using a public IP.
 
I agree with what has been said so far, in that what seems to be happening is that the DMZ network is NAT'ing.

Has the DMZ network got Hide NAT or the Filter server got static NAT set?

If this is the case, as RN4IT says, create a nat rule i.e:

            Original Packet                      Translated Packet
Source      Destination   Service      Source      Destination   Service

Filter      MailServer    Any          =Original   =Original     =Original
MailServer  Filter        Any          =Original   =Original     =Original



Akiwondo (MCSE, CCSE)
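Added here as an illustration of the first-match ordering the replies rely on (example code, not from the thread or from Check Point): a small model of a NAT rulebase, using the thread's DMZ and LAN networks, that shows what source address the mail server sees with a DMZ hide NAT alone, with the "No_NAT to No_NAT, keep original" rule placed before it, and with that rule placed after it. Host addresses, the gateway's external address and the hide rule's "Any" destination are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Addressing from the thread: DMZ 192.168.1.0/24, internal LAN 10.5.1.0/24.
# Host addresses and the gateway's external address are constructed placeholders.
DMZ = ipaddress.ip_network("192.168.1.0/24")
LAN = ipaddress.ip_network("10.5.1.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
FW_EXTERNAL = "203.0.113.1"   # placeholder for the gateway's outside address

@dataclass
class NatRule:
    name: str
    src: List[ipaddress.IPv4Network]   # original source may belong to any of these
    dst: List[ipaddress.IPv4Network]   # original destination likewise
    translated_src: Optional[str]      # None means "=Original" (no translation)

def _in_any(nets, ip):
    return any(ipaddress.ip_address(ip) in n for n in nets)

def source_seen(rulebase, src, dst):
    """First-match NAT evaluation: the first rule whose source and destination
    both match decides the translation. Returns the source address the
    destination host will see in the packet (and log)."""
    for rule in rulebase:
        if _in_any(rule.src, src) and _in_any(rule.dst, dst):
            return src if rule.translated_src is None else rule.translated_src
    return src  # no rule matched: the packet passes untranslated

# Hide NAT for the whole DMZ behind the gateway, destination Any (assumed);
# this is the rule the replies suspect is already translating filter -> server.
HIDE_DMZ = NatRule("hide DMZ", [DMZ], [ANY], FW_EXTERNAL)
# RN4IT's "No_NAT to No_NAT, keep original", with the group No_NAT = {LAN, DMZ}
# expanded inline; it only wins if it is evaluated before the hide rule.
NO_NAT = NatRule("No_NAT to No_NAT", [LAN, DMZ], [LAN, DMZ], None)

FILTER, MAILSERVER = "192.168.1.10", "10.5.1.20"   # constructed host addresses

def compare_orderings():
    """Source address the mail server sees for each rulebase ordering."""
    return {
        "hide only":         source_seen([HIDE_DMZ], FILTER, MAILSERVER),
        "no_nat first":      source_seen([NO_NAT, HIDE_DMZ], FILTER, MAILSERVER),
        "no_nat after hide": source_seen([HIDE_DMZ, NO_NAT], FILTER, MAILSERVER),
        "lan to dmz":        source_seen([NO_NAT, HIDE_DMZ], "10.5.1.50", FILTER),
    }

if __name__ == "__main__":
    for order, seen in compare_orderings().items():
        print(f"{order:>18}: mail server sees source {seen}")
```

The "no_nat after hide" row is the case to watch for in the thread: a no-NAT rule placed below an existing hide rule never matches, so the internal server still sees the gateway address and the original LAN or DMZ source is lost from its logs.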
 