
Nokia IP120 and Checkpoint NG FP3


LeedsUnitedAFC

Technical User
Jul 4, 2003
Basic config: all I want to do is allow email to flow to an internal mail server on the internal LAN.
Created the mail server object with a private IP address and Static NAT to a public IP address. Created an smtp-resource referencing the internal IP address of the mail server, with the DNS/MX option unchecked. In Voyager added a proxy-arp for the public IP address of the mail server to the MAC address of the external interface of the Nokia device.
But nothing, no mail comes in. What do the MX record and corresponding A record reference, the Nokia device or the mail server's public IP address??
What should the smtp-resource rule look like???
Any Firewall smtp-resource accept

Have noticed that when I do ps -aux I do not see the 'in smtpd wait 0' process running. Can this be a problem? It is specified in $FWDIR/conf/fwauthd.conf???

Any Help is more than welcome
 
In Voyager, have you created a static route from your NAT address to the private address? You will need this, and you will need to create a NAT rule. You don't need to use DNS on the Nokias, unless you want them doing DNS service for your network. The security rule could be Any -> email_NAT using smtp accept.

That should do it. [cheers]
 
I was under the understanding that you do not need to create a static route in NG if you have the option set in Global Properties, which I do. Can you confirm that for me please?
 
Nope, we have always put the static route in. Which option are you referring to? The NAT one, client-side translation?
[cheers]
 
Yes, I believe so. I have all of them check-marked, the 3 for automatic NAT and the 1 for manual NAT. It came set like this and I haven't changed any of them. Is that what it should look like, or should I be playing with these, or just add the static route??
 
You'll definitely want the allow bi-directional NAT and enable client side translation; I'm not sure about the automatic ARP though, but other than that it sounds right. Just put in your static route, after that it should work, but here's a checklist.
1-smtpobject_nat
2-smtpobject_privaddr
3-security rule any => smtpobject_nat (services allowed) accept and whichever tracking options
4-proxy ARPs
5-static routes (public address to private address)
6-NAT rule (this can be specific for this service or just a general NAT rule)
Good luck [cheers]
 
If you have 'client side NAT' enabled on NG then you do not need a static route for your NATed addresses. NG performs NAT before it routes the packets, unlike 4.1, which made a routing decision before it applied NAT.

Make sure that your MX record points to the global IP addresses of the mail server and not the firewall.

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
Chris, I have done all of the above and still no mail is flowing through; it still flows to my old mail server that is external to the firewall. I have had the MX record point to the firewall and to the global address of the mail server. What is the rule if you have it point to the mail server, and does it go above the Stealth rule?
rn4it
What do you mean by smtpobject_nat and smtpobject_privaddr?
Are these two separate workstation objects??? I have not tried static routes yet so I will give them a try.
I have also left it in the hands of the Nokia guys.....

THANKS GUYS.
 
Why have you had an MX record pointed at the firewall? You just need the global address of the mail server. You also need a rule to allow SMTP from anywhere. Have you checked the logs to make sure that the traffic is not being blocked?

Chris.

 
Because in 4.1, if you have the mail server in the DMZ, you can list the firewall as the MX record; you proxy-ARP to the mail server and have a static route defined. The mail server is NATted and there is an smtp-resource defined above the Stealth rule and another rule defining Any=Int.mailSrv=smtp=accept.
This works.
As for the logs, they are showing nothing. When I define the mail server in the rule base instead of the firewall I cannot telnet to port 25 of the mail server either???
 
Leeds,
This rule should be anywhere between a rule "any to FW deny" and "any any any drop".
smtpobject_nat = mail server public IP
smtpobject_privaddr = mail server private IP

You need to have your MX record point to the mail server; if the DNS server has a public IP then the MX record should point to the mail server's public IP. If it has a private IP then you need to use your private IP and contact whoever updates your public DNS and have them update the MX record.

As for the rule, any -> smtpobject_nat using smtp, pop3 etc. accept. You will also need to have a NAT rule to handle the translation. The Nokia guys should be able to help you out. [cheers]
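The rule-ordering and checklist advice in this thread, modelled as a small Python script (an added example, not code from the thread or from Check Point): it walks the checklist (MX target, proxy ARP, first-match rule base placement between the stealth and cleanup rules, static NAT) for an inbound SMTP connection and reports what would stop mail from flowing. All object names, addresses and the sender IP are constructed, and the rule-base model is a simplification assumed for illustration.

```python
# Added example, not from the thread: a toy first-match rule base plus the
# checklist above for inbound SMTP to a statically NATed mail server.
# Every object name and address here is constructed for illustration.
from collections import namedtuple
from dataclasses import dataclass
Rule = namedtuple("Rule", "src dst service action")  # "any" or object/service name

@dataclass
class Firewall:
    objects: dict     # object name -> IP address
    rules: list       # ordered; first match wins
    proxy_arp: set    # public IPs the external interface answers ARP for
    static_nat: dict  # public IP -> private IP

    def first_match(self, src_ip, dst_ip, service):
        """First rule matching the ORIGINAL (pre-NAT) packet, else (None, None).
        Inbound, the destination is the mail server's public IP, not the FW."""
        for i, r in enumerate(self.rules):
            if r.src != "any" and self.objects.get(r.src) != src_ip:
                continue
            if r.dst != "any" and self.objects.get(r.dst) != dst_ip:
                continue
            if r.service in ("any", service):
                return i, r
        return None, None

    def inbound_smtp_problems(self, mx_target, public_ip, private_ip):
        """Return the checklist items that would stop mail from flowing."""
        problems = []
        if mx_target != public_ip:
            problems.append("MX record must point at the mail server's public IP")
        if public_ip not in self.proxy_arp:
            problems.append("no proxy ARP for the public IP on the external interface")
        i, r = self.first_match("198.51.100.7", public_ip, "smtp")  # constructed sender
        if r is None or r.action != "accept":
            problems.append("SMTP to the public IP is dropped by "
                            + ("the implicit drop" if r is None else f"rule {i + 1}"))
        if self.static_nat.get(public_ip) != private_ip:
            problems.append("no static NAT from the public IP to the private IP")
        return problems

OBJECTS = {"FW": "192.0.2.1", "smtpobject_nat": "192.0.2.25", "smtpobject_privaddr": "10.0.0.25"}
STEALTH, CLEANUP = Rule("any", "FW", "any", "drop"), Rule("any", "any", "any", "drop")
SMTP_IN = Rule("any", "smtpobject_nat", "smtp", "accept")
NAT = {"192.0.2.25": "10.0.0.25"}

def misordered_firewall():  # SMTP rule below the cleanup rule: never reached
    return Firewall(OBJECTS, [STEALTH, CLEANUP, SMTP_IN], {"192.0.2.25"}, NAT)
def working_firewall():  # SMTP rule between stealth and cleanup, as advised above
    return Firewall(OBJECTS, [STEALTH, SMTP_IN, CLEANUP], {"192.0.2.25"}, NAT)
```

Pointing the MX record at the firewall's own address, as was tried in the thread, is reported as a problem by the same check, and SMTP sent to the firewall's address itself is caught by the stealth rule.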
 