
SMTP connection errors... Check Point Firewall FP3

Status
Not open for further replies.

Excremont (Technical User), Dec 24, 2003
Help...

I am having problems with external sources connecting to an internal SMTP server.

I have configured NAT manually, forcing any connections made to the public IP address to be NAT'd on the SMTP protocol to my internal SMTP server. The rule base has also been configured to allow SMTP traffic to my SMTP server.

When I try and telnet to the public IP Address on port 25 it fails to make a connection.

Does anyone know of any bugs, known issues or better ways to make this work?

Thanx
 
I've seen this behaviour before on different firewalls. Is the firewall looking for connections originating on port 25 as well as with a destination port of 25?

I don't think you can specify the originating port in a normal telnet window, but you can with netcat

nc -p 25 destination 25

Hope this helps.
 
What do the firewall logs show?

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
The FW log indicates that a connection is successfully made to the public IP interface of the Mail Relay Agent, which is NAT'd to its internal IP address, but for some reason the connection is made again and again, indicating that delivery of the mail has been unsuccessful. Now when I check the logs of the Mail Relay Agent it shows that an SMTP connection is made (opened) then ended (closed) straight away. At first I thought that maybe there was a bug in the Mail Relay software; however I have ruled out that possibility due to the fact that I use that same piece of software to route mail out and it works fine. I'm somewhat leaning toward the NATing being the culprit, based on the fact that I cannot telnet to the public address on port 25 anymore (when I say anymore I mean that before I used Auto NAT and have now switched to Manual).

Any thoughts?

If I've missed anything of any importance let me know.
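An added diagnostic, written for this page and not taken from the thread or from Check Point: it probes port 25, optionally from a fixed source port as the `nc -p 25 destination 25` line above does, and separates the outcomes that the two posts above run together. A firewall log can record an accepted connection while the application behind the NAT never sends its 220 greeting or closes the session at once (the relay-log symptom described above); a telnet "could not connect" usually means the TCP handshake itself failed (refused or timed out). The in-process test servers and the `relay.example.test` hostname are constructed so the script runs offline; the status names are the example's own.

```python
"""smtp_probe.py - TCP/SMTP reachability probe (added example, not from the thread)."""
import socket
import threading


def smtp_probe(host, port=25, source_port=None, timeout=5.0):
    """Connect to host:port and wait for the SMTP greeting.

    Returns a (status, detail) tuple. The statuses separate layers that a
    firewall log alone does not distinguish:
      refused               - TCP RST on connect (nothing listening / NAT not translating)
      timeout               - no SYN/ACK within timeout (dropped by a filter or black-holed route)
      timeout-after-connect - handshake completed, but no greeting arrived
      closed-before-banner  - accepted, then FIN before any 220 line
      reset-before-banner   - accepted, then RST before any 220 line
      banner                - 220 greeting received; detail holds the line
      unexpected            - something other than 220 arrived; detail holds it
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        if source_port is not None:
            # Same idea as `nc -p 25 ... 25`: fixed source port. Ports below 1024 need root.
            sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            sock.bind(("", source_port))
        try:
            sock.connect((host, port))
        except ConnectionRefusedError:
            return ("refused", None)
        except socket.timeout:
            return ("timeout", None)
        try:
            data = sock.recv(512)
        except socket.timeout:
            return ("timeout-after-connect", None)
        except ConnectionResetError:
            return ("reset-before-banner", None)
        if not data:
            return ("closed-before-banner", None)
        line = data.decode("ascii", "replace").splitlines()[0].strip()
        if line.startswith("220"):
            try:
                sock.sendall(b"QUIT\r\n")
            except OSError:
                pass
            return ("banner", line)
        return ("unexpected", line)
    finally:
        sock.close()


def serve_once(behaviour):
    """Constructed in-process stand-in for the relay so the probe runs offline.

    behaviour "greet": send a 220 banner and wait for QUIT.
    behaviour "drop":  accept the connection and close it immediately.
    Returns the ephemeral port it listens on (127.0.0.1).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        try:
            if behaviour == "greet":
                conn.sendall(b"220 relay.example.test ESMTP ready\r\n")  # hostname is assumed
                conn.recv(64)  # wait for the client's QUIT
        except OSError:
            pass
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def unused_port():
    """A loopback port with nothing listening, to show the 'refused' case."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    for label, port in (("greeting relay", serve_once("greet")),
                        ("accept-then-close relay", serve_once("drop")),
                        ("nothing listening", unused_port())):
        print(label, "->", smtp_probe("127.0.0.1", port, timeout=2.0))
```

Against a real public address (for instance `smtp_probe("203.0.113.10", 25, source_port=25)`, address assumed and from the documentation range) run from outside the firewall: `refused` or `timeout` means the packet never reached a listener, so look at the NAT translation and the rule base; `closed-before-banner` or `reset-before-banner` means the firewall and NAT delivered the SYN and the relay itself (or something in front of it, such as a reverse DNS or relay-policy check) dropped the session, so look at the relay's logs rather than the firewall's.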
 
Does the mail server have a default gateway of the firewall's internal address? Is the firewall doing proxy ARP for the mail server's outside address?

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
Yes, the mail server has the firewall's internal IP configured as its gateway. I'm pretty certain proxy ARP and all the routing table information are correct, as outgoing mail follows the exact same route and works fine.

The only difference is that mail going out comes from an internal source to an internal source, then gets routed out based on the results of a DNS lookup for the MX. Whereas external mail comes in (through NAT), then finds where it is going based on the results of an internal DNS lookup, but it doesn't make it far enough to perform a lookup. The log of the mail relay agent indicates that a connection is made and quickly terminated. Also, when I try and telnet on port 25, the FW log shows that a connection was successful; however I know that it isn't, because the cmd screen displays a "could not connect to host" message. Also, if I set the Node (in Check Point) to use Auto NAT instead of Manual, telnetting to port 25 on the public interface works, but as soon as I change it to Manual it stops.
 
Make sure that you're using 'static' and not 'hide'.

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
I have a static NAT route in place.

The only thing that's crossing my mind (as a potential problem) is that I have one internal box that's performing multiple tasks, which require it to have 4 public IP addresses. Now the NAT rules start by routing each address to the 1 internal IP that the box has physically attached to the NIC. The first 2 NAT rules are working fine; they provide a way for zone transfers (DNS) to happen. However, the 3rd & 4th rules, which are routing SMTP traffic, are not routing the traffic properly, or at least that's how it would appear. I'm fairly new to NAT with Check Point, but I have consulted with the main Check Point guy from my place of work. He is quite bewildered with the problem and is suggesting that I remove all the NAT rules and start with SMTP 1 first. I'm not too keen on this idea. I'm hoping that someone has had enough experience with Check Point or may have already encountered the problem.
 
NATing multiple outside addresses to one internal address as 'statics' may cause you a problem. I can't think of any reason that you would need to do this. Just because the box runs multiple services, it can still do this on a single global IP address, i.e. NAT ONE outside address to that internal server and then just apply rules to allow specific traffic to that (single) address.

Why you need TWO NAT rules to allow DNS and another TWO NAT rules to allow SMTP is beyond me!

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 