Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Static route?

Status
Not open for further replies.

Abernut

IS-IT--Management
Jul 18, 2007
14
US
It is hard to describe my topology so I drew it out and it should be attached to this.

We have three sites, Florida, New York, and California connected via Branch Office VPNs.

Florida
Watchguard X700
LAN-192.168.0.0/24

I also have my web/email server attached to the WG using our Public IP's.

NY
Watchguard Edge
LAN-192.168.1.0/24

CA
Watchguard Edge
LAN-192.168.2.0/24


We recently switched to a Verizon MPLS network.

The problem is that if I take the two Edges out of the equation and let the traffic come in on the MPLS...they can not access my exchange server.

In my X700 I see a
DENY Out Eth1 TCP 20 124 192.168.2.101 71.85.32.41 110 Spoofed Address, every time someone hits send/receive in outlook. (I have them set up to just POP my mail server)

If I can provide any more info please let me know.

Thank you,



 
A quick look suggests you're getting internal traffic hitting the watchguard (I'm assuming it's set as a true DMZ for exchange) instead of coming through the internet side.

Don't blindly bang a rule in because I could have misread but it look like you need to allow traffic from your internal network to the Exchange server with a rule - my concern is if that traffic is hitting the watchguard in the right place.

I think the options are - make an internal IP for Exchange and save the trombone effect of going through the Watchguard at all, OR make a rule to allow what's happening now, OR if it's possible remove the exchange servers connection with the internal IP range (may not be practical)

 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top