Firewall-1

Re: [FW-1] Inbound connections being NAT'd to firewall

Subject: Re: [FW-1] Inbound connections being NAT'd to firewall
From: "Brooks, George [Contractor]" <George.Brooks AT SSP.NAVY DOT MIL>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Wed, 18 Aug 2004 17:40:57 -0400
I have working what I wanted to work, but I will try to explain.

The Internet is 10.10.10.xxx
The External IP address of my firewall is 192.168.100.30 which is also
the MX record value
The Internal IP address of my firewall is 192.168.200.29
My Internal SMTP server IP address is  192.168.1.230


Originally, a mail message from the internet to my organization is:

        [S] 10.10.10.100 -->  [D] 192.168.100.30

I have a redirect rule on the firewall to send it to my internal SMTP
server.  So the packet is translated to

        [S] 10.10.10.100 -->  [D] 192.168.1.230

I cannot put a NAT rule using a source address of *ANY, so what I
did was create a rule that contains all Class A, B, and C addresses.
Then I used it in a NAT rule.

So now this is what happens

        [S] 10.10.10.100 -->  [D] 192.168.100.30

is translated to

        [S] 192.168.200.29 -->  [D] 192.168.1.230


I am only concerned about INCOMING SMTP traffic, outgoing mail is being
handled properly.

There are other reasons that I want to do this.  Because of the way our
Extranets are configured (and I can not get into that discussion here),
there is another route to 10.10.10.100 that does not go through this
firewall.  SMTP traffic is required to come through the internet, but
all other traffic comes through the Extranet.  When incoming SMTP
traffic comes through the firewall showing its original IP address, we
have a lot of routing problems and email does not flow.  So we need
incoming mail from the internet to reflect the internal interface of our
firewall.

Also because of the way the network is set up, our SMTP server MUST
relay outgoing email.

As I said originally, our Raptor firewall did this for me seamlessly.



George Brooks
BAE Systems @ Strategic Systems Programs
202-764-2154


-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of
Previtera, Sal
Sent: Wednesday, August 18, 2004 12:18 PM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] Inbound connections being NAT'd to firewall

Turn Relay Off the SMTP server....use it only as incoming SMTP server.

Outgoing SMTP traffic should be directed to the Checkpoint firewall,
create an SMTP resource in the firewall configuration and appropriate
firewall rules to forward the SMTP traffic out the Internet.

You cannot hide the external SMTP IP address, that is public information
on your DNS records....it is called the MX record...that is how e-mail gets
routed to your organization.

Other than that, I am totally confused on what you are trying to do!


-----Original Message-----
From: Brooks, George [Contractor] [mailto:George.Brooks AT SSP.NAVY DOT MIL]
Sent: Wednesday, August 18, 2004 10:28 AM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] Inbound connections being NAT'd to firewall

My goal is not to hide the address of my incoming mail server.  I am
trying to hide the addresses of external mail servers that need to
connect to my internal mail server.

I am just trying to see if anyone has tried this.

George Brooks
BAE Systems @ Strategic Systems Programs
202-764-2154


-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Crist Clark
Sent: Tuesday, August 17, 2004 5:55 PM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] Inbound connections being NAT'd to firewall

Brooks, George [Contractor] wrote:

> It seems that Checkpoint has a limitation that I did not have with my
> Raptor firewall.  In the past, all incoming requests to our email server
> hid the address of the incoming mail server.  This made it easy for us
> to prevent our email server from being used as a relay from the
> internet, while at the same time, allowing all of our other internal
> mail servers to use this server as a relay.
>
> Has anyone gotten around this limitation by building a set of supernets
> that would include all possible Class A, B, and C networks?  If so, did
> it work?

It's pretty easy to set up NAT to "hide" the address of your incoming
mail server. However, I don't see how that would have any impact on
your ability to prevent relaying.

Configuring a set of networks that contains all A, B, and C networks
is trivial,

   Class_A      Network: 0.0.0.0        Mask: 128.0.0.0
   Class_B      Network: 128.0.0.0      Mask: 192.0.0.0
   Class_C      Network: 192.0.0.0      Mask: 224.0.0.0

But I'm not sure how that helps anything.
--
Crist J. Clark                               crist.clark AT globalstar DOT com
Globalstar Communications                                (408) 933-4387
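The two translation steps George describes (static destination NAT to the mail server, then hide NAT of the source to the firewall's internal interface) and Crist's three Class_A/B/C supernet objects, as an added Python example that is not from the thread; the addresses are the ones quoted above, and Packet, matches_supernets, translate_inbound and uncovered_ranges are names invented here. It also checks what the three supernets leave out, which the thread does not state.

```python
import ipaddress
from dataclasses import dataclass, replace

# Addresses as given in George's message (constructed example values).
FW_EXTERNAL = ipaddress.ip_address("192.168.100.30")   # external IP / MX record
FW_INTERNAL = ipaddress.ip_address("192.168.200.29")   # internal IP, hide-NAT source
SMTP_SERVER = ipaddress.ip_address("192.168.1.230")    # internal SMTP server

# Crist's three network objects, written as prefixes (mask 128/192/224.0.0.0).
CLASSFUL_SUPERNETS = {
    "Class_A": ipaddress.ip_network("0.0.0.0/1"),
    "Class_B": ipaddress.ip_network("128.0.0.0/2"),
    "Class_C": ipaddress.ip_network("192.0.0.0/3"),
}

@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int

def matches_supernets(addr):
    """Name of the supernet object that would match addr, or None."""
    for name, net in CLASSFUL_SUPERNETS.items():
        if addr in net:
            return name
    return None

def translate_inbound(pkt):
    """Apply the two NAT steps from the thread to one inbound packet:
    1. destination NAT: MX address -> internal SMTP server
    2. hide NAT: source -> firewall internal IP, only for sources in the supernet set
    Returns the packet as the SMTP server would see it."""
    if pkt.dport != 25 or pkt.dst != FW_EXTERNAL:
        return pkt                              # not inbound SMTP to the MX address
    pkt = replace(pkt, dst=SMTP_SERVER)         # step 1
    if matches_supernets(pkt.src) is not None:
        pkt = replace(pkt, src=FW_INTERNAL)     # step 2
    return pkt

def uncovered_ranges():
    """IPv4 space the three supernets do not match (a 'source ANY' substitute gap)."""
    leftover = [ipaddress.ip_network("0.0.0.0/0")]
    for net in CLASSFUL_SUPERNETS.values():
        nxt = []
        for cur in leftover:
            if net.subnet_of(cur):
                nxt.extend(cur.address_exclude(net))   # carve the supernet out
            elif not cur.subnet_of(net):
                nxt.append(cur)                        # untouched by this supernet
        leftover = nxt
    return sorted(ipaddress.collapse_addresses(leftover))
```

The only space the three objects miss is 224.0.0.0/3 (multicast and reserved), which is never a legitimate unicast source, so the set behaves like "source ANY" for real SMTP clients.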

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================