I have an issue that I'm really hoping someone knows about.
We had an old Exchange 2000 server that was failing, with an internal IP of 192.168.1.2, set up with static NAT on Checkpoint FW-1 NG FP3. When I set up our new Exchange 2003 server on new hardware, I gave it an internal IP of 192.168.1.4 so that it could co-exist with the old server while the config was moved over, and a new anti-spam tested for a month or so. I then went on the Checkpoint server and changed the IP address ending in the 2 to a 4 on the node that represents the internal half of the static NAT.
Incoming mail works fine, internal mail works fine, 90% of the outgoing mail reaches its destination quickly. 10% of the mail doesn't reach certain clients on the outside.
Tracing this, I find that the mail leaves our network, reaches the destination mail server, then times out, comes back and sits in our queue for a retry.
I tried everything from an Exchange/SMTP point of view, but everything checked out. I then activated the second NIC in the mail server and unplugged the Checkpoint Firewall from the network, and assigned the outside NAT address of 207.x.x.163 to the 2nd NIC card of the new Exchange server, and rebooted. After this ALL mail flows fine (without the firewall).
When I talked to the client we had a problem sending mail to, he observed that we were sending a lot of "out of state" packets coming into his Checkpoint Firewall. His systems were in turn sending "out of state" packets back. I figure this was his anti-spam requesting some data from our mail server.
We have this problem with about 5 companies so far, including anyone at a Hotmail address.
Why is the firewall doing this? Is there any way to fix the out of state packet problem?
Cheers,
Brad