Netscreen and Mail Servers

Mail used to go straight to my mail server, so my MX record matched my sending mail server (i.e. reverse DNS checked out). I have since moved the receiving of mail to another server, so my sending and receiving servers have different IP addresses. I have a Netscreen firewall; does anyone know how I can configure this so that my sending mail server will have a NAT address of my MX record? Thanks.

Pierce

Just make a MIP on the untrust interface from the previous public address to the new internal address.

Then make a policy from external (all) to internal MIP(public address) for service smtp. You needn't enable NAT, it's implied by the MIP.

Return traffic from the internal server will go out the MIP public address, not the gateway public address.

-Russ.


That will work if the mail is going to and from the same server. But the mail is going to server A, and being sent back out from server B. So my MIP will point to server A, but then when server B sends mail it will go out with the gateway address.

Pierce

What you need to do is define a DIP of a single address on the same IP as the MIP -- try it, not sure if your version of firmware and your box will let you do that or not. But if it can, then you make a trust --> untrust policy for server B, with NAT, then check the DIP in the NAT properties. This makes it come out the DIP IP.

If you can't do this, try erasing your MIP on server A and put in a VIP for smtp to server A instead. It might let you make a DIP and a VIP on the same IP, even if it won't let you make a DIP and a MIP on the same one. If this works, you'll need two policies, one for server A *and* B to both NAT out (trust -> untrust) on your DIP, then a second policy in for your VIP(serverA) with service smtp.

-Russ.


It does not seem to want to let me create a DIP using a MIP or a VIP. Am I out of luck? Thanks for your help.

Pierce

Describe exactly what you're doing and the error -- you may in fact be out of luck. Some boxes let you do that and some don't.

What firmware are you on?

-Russ.

4.0.3r1.0.

I did some more testing and it looks like I can actually add a MIP (haven't tested a VIP yet) that matches my untrust interface IP. I was not able to do that when I got the box, so I had eliminated this possibility, but this must have changed at some point during my ScreenOS upgrades over the years. This would work, because I can set up a MIP that points to my receiving mail relay, and when I send mail from my mail server it will take the untrust IP (as it is now) and that would match my MX. This just means I have to change my MX record. What do you think? Thanks for your help.

Pierce

Well, that's OK, but you really should consider a VIP instead, because a MIP directs *everything* to that mail server and leaves you no other options. With a VIP you can still peel off other services for other servers inside your LAN. But yes, that should accomplish what you need quite well.

-Russ.

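The configuration Russ describes in his first post (a MIP plus an inbound SMTP policy) and the VIP-on-the-interface-IP arrangement he recommends at the end, written out as ScreenOS CLI. This is an added example, not something posted in the thread, and it assumes a constructed topology: ethernet3 as the untrust interface with public address 203.0.113.10, ethernet1 as the trust interface in NAT mode, server A (receiving) at 10.0.0.10 and server B (sending) at 10.0.0.11. The command forms are the ones documented for 5.x-era ScreenOS; Pierce's 4.0.3r1.0 may accept a subset, as his own tests showed.

```text
# Added example, assumed topology (constructed RFC 5737 / RFC 1918 addresses):
#   ethernet3 = untrust interface, public IP 203.0.113.10 (the address the MX record names)
#   ethernet1 = trust interface, NAT mode
#   server A  = 10.0.0.10  (receives inbound SMTP)
#   server B  = 10.0.0.11  (sends outbound SMTP)
set address trust "serverA" 10.0.0.10 255.255.255.255
set address trust "serverB" 10.0.0.11 255.255.255.255

# --- Option 1: MIP on the untrust interface's own IP (what Pierce found his box accepts) ---
# A MIP is a one-to-one translation: every inbound connection to 203.0.113.10,
# on any port, is mapped to server A.
set interface ethernet3 mip 203.0.113.10 host 10.0.0.10 netmask 255.255.255.255 vr trust-vr
# The MIP only translates; this policy is what actually permits traffic through,
# and limiting it to smtp keeps the other ports on server A unreachable.
set policy from untrust to trust any mip(203.0.113.10) smtp permit

# --- Option 2: VIP on the interface IP (Russ's recommendation) ---
# A VIP maps one port to one internal host, so the remaining ports on 203.0.113.10
# stay available for other servers later. Remove the MIP first; both cannot claim
# the same public address.
unset interface ethernet3 mip 203.0.113.10
set interface ethernet3 vip interface-ip 25 smtp 10.0.0.10
set policy from untrust to trust any vip(ethernet3) smtp permit

# --- Outbound from server B (used with either option) ---
# Source-NAT server B's outbound SMTP to the egress interface address, so the
# remote MTA sees a connection from 203.0.113.10, the same address the MX and its
# PTR record name. With the trust interface in NAT mode this is already the default;
# the explicit policy pins it down to SMTP from server B only.
set policy from trust to untrust "serverB" any smtp nat src permit

# --- Russ's earlier suggestion: single-address DIP on the same public IP ---
# Pierce's firmware rejected a DIP on an address already used by a MIP or VIP.
# Where a box does allow it, the pair below would send server B out from the DIP
# address instead of the interface address.
set interface ethernet3 dip 5 203.0.113.10 203.0.113.10
set policy from trust to untrust "serverB" any smtp nat src dip-id 5 permit
```

After changing the MX record to 203.0.113.10, the check worth doing from outside is the one the thread started with: the address a remote MTA sees on server B's outbound connection must resolve (PTR) to a name that resolves back to that same address and matches what the MX advertises; with the interface-IP arrangement above, both inbound and outbound share that one public address, which is exactly the property Pierce lost when he split the servers.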

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.