----- Original Message -----
From: "Joerg Oertel" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, June 02, 2000 7:00 AM
Subject: Re: [FW1] Advanced Misuse Configuration Guide :-)
>
> On Fri, 02 Jun 2000 05:33:24 -0700, Jerald Josephs wrote:
>
> >It is more accurate to state that NAT is one of the last things that FW-1 will
> >do rather than stating that it occurs on the outbound interface. I know that we
> >have stated that NAT occurs on the outbound interface before, but that is not
> >what is happening on all platforms FW-1 runs on.
>
> Well, at least the FW-1 manual shows it in this way (I'm talking
> about V4.0 here).
>
> >
> >Unfortunately, since this thread does not include all responses, it is not easy
> >to determine what was suggested and what does and does not work.
>
> No additional responses via private mail.
>
>
> >
> >Going back to Joerg's original email. I see that he wants to use Static NAT
> >to translate the valid, external IP address associated with this site's MX record
> >to the invalid, internal IP address assigned to the SMTP server, which has been
> >relocated behind the firewall.
> >
> >But, I only see the FWXT_DST_STATIC rule. What about the FWXT_SRC_STATIC
> >rule? What has been done to enable the SMTP server to have its packets translated
> >back to the valid, external IP address?
>
> Yeah, that was the easy part and has been done by automatic NAT rules.
> The tricky part is to catch the SMTP traffic and translate the
> destination address to a new server that is located in the great wide
> open (where the other server has been located before). To achieve this
> I created the rule described in my original post. If this would work,
> the answer packets from this server to the sender won't touch the
> firewall again, hence I don't need a "translate back" rule.
>
> Maybe this ASCII "Art"work can clarify what I mean:
>
>      valid address                          private address
>  traffic-----------------> NAT ----------->
>                                                      +---------+
>   /~~^''')              +----------+                 |relocated|
>  Internet)------+-------|   FW-1   |----------------|  mail   |
>   _______)      |       +----------+                 | server  |
>      ^          |             |special NAT           +---------+
>      |     +---------+        |(SMTP)
>      |     |  new    |<-------+to new server with a valid address
>      +-----|  mail   |
>   answer   | server  |
>   to       +---------+
>   sender
>
> My experiments show that SMTP traffic is indeed translated to the new
> server's address, but is routed to the segment where the old
> (relocated) server resides.
>
> Kind regards,
>
> Joerg
>
Let's see if I (finally) understand this!:

1) SMTP is initially directed to an IP address associated with an MX record and
this IP address is on the external LAN.

2) Routing has the packets that are addressed to this IP address going through
the firewall, which does NAT and the new destination IP address is the recently
relocated (and now internal) SMTP server. This enables FW-1 to filter these packets.

3) But, we really do not want the internal server to receive these packets and would
rather have all SMTP land on the new external SMTP server.

I would locate the SMTP server behind the firewall and modify the NAT rules
so that the MX IP translates to the new SMTP server. I would not go any further
in attempting to munge with the routing to get around a poor network design.

Actually, I would set up a public server network segment and locate the new SMTP
server on this segment and configure it to be a mail relay and then continue to use
the newly relocated internal server as the mail host. This would enable me to correctly
use the SMTP Security Server to filter SMTP packets.

--- Jerald Josephs
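A small forwarding model of the behaviour discussed in this thread, added here and not part of either poster's message: it pushes one packet through a static destination-NAT table and a longest-prefix routing table under two orderings, route-then-NAT (the reading in which NAT is one of the last things the firewall does) and NAT-then-route, and reproduces Joerg's observation that the SMTP packet is rewritten to the new server's address yet leaves on the segment where the relocated server sits. All addresses, the interface names "ext"/"int" and the rule table are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed addressing (RFC 5737 documentation ranges); not from the thread.
MX_ADDR = "203.0.113.25"     # valid address published in the site's MX record
NEW_MAIL = "203.0.113.30"    # new mail server, valid address on the external segment
RELOCATED = "10.0.0.25"      # relocated server, private address behind the firewall

# Routing table as (prefix, egress interface); longest prefix wins.
ROUTES = [
    ("0.0.0.0/0", "ext"),
    ("203.0.113.0/24", "ext"),
    ("10.0.0.0/24", "int"),
    (MX_ADDR + "/32", "int"),   # the MX address is homed on the internal segment
]

# Static destination-NAT rules as (dst, dport or None for any, translated dst);
# first match wins, so the SMTP-specific rule sits above the catch-all.
DNAT_RULES = [
    (MX_ADDR, 25, NEW_MAIL),      # the "special NAT" rule for SMTP
    (MX_ADDR, None, RELOCATED),   # the automatic static rule for everything else
]

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

def route(dst: str) -> str:
    """Longest-prefix match of dst against ROUTES; returns the egress interface."""
    addr = ipaddress.ip_address(dst)
    table = [(ipaddress.ip_network(p), iface) for p, iface in ROUTES]
    net, iface = max((e for e in table if addr in e[0]), key=lambda e: e[0].prefixlen)
    return iface

def dnat(pkt: Packet) -> Packet:
    """Apply the first matching destination-NAT rule, if any."""
    for dst, dport, new_dst in DNAT_RULES:
        if pkt.dst == dst and dport in (None, pkt.dport):
            return replace(pkt, dst=new_dst)
    return pkt

def forward(pkt: Packet, nat_before_route: bool) -> tuple:
    """Return (destination address on the wire, egress interface) for one ordering."""
    if nat_before_route:
        pkt = dnat(pkt)
        return pkt.dst, route(pkt.dst)
    iface = route(pkt.dst)     # route chosen on the ORIGINAL destination
    pkt = dnat(pkt)            # NAT applied late, after the routing decision
    return pkt.dst, iface      # new address, but the old segment's interface
```

With route-then-NAT the SMTP packet comes out as (NEW_MAIL, "int"), which is exactly the symptom reported; only NAT-then-route yields (NEW_MAIL, "ext").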
