On 9/25/07, Aleksander Kamenik <[EMAIL PROTECTED]> wrote:
>
> Indunil Jayasooriya wrote:
> >
> > SECOND Firewall's default route (gateway) is NOT the FIRST firewall.
> > BOTH firewalls' default route (gateway) is the router given by our ISP.
>
> Ok, so you understand your problem now?
>
> Assuming the packet arrives at 1.2.3.4 from a random external IP (e.g.
> 5.5.5.5), is successfully DNATed+rerouted to 2.3.4.5, there again
> DNATed+rerouted to 192.168.x.x. It arrives at the SMTP server and the SMTP server
> sends a reply to the original sender 5.5.5.5. It does that via its
> default gateway, which I assume is 2.3.4.5. 2.3.4.5 sends it via your
> ISP's gateway with its own address of 2.3.4.5 to 5.5.5.5.
>
> But 5.5.5.5 sent the packet to 1.2.3.4, not 2.3.4.5, so it discards it.
YES, I got it. And that's exactly what Riccardo said when I read his mail now.

> The first problem though is that I'm not sure the DNAT from 1.2.3.4 to
> 2.3.4.5 works, the packet would have to leave via the same interface it
> came in on. Maybe this works, I've never tried that. Make sure packets arrive
> on the SMTP box with tcpdump.
>
> As for the solution, one way would be to SNAT the connection at FW1, but
> this would cause the SMTP box to see all the incoming connections as if they
> are from 1.2.3.4 and not their real IPs (5.5.5.5).
>
> Actually you should set up custom routing at 1.2.3.4 and not DNAT. You'd
> have to mark the packets and then send them to the 2.3.4.5 fw via a
> custom route. I'm not sure I could help you with that, never done any
> advanced routing.

Thanks for your excellent help given so far. I will try with advanced routing. Is it policy routing?

> --
> Aleksander Kamenik
> system administrator
> +372 6659 649
> [EMAIL PROTECTED]
>
> Krediidiinfo AS
> http://www.krediidiinfo.ee/
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

--
Thank you
Indunil Jayasooriya
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
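As an added illustration (not code from this thread or from either poster), here is a small Python model of the double-NAT path discussed above: each firewall keeps a conntrack-style table and reverses its own translation on replies, the way netfilter does. The addresses are the thread's placeholders; the SMTP box address 192.168.1.10 is assumed. It reproduces both the asymmetric-return failure and the trade-off of SNATing at FW1.

```python
# Constructed addresses: the thread's placeholders plus an assumed SMTP box.
CLIENT, FW1, FW2, SMTP = "5.5.5.5", "1.2.3.4", "2.3.4.5", "192.168.1.10"


class NatHop:
    """One netfilter box doing DNAT (and optional SNAT) with connection tracking."""

    def __init__(self, name, dnat_to, snat_to=None):
        self.name, self.dnat_to, self.snat_to = name, dnat_to, snat_to
        self.conntrack = {}  # original (src, dst) -> translated (src, dst)

    def forward(self, src, dst):
        # New inbound connection: rewrite destination, and source if SNAT is set.
        new_src = self.snat_to or src
        self.conntrack[(src, dst)] = (new_src, self.dnat_to)
        return new_src, self.dnat_to

    def reply(self, src, dst):
        # A reply is the translated tuple reversed; undo the mapping if we have state.
        for (osrc, odst), (tsrc, tdst) in self.conntrack.items():
            if (src, dst) == (tdst, tsrc):
                return odst, osrc
        return None  # this hop never saw the connection


def smtp_round_trip(snat_at_fw1):
    """Walk one SMTP connection in and its reply out; report what each end sees."""
    fw1 = NatHop("FW1", dnat_to=FW2, snat_to=FW1 if snat_at_fw1 else None)
    fw2 = NatHop("FW2", dnat_to=SMTP)
    # Forward path: client -> FW1 -> FW2 -> SMTP server.
    s, d = fw1.forward(CLIENT, FW1)
    s, d = fw2.forward(s, d)
    seen_by_smtp = s
    # Reply path: the server answers whatever source it saw. The reply leaves
    # through FW2's default gateway (the ISP router), so only FW2 un-DNATs it.
    s, d = fw2.reply(SMTP, seen_by_smtp)
    # FW1 only gets to undo its translation if the reply is addressed to it.
    if d == FW1:
        s, d = fw1.reply(s, d)
    return {
        "smtp_sees_client": seen_by_smtp,
        "client_sees_src": s,
        # The client only accepts a reply from the address it connected to.
        "accepted": s == FW1,
    }
```

Without SNAT the reply leaves FW2 with source 2.3.4.5 and the client drops it; with SNAT at FW1 the path is symmetric, but the SMTP box now logs 1.2.3.4 as every client's address, which is the trade-off Aleksander points out.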