Transparent redirect with CP R55

[ipfw_rules]

Hello people.

I was recently forced to implement several Checkpoint FW-1 clusters running Checkpoint NG AI on Solaris.
Now, Im trying to get them to do what a modern firewall should be able to do, but I have very little success.

I want to hijack all outgoing connections with a destination port of 25 and redirect them to a local server. Basically, we want to allow smtp, but only trough our own server, and it should be transparent so that the users doesnt have to change anything.
The rule Im trying to implement looks like this:

ORIGINAL TRANSLATED
SOURCE DEST SERVICE SOURCE DEST SERVICE
local_net any smtp original local_smtp original

Checkpoint refuses and says that if original destination is any then translated destination must = original. What is the point of having translation if you are not allowed to translate?

Can anyone verify that CP really is not able to do this?
Does anyone know if there is a workaround?
I simply can not phatom that a ridiculously expensive and well-known firewall is not able to do simple redirects.

[ddarby1]

Hi,

I've got an idea that what you're after is not a NAT rule, but a security rule using an SMTP resource (defined under 'Resources' in the left hand GUI).

In the resource properties you would then specify your mail server IP address.
After this in the security rule, you would set the service as 'Add with Resource', then add SMTP and the SMTP Resource.

I've not tried it yet but basically this should use the FW-1 SMTP Security Server to hijack all the SMTP connections and redirect them as you require.

Any comments welcome, I'm not an expert.

[gafrol]

Hi,

the easiest way to do that is to use the smtp_mapped service. You'll find it under "Services" --> "Other" --> smtp_mapped. There are other _mapped services for http and ftp for example.

You need to adjust the smtp_mapped service under "Advanced..." and fill in your IP address and Port as required.

rgds
gafrol

[chillyjim]

Quote:

Originally Posted by ipfw_rules

Now, Im trying to get them to do what a modern firewall should be able to do, but I have very little success.

What firewall lets you "NAT" *:25 -> Fixedaddress:25?

I'm pretty familiar with the major non-proxy firewalls and don't know any that will support this. A proxy, like sidewinder will.

That being said, what you are trying to do is not NAT but port mapping and gafrol's answer should work.