CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
I'm going crazy trying to get this working; I've searched around and followed instructions given to others but I just can't get this working: NGX R61 on a Nokia IP265. Trying to get SMTP from a public IP address to an internal SMTP server. I've created two rules:

Security rule:
- Source: Any
- Destination: public IP of SMTP server (also tried putting the internal address in here)
- Service: SMTP
- Action: accept

Address translation:
- Original Source: Any
- Original Destination: public IP of SMTP server
- Original Service: SMTP
- Translated Source: = Original
- Translated Destination: private IP of SMTP server
- Translated Service: = Original

It just DOESN'T work. Automatic hide and static NAT works fine, but in this case I'd like to translate just SMTP stuff from this address - we may have other services on the address in the future going to different boxes. What am I doing wrong?

When you set up the static NAT rule do you have one for outbound? i.e.
- Original Source: private IP of SMTP server
- Original Destination: any
- Original Service: SMTP
- Translated Source: public IP of SMTP server
- Translated Destination: = Original
- Translated Service: = Original

I didn't (thought it might do that automatically, but I can see why it wouldn't), but I've added that in and I still can't connect to port 25 on the public address :(

NAT rules now look like:
- any - public IP - smtp / original - private IP - original
- private IP - any - smtp / public IP - original - original

I've got corresponding security rules too:
- any - public IP - smtp
- public IP - any - smtp
- any - private IP - smtp
- private IP - any - smtp

(I know eventually I'll only need two of the above, but this is just for testing.)

That's the strange thing. If I telnet out to port 25 somewhere from the mail server, everything is fine, I can get a connection, and I can see the entry in the logs: the Xlatesrc is correct etc. But connecting to port 25 from the outside world to the public address shows nothing in the logs! I've tried several different addresses, including ones that had been automatically NAT'd previously, and it's just not working :(

As someone else said, does Tracker show the NAT translation happening? Did you do an fw monitor to view traffic? Does the SMTP server have a route for the source?

"connecting to port 25 from the outside world to the public address shows nothing in the logs!"

Assuming your rule is logging, this sounds like a routing problem, not a fw problem.

Last edited by dfwboiler; 2007-04-07 at 14:50.

Did you set up proxy ARP? When using manual NAT, the firewall cannot automatically add the proxy ARP entry. You might want to try and use automatic NAT and see if it works.

Like chillyjim says, no logs in the firewall means packets aren't getting there, which in turn suggests that the firewall isn't replying to ARP for the public IP. Unless you have a complex setup, automatic NAT is a much easier and more elegant way to solve this. My suggestion:

- Change the SMTP inbound rule to use the private IP object
- Delete the manual NAT rule and the Public IP object
- Add automatic address translation to the private IP object (edit it and go to the NAT tab, select automatic address translation, enter the public IP and choose "Static")
- Push the policy

That should be it.
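Added example, not from this thread or from Check Point: a small Python lint over a constructed manual NAT rulebase that flags the two gaps the replies above point at, a static destination rule with no reverse (outbound) rule, and a public IP on a directly connected subnet that no gateway interface owns and no proxy ARP entry covers. NatRule, lint_nat and the sample addresses are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface

ANY, ORIG = "Any", "=Original"          # Check Point rulebase placeholders

@dataclass(frozen=True)
class NatRule:
    """One manual NAT rule: original (src, dst, svc) -> translated (src, dst, svc)."""
    orig_src: str
    orig_dst: str
    orig_svc: str
    xlate_src: str
    xlate_dst: str
    xlate_svc: str

def lint_nat(rules, gw_interfaces, proxy_arp):
    """Check every static destination-NAT rule; return findings ([] = consistent)."""
    ifaces = [ip_interface(a) for a in gw_interfaces]  # addresses the gateway owns
    findings = []
    for r in rules:
        if r.xlate_dst in (ORIG, ANY):
            continue                                   # not an inbound static rule
        public, private = ip_address(r.orig_dst), ip_address(r.xlate_dst)
        # Gap 1 (first reply): the outbound direction needs its own rule
        # translating the private source back to the public address.
        if not any(o.orig_src == str(private) and o.xlate_src == str(public)
                   for o in rules):
            findings.append(f"{public}: no outbound rule translating source "
                            f"{private} -> {public}")
        # Gap 2 (proxy ARP): the gateway answers ARP only for its own interface
        # addresses unless a proxy ARP entry covers the public IP.
        if any(public == i.ip for i in ifaces):
            continue
        if any(public in i.network for i in ifaces) and str(public) not in proxy_arp:
            findings.append(f"{public}: on a connected subnet but no proxy ARP entry, "
                            "so upstream ARP requests go unanswered and nothing reaches "
                            "the rulebase or the logs")
    return findings

# Constructed sample mirroring the thread's second rulebase: inbound static SMTP
# rule plus its reverse rule, but no proxy ARP entry for the public address.
SAMPLE_RULES = [
    NatRule(ANY, "203.0.113.25", "smtp", ORIG, "10.0.0.25", ORIG),
    NatRule("10.0.0.25", ANY, "smtp", "203.0.113.25", ORIG, ORIG),
]
SAMPLE_IFACES = ["203.0.113.1/24", "10.0.0.1/24"]     # external, internal (constructed)
```

Calling `lint_nat(SAMPLE_RULES, SAMPLE_IFACES, proxy_arp=set())` reports only the missing proxy ARP entry; passing `{"203.0.113.25"}` as the proxy ARP set returns no findings.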