How are you handling your mail? Does your mail server have its own external IP address? (I have about 6 addresses I can use. I assigned one just to the mail server.)

Make sure that you ARP the IP address onto the Ethernet adapter. In Windows it's probably just adding it in the network config. For me, on AIX, I had to use the ARP command to add it. Because the firewall itself has to respond to the IP address, it has to know that it is supposed to do so.
Access Rules:
  Source     Destination   Service   Action
  ANY        MAIL_EXT      SMTP      ACCEPT
  MAIL_INT   ANY           SMTP      ACCEPT

NAT Rules:
  Original Source   Original Destination   Original Service   Translated Source   Translated Destination   Translated Service
  INT_NET           INT_NET                ANY                ORIGINAL            ORIGINAL                 ORIGINAL
  !INT_NET          MAIL_EXT               SMTP               ORIGINAL            MAIL_INT                 ORIGINAL
  MAIL_INT          ANY                    SMTP               ORIGINAL            MAIL_EXT                 ORIGINAL
Oh yeah, something that bit me in the butt. If you use your Firewall IP address as the address for your mail server, make sure that you put the SMTP accept rule above the firewall stealth rule.... Ya know, the "ANY FIREWALL DROP ALERT" rule.

I don't know if any of this is even your problem, but I like to at least try and help. :)
Joe
======================================================================
Joseph Voisin, Systems and Network Administrator, Engel Canada Inc.
www.engelmachinery.com |
[email protected] |
======================================================================
-----Original Message-----
From: Hanke, Eric [mailto:[email protected]]
Sent: Wednesday, October 24, 2001 5:12 PM
To: [email protected]
Subject: [FW-1] Migration Headache
Hello list:
Tried a migration (fresh install) of FW-1 4.1 last night on a Windows 2000 SP2 Compaq Proliant 1600. Thought the install went well until my users were not able to receive any e-mail; sending e-mail was OK.

Here is a quick config rundown:
Checkpoint FW-1 4.1 SP5 on Enforcement Module (Windows 2000 SVR SP2)
Checkpoint FW-1 on the GUI Client and Management Module (Windows 2000 SVR SP2)

This was a fresh install. I opted to manage my routes manually; I already had a text printout of the routes from my NT 4.0 Firewall-1 (4.0).

Basically the first few rules look as such:
Firewall -----> Management Accept
Management -----> Firewall Accept
ANY -----> SMTP_SVR(NAT'ed) Accept
SMTP_SVR(NAT'ed) -----> Outside_world Accept

I also had the necessary DNS rules installed so the Mail server could do a DNS lookup. The strange thing is that on the Log you could see the Firewall pass the request from the public IP of the SMTP server to the NAT'ed address, but the SMTP server never received the e-mail.

I think this is a routing problem; I am new to routing with Windows 2000. Any ideas or a thought on what to look at next is greatly appreciated.
Eric
Eric M Hanke
Senior Network Engineer
Tempel Steel Company
Magnetic Steel Laminations for the Electronic and Electrical Industries
Phone