
Full NAT XG v17 MR6

Sorry if I ask such a simple question, but the search hits are confusing me more than they help, since it seems to change from version to version...

I'm relatively new to XGs and have to set up my first customer's XG. I'm coming from SGs, I know how to do it there but on XG I struggle.


I have 3 external IPs out of a /29 netmask. The first is the XG's WAN interface, the other 2 are configured as aliases. Now I want to configure NAT rules on those aliases. The "incoming" part is no problem - at least I think...

I configured a business application rule as follows:
- Source Zones: WAN
- Allowed Client Networks: Any
- Destination Host/Network: Port 5/Alias IP
- Services: SMTP

- Protected Server: mailserver (LAN IP) - it is an antispam appliance, so don't mind about opening SMTP
- Protected Zone: LAN

- No IPS rule active, till now no checkbox active under "Routing".


As far as I understand the XG, that should cover the mailserver being accessible via SMTP over the internet. Now I want the SMTP connections FROM this server to leave the XG over the same alias interface that the traffic comes in on. Is it enough to enable "Create reflexive rule" for that?

On an SG UTM I would have configured 2 NAT rules, a DNAT incoming and an SNAT outgoing. I don't see if the "Masquerading" part covers the incoming connection or the outgoing connection. Or do I have to create a 2nd (firewall) rule for the outgoing connection?



  • Hi,

    you will need to use a business rule for the incoming traffic to your mail server; there are templates for SMTP.

    You will need to create a business rule with a NAT for your incoming mail; again, there should be business rule templates.

    Ian

  • Hi Ian,

    thanks for your reply. The SMTP templates are only for the XG doing the mail scanning, aren't they? This part is covered by the device that is the destination on the LAN side.
    So I think I have to use a normal DNAT template here, since the customer hasn't licensed "Mail Protection".

    What I do not understand completely is the "reflexive" rule checkbox. Does this automatically cover all outgoing SMTP connections from the configured LAN target to WAN, with automatic SNAT over the external IP configured as "Destination Host/Network" in the "Business Application Rule", or do I have to create a manual "User/Network Rule" that covers this part?

  • Hi,

    another attempt, this time without the cats assisting; they turned the Mac off.

    Without the mail protection you will not be able to use the mail business rules, but you can set up your own rules to pass SMTP/S, as with HTTP/S (web proxy) scanning, as a firewall rule.

    Ian

  • It is always safer to create a separate LAN to WAN network rule for the mail server's outgoing connections with a specific outbound IP than to use a reflexive rule. Wrongly configuring them may result in mail being sent through the firewall IP and being blacklisted by recipient servers.
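
    An added illustration of the failure mode this reply warns about (example code written for this page, not from the thread or from Sophos): a small first-match model of SNAT rule evaluation in which a mail server's outbound traffic either hits a host-specific SNAT rule that pins it to the alias IP used for its inbound DNAT, or falls through to a broader LAN-to-WAN masquerade (or a shadowed rule) and leaves on the primary WAN IP. The addresses are constructed sample values, and the first-match/default-masquerade semantics are a modelling assumption, not a statement of how XG implements the reflexive checkbox.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample addressing: a /29 with the XG's primary WAN IP and one alias.
WAN_PRIMARY = ip_address("203.0.113.1")   # interface address used by default masquerade
ALIAS_MAIL = ip_address("203.0.113.2")    # alias the inbound SMTP business rule DNATs on
MAILSERVER = ip_address("192.168.1.25")   # protected server (antispam appliance) on LAN
LAN = ip_network("192.168.1.0/24")

# Inbound DNAT mapping from the business application rule: public alias -> LAN host.
DNAT = {ALIAS_MAIL: MAILSERVER}


@dataclass(frozen=True)
class SnatRule:
    source: object  # ip_network the LAN source must fall inside
    to_ip: object   # public IP the source address is rewritten to


def egress_source(src, snat_rules):
    """Modelled first-match SNAT lookup; unmatched traffic masquerades on the primary WAN IP."""
    for rule in snat_rules:
        if src in rule.source:
            return rule.to_ip
    return WAN_PRIMARY


def expected_public_ip(server):
    """Public IP that DNATs to this server, i.e. the IP recipients expect its mail to come from."""
    for public, inside in DNAT.items():
        if inside == server:
            return public
    return None


def outbound_consistent(server, snat_rules):
    """True when the server's egress IP equals the public IP its inbound DNAT uses."""
    return egress_source(server, snat_rules) == expected_public_ip(server)


# Only a broad LAN->WAN masquerade: every LAN host, mail server included, leaves as WAN_PRIMARY.
BROAD_ONLY = [SnatRule(LAN, WAN_PRIMARY)]
# Host-specific SNAT for the mail server placed before the broad rule: mail leaves on the alias.
SPECIFIC_FIRST = [SnatRule(ip_network("192.168.1.25/32"), ALIAS_MAIL), SnatRule(LAN, WAN_PRIMARY)]
# Same two rules in the wrong order: the broad rule matches first and shadows the specific one.
SPECIFIC_SHADOWED = list(reversed(SPECIFIC_FIRST))

if __name__ == "__main__":
    for name, rules in [("broad only", BROAD_ONLY), ("specific first", SPECIFIC_FIRST),
                        ("specific shadowed", SPECIFIC_SHADOWED)]:
        print(f"{name:18s} egress={egress_source(MAILSERVER, rules)} "
              f"consistent={outbound_consistent(MAILSERVER, rules)}")
```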

  • That was the root cause of why I asked. The rule was for the Sonicwall mail appliance.
    Thanks to everyone.
