
Internal users accessing email server with external IP address??

Hi 

 

I have started setting up XG firewall for my home use and I got the email protection in MTA mode working. I can access my email server from external networks - can send/receive emails - all good.

 

With mobile devices, like iPhones/tablets, when a user comes home and works on the internal/inside network, their access to the email server gets resolved to the external public IP, thus email does not work.

 

Two solutions:

1. DNS server on the local LAN to resolve it to the local private IP

2. U-turn NAT so that when DNS resolves to the external/public IP, the FW does the destination NAT.

 

As I see it, the 2nd solution is a better option, as we do not need an additional DNS server or to use the FW as a DNS server, and devices can point to any DNS server.

Palo Alto uses this 2nd method - https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-U-Turn-NAT/ta-p/61889

 

Can someone please let me know how to do the same U-Turn NAT on XG firewall as I want to avoid DNS solution?

Thanks in advance.

 

Mathew



  • Hi Mathew, 

    Could you check if you are using a DNAT rule? If so, create a loopback rule and check again.

    On XG it is called a reflexive rule; please enable it and add LAN as per the screenshot below.


      

    Please take a packet capture of the traffic while connecting to your mail server.

    I will assume that your mail server is on the LAN. You may change zone as per your setup.
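The reply above (and option 2 in the original question) relies on U-turn/hairpin NAT, and the detail that decides whether it works is what the firewall does to the *source* address of a LAN client's packet after it has DNATed the destination to the internal server. The model below is an added example written for this page, not code from the thread, from Sophos or from Palo Alto; the addresses (203.0.113.10 as the public IP, 192.168.1.1 as the firewall's LAN address, 192.168.1.20 as the mail server, 192.168.1.50 as a phone on the LAN) and the port list are assumptions. It simulates one TCP handshake to the public IP on port 993 with and without the hairpin SNAT and reports whether the reply reaches the client with the 4-tuple its socket expects.

```python
"""Model of U-turn (hairpin) NAT: a LAN client reaching a LAN server through
the firewall's public IP.  Constructed example, not code from the thread or
from Sophos; addresses are RFC 5737 / RFC 1918 documentation values."""
import ipaddress
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.10"    # assumed WAN address of the firewall
FW_LAN_IP = "192.168.1.1"     # assumed LAN address of the firewall (default gateway)
MAIL_SERVER = "192.168.1.20"  # assumed internal mail server
LAN_CLIENT = "192.168.1.50"   # assumed phone/tablet on the LAN
LAN = ipaddress.ip_network("192.168.1.0/24")
PUBLISHED_PORTS = {587, 993}  # submission and IMAPS, the ports from the thread


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Packet":
        return Packet(self.dst, self.dport, self.src, self.sport)


class Firewall:
    """Stateful DNAT with an optional hairpin SNAT (the loopback/reflexive
    behaviour).  Source ports are kept as-is for readability; real NAT
    implementations may remap them."""

    def __init__(self, hairpin_snat: bool) -> None:
        self.hairpin_snat = hairpin_snat
        # maps the reverse of the translated forward tuple -> the client's original packet
        self.conntrack = {}

    def translate(self, pkt: Packet) -> Packet:
        # Forward direction: DNAT the published public IP:port to the server.
        if pkt.dst == PUBLIC_IP and pkt.dport in PUBLISHED_PORTS:
            src = pkt.src
            if self.hairpin_snat and ipaddress.ip_address(pkt.src) in LAN:
                src = FW_LAN_IP  # force the server's reply back through the firewall
            fwd = Packet(src, pkt.sport, MAIL_SERVER, pkt.dport)
            self.conntrack[fwd.reverse()] = pkt
            return fwd
        # Reverse direction: undo both translations for a tracked reply.
        if pkt in self.conntrack:
            return self.conntrack[pkt].reverse()
        return pkt


def deliver(pkt: Packet, fw: Firewall) -> Packet:
    """Simulated LAN forwarding.  Hosts on the same subnet talk directly (the
    firewall never sees those packets); everything else, including packets
    addressed to the firewall's own LAN IP, passes through the firewall."""
    dst = ipaddress.ip_address(pkt.dst)
    if dst in LAN and pkt.dst != FW_LAN_IP:
        return pkt  # same-subnet delivery, bypassing the firewall
    return fw.translate(pkt)


def imaps_session(hairpin_snat: bool) -> bool:
    """LAN client opens a connection to PUBLIC_IP:993 (what public DNS returns).
    Returns True if the server's reply arrives at the client with the 4-tuple
    its socket expects, i.e. the connection can proceed."""
    fw = Firewall(hairpin_snat)
    syn = Packet(LAN_CLIENT, 40000, PUBLIC_IP, 993)
    at_server = deliver(syn, fw)   # arrives at the server with DNAT applied
    syn_ack = at_server.reverse()  # the server answers whoever it saw as the source
    at_client = deliver(syn_ack, fw)
    # The client's socket is bound to (LAN_CLIENT:40000 <-> PUBLIC_IP:993).
    # A reply from MAIL_SERVER:993 does not match it and is dropped (RST sent).
    return at_client == syn.reverse()


if __name__ == "__main__":
    print("DNAT only        :", "works" if imaps_session(False) else "server replies directly, client drops it")
    print("with hairpin SNAT:", "works" if imaps_session(True) else "fails")
```

Without the hairpin SNAT the server sees the client's real LAN address, replies to it directly on the same subnet, and the client drops the packet because it came from 192.168.1.20:993 rather than 203.0.113.10:993; that is the symptom of a DNAT rule that works from outside but not from the LAN. With the SNAT the server only ever sees the firewall's LAN address, the reply has to traverse the firewall, and the firewall reverses both translations. On a Linux box the same thing is a DNAT rule in the nat PREROUTING chain matched on the LAN interface plus an SNAT (or MASQUERADE) rule in nat POSTROUTING for LAN-sourced traffic going out the LAN interface to the server; the XG loopback/reflexive rule is the vendor's one-click version of that pair. The packet capture the reply asks for is the right check: on the server, a working hairpin shows the firewall's LAN IP as the client, not the phone's IP.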

  • Hi Aditya,

     

    Thanks for the reply and sorry for getting back late as I had to set it up again for testing.

    Yes, this worked. In fact, it worked for port TCP 80 for my internal web server, but it did not work for my internal email server: port TCP 587 (SMTPs) and 993 TCP (IMAPs).

    I think I had some other issues with mail server MTA settings.

     

    FYI, I used the Software version - SFOS_16.05.7_MR-7.VMW-305.

    If you have any working screen captures for rule settings for an email server and MTA settings, can you please share with me and let me know?

     

    Thanks in advance.

     

    Mathew
