DNAT Rule doesn't work for Internal Network

Hey there,

 

We used a mail server behind the Sophos with a specific domain. The domain pointed to one of our interfaces. We used a DNAT rule to redirect all mail-specific traffic on this interface to the mail server. It worked fine. Now I needed to switch mail servers, but I am not able to easily change all mail configurations on the end devices. So I set up the new mail server and a new DNAT rule which redirects to the new mail server. The two rules look like this:

 

Any -> Mail-Services -> OldDomain -> NewDomain (NewDomain is a static host in the UTM)

Any -> Mail-Services -> Specific Interface (to which the mx-records point) -> NewDomain

 

This also works fine. Well, for most of my office. Every user was able to connect without any changes to the configuration on the end device itself. But not in the main office.

 

It works for devices outside of the network (we are not using the UTM's mail protection, so the mail server is reachable from outside). It works for our VPN users (own IP range). And it works for our 5 RED networks (each with its own IP range like 11.0.104.0/24). But not for everyone in the main office with the IP range 11.0.7.0/24.

 

I already tried to set up a specific DNAT rule for this group of users via the internal network as source (11.0.7.0/24), or a specific IP range (11.0.7.100 - 11.0.7.200 is our DHCP range), or a specific IP (my own device). It doesn't work and doesn't show up in the log files. All internal devices (head office) try to connect to the old server. I also tried to set up a

Internal -> Any -> OldDomain -> NewDomain

just to get redirected anyhow. But this doesn't work either. It seems like the Sophos UTM is ignoring the DNAT rules for my internal network. Can you tell me why?

 

Greetings



This thread was automatically locked due to age.
  • If the source and destination hosts are residing in the same subnet (11.0.7.0/24) the traffic simply is handled directly between client and server. The UTM can only DNAT traffic that passes it (in a normal case the traffic flows from one interfaces network to another interfaces network, e.g. LAN and DMZ, WAN and LAN, WAN and DMZ).

    But I don't really understand your problem.

    • you have an internal mail server "old" which was responsible for "yourdomain.com" and an internal mail server "new" which is responsible for what? a new domain or is simply mail server old migrated to new?
    • you have a MX record pointing to e.g. "mail.yourdomain.com" which is an A record to (one of your) external IP(s) - and hopefully a RDNS for that IP resolving to "mail.yourdomain.com" also
    • you had a NAT rule for mail server old:
      • ANY - SMTP - External IP -> SMTP - IP mailserver OLD
      • if the servers were exchanged you simply have to change "IP mailserver OLD" to "IP mailserver NEW"
    • NATing is happening on IPs and ports, not on domains!
      • so if the new server is responsible for "mail.yourotherdomain.com" you need all that was there for the other domain:
        • A record on DNS providers side,
        • MX record pointing to the A record
        • NAT rule for another external IP - pointing to IP mailserver NEW
        • RDNS entry on internet providers side for the "new external IP"
        • firewall rule allowing any - SMTP - IP mailserver NEW
    • I guess for the internal users there existed a split brain DNS config where "mail.yourdomain.com" points to "IP mailserver OLD", take a look at your forward lookup zones
      • the "empty entry" for "mail.yourdomain.com" forward lookup zone has to be changed to "IP mailserver NEW", too
      • or, if really a completely new mail domain is used you have to do a second split brain DNS config for that domain, too

    • OR is the UTM your mail gateway? You see, some important information about your configuration is missing!

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner
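The same-subnet point in the reply above, as an added example that is not part of the original thread: a small Python model of the UTM's forwarding and DNAT decision. Addresses, interface layout, server IPs and the resolver tables are constructed for the illustration and are assumptions, not the poster's real configuration. It also assumes, consistent with the temporary fix the poster later describes, that the UTM's DNS proxy answers `sub.abc.de` with whatever static host definition carries that hostname. It goes one step beyond the reply by also checking the return path, which is what breaks when an internal client is instead sent to the WAN address (the hairpin case).

```python
"""Model of DNAT on a Sophos-UTM-style firewall (added illustration, not UTM code).

Addresses, interface layout, rule table and resolver tables are constructed for
the example; they are assumptions, not the poster's real configuration.
"""
import ipaddress

# Interface networks of the hypothetical UTM (constructed values).
INTERFACES = {
    "WAN": ipaddress.ip_network("203.0.113.0/24"),
    "Internal": ipaddress.ip_network("11.0.7.0/24"),   # main office, from the post
    "RED1": ipaddress.ip_network("11.0.104.0/24"),     # one RED site, from the post
    "VPN": ipaddress.ip_network("10.242.2.0/24"),      # assumed VPN pool
}
UTM_WAN_IP = ipaddress.ip_address("203.0.113.10")  # assumed: public A record of sub.abc.de
OLD_MAIL = ipaddress.ip_address("11.0.7.25")       # assumed: old server in the main-office LAN
NEW_MAIL = ipaddress.ip_address("11.0.7.26")       # assumed: new server in the same LAN
SMTP = 25
ANY = ipaddress.ip_network("0.0.0.0/0")

# DNAT table as (source network, port, destination IP, translated target).
# The "static host" objects in the post are just names for IPs: NAT matches on the IP.
DNAT_RULES = [
    (ANY, SMTP, OLD_MAIL, NEW_MAIL),    # Any -> Mail-Services -> OldDomain -> NewDomain
    (ANY, SMTP, UTM_WAN_IP, NEW_MAIL),  # Any -> Mail-Services -> WAN interface -> NewDomain
]

# What sub.abc.de resolves to, per resolver. The UTM's DNS proxy answering with the
# static host's IP is the "split brain" situation Kevin refers to (assumed here).
PUBLIC_DNS = {"sub.abc.de": UTM_WAN_IP}
UTM_DNS_BEFORE = {"sub.abc.de": OLD_MAIL}  # static host 'sub.abc.de' still = old server
UTM_DNS_AFTER = {"sub.abc.de": NEW_MAIL}   # static host repointed at the new server


def interface_of(ip):
    """Which UTM interface network an address belongs to; anything else is 'WAN'."""
    for name, net in INTERFACES.items():
        if ip in net:
            return name
    return "WAN"


def passes_utm(src, dst):
    """A packet only reaches the UTM if it must be routed between two interface
    networks or is addressed to the UTM itself. Same-subnet traffic goes
    client -> switch -> server and the UTM never sees it."""
    return dst == UTM_WAN_IP or interface_of(src) != interface_of(dst)


def deliver(src, dst, port):
    """Return (final destination, explanation) for a packet src -> dst:port."""
    if not passes_utm(src, dst):
        return dst, "direct: never passes the UTM, DNAT table not consulted"
    for src_net, rule_port, rule_dst, target in DNAT_RULES:
        if src in src_net and port == rule_port and dst == rule_dst:
            return target, "DNAT matched"
    return dst, "routed by UTM, no DNAT rule matched"


def connect(client, hostname, port, resolver):
    """Resolve hostname with the given resolver table, send the SYN, and report where
    it lands plus whether the server's reply can be un-NATed on the way back."""
    client = ipaddress.ip_address(client)
    dst = resolver[hostname]
    server, why = deliver(client, dst, port)
    # The reply must also pass the UTM to get its source rewritten back to `dst`.
    # If the server sits in the client's subnet it answers directly; the client sees
    # a reply from `server` instead of `dst` and the TCP handshake fails (hairpin).
    reply_ok = (server == dst) or passes_utm(server, client)
    return str(server), why, reply_ok


if __name__ == "__main__":
    cases = [
        ("main office, UTM DNS before fix", "11.0.7.150", UTM_DNS_BEFORE),
        ("RED site, UTM DNS before fix", "11.0.104.50", UTM_DNS_BEFORE),
        ("Internet client, public DNS", "198.51.100.7", PUBLIC_DNS),
        ("main office sent to WAN IP (hairpin)", "11.0.7.150", PUBLIC_DNS),
        ("main office, UTM DNS after fix", "11.0.7.150", UTM_DNS_AFTER),
    ]
    for label, client, resolver in cases:
        server, why, ok = connect(client, "sub.abc.de", SMTP, resolver)
        print(f"{label:40} -> {server:12} {why} (reply ok: {ok})")
```

Running it reproduces the thread: the RED and Internet clients land on the new server via DNAT, the main-office client keeps reaching the old server because its packets never cross the UTM, and pointing it at the WAN address instead matches the DNAT rule but breaks the return path. Only correcting what the internal resolver answers fixes the main office, which is the split-DNS point of the reply.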

  • Hello there,

     

    Seems like I really missed something. I have to admit: I am pretty new to all this and somehow got into this position and have to solve these problems on my own. It's nice to have people like you, who take the time to help out newbies like me. Thanks a lot!

     

    Seems like I have to provide more details:

     

    • Old Setup:
      • Domain abc.de with MX record pointing to sub.abc.de which points to a static external IP.
      • No internal DNS Server.
      • Mail Server behind UTM with specific internal IP. Also a Hostname defined as Static Host (with Domain sub.abc.de and 'reverse dns' ticked) in the UTM.
      • DNAT-Rule: Any -> Mail-Services -> WAN-Interface with static external IP -> sub.abc.de
      • All Mail-Clients connect to sub.abc.de
    • New Setup:
      • Domain abc.de with MX record still pointing to sub.abc.de which points to the same static external IP.
      • Still no internal DNS server, but I will set one up. Is it needed for the current setup? If so, I will do this next.
      • Mail Server also behind UTM with a specific internal IP. Also defined as a Static Host 'mail.sub.abc.de' in the UTM. (I also dislike this sub-sub-sub-behaviour but the ssl-certificate was already signed for mail.sub.abc.de and not mail.abc.de ...)

    I simply didn't know that DNAT only applies to connections which pass the UTM (but of course it makes sense...). As a temporary solution I gave the static host 'mail.sub.abc.de' in the UTM another hostname: the hostname of the old mail server, 'sub.abc.de'. So clients inside and outside the network will always (no matter which port) reach the mail server.

     

    Of course this is a super dirty setup and I want to build a stable and clean setup. So I have to change some things. You already pointed me in the right direction. I think the first step is to set up an internal DNS server with a split-brain config and only use a DNAT rule to point external mail traffic to my mail server.

     

    At the moment the UTM is not my mail gateway. But I also want to implement it this way since we already have the full license.

     

    Greetings

  • It looks like Kevin has this in hand, so I've not read much of the above, Marcel, but you will want to familiarize yourself with #1 in Rulz and Accessing Internal or DMZ Webserver from Internal Network.

    EDIT: Based on the comment by Ol De below, you might also want to look at DNS best practice.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA