Configure ports & IPs for hardware firewall

Question asked by MARK - 5/3/2015 at 7:57 AM

Answered

Hello. I am transitioning to a new server. It has a hardware firewall (external unit). The OLD server just had a software firewall running in Windows.

The OLD server had an IP used solely for SM. This was an external IP (could be seen by world). All worked fine.

NEW server cannot see EXternal IPs, only INternal NAT addresses. Each external IP available to the box is mapped/translated to a corresponding internal IP.

For example, the external 69.69.69.69 is mapped to the internal 10.10.10.10. In SM (v11), I am unable to enter the IP addresses in the "bindings" area. Instead, I can only choose from the IPs SM sees on the box; these are all INternal.

I would prefer to use an IP other than the box's primary one, making it solely used for SM (as I believe I have read is best practice for email server on same box as website). But... I mostly need it to work so I will put it on ANY IP the box has, EX/INternal.

I tried setting up the protocols on this internal IP. In "hostnames" area, I was able to enter an IP and I entered the EXternal one.

This approach is not working and I've no idea what is correct. Anyone have insight on this they could share?

Thanks for any assistance.

3 Replies

Reply to Thread

CCWH Replied

5/4/2015 at 10:05 AM

I'm confused about what the issue is. We have a number of SM configured in different datacentres. In one of the DCs we have what you are trying to configure (I think).

We have an external FW (Hardware) which has a number of external facing public IP addresses. These addresses are then routed using NAT'ing to internal IP. This all works fine as long at the specified internal IP address is configured on the SM Mail Server box along with the correct internal DNS obviously.

The above is pretty straightforward. This would be the approach for an internal only mail server too, without the external FW routing.

The part that I am confused by is

"For example, the external 69.69.69.69 is mapped to the internal 10.10.10.10. In SM (v11), I am unable to enter the IP addresses in the "bindings" area. Instead, I can only choose from the IPs SM sees on the box; these are all INternal."

That is correct, you can only choose from IP addresses allocated to that box. So, you would choose the internal IP address that is routed to your external one. If this is not working then I can only think there is an issue with the DNS/NAT'ing.

Bruce Barnes Replied

5/4/2015 at 12:31 PM

Your internal addresses need to be mapped to the external addresses in your firewall.

This doesn't appear to have anything to do with SmarterMail.

Since you changed servers, there is a high probability that your public facing IP addresses also changed.

If your public IP addresses changed, then you will also have to re-do:

all of the HOST records to point to the new public IP addresses.
all of your SPF records
all of your rDNS records

You will need to speak to your hosting provider to dig further into this and find out if your "old" public IP addresses were moved over to the new server or you have new public IP addresses.

Bruce Barnes

ChicagoNetTech Inc

brucecnt@comcast.net

Phonr: (773) 491-9019

Phone: (224) 444-0169

E-Mail and DNS Security Specialist

Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com

Website: https://www.ChicagoNetTech.com

Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting

MARK Replied

5/4/2015 at 1:19 PM

Marked As Answer

Thanks for everyone input. I was able to ensure the FW's external IPs were mapped to the corresponding internal ones. I then set those to SM and all is working now.

Thanks again!

Back to Community Threads

Please leave this box unchecked

Reply to Thread

Enter the verification text