Screen OS

  • 1.  Allow Mail through NS-50

    Posted 08-06-2009 12:31
    I have configured a NS-50 setup in transparent mode on my network and everything is working as it should be, except that mail is not being delivered to my Exchange server. If I remove the firewall, all the mail then gets delivered to my users' accounts. Does anyone know what this problem is or how to resolve it? Thanks


  • 2.  RE: Allow Mail through NS-50

    Posted 08-06-2009 13:09

    Since you didn't really tell much about your environment, I am assuming the following. Please correct any wrong assumption.

    - You are using 2 zones, v1-trust and v1-untrust.

    - All your clients are in v1-trust

    - Your mailserver is in v1-trust

    - Internet access is working

    - Your mailserver expects mail to be delivered via SMTP on port 25

    What do your security policies look like? Did you allow traffic from v1-untrust to v1-trust? Specifically, SMTP towards your mailserver?

    Can your mailserver reach the internet?



  • 3.  RE: Allow Mail through NS-50

    Posted 08-06-2009 14:34
    Yes, I am using 2 zones, v1-trust and v1-untrust; clients and mailserver are in v1-trust, internet is working, I can send mail but cannot receive it. The only policy I have in place is from v1-trust to v1-untrust any any any. I tried playing around with some of the mail policies allowing v1-untrust to v1-trust, but was unsuccessful in making anything work. From the Exchange server I can access the internet.


  • 4.  RE: Allow Mail through NS-50

    Posted 08-06-2009 14:44

    You are going to need a policy to allow traffic to flow from the untrust zone to the trust zone. By default there is no policy, so there is no traffic. There are many different ways to handle this. You could create a MIP on your untrust interface mapping the internal IP of your Exchange server to an external IP and then create a policy from untrust to trust, any to MIP.

    That is just one simple way; there are lots of solutions to this problem depending on your setup and desired traffic flow.



  • 5.  RE: Allow Mail through NS-50
    Best Answer

    Posted 08-06-2009 14:55

    Since he is running transparent mode, I wouldn't see fit for a MIP.

    Basically, setting a policy from v1-untrust source any to v1-trust destination mailserver service SMTP should do, I think.

    Dennis



  • 6.  RE: Allow Mail through NS-50

    Posted 08-06-2009 15:37

    Hey Dennis - yes, I guess it would help to fully read the post...... I just kinda missed that whole big "transparent" word..

    Thanks.



  • 7.  RE: Allow Mail through NS-50

    Posted 08-07-2009 07:53
    When setting up this policy, do I need to put in the IP address of the Exchange server? I ask because I set up a policy from v1-untrust to v1-trust to allow the mail SMTP service, but that still didn't work.


  • 8.  RE: Allow Mail through NS-50

    Posted 08-07-2009 08:23

    It's not required to insert the IP address of the mailserver. You could test with source any, destination any and service any in your policy.

    Once you've done that, you should be able to ping your server also (if ping is on), from the interface which is in v1-untrust.



  • 9.  RE: Allow Mail through NS-50

    Posted 08-07-2009 08:55
    Thanks Dennis, problem solved: set policy v1-untrust to v1-trust, source ANY to destination IP address of Exchange server, service MAIL, and it worked. My users' inboxes were immediately flooded with emails that had been sitting outside the firewall. The policy ANY, ANY, ANY from untrust to trust still didn't work.
    Message Edited by mattjames07 on 08-07-2009 08:55 AM
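    The policy that finally worked, written out as an added ScreenOS CLI example (it is not from the thread or from Juniper's documentation); the address-object name "Exchange-SMTP" and the address 192.0.2.25 are placeholders for the real Exchange server, policy id 10 is assumed to be free, and lines beginning with `#` are annotations rather than CLI input.

```screenos
# Added example: least-privilege inbound SMTP policy for a NetScreen in transparent mode.
# V1-Trust / V1-Untrust are the Layer 2 zones ScreenOS uses in transparent mode;
# "Exchange-SMTP" and 192.0.2.25 are placeholders for the real mail server.

# 1. Define the Exchange server as a single-host address object in the V1-Trust zone.
set address "V1-Trust" "Exchange-SMTP" 192.0.2.25 255.255.255.255

# 2. Permit only the MAIL service (ScreenOS's predefined TCP/25 SMTP service, as in
#    the thread) from any source in V1-Untrust to that one host, and log every match.
set policy id 10 from "V1-Untrust" to "V1-Trust" "Any" "Exchange-SMTP" "MAIL" permit log

# 3. Verify the rule is present and check its position relative to other
#    V1-Untrust -> V1-Trust policies; ScreenOS evaluates policies top-down.
get policy
get policy id 10

# 4. Write the running configuration to flash so the rule survives a reboot.
save
```

    Scoping the rule to one host and one service leaves every other port on the Exchange server unreachable from V1-Untrust, unlike the ANY/ANY/ANY test policy; the `log` keyword makes the policy's hits visible in the traffic log, which is the quickest way to confirm mail is actually arriving at the firewall.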


  • 10.  RE: Allow Mail through NS-50

    Posted 08-07-2009 09:10

    Great!

    For your information, v1-untrust is not the same as untrust, and neither is v1-trust the same as trust.

    In transparent mode the Layer 2 zones (v1-xxxx) are used instead of the Layer 3 zones trust/untrust.



  • 11.  RE: Allow Mail through NS-50

    Posted 08-07-2009 09:21
    The ANY, ANY, ANY policy was set up on the v1-untrust to v1-trust and still did not allow mail traffic through. Sorry for the confusion, as I did not use the proper syntax.