ScreenOS Firewalls (NOT SRX)

New User rtharris23 (Posts: 3, Registered: 04-06-2011)

Need help with port forwarding

I have a remote user who has Verizon as their ISP. It appears Verizon is blocking traffic on port 25, so the user is not able to send email through our mail server.

My plan is to have them use port 8025 as their SMTP port setting in Outlook.

What I need to happen is for the traffic to hit 12.46.178.7, the public IP for our e-mail server, by way of port forwarding port 8025 to port 25 on the mail server, which is internally 192.168.1.9.

I have a MIP mapping this public IP to this private one.

My best attempt so far was to create a service with source ports of 8025-8025 and destination ports of 25-25.

I then created a policy for MIP (12.46.178.7) where I assigned this service, but it did not work, and the remote user is not even able to telnet to the public IP address on that port.

Any ideas where to begin troubleshooting this?

Distinguished Expert keithr (Posts: 979, Registered: 09-10-2009)

Re: Need help with port forwarding

You can't mix port translation with MIP.

You could change your MIP to a VIP, but then you would also need to put in a source-NAT rule for your mail server (since the MIP will handle that automatically).

Or, you could just configure your mail server to listen on 8025 in addition to 25. :)

-kr


---
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.
New User rtharris23 (Posts: 3, Registered: 04-06-2011)

Re: Need help with port forwarding

Could you explain this a bit further?

    ...but then you would also need to put in a source-NAT rule for your mail server

Unfortunately I don't think I can have my mail server software listen on two ports, unless you know something about Imail Server v 8.12 that I couldn't find online.

Thanks for the assist.

Contributor pirata (Posts: 14, Registered: 02-02-2011)

Re: Need help with port forwarding

I think it's probably easier just to set up a VIP on that interface and map port 8025 to 25 on the destination IP. To do this you first delete the MIP and create a VIP instead. Then change your policy to accept from Any (or client) to <Public IP> port 8025 Accept.

regards,

Perish

Distinguished Expert keithr (Posts: 979, Registered: 09-10-2009)

Re: Need help with port forwarding

 


rtharris23 wrote:

    Could you explain this a bit further?

    ...but then you would also need to put in a source-NAT rule for your mail server

When you use a MIP, it creates a 1-1 mapping of public IP to private IP, and it works bidirectionally. Incoming traffic to the public MIP address gets translated to the private IP, and outgoing traffic originating from the private IP automatically gets translated to the public MIP address (automatic source NAT, in effect...).

VIPs don't work the same way, since you could have a single VIP public address pointing to numerous internal private IP addresses. If you use a VIP for incoming traffic, you would then have to create a policy for your outgoing traffic (traffic originating from your internal servers out to the internet) which applies a Source NAT action, so that the traffic is sent out to the internet with a valid IP address instead of a non-routable private address.

rtharris23 wrote:

    Unfortunately I don't think I can have my mail server software listen on two ports, unless you know something about Imail Server v 8.12 that I couldn't find online.

I'm not familiar with Imail, but perhaps this KB article might point you in the right direction?

If you can get your SMTP server listening on an additional port (8025), then you can just keep your MIP setup and add a new entry to your security policy to permit traffic on port 8025.

-kr


New User rtharris23 (Posts: 3, Registered: 04-06-2011)

Re: Need help with port forwarding

I thought you had something with the Imail KB article; unfortunately that is for version 8.2 and I'm on version 8.12, and the reg key they suggest to change isn't even there.

Can you spell out a little more clearly what I'd need to create, and in what order, to get a VIP setup working?

My guess would be...

1) Get rid of MIP

2) Create VIP for 12.46.178.7 to 192.168.1.9

Then I'm not sure what I need to create to get services like SMTP, POP3, FTP and TS working so I can access the internal server via the external IP like I do now via the MIP.

Would those just be Virtual Services assigned to the VIP?

The policy would then be a Trust to Untrust, correct?

Looking at that I see source address options of either entering something or using an Address Book entry. What would that entry need to look like to limit it to just 192.168.1.9? I see 192.168.1.0/24 but don't really know what that means. No matter what I enter it looks like it needs some sort of / value after the IP address itself.

Thanks for your time helping me with this.

Distinguished Expert keithr (Posts: 979, Registered: 09-10-2009)

Re: Need help with port forwarding

 


rtharris23 wrote:

    I thought you had something with the Imail KB article; unfortunately that is for version 8.2 and I'm on version 8.12, and the reg key they suggest to change isn't even there.

Maybe it's time to run a better mail server. :D Sorry, I couldn't resist that one.

rtharris23 wrote:

    Can you spell out a little more clearly what I'd need to create, and in what order, to get a VIP setup working?

    My guess would be...

    1) Get rid of MIP

    2) Create VIP for 12.46.178.7 to 192.168.1.9

    Then I'm not sure what I need to create to get services like SMTP, POP3, FTP and TS working so I can access the internal server via the external IP like I do now via the MIP.

    Would those just be Virtual Services assigned to the VIP?

You're on the right track. Create the VIP address for 12.46.178.7. Then you create VIP services which will map port numbers on the VIP to internal servers. So for example, for SMTP, you will create your VIP service for port 25, "Map to Service" SMTP(25), "Map to IP" 192.168.1.9. You can do the same for your other services. Then create an additional service in the same way to map VIP port 8025 to 25 on the internal IP.

rtharris23 wrote:

    The policy would then be a Trust to Untrust, correct?

    Looking at that I see source address options of either entering something or using an Address Book entry. What would that entry need to look like to limit it to just 192.168.1.9? I see 192.168.1.0/24 but don't really know what that means. No matter what I enter it looks like it needs some sort of / value after the IP address itself.

Nope, your incoming policies are going to be Untrust -> Trust.

You will need to create a custom service object for your port 8025. Then your policy from untrust->trust can either be a single policy that lists all of the accepted services for the VIP, or you can break each policy out, for example, to only allow source addresses of your Verizon clients to access the VIP on port 8025. Your destination address is the VIP, so choose VIP(12.46.178.7) from the list for destination.

Now, you need to make sure your outgoing traffic originating from your 192.168.1.9 server is NATed as it leaves your network. Either your internal interface that connects to your server would be in mode NAT (vs. mode Route), or you create a policy from Trust->Untrust to permit traffic, and under Advanced you're going to set Source Translation. There you can either choose to NAT the traffic to the Egress interface IP, or you can create a DIP pool of one or more public addresses to use when applying the source NAT.

rtharris23 wrote:

    Thanks for your time helping me with this.

Sure, just let me know where to send the bill. ;)

I'd suggest you look through the ScreenOS Concepts & Examples Guide. There's a whole chapter (chapter 45 in the ScreenOS 6.3 C&E guide) for MIP and VIP creation and configuration.

-kr


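The steps keithr lays out above, collected into one ScreenOS CLI fragment. This is an added example, not configuration posted in the thread or taken from Juniper documentation; the untrust interface name ethernet0/0, the object names "SMTP-8025" and "mailserver", and the policy IDs are assumptions, while the addresses and ports are the ones from the thread.

```text
# 1. Drop the MIP first (delete any policy that references MIP(12.46.178.7) before this),
#    otherwise the MIP keeps owning 12.46.178.7 and the VIP cannot be created on it.
unset interface ethernet0/0 mip 12.46.178.7

# 2. Custom service object for the alternate SMTP port the Verizon client will use.
#    Source port stays wide open; only the destination port is pinned to 8025.
set service "SMTP-8025" protocol tcp src-port 0-65535 dst-port 8025-8025

# 3. VIP services: <virtual port on 12.46.178.7> -> <service (real port)> on 192.168.1.9.
#    The VIP address must sit in the same subnet as the ethernet0/0 interface IP.
#    The 8025 line is the port translation the MIP could not do.
set interface ethernet0/0 vip 12.46.178.7 25   SMTP 192.168.1.9
set interface ethernet0/0 vip 12.46.178.7 8025 SMTP 192.168.1.9
set interface ethernet0/0 vip 12.46.178.7 110  POP3 192.168.1.9
set interface ethernet0/0 vip 12.46.178.7 21   FTP  192.168.1.9

# 4. Address book entry for the source-NAT policy. A 255.255.255.255 mask (/32)
#    matches the single host 192.168.1.9; 192.168.1.0/24 would match all of 192.168.1.x.
set address trust "mailserver" 192.168.1.9 255.255.255.255

# 5. Inbound policies are Untrust -> Trust and use the VIP object as destination.
#    Policy 11 could be narrowed from "any" to an address group of the remote clients.
set policy id 10 from untrust to trust any "VIP(12.46.178.7)" SMTP permit
set policy id 11 from untrust to trust any "VIP(12.46.178.7)" "SMTP-8025" permit

# 6. Outbound source NAT that the MIP used to apply automatically: "nat src" with no
#    DIP pool translates to the egress interface IP. To use a pool of public addresses
#    instead, define a DIP on ethernet0/0 and add "dip-id <n>" after "nat src".
set policy id 20 from trust to untrust "mailserver" any any nat src permit

# Quick checks after committing: confirm the policies and that new sessions to port
# 8025 are being translated to 192.168.1.9:25.
get policy
get session
```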
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.