gquerenghi
New Member
August 13, 2012
Question

configure vip for mail server

I have an Exchange mail server and I mapped the DMZ IP address to a public IP address. Mail server DMZ IP: 10.10.10.10, VIP: 20.20.20.20

    config firewall vip
        edit "mail"
            set extip 20.20.20.20
            set extintf "wan1"
            set mappedip 10.10.10.10
        next
    end

The 20.20.20.20 is a static IP I have from my ISP. This is the FW policy:

    config firewall policy
        edit 64
            set srcintf "wan1"
            set dstintf "dmz"
            set srcaddr "all"
            set dstaddr "mail"
            set action accept
            set utm-status enable
            set schedule "always"
            set service "DNS" "HTTP" "HTTPS" "ICMP_ANY" "IMAP" "PING" "POP3" "SMTP"
            set av-profile "smtp-in"
            set spamfilter-profile "smtp-in"
            set profile-protocol-options "smtp-in"
            set logtraffic enable
        next
    end

My problem is that if I check the IP address of the server (from websites such as whatismyip) I get the wan1 IP and not 20.20.20.20, and I have problems with sending emails to companies that have rDNS checks (my ISP has correctly configured the rDNS for 20.20.20.20). Is something wrong in my configuration? Thanks

    8 replies

    rwpatterson
    New Member
    August 13, 2012
    Create an IP pool (call it "mail"), give it the single IP address that you wish to have the mail server appear as (20.20.20.20). In the policy that sends mail from the DMZ outward, check the "Use IP Pool" check box, then select "mail" from the list of available pools. A VIP is a destination NAT, fine for incoming. The IP pool is a source NAT, needed for sending email outward using a different address than the interface.
    gquerenghi
    New Member
    August 13, 2012
    Sweet, I'll try that, thanks.
    gquerenghi
    New Member
    August 22, 2012
    I configured the IP pool and set the firewall policy like this. How can I check if the traffic is actually going out with the IP pool address?

        config firewall policy
            edit 68
                set srcintf "dmz"
                set dstintf "wan2"
                set srcaddr "mailserver"
                set dstaddr "all"
                set action accept
                set utm-status enable
                set schedule "always"
                set service "ANY"
                set av-profile "mail"
                set spamfilter-profile "mail"
                set profile-protocol-options "mail"
                set logtraffic enable
                set nat enable
                set ippool enable
                set poolname "mailserver"
            next
        end
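As an added example (not from the thread's participants), here is the IP pool object that rwpatterson's reply describes, defined with the single address 20.20.20.20 and the pool name "mailserver" used in policy 68 above, followed by the FortiOS CLI checks a practitioner would run on the firewall itself to confirm that outbound SMTP from 10.10.10.10 leaves wan2 with the pool address rather than the interface address. The interface name wan2 and the pool name come from the posted policy; the SMTP port filter is an assumption about the traffic being verified.

```fortios
# Source NAT pool: a single public address, so every outbound
# connection matched by the policy is rewritten to 20.20.20.20.
config firewall ippool
    edit "mailserver"
        set startip 20.20.20.20
        set endip 20.20.20.20
    next
end

# Check 1: watch SMTP packets as they leave wan2. Verbosity 4 prints
# the interface name with each packet; the source address shown on
# wan2 should be 20.20.20.20, not the wan2 interface address.
diagnose sniffer packet wan2 'port 25' 4 10

# Check 2: inspect the session table for connections to port 25.
# The session entry shows the original source (10.10.10.10) and the
# translated source; the translated address should be 20.20.20.20.
diagnose sys session filter dport 25
diagnose sys session list
diagnose sys session filter clear
```

If the sniffer on wan2 still shows the interface address, the connection is matching an earlier policy without the pool, which is the ordering problem raised later in the thread.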
    ddskier
    New Member
    August 22, 2012
    On the server itself, go to the following website: http://www.whatismyip.com. It will report the public IP that the server is using.
    gquerenghi
    New Member
    August 22, 2012
    It still shows the FortiGate wan1 IP.
    rwpatterson
    New Member
    August 22, 2012
    Policies are scanned top down. Make sure the mail server policy is located above the general web surfing policy. As a rule, always place the most specific policies before the broader, general ones.
    gquerenghi
    New Member
    August 22, 2012
    It's the first one in the dmz->wan section. The server has a DMZ IP and an internal one, and there's a rule for the internal network to wan1 to allow all outgoing traffic. Is it possible that they conflict in some way?
    rwpatterson
    New Member
    August 22, 2012
    Two NIC cards? It may be using the other NIC/IP address. If that's the case, make a policy for the other IP and do the same: place it before the others in the internal/wanx list, and use the same NAT pool.
    gquerenghi
    New Member
    August 22, 2012
    I disabled the internal NIC in the mail server, and the public IP going out through the DMZ NIC is actually the IP pool address, so it works. I can't figure out why some emails are bounced back because of missing rDNS; the Exchange SMTP connector uses the DMZ NIC. I'll try your suggestion, thanks.
    rwpatterson
    New Member
    August 22, 2012
    Check your institution's DNS records. Maybe the server setting hasn't propagated correctly? Are you sure the reverse records have been set up correctly?
    emnoc
    New Member
    August 22, 2012
    Note, having a mail server exposed to the public on a DMZ and with a 2nd NIC on the internal network is asking for trouble if anything is exposed or exploited.