Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
echo
Contributor II

Dest nat?

Does anybody know how to transparently direct all outgoing port 25 traffic to a certain (mail)server that filters the traffic and then passes on? It was very easy with Juniper SSG5, but with Fortigate 60D for example? I can't create virtual IP with external address 0.0.0.0/0 to use it in a policy.
ede_pfau
Esteemed Contributor III

For destination NAT you need to know the original IP and the mapped-to IP addresses. Why 0.0.0.0 then? To clarify, are you planning to send mail traffic from 'internal' to 'wan' to a filtering mail server?

Ede

"Kernel panic: Aiee, killing interrupt handler!"
echo
Contributor II

0.0.0.0 was my best idea to approach this using the tools available. The thing is that whatever the destination IP -- if port is 25, then this shall be forwarded to a specific IP-address (and keep port 25).
rwpatterson
Valued Contributor III

A simple VIP from internal to wanx should do. Backwards as opposed to most uses, but it should suffice to use internal as the 'external' port, and internal interface as the IP. The mapped IP address should be your outside server, and port 25 should be specified. Any port 25 traffic hitting that IP will then get sent over to the outside mail server. Looks good in theory. Let's know how it works for you. Additionally, if you don't want to use the internal interface IP address, you could select any IP address on that subnet.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

ede_pfau
Esteemed Contributor III

The difficulty here is that you need to specify a destination IP address to select the traffic. SMTP traffic will NOT use the internal IP address as destination so this won't work. The logical thing would be to use the wildcard, i.e. '0.0.0.0', but that seems not to be allowed. The only way that I can imagine is to make your users use ONE (or a few) external mail servers, and to create VIPs for each of them. That depends on the circumstances, I know...

Ede

"Kernel panic: Aiee, killing interrupt handler!"
echo
Contributor II

Thanks. I tried the idea of using internal address as external etc., with or without a policy, but then I couldn't do any port 25 session outside. So the next step is really just to allow port 25 only to certain addresses and only usual outgoing nat will be used then. Not in this case, but it will be a nuisance for those who take their laptop from home to this network and use some other smtp server at home -- they have to change it every time. With transparent smtp forward, it worked so nicely: do telnet whatever.address.there.is 25, it works, but another server is responding and the user doesn't have to know about it, mail goes out anyway (if it's not spam). But anyway, that network goes out using another IP address so if there is going to be a blacklisting problem, then it is not affecting the main network's outgoing IP address.
ede_pfau
Esteemed Contributor III

No, it's not going to be "outgoing NAT"! That is source NAT and what you need is destination NAT. DNAT is done via VIP and the VIP has to be used in a policy to work. You could collect all SMTP servers used for a while and see if there is only a handful. If you create more than one VIP you can use a VIP group in just one policy which makes handling much easier. BTW, I don't think that convenience is a killer argument for a firewall feature. I am used to work in many different networks with my notebook, and thus I use an IP address switcher tool. It switches address, DNS, gateway, and more if it needs be. I would not expect all networks to be 'convenient' enough so that I didn't have to budge.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
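The following is an added FortiOS CLI example (not posted by anyone in this thread) that puts ede_pfau's two suggestions together: one VIP per known external SMTP server, collected in a VIP group that a single DNAT policy references, followed by the catch-all port 25 policy echo plans to add for monitoring. All addresses, interface and object names are assumptions: the two upstream servers users actually talk to are 198.51.100.10 and 198.51.100.20, the filtering relay is 203.0.113.25, the LAN sits on "internal" and the uplink is "wan1". These are documentation ranges, not real hosts.

```fortios
# Added example, not from the thread. Placeholder addresses and names:
#   198.51.100.10 / 198.51.100.20  = external SMTP servers users currently use
#   203.0.113.25                   = filtering relay that should answer instead
#   internal / wan1                = LAN-side and uplink interfaces
# One VIP per known destination: original dst -> relay, port 25 kept.
# extintf is the interface the ORIGINAL packet arrives on, hence "internal".
config firewall vip
    edit "smtp-redir-198.51.100.10"
        set extintf "internal"
        set extip 198.51.100.10
        set mappedip "203.0.113.25"
        set portforward enable
        set protocol tcp
        set extport 25
        set mappedport 25
    next
    edit "smtp-redir-198.51.100.20"
        set extintf "internal"
        set extip 198.51.100.20
        set mappedip "203.0.113.25"
        set portforward enable
        set protocol tcp
        set extport 25
        set mappedport 25
    next
end

# Group the VIPs so one policy carries all of them.
# The group's interface must match the members' extintf.
config firewall vipgrp
    edit "smtp-redir-grp"
        set interface "internal"
        set member "smtp-redir-198.51.100.10" "smtp-redir-198.51.100.20"
    next
end

config firewall policy
    # DNAT policy. Policies match top-down, so this one must sit above
    # the catch-all further down. "set nat enable" adds the usual SNAT,
    # so the relay sees the firewall's wan1 address as the source.
    edit 0
        set name "smtp-redirect-to-relay"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "smtp-redir-grp"
        set action accept
        set schedule "always"
        set service "SMTP"
        set nat enable
        set logtraffic all
    next
    # Port 25 to any destination without a VIP is NOT redirected. Log it
    # (deny, or accept while collecting) to find servers that still need
    # a VIP; the hits in the traffic log give you the list ede suggests.
    edit 0
        set name "smtp-other-monitor"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "SMTP"
        set logtraffic all
    next
end
```

To check that the translation actually happens, run `diagnose sniffer packet any 'tcp port 25' 4` while a client opens a connection to one of the listed servers: the SYN should show up on internal with the original destination and leave wan1 with 203.0.113.25 as the destination, and the SMTP banner the client receives will be the relay's, which is the behaviour echo describes from the SSG5. The caveat stands as stated in the thread: only destinations you have enumerated are redirected, so a client pointed at an unlisted server lands in the catch-all policy instead of reaching the relay.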
echo
Contributor II

Yes, this part is clear that if I know the dest addresses then what to do with them. Since my first idea cannot be realised, I'll leave it now and do something with it when needed. For a start though, as you said, I'll add port 25 policy to monitor that traffic.