topic Re: NAT not working on GAIA in Spark Firewall (SMB)

NAT not working on GAIA

Softwhere — Mon, 14 Apr 2025 10:09:36 GMT

Hello everyone,

Have a interesting problem, I am missing something. Our configuration the Firewall R81.10. local managed. We have 2 Email Servers configured as a DAG, behind the Firewall and tried to NAT both to the same Public IP, the ending is .250, (Firewall has .251), When we send a email for example to ping@mxtoolbox, it shows that the email is coming from .251. When we go to browser on either of the Email Servers and make a speedtest it shows up with the correct .250 Address.

Obviously our problem is some Emails are refused since the .251 is no MX entry in the DNS. So how should we configure the NAT correctly?

Have added our NAT table DAG-Email contains both internal IP of Email Servers EX_NAT is public address .250 EX2019 and EX19-2 corresponds to the internal Email Servers.

All 3 NAT are clicked "Hide multiple sources behind the translated source addresses" as well as "Serve as an ARP Proxy for the original destination IP address".

BTW we have a 3rd Email Server using NAT with .253 that works fine.

Would greatly appreciate some help with this, I obviously am missing something.

Thanks much

JJY

Re: NAT not working on GAIA

AkosBakos — Mon, 14 Apr 2025 10:26:24 GMT

Could you share a pic of the NAt rules? Simply blur out the sensitive data

Re: NAT not working on GAIA

Softwhere — Mon, 14 Apr 2025 10:32:19 GMT

I thought I had added the .png

Re: NAT not working on GAIA

the_rock — Mon, 14 Apr 2025 12:08:37 GMT

Just to make sure there is no connection that "stuck" somewhere, have you tried rebooting the fw?

Andy

Re: NAT not working on GAIA

Softwhere — Mon, 14 Apr 2025 12:11:23 GMT

Thanks for support, but yes have rebooted a couple of times.

Re: NAT not working on GAIA

the_rock — Mon, 14 Apr 2025 12:15:50 GMT

K, just to make sure we got this right, do you have basic diagram of what exactly is supposed to be natted and how? I think that way, we can 100% ensure its right.

Andy

Re: NAT not working on GAIA

AkosBakos — Mon, 14 Apr 2025 12:49:58 GMT

Now I suggest you to do packet capture eg.: # fw monitor, and check what happening. Does the packet leave the CheckPoint, or stucks is somewhere, as Andy told.

A little help for the syntax : https://tcpdump101.com/

Maybe an fw ctl zdebug + drop | grep IP can be useful as well.

Akos

Re: NAT not working on GAIA

the_rock — Mon, 14 Apr 2025 12:55:28 GMT

@AkosBakos Thank you for promoting my colleague's site, appreciated it mate! We gave it to few customers in the past when we would go on site to do work for them, I hope they still use it : - )

Andy

Re: NAT not working on GAIA

AkosBakos — Mon, 14 Apr 2025 13:03:06 GMT

Really? One of the best sites ever 🙂

Re: NAT not working on GAIA

the_rock — Mon, 14 Apr 2025 13:06:13 GMT

O yea, he is super nice guy. Funny enough, he actually gave me R60 CCSA and CCSE training back in 2009 (makes me feel old lol). Im sure @PhoneBoy knows him really well.

These days, he is really busy, so he may update the site from time to time, but probably not as often as he used to. but, if you or anyone else has a feedback, Im sure he would be more than happy to look into whatever suggestions people have.

Andy

Re: NAT not working on GAIA

PhoneBoy — Mon, 14 Apr 2025 17:54:07 GMT

We worked together for a hot minute, so yeah. 🙂

Re: NAT not working on GAIA

the_rock — Tue, 15 Apr 2025 01:02:31 GMT

I still think simple diagram would help us, just blur out any sensitive data.

Andy

Re: NAT not working on GAIA

Softwhere — Tue, 15 Apr 2025 07:52:16 GMT

Thanks guys, I have attached a 'simple' diagram with just the relevant devices. Packets are sent, entire Emails are being sent just not with NAT, tried putting one of the Servers in as Server, but no difference

Thanks again,

Jeff

Re: NAT not working on GAIA

the_rock — Tue, 15 Apr 2025 10:59:09 GMT

Hi Jeff,

K, so just to make sure I got this right (tx for the diagram btw, excellent), is it the case where 172.17 and .18 hosts are supposed to be natted to 88.x.x.x IPs respectively?

Andy

Re: NAT not working on GAIA

Softwhere — Tue, 15 Apr 2025 11:16:25 GMT

Hi Andy,

Yes, acutally quite strange, the 2 Exchange servers are in a Microsoft DAG so both Servers contain all Mailboxes and both Send/Recieve Emails. Both Servers 172.17.0.6/7 should be NATed to 88.217.xx.250. When using the browser (HTTPS), to identify ip Address it shows on both Servers correctly 88.217.xx.250. However when sending Emails, (to help identify problem, presently only the .6 is used to send Emails), in the header it shows Email is coming from the 88.217xx.251, which is the IP Address of the Checkpoint. This of course does not correspond to SPF,DMARC, and DKIM. Have presently helped simply by adding the .251 Address as a mx. But this will not work long since it is not possible to create a DKIM for the Firewall.

The Internet settings for both under NAT the 'Do not hide internal networks behind this Internet connection' is not clicked . If it is clicked then the correct ip Address is used in sending Emails, (in other words works as should), however all other Servers can no longer connect to the Internet.

Hope this description is understandable :).

Thanks again,

Jeff

Re: NAT not working on GAIA

the_rock — Tue, 15 Apr 2025 11:26:36 GMT

It is, yes, thanks! Hey, if you allow remote, I would love to do it and see if we can figure this out. Im in EST, which is GMT-4 I believe, so its 7.30 am here, I can do around 8.30 am my time, if that works?

Let me know.

Andy

Re: NAT not working on GAIA

Softwhere — Tue, 15 Apr 2025 11:42:46 GMT

Hi Andy,

Sure, so about 1hr? can send me an email info@softwhere-it.com could give you direct access to FW or Remote up to you.

Greets,

Jeff

Re: NAT not working on GAIA

the_rock — Tue, 15 Apr 2025 11:48:09 GMT

Are you free in about 15 mins? I can send you direct message here with zoom link if that works?

Andy

Re: NAT not working on GAIA

the_rock — Tue, 15 Apr 2025 11:59:08 GMT

Also emailed you via my personal gmail.

Andy

Re: NAT not working on GAIA

Softwhere — Tue, 15 Apr 2025 12:19:41 GMT

Yes, am available now, had to go to Mac's for some food, (if you can call it that!)