Hello everyone,
Have an interesting problem, I am missing something. Our configuration: the Firewall is R81.10, locally managed. We have 2 Email Servers configured as a DAG behind the Firewall and tried to NAT both to the same Public IP, ending in .250 (the Firewall has .251). When we send an email, for example to ping@mxtoolbox, it shows that the email is coming from .251. When we go to the browser on either of the Email Servers and make a speedtest, it shows up with the correct .250 address.
Obviously our problem is that some emails are refused since .251 is not an MX entry in the DNS. So how should we configure the NAT correctly?
Have added our NAT table. DAG-Email contains both internal IPs of the Email Servers, EX_NAT is the public address .250, EX2019 and EX19-2 correspond to the internal Email Servers.
All 3 NAT rules have "Hide multiple sources behind the translated source addresses" as well as "Serve as an ARP Proxy for the original destination IP address" checked.
BTW we have a 3rd Email Server using NAT with .253 that works fine.
Would greatly appreciate some help with this, I obviously am missing something.
Thanks much
JJY
Could you share a pic of the NAT rules? Simply blur out the sensitive data.
I thought I had added the .png
Just to make sure there is no connection that "stuck" somewhere, have you tried rebooting the fw?
Andy
Thanks for support, but yes have rebooted a couple of times.
K, just to make sure we got this right, do you have a basic diagram of what exactly is supposed to be NATed and how? I think that way we can 100% ensure it's right.
Andy
Now I suggest you do a packet capture, e.g. # fw monitor, and check what is happening. Does the packet leave the Check Point, or is it stuck somewhere, as Andy said?
A little help for the syntax: https://tcpdump101.com/
Maybe an fw ctl zdebug + drop | grep IP can be useful as well.
Akos
@AkosBakos Thank you for promoting my colleague's site, appreciate it mate! We gave it to a few customers in the past when we would go on site to do work for them, I hope they still use it : - )
Andy
Really? One of the best sites ever 🙂
O yea, he is a super nice guy. Funny enough, he actually gave me R60 CCSA and CCSE training back in 2009 (makes me feel old lol). I'm sure @PhoneBoy knows him really well.
These days he is really busy, so he may update the site from time to time, but probably not as often as he used to. But if you or anyone else has feedback, I'm sure he would be more than happy to look into whatever suggestions people have.
Andy
We worked together for a hot minute, so yeah. 🙂
I still think a simple diagram would help us, just blur out any sensitive data.
Andy
Hi Jeff,
K, so just to make sure I got this right (tx for the diagram btw, excellent), is it the case that the 172.17 and .18 hosts are supposed to be NATed to 88.x.x.x IPs respectively?
Andy
Hi Andy,
Yes, actually quite strange. The 2 Exchange servers are in a Microsoft DAG, so both servers contain all mailboxes and both send/receive emails. Both servers 172.17.0.6/7 should be NATed to 88.217.xx.250. When using the browser (HTTPS) to identify the IP address, it shows correctly on both servers as 88.217.xx.250. However, when sending emails (to help identify the problem, presently only .6 is used to send emails), the header shows the email is coming from 88.217.xx.251, which is the IP address of the Check Point. This of course does not correspond to SPF, DMARC and DKIM. Have presently helped simply by adding the .251 address as an MX. But this will not work for long since it is not possible to create a DKIM for the Firewall.
In the Internet settings for both, under NAT, the option 'Do not hide internal networks behind this Internet connection' is not checked. If it is checked then the correct IP address is used in sending emails (in other words it works as it should), however all other servers can no longer connect to the Internet.
Hope this description is understandable :).
Thanks again,
Jeff
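A way to confirm from the recipient's side which address the mail actually left the site with, and whether the domain's SPF record would accept it, as an added example that is not part of this thread. The sample message, the SPF record and the 203.0.113.x addresses (a documentation range standing in for the real public prefix) are constructed; the check only evaluates ip4 and all mechanisms, so it runs offline.

```python
import ipaddress
import re
from email import message_from_string

# RFC 1918 ranges: hops with these addresses are still inside the site, not the NATed hop.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def first_external_hop(raw_message):
    """Walk the Received headers from the origin (bottom) upward and return the
    first non-RFC1918 IPv4 address, i.e. the address the mail left the site with."""
    msg = message_from_string(raw_message)
    for header in reversed(msg.get_all("Received", [])):
        for ip in IPV4.findall(header):
            if not any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS):
                return ip
    return None

def spf_result(sending_ip, spf_record):
    """Evaluate the ip4 and all mechanisms of an SPF record offline.
    include/a/mx would need DNS lookups and are deliberately ignored here."""
    addr = ipaddress.ip_address(sending_ip)
    for term in spf_record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:") and addr in ipaddress.ip_network(term[4:], strict=False):
            return QUALIFIERS[qualifier]
        if term == "all":
            return QUALIFIERS[qualifier]
    return "neutral"

def check_outbound_nat(raw_message, spf_record, expected_nat_ip):
    """Compare the hop the recipient saw with the address the hide-NAT rule should produce."""
    seen = first_external_hop(raw_message)
    return {"seen_ip": seen, "matches_nat": seen == expected_nat_ip,
            "spf": spf_result(seen, spf_record) if seen else "none"}

# Constructed sample: mail from DAG member 172.17.0.6 that left the gateway as .251, not .250.
# 203.0.113.0/24 is a documentation range standing in for the thread's real public prefix.
SAMPLE_MESSAGE = """Received: from mx.example.net (mx.example.net [203.0.113.10])
\tby inbound.example.org with ESMTPS; Tue, 1 Jan 2030 10:00:00 +0000
Received: from mail.example.net (unknown [203.0.113.251])
\tby mx.example.net with ESMTP; Tue, 1 Jan 2030 09:59:59 +0000
Received: from EX2019.corp.local (172.17.0.6) by EX2019.corp.local
\twith Microsoft SMTP Server; Tue, 1 Jan 2030 09:59:58 +0000
From: sender@example.net
"""
SAMPLE_SPF = "v=spf1 ip4:203.0.113.250 -all"  # constructed: only .250 is authorised
```

Running `check_outbound_nat(SAMPLE_MESSAGE, SAMPLE_SPF, "203.0.113.250")` on a captured bounce or a test mail to a header-echo service reproduces the symptom described above: the hop seen is .251, the NAT check fails and SPF returns fail.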
It is, yes, thanks! Hey, if you allow remote, I would love to do it and see if we can figure this out. I'm in EST, which is GMT-4 I believe, so it's 7.30 am here, I can do around 8.30 am my time, if that works?
Let me know.
Andy
Hi Andy,
Sure, so in about 1 hr? You can send me an email at info@softwhere-it.com, I could give you direct access to the FW or remote, up to you.
Greets,
Jeff
Are you free in about 15 mins? I can send you a direct message here with a zoom link if that works?
Andy
Yes, am available now, had to go to Mac's for some food, (if you can call it that!)
K, messaged you directly with the zoom link
Andy
Hey Jeff,
I looked into this a bit more (set up a quick demo lab) for SMB and was wondering if you see the same option I attached, though this is the R81.10.10 version. I'm almost positive what you showed me is checked, but just wanted to confirm the same setting is there. Btw, another thing I thought of... since you said this works randomly, did you ever try disabling/re-enabling the NAT rules or even deleting/re-creating them??
Andy
Also emailed you via my personal gmail.
Andy
Given the screenshots suggest this is on a Quantum Spark appliance, I've moved the message to the correct space.
What blades are enabled here?
While there are a few screens that will provide all the information in aggregate, the easiest thing to do is type the following in expert mode: enabled_blades.
Hey everyone,
Just finished the zoom remote with Jeff. We verified the NAT is 100% correct, as well as the rules/mail server config. Weird thing is this works randomly, but mostly it does not.
Zdebug does not show anything, but fw monitor shows the connection from the mail server to the fw, but then nothing from the fw further.
Jeff will open TAC case for it and update us how it gets solved.
Thanks again @Softwhere for your time, it was nice talking to you. Next time I'm in Munich, we should go to Mac's for some "good" food 😂😂
Andy