Create a Post
Showing results for 
Search instead for 
Did you mean: 

ClusterXL with only private ip addresses + MTA

Hi everyone! I have a challenging problem. Corporate internet access is a little bit hierarchical. We have border routers for handling BGP with several ISPs with different channels. Behind border routers is staying our CHECKPOINT cluster. Routes between border routers and the CP cluster are handed by OSPF process and the neighborship broadcast network is from private pool. There are no public IPs assigned to checkpoint. All our public pool is handed by NAT policy on the CP cluster (i mean we have manual nat rules fur public services and typical object nat behind our public pool addresses). Everything works fine until we need to deploy MTA on our cluster. Some digging into guides provided a clearly method of configuring MTA with listening on ALL interfaces- that's ok, all our interfaces are listening 25 port, cool. But we need a public address and all interfaces are with private IPs so there is no nothing much easier than configuring a static manual nat with a selected public IP from our pool for pointing to one of VIPs(for example outside) on tcp 25 (smtp). Of course in the access policy all necessary rules were added, so no drops by firewall.

BUT.... it's not working no mail is coming to our MTA from the internet

A simple telnet to this public ip on 25 port shows us a destination host unreachable.

Fw monitor returns packet as it comes to gateway(i) with dest publicIP on port 25, than it is correctly nated to VIP(I), than it enters preout chain(o) and goes out (O).

No drops in zdebug...

There are no returned packets except ICMP unreachable from that public IP(among manual nat for mta this ip is also ip of CP cluster as it initiates traffic to the internet)

I have already opened a case on service desk, but would like to ask here about my trouble, maybe someone will give a suggestion.

Thanks in advance!

0 Kudos
3 Replies
Employee Employee


Out of interest have you configured manual rules in your access policy or are you relying on the implied rules for MTA per sk110758?



0 Kudos

Hi Chris!

Of course I did, I have mentioned that there are no drops from firewall in debugs, and showing all steps in fw monitor(iIoO) that packet to 25 port is correctly crossing also approves this information.

0 Kudos

Problem solved. I have created another interface with private ip adressess on both gateways, but in smart console I have added a public pool address in VIP field. Now MTA listens  on this VIP too.

0 Kudos


Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events