Check Point Firewall-1 Destination NAT

Situation: We have a split SMTP configuration (both internal and external SMTP servers) and want the external SMTP server to be able to send SMTP traffic to our incoming SMTP server. The servers are on different networks, so traffic from the external SMTP has to reach the firewall, pass the rulebase, and have its destination IP address rewritten to the internal SMTP server. A Check Point Firewall separates the DMZ and internal networks.

IP addresses used in this example:

DMZ network: 192.168.1.0/24
Firewall DMZ interface: 192.168.1.2
External SMTP server: 192.168.1.3

Internal network: 10.0.0.0/8
Firewall internal interface: 10.0.0.1
Choke router: 10.0.0.2
Internal SMTP server: 10.0.0.3

For this example, our DMZ network is 192.168.1.0/24 and our internal network is 10.0.0.0/8. The firewall DMZ interface is 192.168.1.2. The internal mail server IP address is 10.0.0.3.

1. Determine an unused IP address on the DMZ network. In this example, we will use 192.168.1.4.

2. Create a static ARP entry on the firewall for the unused IP address, since we want the firewall to handle traffic destined to this IP address. Use the hardware address of the firewall's DMZ interface for the ARP entry; the pub flag makes the firewall answer ARP requests for 192.168.1.4 on the DMZ segment.
arp -s 192.168.1.4 <MAC_address_of_firewall_DMZ_interface> pub

3. Create a static route on the firewall for traffic from the external SMTP server to the internal SMTP server. This route supplies the next hop for traffic to 192.168.1.4, which we want sent to our internal SMTP server. In this example the next hop is a choke router with IP address 10.0.0.2.
route add 192.168.1.4 10.0.0.2 1

4. Add a rule in the Security Policy allowing SMTP traffic from the external SMTP server to 192.168.1.4.

Source: 192.168.1.3
Destination: 192.168.1.4
Service: SMTP
Action: Accept

5. Add a rule in the Address Translation rewriting the destination IP of SMTP traffic from the external SMTP server (192.168.1.3) addressed to 192.168.1.4 so that it is delivered to the internal SMTP server (10.0.0.3).

Original Packet Source: 192.168.1.3
Original Packet Destination: 192.168.1.4
Original Packet Service: SMTP

Translated Packet Source: Original
Translated Packet Destination: 10.0.0.3
Translated Packet Service: Original

6. Install the Security Policy.

7. Test the configuration.

Log in to the external SMTP server. Attempt to connect to the destination NAT address 192.168.1.4 on TCP port 25 (SMTP).

telnet 192.168.1.4 25

You should connect to the internal SMTP server.
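The following is an added illustration, not code from the page or from Check Point: a small model of how the firewall handles the flow configured in steps 4 and 5, plus a helper for the banner check in step 7. It assumes the ordering the page's rules imply (the Security Policy is matched against the original, pre-NAT addresses, which is why rule 4 names 192.168.1.4 rather than 10.0.0.3, and the Address Translation rule is applied afterwards). The names SECURITY_POLICY, NAT_RULES, forward, untranslate_reply and banner_hostname are the example's own, and the hostname in the sample 220 banner is constructed.

```python
"""Model of the Firewall-1 destination NAT flow from the page (added example).

Security Policy is evaluated first, on ORIGINAL addresses; the NAT rule then
rewrites the destination.  Replies from the internal server are translated
back so the external server only ever sees 192.168.1.4.
"""
from dataclasses import dataclass, replace

SMTP = 25
EXTERNAL_SMTP = "192.168.1.3"   # external SMTP server (from the page)
DNAT_ADDRESS = "192.168.1.4"    # unused DMZ address the firewall proxy-ARPs for
INTERNAL_SMTP = "10.0.0.3"      # internal SMTP server


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    sport: int = 40000


# Step 4: Security Policy, top-down, first match wins. "any" matches all.
SECURITY_POLICY = [
    (EXTERNAL_SMTP, DNAT_ADDRESS, SMTP, "accept"),
    ("any", "any", "any", "drop"),   # cleanup rule
]

# Step 5: Address Translation: (orig src, orig dst, service) -> translated dst
NAT_RULES = [
    ((EXTERNAL_SMTP, DNAT_ADDRESS, SMTP), INTERNAL_SMTP),
]


def _match(value, pattern):
    return pattern == "any" or value == pattern


def policy_action(pkt):
    """Return the action of the first Security Policy rule matching pkt."""
    for src, dst, svc, action in SECURITY_POLICY:
        if _match(pkt.src, src) and _match(pkt.dst, dst) and _match(pkt.dport, svc):
            return action
    return "drop"


def translate(pkt):
    """Apply the first matching destination-NAT rule (no match: unchanged)."""
    for (src, dst, svc), new_dst in NAT_RULES:
        if (pkt.src, pkt.dst, pkt.dport) == (src, dst, svc):
            return replace(pkt, dst=new_dst)
    return pkt


def forward(pkt):
    """Packet as it leaves the firewall towards the choke router, or None if dropped."""
    if policy_action(pkt) != "accept":
        return None
    return translate(pkt)


def untranslate_reply(reply):
    """Reverse NAT for return traffic: source 10.0.0.3 becomes 192.168.1.4."""
    for (src, dst, svc), new_dst in NAT_RULES:
        if reply.src == new_dst and reply.dst == src and reply.sport == svc:
            return replace(reply, src=dst)
    return reply


def banner_hostname(banner_line):
    """Hostname from an SMTP 220 greeting, e.g. '220 mail.internal.example ESMTP'
    (constructed sample); None if the line is not a 220 greeting.  Comparing this
    with the internal server's name is the check behind step 7."""
    parts = banner_line.strip().split()
    if len(parts) < 2 or parts[0] != "220":
        return None
    return parts[1]


if __name__ == "__main__":
    out = forward(Packet(EXTERNAL_SMTP, DNAT_ADDRESS, SMTP))
    print("forwarded as:", out)                                   # dst 10.0.0.3
    print("port 80 to NAT address:", forward(Packet(EXTERNAL_SMTP, DNAT_ADDRESS, 80)))
    print("direct to 10.0.0.3:", forward(Packet(EXTERNAL_SMTP, INTERNAL_SMTP, SMTP)))
    print("reply seen by external server:",
          untranslate_reply(Packet(INTERNAL_SMTP, EXTERNAL_SMTP, 40000, sport=SMTP)))
```

The two dropped cases in the demonstration are the ones worth remembering: only SMTP to 192.168.1.4 from 192.168.1.3 is accepted, and a packet sent straight to 10.0.0.3 never matches rule 4 because the rule is written against the pre-NAT address.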

Last modified: 04/08/2003