Check Point Firewall-1 Destination NAT
Situation: We have a split SMTP configuration (both internal and
external SMTP servers) and want the external SMTP server to be able to
send SMTP traffic to our incoming SMTP server. The servers are on
different networks, so traffic from the external SMTP has to reach the
firewall, pass the rulebase, and have its destination IP address
rewritten to the internal SMTP server. A Check Point Firewall separates
the DMZ and internal networks.
IP addresses used in this example:
DMZ network: 192.168.1.0/24
Firewall DMZ interface: 192.168.1.2
External SMTP server: 192.168.1.3
Internal network: 10.0.0.0/8
Firewall internal interface: 10.0.0.1
Choke router: 10.0.0.2
Internal SMTP server: 10.0.0.3
For this example, our DMZ network is 192.168.1.0/24 and our internal
network is 10.0.0.0/8. The firewall DMZ interface is 192.168.1.2. The
internal mail server IP address is 10.0.0.3.
1. Determine an unused IP address on the DMZ network. In this example,
we will use 192.168.1.4.
2. Create a static ARP entry on the firewall for the unused IP address,
since we want the firewall to handle traffic destined to this IP
address. Use the hardware address of the firewall's DMZ interface for
the ARP entry.
arp -s 192.168.1.4 MAC_address_of_firewall_DMZ_interfacepub
3. Create a static route on the firewall for traffic from the
external SMTP server to the internal SMTP server. This route will be
the next hop for traffic to 192.168.1.4, which we want sent to our
internal SMTP server. In the next hop is a choke router with IP address
route add 192.168.1.3 10.0.0.2 1
4. Add a rule in the Security Policy allowing SMTP traffic from
the external SMTP server to 192.168.1.4.
5. Add a rule in the Address Translation rewriting the
destination IP of SMTP traffic from the external SMTP server
(192.168.1.3) to the internal SMTP server (192.168.1.4).
Original Packet Source: 192.168.1.3
Original Packet Destination: 192.168.1.4
Original Packet Service: SMTP
Translated Packet Source: Original
Translated Packet Destination: 10.0.0.3
Translated Packet Service: Original
6. Install the Security Policy.
7. Test the configuration.
Login to the external SMTP server. Attempt to connect to the
destination NAT address 192.168.1.4 on TCP port 25 (SMTP).
telnet 192.168.1.4 25
You should connect to the internal SMTP server.
Back to brandonhutchinson.com.
Last modified: 04/08/2003