Help with Exchange Hosted Services & Netscreen NS50

Status
Not open for further replies.

gmen667

IS-IT--Management
Sep 26, 2006
3
US
Hello,


My situation is this. I am completely new to the Netscreen architecture and am basically learning as I go. Brutal I know, but what can I do? :)

My company is using MS Exchange hosted services to help with spam/virus problems and the Exchange service provider we use emailed me and asked me to "please allow SMTP traffic on port 25 from the following IP addresses if you have not done so already:"

My question is, where do I do this? I am thinking it is in the "Policies" section. If so, then I assume the section to create the policy would be in the "From Untrust To Global" area.

Would I create this?
1. Create Source as Exchange Server IP 1 (Since I have 3 to add, I would repeat the steps numerous times)
2. Create Destination is MIP for Mail Server with Service of MAIL

Is that it? Am I completely off? Any help would sooo very much be appreciated and welcomed.


Thank you
 
Hey gmen,

if you are running in nat mode, you will need to create a mip for the traffic to be able to reach its destination.

so if you have 3 live ip addresses that should correspond to 3 servers with internal ip addresses then you need to do the following.

live ip range 1.1.1.1 - 1.1.1.3
internal 192.168.1.1 - 192.168.1.3 (servers)

where x is the interface number of the wan interface.
and assuming you are using the trust vr as opposed to multiple vr's

set int eX mip 1.1.1.1 host 192.168.1.1 netmask 255.255.255.255 vrouter trust-vr
set int eX mip 1.1.1.2 host 192.168.1.2 netmask 255.255.255.255 vrouter trust-vr
set int eX mip 1.1.1.3 host 192.168.1.3 netmask 255.255.255.255 vrouter trust-vr

then you only need to set policies from untrust to trust (assuming e3 is in zone untrust and servers are in zone trust) to permit smtp.

That's it....

Kind regards

Njetscreamer
 
Thanks for that, it is getting me in the right direction. Many thanks!

I forgot to mention one thing, this NS50 is already set up and mail is flowing in without a problem. I just need to add the additional server IPs from our exchange provider. I would just put those in the policy from untrust to trust. If so, then the source will be the Exchange provider IP addresses and the destination would be "Any" with the Mail service? I hope that makes sense.


Thank you so much Njetscreamer, you are making my life 100X better!

 
I have a quick update to add. I am so close to getting this fixed but just need a little bit of help. It turns out the setting is correct, I have under "Untrust to Global" a Source of Any and a destination to MIP (Mail Server IP) with SMTP service. But for some reason, outside traffic is still not coming in. Am I missing something obvious? Any ideas would be greatly appreciated!


Thanks
 
Dear Gmen,

If you are running your Netscreen in NAT mode, then your policy should be from Untrust to Trust. The Source Address will be "Any" (if inbound e-mail will be coming from any outside source ip address.) The destination will be your "MIP" (Mapped IP Address of your Exchange Server) and the Service will be "SMTP" if you only want to allow incoming traffic from port 25. The Action should be set to "Permit."

After this you may need to re-position the policy order.
Try to "Move" this policy to the top of policy list.
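
The source-restricted form of the policy discussed in this thread, as an added example that is not part of any post: with hosted filtering, inbound mail arrives from the provider's relays, so the SMTP permit can name those relays instead of "Any". Assumptions: NAT mode with Untrust and Trust zones, the predefined MAIL service, MIP(1.1.1.1) taken from the sample addresses in the reply above, and placeholder provider addresses and object names (the thread does not list the real ones).

```text
# Added example. Lines starting with "#" are annotations, not ScreenOS
# commands; leave them out when typing at the CLI.
# 192.0.2.10-12 and the EHS-* names are placeholders (hypothetical).
# Substitute the addresses the hosted-services provider actually sent.

# 1. One address-book entry per provider relay, in the zone the mail
#    arrives from.
set address "Untrust" "EHS-1" 192.0.2.10 255.255.255.255
set address "Untrust" "EHS-2" 192.0.2.11 255.255.255.255
set address "Untrust" "EHS-3" 192.0.2.12 255.255.255.255

# 2. Group the entries so a single policy covers all three relays.
set group address "Untrust" "EHS-Senders"
set group address "Untrust" "EHS-Senders" add "EHS-1"
set group address "Untrust" "EHS-Senders" add "EHS-2"
set group address "Untrust" "EHS-Senders" add "EHS-3"

# 3. Broad form discussed in the thread (shown for comparison only):
#      source "Any" -> "MIP(1.1.1.1)", service "MAIL", permit
#    Every Internet host can open port 25 to the mail server, including
#    senders that skip the hosted filter.
#
#    Restricted form: only the provider relays reach the MIP. "top"
#    places the policy first in the Untrust-to-Trust list, and "log"
#    records each permitted session for later review.
set policy top from "Untrust" to "Trust" "EHS-Senders" "MIP(1.1.1.1)" "MAIL" permit log

# 4. Review the resulting order, then make the change persistent.
get policy from "Untrust" to "Trust"
save
```

Policies are evaluated top-down and the first match wins, so an existing "Any" SMTP permit left lower in the list still admits every other sender until it is removed or disabled.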
 