An XG uses an upstream smarthost to send and receive mail to and from the internet. My problem is that the XG already sends outgoing mail on the right interface, but there is a transfer network towards the smarthost which is private, not public, so the upstream smarthost knows no route to the IP that the Sophos uses. I have already tried everything with NAT, but nothing seems to work here.
Hello Sophos User2126,

Thank you for reaching out to the community. If I understood it correctly, you have an on-premise smarthost which you want to use under Email > General settings > Smarthost settings. If that is the case, you can create a DNAT for that on-premise server: https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/RulesAndPolicies/NATRules/RulesPoliciesCreateDNATAndFirewallRulesForInternalServers/index.html
Thanks & Regards,
_______________________________________________________________
Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved
Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Hi, does this also work for running Sophos itself (the MTA service) over the NAT?
It should, with source set to "ANY".
Unfortunately it does not work. The problem may also be that this NAT should be on an interface IP of the Sophos that is on LAN1, but the route would go via LAN4.
There is still a CLI command that is needed for NAT in conjunction with IPSec. Could there still be a possibility here?
Do you want me to draw it?
Yea, a topology will be better to narrow it down. Do you have aliases on LAN1? If not, have you created any?
Yes, there is an alias configured.
That's the situation: the Exchange sends the mails to the Sophos, and then the Sophos should send them to the smarthost, out on P4. BUT the mail service inside the Sophos must use a source IP address of the LAN (actually it uses the configured alias) to communicate with the smarthost, because the transfer network is local-only and not routed by the provider. Incoming mails from the smarthost are working as expected.
Hello Sophos User2126,

In this scenario, instead of MASQ with the interface in the NAT rule under "Translated source (SNAT)", leave that as original, select the outbound interface and mark it with that particular desired interface.
Tried this and also this: https://support.sophos.com/support/s/article/KB-000035607?language=en_US

But both don't seem to work. I'll capture some traffic to see what's going on.
Sure, tcpdump or a packet capture can help to understand it!
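Added example (not part of the thread, not Sophos code): a Python script that reads the text output of a `tcpdump -nn` capture on the smarthost-facing port and reports which source address the MTA actually used for each SMTP connection attempt, and whether the smarthost ever answered the SYN. The smarthost address, the private transfer network, the LAN alias and the capture lines are constructed placeholders standing in for the topology described above.

```python
"""Summarise outbound SMTP connection attempts in a tcpdump text capture and
report which source address the firewall's MTA actually used.

Added example for this thread, not Sophos code. The smarthost address, the
transfer network, the LAN alias and the capture itself are constructed."""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed stand-ins for the topology in the thread (assumptions, not real values).
SMARTHOST = ipaddress.ip_address("10.200.0.2")          # upstream smarthost on the P4 transfer net
TRANSFER_NET = ipaddress.ip_network("10.200.0.0/30")    # private transfer net the provider does not route
EXPECTED_SOURCE = ipaddress.ip_address("192.168.10.5")  # LAN1 alias the smarthost can route back to
SMTP_PORTS = (25, 465, 587)

# One line of `tcpdump -nn` output for an IPv4 TCP segment, e.g.
# 12:00:01.000100 IP 10.0.0.1.40001 > 10.0.0.2.25: Flags [S], seq 1, win 64240, length 0
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed capture: three unanswered SYN retransmits from the transfer-net
# interface address, then a completed handshake from the LAN alias.
CAPTURE = """\
12:00:01.000100 IP 10.200.0.1.40001 > 10.200.0.2.25: Flags [S], seq 1, win 64240, length 0
12:00:02.000100 IP 10.200.0.1.40001 > 10.200.0.2.25: Flags [S], seq 1, win 64240, length 0
12:00:04.000100 IP 10.200.0.1.40001 > 10.200.0.2.25: Flags [S], seq 1, win 64240, length 0
12:00:10.000200 IP 192.168.10.5.40002 > 10.200.0.2.25: Flags [S], seq 2, win 64240, length 0
12:00:10.000900 IP 10.200.0.2.25 > 192.168.10.5.40002: Flags [S.], seq 9, ack 3, win 65160, length 0
12:00:10.001000 IP 192.168.10.5.40002 > 10.200.0.2.25: Flags [.], ack 1, win 502, length 0
12:00:11.000000 IP 10.200.0.2.25 > 192.168.10.5.40002: Flags [P.], seq 1:30, ack 1, win 509, length 29
""".splitlines()


def parse_line(line):
    """Parse one tcpdump line into a dict, or return None for lines that are not IPv4 TCP."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "src": ipaddress.ip_address(m.group("src")),
        "sport": int(m.group("sport")),
        "dst": ipaddress.ip_address(m.group("dst")),
        "dport": int(m.group("dport")),
        "flags": m.group("flags"),
    }


def smtp_syns(lines, smarthost=SMARTHOST, ports=SMTP_PORTS):
    """Return new-connection SYNs (flags exactly 'S') sent to the smarthost's SMTP ports."""
    pkts = (parse_line(line) for line in lines)
    return [p for p in pkts
            if p and p["dst"] == smarthost and p["dport"] in ports and p["flags"] == "S"]


def handshake_status(lines, smarthost=SMARTHOST, ports=SMTP_PORTS):
    """Map each (source IP, source port) that sent a SYN to whether a SYN-ACK came back.
    A source that never receives a SYN-ACK is one the smarthost cannot route a reply to."""
    status = {}
    for p in smtp_syns(lines, smarthost, ports):
        status.setdefault((str(p["src"]), p["sport"]), False)
    for line in lines:
        p = parse_line(line)
        if p and p["src"] == smarthost and p["sport"] in ports and p["flags"] == "S.":
            key = (str(p["dst"]), p["dport"])
            if key in status:
                status[key] = True
    return status


def source_report(lines, expected=EXPECTED_SOURCE, transfer_net=TRANSFER_NET):
    """Per source IP: number of SYNs (retransmits included), whether any handshake
    completed, and a verdict: 'ok' for the expected LAN alias, 'transfer-net' for an
    address inside the unrouted transfer network, 'other' for anything else."""
    attempts = Counter(str(p["src"]) for p in smtp_syns(lines))
    answered = defaultdict(bool)
    for (src, _port), ok in handshake_status(lines).items():
        answered[src] = answered[src] or ok
    report = {}
    for src, n in attempts.items():
        addr = ipaddress.ip_address(src)
        if addr == expected:
            verdict = "ok"
        elif addr in transfer_net:
            verdict = "transfer-net"
        else:
            verdict = "other"
        report[src] = {"attempts": n, "answered": answered[src], "verdict": verdict}
    return report


if __name__ == "__main__":
    for src, info in source_report(CAPTURE).items():
        print(f"{src:>15}  attempts={info['attempts']}  answered={info['answered']}  {info['verdict']}")
```

Feed it the text of a capture taken on the smarthost-facing port (for example the output of `tcpdump -nn -i <port> tcp port 25`) instead of the constructed `CAPTURE`. A source that shows repeated SYNs and `answered=False` with the verdict `transfer-net` is the symptom described in the thread: the MTA left with the transfer-network address and the smarthost has no route back, so the SNAT to the LAN alias is not being applied to the firewall's own traffic.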