Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 5 replies
  • Subscribers 4 subscribers
  • Views 6272 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Port Forwarding to another UTM connected via RED

triggad23

Hi,

 

I'm using the UTM for many years now, but now I have a problem I got stuck..

 

The Environment:

Site A (a rented Server):

Small Server, virtual UTM (UTM A), many public IPs, fast Internetconnection

 

Site B:

big hardware UTM (UTM B), dyn. IP, not so fast Internetconnection (100/40), all other Servers are located here

 

I have a good working UTM to UTM Red Tunnel between Site A&B and until now I'm using this szenario:

- MX Records points to site A

- the Emailprotection of UTM A processes the Mail

- the Email gets forwarded over the Red Tunnel directly to the Mailserver at Site B

 

This worked for years now, but i wan't to make the "remote" UTM A dumber, so everything important is at site B

 

So what i want:

- MX Records points to site A

- the SMTP Port is forwarded to UTM B

- UTM B makes the Processing of the Email and delivers it to the Exchange

 

I tried it this was:

- on UTM A I created a DNAT:

    Source: Any

    Service: SMTP

    Destination: the Interface with the Public IP the MX record points to

    Change Destination: the Red Tunnel IP of UTM B

    Change Service: SMTP

    automatic Firewall Rules

- on UTM A I created a masquerading for the Red Tunnel network

- on UTM B i allowed the RED IP of UTM A as Upstream Host in the Email Protection (but the allow only is not selected)

 

I tried to test this construct via telnet on Port 25 but I can't connect to any SMTP Server (Timeout).

I checked the Firewall Logs on both UTMs but there are no entrys for this problem.

 

Has anyone an idea where the mistake could be...

 

Greets Daniel



This thread was automatically locked due to age.
  • 0

    You're not waiting for this answer probably, but why not just change MX record to point to B? If the desired scenario you describe a failure of internet connection in point A will completely disable email while all email is handled by B.

    I'm not sure whether it's possible to DNAT to a site behind RED tunnel. You might need change to IPSEC between the two UTMs.

    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • 0 in reply to apijnappels

    Hi,

     

    thanks for your answer. Site B has a Dynamic IP and theres no option to change this (3 times more expensive...). In theory it's possible to use a Mailserver behind dyndns but in the past I had a lot problems with foreign Mailserver caching the old ip too long.

    Site A has a complete /29 subnet and some additional IPs. So it would be nice to use them forwarded to site B. In addition to this site A has redundant Internetconnections. It's just the server i rented there is to small for my exchange server and i don't want to spend more money...

    When this scenario is possible i wanted to use more services via this way. But if it's not possible, i will make the UTM at site A more intellegent, doing the Mail processing, Webprotection etc.

    I tried ipsec before, but the RED tunnel worked better for me. I had a lot connectivityproblems, especialy after the nightly IP-change at site B. Since i changed to RED tunnels there were no more problems.

     

    Greets

    Daniel

  • +1

    Hallo Daniel,

    I'm a visual-tactile learner, so I would have to make a diagram to follow your explanation.  I suspect that you just need a Full NAT instead of a DNAT.  This is a problem similar to Accessing Internal or DMZ Webserver from Internal Network.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Hi Bob,

     

    the FullNAT worked immediately! Thanks a lot!

    Has anyone Security Concerns about this construct? Would it be better to route this "forwarded external traffic" through an separate Red Tunnel?

     

    Greets Daniel

  • 0 in reply to triggad23

    Hi,

     

    I have found another solution for this problem!

    As I said before I have a complete /29 Subnet available at Site A. From the Internet the hole Traffic for this Subnet is routed over another public IP (not within this subnet) so I could simply use it by adding the IPs as "Additional IPs" to this Interface. But the fact that I have a complete Subnet available brought me to another Idea:

    Why not to us this Subnet for the Red Tunnel?

     

    Tried it and it worked perfekt. So now i have 5 IP Addresses directly assigned to a Interface on UTM B! The only downside is, that I'm loosing one IP for the Red Interface on UTM A.

     

    Greets

    Daniel

Unfiltered HTML