Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 6 Jul 2009 18:53:44 +0200
From:      Giuliano Gavazzi <>
To:        Kim Attree <>
Cc:        "" <>
Subject:   Re: Problem with source based policy routing
Message-ID:  <>
In-Reply-To: <>
References:  <> <> <>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help

On M 6 Jul, 2009, at 15:35 , Kim Attree wrote:

> I have one Internal Exchange server (don't laugh), and NAT handles  
> the static mapping of IP/Port to that server. The original point  
> here is to have two mapped NAT port 25's to the same internal Mail  
> server, hence the addition of the NAT before and during the forward  
> logic (obviously wrong though).

ah, if you want to have an internal server to be reachable on both  
public addresses, via the corresponding two firewall interfaces, you  
must have a way to tell the firewall how to distinguish the return  
packets in order to use the correct natd instance. If the internal  
exchange server port is the same, there is no way telling that. At  
most you could use the peer port, but even that would not be  
failproof, and I would not know how to proceed (I think dynamic rules  
can only establish holes - allow action - in the firewall, not a fwd  
action). So you must use two different ports or alias addresses on the  
exchange server, and divert to the appropriate outgoing natd instance  
on the basis of that.

I have not enough time at the moment to write down a complete  
workflow, but I hope this, with the remarks in my previous post, gives  
you enough hints.


Want to link to this message? Use this URL: <>