Wired Intelligent Edge

Hi,


A brief outline of what I'm trying to achieve...


I have my firewall sat on 10.100.10.254.

My switch sits on 10.100.10.2.

My mail server sits on 10.100.10.5


I am in the process of moving my firewall to a new corp firewall. I plan to do this in 2 stages. Stage one will me the routing of all Internet traffic except email over the new firewall. When the new firewall has proved it's worth, I will migrate the email over to run through it. In the interim I plan to continue to route all email traffic through my existing firewall.


So, here's where I'm currently at. I have set up a static route in my Procurve switch to point anything destined for 3 static IPs (the IP's belonging to the Messagelabs cluster that I use), through my existing firewall so that when I make the change to the default route (0.0.0.0 0.0.0.0) and point it at the new firewall, outbound email will continue to route out through my existing firewall. This works as expected. What doesn't work however is inbound email and I cannot get my head around why. I know if has something to do with the default route on the switch but I can't figure out exactly why this should make a difference.  My thought process is that external email destined for my company, hits the Messagelabs servers, they are configured to relay that email to my mail server through the IP address attached to my existing firewall. There's no reason for that to be any different as nothing has changed here. From there, it hits my firewall but for reasons unknown to me, fails to deliver the email to the mailboxes.

Switching the default route on the Procurve switch back to point at the existing firewall resolves the issue. My existing firewall can see my mail server without any issues so I'm utterly stumped.


If someone could point out why this isn't working as expected, I'd really appriciate it.


Many thanks.

hmmm....interesting.

I guess in your shoes I would be looking at any assumptions I had made.

Does the SMTP send service on the Messagelabs servers use the same IP address(es) as the SMTP receive service, for which you have the routes setup on the switch?

Can you see your SMTP logs on both sides of this issue, to see if,

a/ The Messagelabs is definitely initiating a connection to the EMail server, and getting nothing back?

b/ Does the email server see the SMTP connection but reject it due to - perhaps - DNS changes you may have done in relation to implementing the new firewall?

I'm also thinking about the topology on the outside of your two firewalls - do they share an outside segment? 
How does incoming traffic know which path to take?

Hi Vince,

Thanks for your reply. To answer your questions;

The SMTP send service connects to only one address. That address is tied to my firewall's external facing nic. That connection is then NAT'ed on my firewall to point to the internal IP of my mailserver. The only route Messagelabs knows about is the one to my existing firewall.

I had the same idea about the logs. I'm talking to Messagelabs today to try to work out what they see from their end. I'll be honest and say that I didn't look at the Exchange logs based purely on fact that the only thing to change is a single route on the switch. No DNS comes into it.

As far as the topology goes, the firewalls are on 2 completely separate segments from 2 separate providers. The only inbound traffic I have is email. This is obviously routed via the MX records to my existing firewall.

Part of me is happy you haven't just come in with a "you're an idiot, here's the solution" answer, at least I know now I'm hopefully not missing something glaringly obvious!

:-)

So I figured out the issue. Short solution was that I needed to added every IP range of the Messagelabs servers to the static routing table on my switch. The Messagelabs servers were connecting to my mail server from a random address within their cluster. When my mail server replied, there was no stati route to force all connections to the Messagelabs ranges through my firewall and so the reply ended up going out over the new firewall and hence the failure.

Off the back of this, I do have a new problem. While I have fixed the issue above, I'm left with a new one. My users connect in to my mail server through webmail. What is currently happening is as above. Connections are made from their homes, through my exiting firewall, the firewall directs the traffic to my mail server, my mail server replies on the default ip route (the new firewall) causing the connection to fail. So my question is this; is there any way I can force all connections from my mail server to go out over my other firewall. A static route is in the format of: 

Address range you want to connect to

Subnet Mask

IP address of route

I don't see how I can use a static route to force a single internal IP address to route all it's traffic through a certain IP address.

Any pointers?

Thanks.

Yes you can, but not all layer3 devices can do it.

Google PBR. Policy Based Routing.