
TX 370 blocking outgoing smtp not working because of port translation?

Been working on this for longer than I expected and getting confused. Wondering if port translation might be the issue but not sure.

Running a TZ370 with sonicwall 7.0.1-5080 R3248

The setup is fairly simple. We have no custom NAT policies, and no incoming ports. We do have vpn access from some other locations, but I am only worried about location 1 at this point, not the remote offices for sending this way.

We are trying to lock down outgoing SMTP on port 25 for everything but two systems for scanning to email using direct send. I figured two lan to wan firewall rules would be best. I added the following rules.

To simplify, I would like help just blocking SMTP first, then I will go down the allow-for-specific-servers path. I created this rule.

Action: Deny
Priority: 1
Schedule: Always
Enable: on
Source
  Zone: LAN
  Address: Any
  Port: SMTP (Send e-mail)
Destination
  Zone: WAN
  Address: Any
  Port/services: Any
Logging: On
Allow fragmented packets: on

However, if I run Test-NetConnection -InformationLevel detailed -ComputerName portquiz.net -Port 25

I get

ComputerName : portquiz.net
RemoteAddress : 35.180.139.74
RemotePort : 25
NameResolutionResults : 35.180.139.74
MatchingIPsecRules :
NetworkIsolationContext : Internet
InterfaceAlias : NIC1
SourceAddress : 192.168.1.6
NetRoute (NextHop) : 192.168.1.1
TcpTestSucceeded : True

The source address there is the server I am testing from, and the NetRoute is my router IP.

So I ran a packet capture on Ether type: IP, IP type: TCP, source IP 192.168.1.6, source port 25. Then I re-ran the connection test. I get the following, which seems to indicate it is not hitting my access rule.

Every time I run the test, the source port for the X0 to X1 egress changes. It appears to me that NAT is somehow preventing the firewall from stopping these ports.

Access rule 6 is the rule for all outgoing traffic; however, it is lower on the list. I am wondering if the issue is port translation, as it seems to go out on a normal route. I have tried adding an explicit 25-to-25 outgoing NAT policy, but I cannot turn off port translation on the Advanced tab, so I am stumped.

I figured a firewall rule was all it would take, but it appears that NAT translation is blocking that, as it comes up with a different port every time.

What is going on here? It seems to me that NAT is port translating so much that the firewall rules are not being applied correctly. Any help would be appreciated.

Category: Entry Level Firewalls

Answers

  • JTwrenn Newbie ✭

    Just as a side note, I found a workaround, but it is a very frustrating one. Instead of setting the rule based on the sending port, I did it on the outgoing port, i.e. this:

    ___________________________

    Action: Deny
    Priority: 1
    Schedule: Always
    Enable: on
    Source
      Zone: LAN
      Address: Any
      Port/services: Any
    Destination
      Zone: WAN
      Address: Any
      Port/services: SMTP (Send e-mail)
    Logging: On
    Allow fragmented packets: on

    _____________________________

    This appears to work, but the random inside ports still seem very odd and make it backwards. I would love to be able to turn that off if there is any way, or if I am missing a way to get it to actually send on the proper port, at least internally.
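The difference between the two rules in this thread comes down to which field of the connection carries port 25. A client opening an SMTP session picks an ephemeral source port (the changing port seen in the capture) and sends to destination port 25; NAT does not cause that, the client's TCP stack does. The following is an added illustration, not part of the original post or answer and not SonicOS's matching engine: a small first-match access-rule evaluator run over constructed flows, showing that a rule keyed on source port 25 matches nothing, a rule keyed on destination port 25 matches every outbound SMTP flow, and two allow rules placed above the deny give the "everything except two scanners" policy the poster was after. The scanner addresses are assumptions.

```python
# Added example (not from the forum thread): a minimal first-match
# access-rule model. Flows and rules are constructed for illustration.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src_zone: str
    src_ip: str
    src_port: int            # chosen by the client OS, ephemeral
    dst_zone: str
    dst_ip: str
    dst_port: int            # the service port, 25 for SMTP
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src_zone: str = "any"
    src_ip: str = "any"
    src_port: Optional[int] = None   # None means any port
    dst_zone: str = "any"
    dst_ip: str = "any"
    dst_port: Optional[int] = None   # None means any port
    name: str = ""


def _match(rule: Rule, flow: Flow) -> bool:
    """True when every populated rule field equals the flow's field."""
    return (
        rule.src_zone in ("any", flow.src_zone)
        and rule.src_ip in ("any", flow.src_ip)
        and (rule.src_port is None or rule.src_port == flow.src_port)
        and rule.dst_zone in ("any", flow.dst_zone)
        and rule.dst_ip in ("any", flow.dst_ip)
        and (rule.dst_port is None or rule.dst_port == flow.dst_port)
    )


def evaluate(rules, flow: Flow, default: str = "allow"):
    """First matching rule wins; the default models a permissive
    catch-all LAN->WAN rule lower in the list."""
    for rule in rules:
        if _match(rule, flow):
            return rule.action, rule.name
    return default, "default"


def decide(rules, flows):
    return [evaluate(rules, f)[0] for f in flows]


# Constructed flows: three SMTP connects, each from a different
# ephemeral source port, plus one HTTPS connect as a control.
SMTP_FLOWS = [
    Flow("LAN", "192.168.1.6", 51234, "WAN", "35.180.139.74", 25),
    Flow("LAN", "192.168.1.6", 51287, "WAN", "35.180.139.74", 25),
    Flow("LAN", "192.168.1.50", 60012, "WAN", "35.180.139.74", 25),
]
HTTPS_FLOW = Flow("LAN", "192.168.1.6", 51300, "WAN", "35.180.139.74", 443)

# Rule as first written in the question: SMTP in the SOURCE port field.
RULES_SOURCE_PORT = [
    Rule("deny", "LAN", src_port=25, dst_zone="WAN", name="deny-src-25"),
]

# Rule from the answer: SMTP in the DESTINATION port field.
RULES_DEST_PORT = [
    Rule("deny", "LAN", dst_zone="WAN", dst_port=25, name="deny-dst-25"),
]

# Intended end state: allow two scanners (assumed addresses) above the deny.
SCANNERS = ["192.168.1.50", "192.168.1.51"]   # assumption
RULES_FINAL = [
    Rule("allow", "LAN", ip, dst_zone="WAN", dst_port=25, name=f"allow-{ip}")
    for ip in SCANNERS
] + RULES_DEST_PORT

if __name__ == "__main__":
    print("source-port rule:", decide(RULES_SOURCE_PORT, SMTP_FLOWS))
    print("dest-port rule:  ", decide(RULES_DEST_PORT, SMTP_FLOWS))
    print("final policy:    ", decide(RULES_FINAL, SMTP_FLOWS))
    print("https under final:", evaluate(RULES_FINAL, HTTPS_FLOW))
```

The same field confusion explains why a packet-capture filter on source port 25 shows nothing useful for outbound mail: to see the flows the deny rule should catch, filter on destination port 25 (or on the client IP alone) and check which access rule the capture reports as matched.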
