Sophos UTM 320 with 9.004-29.
Migrated from a Cisco ASA 5510.
I've added masquerading and firewall rules to allow all outbound traffic from my internal subnet to the Internet, and it will appear to be coming from the UTM primary external IP.
I need one exception: my SMTP server needs to be NATed outbound to a different public IP, to avoid issues with reverse DNS lookup. I've added this as an additional IP on the external interface.
NAT rule:
Full NAT
Traffic Selector: any ---> SMTP ---> External (WAN) [smtp_external] (address)
Source Translation: External (WAN) [smtp_external] (address)
Destination translation: smtp_internal
Automatic firewall rule: yes
The problem is that the outbound traffic from the SMTP server is NATed to the masquerade rule default address, not the NAT-rule-specific public SMTP address. As such, strict reverse DNS recipients are rejecting my messages.
I really don't want to change reverse DNS.
On the Cisco ASA, the dynamic NAT rules (equivalent to masquerade rules) were applied after static NAT rules. Static NAT rules were automatically bidirectional.
How do I need to change my UTM rules to get equivalent bidirectional NATing?
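The ordering problem described in the post, modelled as an added example (this is not Sophos or Cisco code, and it is not a statement of how UTM 9.004 orders its own tables): a first-match-wins walk over an ordered NAT rule list, using constructed addresses. It shows why a Full NAT rule whose traffic selector is any -> SMTP -> smtp_external never matches the mail server's own outbound connections (the destination is some remote MX, not smtp_external), so those packets fall through to the masquerade rule; and that an explicit source-NAT rule for smtp_internal, placed ahead of the masquerade rule, is what gives outbound mail the smtp_external address, while the inbound DNAT keeps working. The rule names, the addresses and the assumption that rules are evaluated top-down with the first match deciding are assumptions of this example, not facts from the post.

```python
"""Ordered NAT rule evaluation, first match wins (added example, not UTM code).

Constructed addresses:
  203.0.113.10   primary WAN address (what the masquerade rule uses)
  203.0.113.25   smtp_external, additional address on the WAN interface
  192.168.1.25   smtp_internal, the mail server on the LAN
  192.168.1.0/24 internal subnet
  198.51.100.7   a remote MX the mail server delivers to
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

WAN_PRIMARY = "203.0.113.10"
SMTP_EXTERNAL = "203.0.113.25"
SMTP_INTERNAL = "192.168.1.25"
INTERNAL_NET = "192.168.1.0/24"
REMOTE_MX = "198.51.100.7"


@dataclass
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    name: str
    src: str                    # "any" or a host/network in CIDR form
    dst: str                    # "any" or a host/network in CIDR form
    dport: Optional[int]        # None means any service
    snat_to: Optional[str] = None   # source translation
    dnat_to: Optional[str] = None   # destination translation


def _selector_matches(selector: str, addr: str) -> bool:
    return selector == "any" or ip_address(addr) in ip_network(selector, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (_selector_matches(rule.src, pkt.src)
            and _selector_matches(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def translate(rules: List[Rule], pkt: Packet) -> Tuple[str, Packet]:
    """Walk the ordered list; the first matching rule rewrites the packet.

    Returns (rule name, translated packet); ("no-nat", pkt) if nothing matched.
    """
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.name, Packet(rule.snat_to or pkt.src,
                                     rule.dnat_to or pkt.dst,
                                     pkt.dport)
    return "no-nat", pkt


# The Full NAT rule as written in the post: any -> SMTP -> smtp_external,
# source translated to smtp_external, destination translated to smtp_internal.
FULL_NAT_SMTP = Rule("full_nat_smtp", "any", SMTP_EXTERNAL, 25,
                     snat_to=SMTP_EXTERNAL, dnat_to=SMTP_INTERNAL)

# The masquerade rule: everything from the internal subnet leaves as WAN_PRIMARY.
MASQUERADE = Rule("masquerade", INTERNAL_NET, "any", None, snat_to=WAN_PRIMARY)

# Hypothetical fix: a plain SNAT rule for the mail server's own outbound traffic.
SNAT_SMTP_OUT = Rule("snat_smtp_out", SMTP_INTERNAL, "any", None, snat_to=SMTP_EXTERNAL)

ORIGINAL_RULES = [FULL_NAT_SMTP, MASQUERADE]
CORRECTED_RULES = [FULL_NAT_SMTP, SNAT_SMTP_OUT, MASQUERADE]
WRONG_ORDER_RULES = [FULL_NAT_SMTP, MASQUERADE, SNAT_SMTP_OUT]  # SNAT never reached


def outbound_from_mail_server() -> Packet:
    """Mail server opening a delivery connection to a remote MX (constructed)."""
    return Packet(SMTP_INTERNAL, REMOTE_MX, 25)


def inbound_to_mail_server() -> Packet:
    """Remote MX connecting to the published smtp_external address (constructed)."""
    return Packet(REMOTE_MX, SMTP_EXTERNAL, 25)


def public_source_after(rules: List[Rule]) -> str:
    """Which public address the mail server's outbound SMTP appears to come from."""
    return translate(rules, outbound_from_mail_server())[1].src


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES),
                         ("corrected", CORRECTED_RULES),
                         ("wrong order", WRONG_ORDER_RULES)):
        name, pkt = translate(rules, outbound_from_mail_server())
        print(f"{label:12s} outbound matched {name:14s} -> src {pkt.src}")
    name, pkt = translate(CORRECTED_RULES, inbound_to_mail_server())
    print(f"{'corrected':12s} inbound  matched {name:14s} -> dst {pkt.dst}")
```

Running it shows the original rule set sending the mail server out as 203.0.113.10 (the masquerade address), the corrected set sending it out as 203.0.113.25, and the same SNAT rule doing nothing when it is placed below the masquerade rule, which is the ordering point the ASA's static-before-dynamic precedence used to handle implicitly. Whatever the real UTM does internally, the check to run after changing the rules is the same: open an outbound SMTP connection from the server and confirm the source address the remote side sees.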