Zywall 110 NAT

Inoyat
edited April 2021 in Security
We use the Zywall as a gateway to access the Internet.
We also configured NAT to reach the internal mail server.
However, the mail server logs record the IP address of the Zywall's internal interface, not the client's external address.

Example:

Jun 11 08:45:31 core0 postfix/smtpd[22638]: connect from zywall[10.103.100.250]
Jun 11 08:45:31 core0 postfix/smtpd[22638]: 7A9A17B4BC: client=zywall[10.103.100.250]

But when we use a Cisco (also with NAT) as the gateway, the real IP address reaches the mail server:

Jun 11 09:17:59 mx1 postfix/smtpd[18197]: connect from mail.sicon.ru[91.214.185.210]
Jun 11 09:17:59 mx1 postfix/smtpd[18197]: 9E1BD124BA5: client=mail.sicon.ru[91.214.185.210]


Rule in Zywall:

ip virtual-server LotusSMTP_1 interface wan1 original-ip wan1_IP map-to Domino map-type port protocol tcp original-port 25 mapped-port 25 nat-1-1-map

All Replies

  • Zyxel_Stanley

    Hi @Inoyat  

    According to your description, the source IP address has been replaced with the USG LAN interface address.

    Are the USG WAN and LAN connected to the same switch?

    Can you describe your topology and the traffic direction (from the WAN or LAN side)?

    Can you try disabling the “NAT Loopback” function in the NAT rule,

    and then check the status on the server again?


  • PeterUK

    You likely have made a Routing rule with Address Translation > Source Network Address Translation set to outgoing-interface; change this to none.

  • Zyxel_Stanley

    Hi @Inoyat

    Did you add a policy route rule like:

    Source: Any, Destination: Any, Next-Hop: WAN interface, SNAT: WAN Interface

    If yes, the reason is that incoming traffic hits this rule and the source IP address is replaced with the interface IP.

    You can add a new policy route rule:

    Source: any, Destination: ServerIP, Next-Hop: Auto, SNAT: none

    Then the client source IP will be reported correctly.

    You can refer to this thread. The scenario and situation should be the same as yours.
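    The symptom in the original post (every SMTP connection logged as coming from the firewall's LAN address 10.103.100.250) and the check suggested after the policy-route fix can both be verified from the postfix log itself. The script below is an added example, not code from the thread or from Zyxel: it parses `connect from` lines and reports what fraction of connections carry the gateway's own address, which is the audit-trail loss that SNAT on the inbound rule causes. The sample log lines are constructed, modelled on the ones quoted in the post.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the postfix/smtpd lines quoted in the thread.
# The first three show clients collapsed to the firewall's LAN address (the bug);
# the last two show real client addresses as they should appear after the fix.
SAMPLE_LOG = """\
Jun 11 08:45:31 core0 postfix/smtpd[22638]: connect from zywall[10.103.100.250]
Jun 11 08:45:31 core0 postfix/smtpd[22638]: 7A9A17B4BC: client=zywall[10.103.100.250]
Jun 11 08:46:02 core0 postfix/smtpd[22641]: connect from zywall[10.103.100.250]
Jun 11 09:17:59 mx1 postfix/smtpd[18197]: connect from mail.sicon.ru[91.214.185.210]
Jun 11 09:18:10 mx1 postfix/smtpd[18198]: connect from unknown[198.51.100.7]
"""

# Only the "connect from host[ip]" lines count a connection once; the
# "client=" lines repeat the same address per queued message and are skipped.
CONNECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: connect from (?P<host>\S+)\[(?P<ip>[0-9A-Fa-f.:]+)\]"
)


def client_ips(log_text):
    """Return the client IP of every 'connect from' line, in log order."""
    return [m.group("ip") for m in CONNECT_RE.finditer(log_text)]


def snat_masking_ratio(log_text, gateway_ip):
    """Fraction of SMTP connections whose client IP is the gateway's own address.

    1.0 means the mail server never sees a real client address (the thread's
    symptom); 0.0 means no connection is attributed to the gateway.
    """
    ips = client_ips(log_text)
    if not ips:
        return 0.0
    return sum(1 for ip in ips if ip == gateway_ip) / len(ips)


def check_source_visibility(log_text, gateway_ip, threshold=0.5):
    """Return (ok, per-ip counts). ok is False when the gateway address
    accounts for at least `threshold` of connections, i.e. SNAT is still
    masking client sources and per-client rate limiting or blocking on the
    mail server cannot work."""
    counts = Counter(client_ips(log_text))
    ok = snat_masking_ratio(log_text, gateway_ip) < threshold
    return ok, counts


if __name__ == "__main__":
    ok, counts = check_source_visibility(SAMPLE_LOG, "10.103.100.250")
    print("client sources visible:", ok)
    for ip, n in counts.most_common():
        print(f"{n:4d}  {ip}")
```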

  • Inoyat

    Thanks, all!
