Incorrect NAT Address Pool Configuration Causes Some Intranet Users to Be Unable to Send Mail

Publication Date: 2015-07-03
Issue Description
Network Topology:



Service overview:

The USG serves as the egress gateway for the intranet. Outbound source NAT (nat outbound) is configured on the USG so that intranet users can reach Internet services, including POP3 and SMTP. Intranet users connect to a POP3 server on the Internet to receive mail and to an SMTP server on the Internet to send mail.

Symptom:

Intranet users can receive mail with their mail client, but some of them cannot send mail. The same users can both send and receive mail through the webmail interface.
Handling Process
Before intranet users reach Internet services such as HTTP and SMTP, the USG performs source NAT on their traffic. The NAT address pool on the USG contains two public IP addresses. Because users' private source addresses differ, different users may be translated to different public addresses, so the SMTP server may apply a different access policy to each of the two addresses. Analysis of packets captured on the USG's outgoing interface shows that every failed connection comes from the same public address. In each case the TCP three-way handshake completes and the client sends its SMTP request, but the server replies with an RST packet, as shown in the following figure.



Because the handshake completes, the packets are reaching the server and the connection is being torn down by the server itself rather than dropped by a filter in the path; this indicates that the server rejects connections from that public address. After the address is removed from the NAT address pool, all users can reach the mail server. A check of the SMTP server configuration confirms that it restricts access from this address.
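The capture analysis described above can be done systematically: group each outbound SMTP flow by its translated (public) source address and record how the flow ended, so that an address whose sessions are always reset after the handshake stands out. The script below is an added example and is not part of the original Huawei article; the packet records in it are constructed, with 203.0.113.10 and 203.0.113.11 standing in for the two NAT pool addresses and 198.51.100.25 for the Internet SMTP server (all from RFC 5737 documentation ranges).

```python
"""
Group outbound SMTP flows from a capture on the USG's outgoing interface by
their translated (public) source address and classify how each flow ended.

Added example, not code from the original article. The packet records are
constructed: 203.0.113.10 / 203.0.113.11 stand in for the two NAT pool
addresses and 198.51.100.25 for the Internet SMTP server. TCP flags use
tcpdump-style letters ("S", "SA", "PA", "FA", "R").
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

SMTP_PORT = 25


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str            # subset of "SAPFR"
    payload: bytes = b""


def _flow(client, cport, server, steps):
    """Expand a compact session description into Packet objects (constructed data)."""
    out = []
    for direction, flags, payload in steps:
        if direction == ">":   # client -> server
            out.append(Packet(client, cport, server, SMTP_PORT, flags, payload))
        else:                  # server -> client
            out.append(Packet(server, SMTP_PORT, client, cport, flags, payload))
    return out


SERVER = "198.51.100.25"
GOOD_SESSION = [(">", "S", b""), ("<", "SA", b""), (">", "A", b""),
                ("<", "PA", b"220 mail.example ESMTP\r\n"),
                (">", "PA", b"EHLO client.example\r\n"),
                ("<", "PA", b"250 OK\r\n"),
                (">", "PA", b"QUIT\r\n"),
                ("<", "FA", b"221 Bye\r\n")]
# The pattern from the article: handshake completes, client sends its
# request, server answers with RST.
RESET_SESSION = [(">", "S", b""), ("<", "SA", b""), (">", "A", b""),
                 (">", "PA", b"EHLO client.example\r\n"),
                 ("<", "R", b"")]

# Constructed capture: two sessions from each pool address.
CAPTURE = (_flow("203.0.113.10", 40001, SERVER, GOOD_SESSION)
           + _flow("203.0.113.11", 40002, SERVER, RESET_SESSION)
           + _flow("203.0.113.10", 40003, SERVER, GOOD_SESSION)
           + _flow("203.0.113.11", 40004, SERVER, RESET_SESSION))


def flow_key(p):
    """Normalise a packet to (client_ip, client_port, server_ip, server_port)."""
    if p.dport == SMTP_PORT:
        return (p.src, p.sport, p.dst, p.dport)
    return (p.dst, p.dport, p.src, p.sport)


def classify_flow(client_ip, pkts):
    """Classify one TCP flow by where it failed, if it failed.

    'rst_after_request' is the article's symptom: handshake done, client data
    sent, then a server RST. 'ok' means the server sent SMTP data.
    """
    syn = synack = established = False
    client_sent = server_sent = False
    for p in pkts:
        from_client = p.src == client_ip
        if "R" in p.flags:
            if from_client:
                return "client_reset"
            if established and client_sent:
                return "rst_after_request"
            return "rst_after_handshake" if established else "rst_on_syn"
        if from_client and "S" in p.flags and "A" not in p.flags:
            syn = True
        elif not from_client and "S" in p.flags and "A" in p.flags:
            synack = syn
        elif from_client and synack and not established and "A" in p.flags:
            established = True
        if established and p.payload:
            if from_client:
                client_sent = True
            else:
                server_sent = True
    if not synack:
        return "no_syn_ack"
    if not established:
        return "handshake_incomplete"
    return "ok" if server_sent else "no_server_data"


def summarize(capture):
    """Return {public_source_ip: {outcome: count}} for all flows in the capture."""
    flows = defaultdict(list)
    for p in capture:
        flows[flow_key(p)].append(p)
    per_source = defaultdict(Counter)
    for (client_ip, _, _, _), pkts in flows.items():
        per_source[client_ip][classify_flow(client_ip, pkts)] += 1
    return {ip: dict(c) for ip, c in per_source.items()}


def suspect_pool_addresses(capture):
    """Pool addresses whose flows are reset by the server and never succeed."""
    return sorted(ip for ip, outcomes in summarize(capture).items()
                  if not outcomes.get("ok")
                  and any(k.startswith("rst") for k in outcomes))


if __name__ == "__main__":
    for ip, outcomes in summarize(CAPTURE).items():
        print(ip, outcomes)
    print("restricted by server:", suspect_pool_addresses(CAPTURE))
```

On a real capture, feed the script the packets from the outgoing interface (the translated source address is what matters, so capture after NAT, not on the inside interface). An address that appears only under a reset outcome, while the other pool address completes sessions normally, points at a policy on the server side; a SYN that gets no SYN-ACK at all would point instead at a filter dropping traffic in the path.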
Root Cause
The SMTP server restricts access from one of the public IP addresses in the USG's NAT address pool. Intranet users whose sessions are translated to that address therefore cannot send mail, while users translated to the other address are unaffected.
Solution
Either modify the NAT address pool on the USG so that the restricted address is no longer used for outbound traffic, or have the SMTP server's administrator lift the restriction on that public address. After the change, repeat the capture on the outgoing interface to confirm that sessions from every pool address complete normally.

END