
SSG 140 设置VIP端口映射碰到问题.

SSG 140 设置VIP端口映射碰到问题.

架设EXCHANGE 2007邮件服务器,接收邮件要映射995端口,在VIP里没有995端口可以选,所以我在OBJECT里自己添加了一个.
TCP src port:0-65535 , dst port:955-955
然后添加了VIP,再做一条策略.
可是现在用客户端收信仍旧提示服务器没有响应,但是发邮件就没有问题.
请问哪里设置错误了.


楼主,你得把配置贴出来让我们看看啊,没有配置不好判断呀


set clock timezone 8
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "pop995" protocol tcp src-port 0-65535 dst-port 995-995 timeout never
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nAlVH4rKH+dJcToB0sAHf/NtwkOy2n"
set admin http redirect
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Trust"
set interface "ethernet0/1" zone "Trust"
set interface "ethernet0/2" zone "Untrust"
set interface "ethernet0/6" zone "Trust"
set interface "ethernet0/9" zone "Trust"
set interface ethernet0/0 ip 192.168.1.2/24
set interface ethernet0/0 nat
unset interface vlan1 ip
set interface ethernet0/2 ip 116.x.x.250/29
set interface ethernet0/2 nat
set interface ethernet0/9 ip 192.168.2.1/24
set interface ethernet0/9 nat
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
unset interface ethernet0/2 ip manageable
set interface ethernet0/9 ip manageable
unset interface ethernet0/1 manage ssh
unset interface ethernet0/1 manage telnet
unset interface ethernet0/1 manage snmp
unset interface ethernet0/1 manage ssl
unset interface ethernet0/1 manage web
set interface ethernet0/2 manage ssh
set interface ethernet0/2 manage telnet
set interface ethernet0/2 manage ssl
set interface ethernet0/2 manage web
unset interface ethernet0/9 manage ping
unset interface ethernet0/9 manage ssh
unset interface ethernet0/9 manage telnet
unset interface ethernet0/9 manage snmp
unset interface ethernet0/9 manage ssl
unset interface ethernet0/9 manage web
set interface vlan1 manage mtrace
set interface ethernet0/9 monitor track-ip threshold 3
set interface ethernet0/9 monitor track-ip weight 4
unset interface ethernet0/9 monitor track-ip dynamic
set interface ethernet0/2 vip 116.x.x.251 80 "HTTP" 192.168.2.100
set interface ethernet0/2 vip 116.x.x.251 + 443 "HTTPS" 192.168.2.66
set interface ethernet0/2 vip 116.x.x.251 + 21 "FTP" 192.168.2.100
set interface ethernet0/2 vip 116.x.x.252 110 "POP3" 192.168.2.66
set interface ethernet0/2 vip 116.x.x.252 + 80 "HTTP" 192.168.2.66
set interface ethernet0/2 vip 116.x.x.252 + 443 "HTTPS" 192.168.2.66
set interface ethernet0/2 vip 116.x.x.252 + 143 "IMAP" 192.168.2.66
set interface ethernet0/2 vip 116.x.x.252 + 25 "SMTP" 192.168.2.66
set interface ethernet0/2 vip 116.x.x.252 + 995 "pop995" 192.168.2.66
set interface ethernet0/9 dhcp server service
set interface ethernet0/9 dhcp server enable
set interface ethernet0/9 dhcp server option lease 1440000
set interface ethernet0/9 dhcp server option gateway 192.168.2.1
set interface ethernet0/9 dhcp server option netmask 255.255.255.0
set interface ethernet0/9 dhcp server option dns1 202.96.209.133
set interface ethernet0/9 dhcp server option wins1 202.96.209.6
set interface ethernet0/9 dhcp server ip 192.168.2.30 to 192.168.2.200
set interface ethernet0/9 dhcp server config next-server-ip ip 192.168.2.30
set interface ethernet0/2 dip interface-ip incoming
unset flow no-tcp-seq-check
set flow tcp-syn-check
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 202.96.209.6 src-interface ethernet0/0
set dns host dns2 202.96.209.133 src-interface ethernet0/1
set dns host dns3 0.0.0.0
set address "Trust" "192.168.10.3/24" 192.168.10.3 255.255.255.0
set address "Trust" "192.168.10.3/32" 192.168.10.3 255.255.255.255
set address "Untrust" "116.x.x.251/29" 116.x.x.251 255.255.255.248
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set url protocol websense
exit
set policy id 1 name "lan" from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
set policy id 1
exit
set policy id 2 name "WEB" from "Untrust" to "Global"  "Any" "VIP(116.x.x.251)" "HTTP" permit
set policy id 2 application "HTTP"
set policy id 2
exit
set policy id 3 from "Untrust" to "Global"  "Any" "VIP(116.x.x.251)" "HTTPS" permit
set policy id 3
exit
set policy id 5 from "Untrust" to "Global"  "Any" "VIP(116.x.x.251)" "FTP" permit
set policy id 5
exit
set policy id 8 from "Untrust" to "Global"  "Any" "VIP(116.x.x.252)" "HTTP" permit
set policy id 8
exit
set policy id 9 from "Untrust" to "Global"  "Any" "VIP(116.x.x.252)" "HTTPS" permit
set policy id 9
exit
set policy id 11 from "Untrust" to "Global"  "Any" "VIP(116.x.x.252)" "POP3" permit
set policy id 11
exit
set policy id 12 from "Untrust" to "Global"  "Any" "VIP(116.x.x.252)" "SMTP" permit
set policy id 12
exit
set policy id 13 from "Untrust" to "Global"  "Any" "VIP(116.x.x.252)" "pop995" permit
set policy id 13
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet0/2 gateway 116.x.x.249 preference 20
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit


你最好在内网用客户端连接一下,然后用Sniffer抓包看一下,是不是还有其他端口需要用到!


995端口应该已经有系统预定义的服务,
所以你重新定义一个新的995端口服务应该是不行的。
建立策略的时候,在 action 上面有一个 service 选项,这里选择你定义的端口服务;下面的 application 选项选最后一项 ignore。
这样试试吧,
也许能成功。


可以做个 MIP:在不信任(Untrust)接口选择 MIP,把公网 IP 地址和对应的实际内网 IP 地址填进去,然后在策略那里选择 Untrust to Trust 策略,选择刚才建立的 MIP 就可以了。


流量在跑的时候,会被识别为原先 995 端口的预定义服务,也就不走你自定义的 pop995 那个服务了。


995 端口是 EXCHANGE 的 POP3 加密服务要用到的端口啊,楼主,是不是 EXCHANGE 连接器的设置有问题?
