HELP!! Need help with NAT and PAT for SMTP

tyoungbauer
Level 1

I have an emergency where I need to use the router for NAT and PAT. It is short term until we swing the firewall.

I can build NAT and get outbound web surfing and ping, but I need inbound email.

I cannot seem to get the PAT working.

Config is below.

I have a 667 VLAN for the Internet, and the email server is on the 192 VLAN. Users are on VLAN 10.

interface FastEthernet0/0
 ip address 10.1.1.20 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex full
 speed 10
 no mop enabled
!
interface FastEthernet0/0.667
 encapsulation dot1Q 667
 ip address X.X.X.214 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
!
interface FastEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1.10
 description Data Vlan
 encapsulation dot1Q 10
 ip address 172.20.10.254 255.255.255.0
 ip helper-address 192.168.1.10
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 no cdp enable
!
interface FastEthernet0/1.11
 description Voice Vlan
 encapsulation dot1Q 11
 ip address 172.20.11.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
!
interface FastEthernet0/1.192
 encapsulation dot1Q 192
 ip address 192.168.1.254 255.255.255.0
 ip helper-address 192.168.1.10
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 no cdp enable
!
interface FastEthernet0/1.254
 encapsulation dot1Q 254
 ip address 172.20.254.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
!
router eigrp 101
 network 172.21.0.0
 network 172.22.0.0
 auto-summary
!
ip route 0.0.0.0 0.0.0.0 66.162.50.213
ip route 172.21.0.0 255.255.0.0 10.1.1.21
ip route 172.22.0.0 255.255.0.0 10.1.1.22
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat pool TGO-MSP X.X.X.214 X.X.X.214 netmask 255.255.255.252
ip nat inside source list 101 pool TGO-MSP overload
ip nat inside source static tcp 192.168.1.10 25 X.X.X.214 25 extendable
!
access-list 101 permit ip any any log
access-list 102 permit tcp any host X.X.X.214 eq smtp
!


JORGE RODRIGUEZ
Level 10

I don't see any ip-access-group in/out interface statements in your config for applying your access list 102 for inbound/outbound smtp.

Jorge Rodriguez
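
The check from the reply above (is access list 102 actually applied to an interface?), as an added example that is not part of the thread: a small Python audit of an IOS config that lists static port forwards, ACLs that are defined but never referenced, and NAT-outside interfaces with no inbound ACL. The sample config is constructed from the poster's, with 203.0.113.214 standing in for X.X.X.214, and the function name `audit` is hypothetical.

```python
import re

# Constructed sample: the thread's config trimmed to the NAT-relevant lines,
# with 203.0.113.214 (documentation range) standing in for X.X.X.214.
SAMPLE = """\
interface FastEthernet0/0.667
 ip address 203.0.113.214 255.255.255.252
 ip nat outside
!
interface FastEthernet0/1.192
 ip nat inside
!
ip nat inside source list 101 pool TGO-MSP overload
ip nat inside source static tcp 192.168.1.10 25 203.0.113.214 25 extendable
access-list 101 permit ip any any log
access-list 102 permit tcp any host 203.0.113.214 eq smtp
"""

def audit(config):
    """Return static port forwards, ACLs that are defined but never
    referenced, and NAT-outside interfaces with no inbound ACL."""
    iface, outside, inbound_acl = None, set(), {}
    defined, referenced, forwards = set(), set(), []
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):      # a top-level line ends interface mode
            iface = None
        if m := re.match(r"interface (\S+)", line):
            iface = m.group(1)
        elif line == "ip nat outside" and iface:
            outside.add(iface)
        elif m := re.match(r"ip access-group (\S+) (in|out)$", line):
            referenced.add(m.group(1))
            if iface and m.group(2) == "in":
                inbound_acl[iface] = m.group(1)
        elif m := re.match(r"access-list (\d+) ", line):
            defined.add(m.group(1))
        elif m := re.match(r"ip nat inside source static (tcp|udp) "
                           r"(\S+) (\d+) (\S+) (\d+)", line):
            forwards.append((m.group(1), m.group(2), int(m.group(3)),
                             m.group(4), int(m.group(5))))
        elif m := re.match(r"ip nat inside source list (\S+) ", line):
            referenced.add(m.group(1))   # ACL used to select NAT traffic
    return {"forwards": forwards,
            "unused_acls": sorted(defined - referenced),
            "outside_without_inbound_acl": sorted(outside - set(inbound_acl))}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The check covers wiring only; once an ACL is bound to an interface, IOS's implicit deny drops whatever its entries do not permit.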

Which interface should I go? I would usually have a firewall, so I have not had to set up an environment like this.

Thanks

interface FastEthernet0/0.667
 ip access-group 102 in

JORGE RODRIGUEZ
Level 10

Since you have static NAT for the SMTP server, the ip access-group 102 in and out should be placed in the interface where the inbound SMTP request is expected, and if the outbound is expected to go out the same interface, then you place the ip access-group 102 in/out on that interface.

In your case SMTP is in the x.x.x.214 subnet on interface FastEthernet0/0.667:

 ip access-group 102 in
 ip access-group 102 out

HTH

Jorge

Jorge Rodriguez

Thanks guys, but no luck??

sh ip nat trans looks good

TGO-MSP-WFC-Router#sh access-lists
Extended IP access list 101
    10 permit ip any any log (4567 matches)
Extended IP access list 102
    10 permit tcp any host 66.162.50.214 eq smtp (180 matches)
Extended IP access list 103
    10 permit tcp any host 192.168.1.10 eq smtp

Access looks OK.

Still cannot get a connection?

Thanks

I think I am good. That server is on another subnet and it has a default gateway that still lives there. My guess is inbound is coming in but being directed out the other gateway.

Thanks
