01-10-2008 10:59 AM - edited 03-05-2019 08:23 PM
On my 1841 router. I appreciate any help! Normal SMTP from the outside coming into our NAT'ed router to the SMTP server 10.1.3.134 does not work. If we do nslookups on our internal DNS servers they fail. Our internal DNS servers are not able to contact the external authoritative master servers. I have domain, 25 opened.
This config works on another router at another company I have configured in the past.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname KM-1841-OAP
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
clock timezone Chicago -6
clock summer-time Chicago date Apr 6 2003 2:00 Oct 26 2003 2:00
ip cef
!
!
!
!
ip domain name xxxxxx.com
ip name-server ISP DNS1
ip name-server ISP DNS2
!
!
interface FastEthernet0/0
description LAN$ES_LAN$$FW_INSIDE$$ETH-LAN$
ip address 10.1.3.30 255.255.0.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description CENTURYTEL-INTET$FW_OUTSIDE$$ETH-WAN$
ip address 69.x.x.x 255.255.255.248
ip access-group INBOUND in
ip access-group OUTBOUND out
ip verify unicast reverse-path
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
router rip
network 10.0.0.0
!
ip route 0.0.0.0 0.0.0.0 69.x.x.x
!
!
ip http server
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list INSIDE_NAT_ADDRESSES interface FastEthernet0/1 overload
ip nat outside source static tcp 69.x.x.x 25 10.1.3.134 25 extendable
!
ip access-list standard INSIDE_NAT_ADDRESSES
permit 10.0.0.0 0.255.255.255
!
ip access-list extended INBOUND
remark ---applied to traffic entering the office---
permit tcp any any established
permit icmp any any echo-reply
permit tcp any host 10.1.3.6 eq 1494
permit tcp any host 10.1.3.6 eq 88
permit udp host 10.1.3.102 any
permit udp host 10.1.3.104 any
permit udp any host 10.1.3.102
permit udp any host 10.1.3.104
permit tcp any host 10.1.3.21 eq 3389
permit tcp any host 10.1.3.2 eq www
permit tcp any host 10.1.3.134 eq smtp
ip access-list extended OUTBOUND
remark ---applied to traffic leaving the office---
permit tcp any any eq www
permit tcp any any eq 443
permit icmp any any echo
permit tcp any host 199.80.65.1 eq 9000
permit tcp any host 69.2.40.5 eq 5088
permit tcp any host 65.206.239.163 eq 60000
permit tcp any any eq ftp
permit tcp any any eq 37
permit tcp any any eq nntp
permit tcp any any eq 2096
permit tcp any any eq 2095
permit tcp any any eq 2082
permit tcp any any eq 3389
permit tcp any any eq telnet
permit tcp any any eq pop3
permit tcp any any eq 8090
permit tcp host 10.1.3.40 any eq smtp
permit tcp host 10.1.3.102 any eq smtp
permit tcp host 10.1.3.104 any eq smtp
permit tcp host 10.1.3.103 any eq smtp
permit tcp host 10.1.3.108 any eq smtp
permit tcp host 10.1.3.134 any eq smtp
permit tcp any any eq 1494
permit tcp any any eq 7777
permit tcp any any eq 554
permit tcp any any eq 3101
permit udp any any eq isakmp
permit tcp any any eq 4043
permit udp any any eq 4043
permit tcp any any eq 8000
permit tcp host 10.1.3.102 any
permit tcp host 10.1.3.104 any
permit udp host 10.1.3.102 any
permit udp host 10.1.3.104 any
permit udp any any eq domain
permit tcp any any eq domain
permit tcp any any eq 2086
permit tcp any any eq 2087
permit tcp any any eq smtp
permit tcp host 10.1.3.200 any
!
!
!
control-plane
!
!
banner motd ^C
!
line con 0
login local
line aux 0
line vty 0 4
privilege level 15 0
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp clock-period 17178416
ntp update-calendar
ntp server 10.1.3.104 source FastEthernet0/0 prefer
end
01-10-2008 05:44 PM
Anyone? I would be so in debt to you. I've even tried permit udp any any and permit tcp any any and nothing. I've tried using 53 instead of domain, played with the INBOUND and OUTBOUND list - nothing. I would even donate 20.00 :) I know for a fact DNS wasn't this hard to configure on the last 1841 I used.
The only way I can get it working is by removing the acl from the interface or adding permit ip any any in the list.
Thanks in advance!
01-11-2008 08:04 AM
Your inbound acl needs to have the 69.x.x.x address(es) for the destination address since the outside interface is Internet facing. It is unlikely that the outside interface will see traffic with the destination of 10.1.3.x. For example:
instead of permit tcp any host 10.1.3.134 eq smtp
you will want permit tcp any host 69.x.x.x eq smtp
where 69.x.x.x is the mapped address of your mail server 10.1.3.134.
I believe you will also need to have a line like this to get your internal DNS server to work correctly.
permit udp any eq domain host 69.x.x.x (Outside interface IP that is overloaded)
Here is a link that can help configuring a cisco router to be a firewall without having the firewall feature set:
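To see why the destination address in INBOUND matters, here is an added Python model (not code from the thread or from Cisco): on IOS, an inbound ACL on the outside interface is evaluated before the outside-to-inside NAT translation, so the packet still carries the public address when the ACL checks it, and the TCP-only "established" keyword can never pass a UDP DNS reply. The addresses 192.0.2.10 (standing in for 69.x.x.x), 198.51.100.7 and 203.0.113.53 are constructed placeholders.

```python
# Added model (not from the thread): IOS checks an inbound ACL on the outside
# interface BEFORE outside-to-inside NAT, so it sees the public (mapped) address.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PUBLIC_IP = "192.0.2.10"     # constructed stand-in for the thread's 69.x.x.x
MAIL_SERVER = "10.1.3.134"   # internal SMTP server from the posted config

@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # TCP ACK/RST set -> matches the "established" keyword

def match(entry, pkt):
    """entry = (proto, src_port, dst_network, dst_port, established)."""
    proto, sport, dst_net, dport, established = entry
    if proto != pkt.proto or ip_address(pkt.dst) not in ip_network(dst_net):
        return False
    if sport is not None and pkt.sport != sport:
        return False
    if dport is not None and pkt.dport != dport:
        return False
    # "established" only matches TCP segments with ACK/RST set; never UDP
    return not established or (pkt.proto == "tcp" and pkt.ack)

def acl_permits(acl, pkt):
    """First matching entry wins; implicit deny at the end, as on IOS."""
    return any(match(e, pkt) for e in acl)

# INBOUND as posted (private destination) vs. as corrected in the reply.
INBOUND_AS_POSTED = [
    ("tcp", None, "0.0.0.0/0", None, True),         # permit tcp any any established
    ("tcp", None, MAIL_SERVER + "/32", 25, False),  # permit tcp any host 10.1.3.134 eq smtp
]
INBOUND_FIXED = [
    ("tcp", None, "0.0.0.0/0", None, True),
    ("tcp", None, PUBLIC_IP + "/32", 25, False),    # permit tcp any host 69.x.x.x eq smtp
    ("udp", 53, PUBLIC_IP + "/32", None, False),    # permit udp any eq domain host 69.x.x.x
]

def inbound_smtp_syn():  # constructed: SMTP SYN from the Internet, pre-NAT view
    return Packet("tcp", "198.51.100.7", 40000, PUBLIC_IP, 25)

def dns_reply():  # constructed: answer to a query the internal DNS server sent via PAT
    return Packet("udp", "203.0.113.53", 53, PUBLIC_IP, 61234)
```

The posted list drops both the SMTP SYN (destination is still 69.x.x.x when checked) and the DNS reply (UDP cannot match "established"); the corrected list permits both, and only then does NAT rewrite the destination to 10.1.3.134.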