11-30-2009 10:14 PM - edited 03-04-2019 06:50 AM
Dear All,
I am facing a problem: all my network computers' traffic, Microsoft Exchange traffic and VPN traffic goes through one link.
I have a pool of live IP addresses with a mask of /29.
Some of my computers have a virus and they broadcast to port 25 (SMTP), which causes my live IP to be blocked on different spam sites, resulting in my Exchange emails bouncing with errors. Then I need to clear my IP address from those sites and change the live IP from my pool.
I want to isolate my live IPs with the following config:
1 - Microsoft Exchange traffic should use one live IP address
2 - VPN traffic should use one live IP address
3 - Internal network computers should use the remaining live IP pool for internet surfing
Currently my configuration is:
interface fa0/0
 ip address 192.168.74.1 255.255.255.0 (for example)
 ip nat inside
interface fa0/1
 ip address 55.55.55.55 255.255.255.248 (for example)
 ip nat outside
ip local pool ippool 192.168.55.100 192.168.55.200
ip nat inside source list deny_vpn_go_nat interface fa0/1 overload
ip access-list extended deny_vpn_go_nat
 deny ip 192.168.74.0 0.0.0.255 192.168.20.0 0.0.3.255
 deny ip 192.168.74.0 0.0.0.255 192.168.55.0 0.0.0.255
 deny ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.3.255
 deny ip 192.168.1.0 0.0.0.255 192.168.55.0 0.0.0.255
 permit ip 192.168.0.0 0.0.255.255 any
In the above scenario I am using one live IP from the pool; the others are not in use. I want to use them with this config:
ip access-list extended deny_vpn_go_nat
 deny ip 192.168.74.0 0.0.0.255 192.168.20.0 0.0.3.255
 deny ip 192.168.74.0 0.0.0.255 192.168.55.0 0.0.0.255
 deny ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.3.255
 deny ip 192.168.1.0 0.0.0.255 192.168.55.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip nat pool localint 58.27.232.19 58.27.232.21 netmask 255.255.255.248
ip access-list extended locint
 deny ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.0.0 0.0.255.255 any
ip nat inside source list locint pool localint overload
Please advise whether this configuration will work or not, as my router is in a production network and I can take only limited downtime for a configuration change.
Any other idea for isolating my live IP addresses will be very helpful for me.
Thanks in Advance
Junaid Abbas
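Before changing a production router, the proposed ACL and NAT rules above can be checked offline. The following Python script is an added example, not code from the thread: it models Cisco wildcard-mask ACL evaluation and picks the NAT rule for a packet (assuming, as a simplified model, that the 'ip nat inside source list' rules are tried in configured order and the first permitting ACL wins), then runs the two posted ACLs against constructed test packets; it shows that traffic from 192.168.74.0/24 to a VPN client in 192.168.55.0/24 is denied by deny_vpn_go_nat but permitted by locint, so it would be translated by pool localint instead of staying untranslated.

```python
import ipaddress

def _parse_addr(tokens, i):
    """Parse one address spec (any | host A | A WILDCARD) at tokens[i]; return (net, wildcard, next)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    return (int(ipaddress.IPv4Address(tokens[i])),
            int(ipaddress.IPv4Address(tokens[i + 1])), i + 2)
def _wild_match(addr, net, wildcard):
    """Cisco wildcard semantics: a set bit in the wildcard means 'don't care'."""
    care = ~wildcard & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == net & care

def acl_permits(acl, src, dst):
    """Evaluate an extended IP ACL top-down with the implicit deny at the end."""
    for ace in acl:
        t = ace.split()                      # e.g. ['deny', 'ip', src, wc, dst, wc]
        snet, swc, i = _parse_addr(t, 2)
        dnet, dwc, _ = _parse_addr(t, i)
        if _wild_match(src, snet, swc) and _wild_match(dst, dnet, dwc):
            return t[0] == "permit"
    return False
# The two ACLs from the proposed config, copied from the post above.
DENY_VPN_GO_NAT = [
    "deny ip 192.168.74.0 0.0.0.255 192.168.20.0 0.0.3.255",
    "deny ip 192.168.74.0 0.0.0.255 192.168.55.0 0.0.0.255",
    "deny ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.3.255",
    "deny ip 192.168.1.0 0.0.0.255 192.168.55.0 0.0.0.255",
    "permit ip 192.168.1.0 0.0.0.255 any",
]
LOCINT = ["deny ip 192.168.1.0 0.0.0.255 any",
          "permit ip 192.168.0.0 0.0.255.255 any"]
# Each 'ip nat inside source list ...' rule as (ACL, translation it selects).
NAT_RULES = [(DENY_VPN_GO_NAT, "interface fa0/1 overload"),
             (LOCINT, "pool localint")]

def nat_target(src, dst, rules=NAT_RULES):
    """Translation a packet gets, or None when no rule's ACL permits it. Assumption: rules are
    tried in configured order; a 'deny' in a NAT ACL only means 'not this rule', it never drops."""
    for acl, target in rules:
        if acl_permits(acl, src, dst):
            return target
    return None

if __name__ == "__main__":   # constructed test packets: 203.0.113.5 stands in for an internet host
    for src, dst in [("192.168.1.10", "203.0.113.5"), ("192.168.74.10", "203.0.113.5"),
                     ("192.168.1.10", "192.168.55.120"), ("192.168.74.10", "192.168.55.120")]:
        print(f"{src} -> {dst}: {nat_target(src, dst)}")
```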
12-01-2009 06:48 AM
1 - Microsoft Exchange traffic should use one live IP address
2 - VPN traffic should use one live IP address
3 - Internal network computers should use the remaining live IP pool for internet surfing
1. I would restrict the users from being able to SMTP out to the internet directly.
An ACL on the inside interface would look something like this:
access-list 100 permit tcp host [Exchange IP] any eq 25
access-list 100 deny tcp any any eq 25
access-list 100 permit ip any any
This will allow Exchange but block everything else.
2. This has to be the interface IP.
3. With the configuration of 1, you don't need to do this.
12-01-2009 08:32 PM
Hi Collin,
Thanks for your support,
If I use my existing config shown in my first post together with your advised configuration for blocking SMTP traffic except MS Exchange, it will be helpful as far as my live IP blockage is concerned.
I have only 2 WAN ports on my router, a Cisco 2811; I am using fa0/0 for inside and fa0/1 for outside.
Please advise how I could dedicate one live IP for VPN, one for Exchange, and the other pool for net surfing.
As I am already trying to make a pool and overload it, will it be helpful, or is this the correct way?
Please advise
Thanks
Junaid
12-02-2009 07:27 AM
For a static NAT to your Exchange server:
ip nat inside source static 192.168.74.99 55.55.55.3
The VPN will always use the IP of your outside interface.
A NAT pool for users:
ip nat pool TEST 55.55.55.2 55.55.55.2 netmask 255.255.255.0
ip nat inside source list 7 pool TEST
access-list 7 permit 192.168.74.0 0.0.0.255
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093f31.shtml
Make sure you lab it up before implementing as I'm not 100% sure if the TEST pool will overload.