2 SMTP servers using 2 different public addresses

MercatorIneo
Level 1

Hello,

I have two IPs on my WAN interface: x.x.x.89 and y.y.y.98. I have 2 SMTP servers in my LAN, one on 192.168.2.130, the other on 192.168.2.136. I want the .130 SMTP server to use .89 and .136 to use .98.

Here is what I think is relevant in my config:

interface Dialer0
 ip address y.y.y.98 255.255.255.252 secondary
 ip address x.x.x.89 255.255.255.252
 ip access-group 120 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip policy route-map VPN-Client
 dialer pool 1
 dialer-group 1
 no cdp enable
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.10.0 255.255.255.0 192.168.2.150
ip route 192.168.11.0 255.255.255.0 192.168.2.3
ip nat inside source list 101 interface Dialer0 overload
ip nat inside source static tcp 192.168.2.136 25 y.y.y.98 25 route-map smtp-136 extendable
!
logging trap debugging
access-list 101 deny   ip 192.168.20.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny   ip 192.168.2.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 deny   ip host 192.168.2.136 any
access-list 101 permit ip any any
access-list 102 deny   ip 192.168.2.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
access-list 103 permit tcp host 192.168.2.136 any eq smtp
access-list 103 deny   ip any any
access-list 113 remark ... VTY access restriction ...
access-list 113 remark SDM_ACL Category=17
access-list 113 permit ip 192.168.1.0 0.0.0.255 any
access-list 113 permit ip 192.168.2.0 0.0.0.255 any
access-list 113 permit ip 192.168.5.0 0.0.0.255 any
access-list 113 permit ip 192.168.3.0 0.0.0.255 any
access-list 113 permit ip 192.168.20.0 0.0.0.255 any
access-list 113 deny   ip any any
access-list 113 remark ... VTY access restriction ...
access-list 113 remark SDM_ACL Category=17
access-list 120 permit tcp host z.z.z.z any eq 8022
access-list 120 deny   tcp any any eq 8022
access-list 120 permit tcp host z.z.z.z any eq 1433
access-list 120 deny   tcp any any eq 1433
access-list 120 permit ip any any
access-list 121 deny   tcp 192.168.21.0 0.0.0.255 host z.z.z.z eq 3389
access-list 121 deny   tcp 192.168.200.0 0.0.0.255 host z.z.z.z eq 3389
access-list 121 permit ip any any
access-list 144 permit ip 192.168.20.0 0.0.0.255 any
access-list 144 permit ip 192.168.200.0 0.0.0.255 any
access-list 144 permit ip 192.168.21.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
!
route-map smtp-136 permit 10
 match ip address 103
!
route-map nonatvpn permit 10
 match ip address 102
!
route-map VPN-Client permit 10
 match ip address 144
 set interface Loopback0

With this config, my first SMTP server works perfectly. My second (.136) is reachable from outside, but cannot send mail.

My tests:

1) If I remove "access-list 101 deny   ip host 192.168.2.136 any", .136 works but sends mail through the wrong IP (.89).

2) Initially, I had "ip nat inside source static tcp 192.168.2.136 25 y.y.y.98 25 route-map nonatvpn extendable" in place of "ip nat inside source static tcp 192.168.2.136 25 y.y.y.98 25 route-map smtp-136 extendable". It doesn't work either, except if I add "ip nat inside source static 192.168.2.136 y.y.y.98 extendable" => everything works but all my ports are open...

Any help would be greatly appreciated.

Regards.

5 Replies

Hi,

You can try using static PAT:

ip nat inside source static tcp 192.168.2.136 25 x.x.x.98 25 extendable

This maps only one port to the outside IP.

Dan

Thanks for your help. I also tried this, with no luck. With this rule, SMTP packets can come in from outside, but I can't connect to the outside.

You also have an issue with the input ACL on the Dialer0:

access-list 102 deny   ip 192.168.2.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 any

add:

access-list 102 permit tcp any host x.x.x.98 eq 25

You deny everything on Dialer0 in.

Dan

Thanks for your answer, but I don't think that is the problem. I can reach port 25 from outside, and I can exit from the same interface but with the other IP. Maybe you confused ACL 102 and 120.

Regards.

Hello,

Problem is solved. What I had to do:

ip nat pool deuxiemeip y.y.y.98 y.y.y.98 netmask 255.255.255.252
ip access-list extended 104
 10 permit ip host 192.168.2.136 any
ip nat inside source list 104 pool deuxiemeip overload

Thanks for taking time.
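To see why the original config broke outbound mail from .136 and why the pool fix repairs it, here is an added example (not from the thread or from Cisco) that models the thread's NAT rules in Python. It assumes a simplified IOS order of operations: static entries are checked first, dynamic lists in configuration order, and a deny in a NAT ACL means "this rule does not apply"; the public addresses are documentation-range stand-ins for x.x.x.89 and y.y.y.98, and ACLs are matched on source address only.

```python
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the thread's public addresses (assumption).
DIALER0_PRIMARY = "203.0.113.89"   # x.x.x.89, what "interface Dialer0 overload" uses
SECONDARY_IP = "198.51.100.98"     # y.y.y.98, the pool address

def acl_permits(acl, src_ip):
    """First-match ACL on source address, with the implicit deny at the end.
    acl is a list of (action, source) where source is CIDR or "any"."""
    for action, src in acl:
        net = ip_network("0.0.0.0/0" if src == "any" else src)
        if ip_address(src_ip) in net:
            return action == "permit"
    return False

def translate(src_ip, src_port, statics, dynamics):
    """Return the global source address a packet leaves with, or None when
    no NAT rule matches (the packet would leave untranslated and fail)."""
    # Static PAT entries: (inside local ip, inside local port, inside global ip).
    for local_ip, local_port, global_ip in statics:
        if src_ip == local_ip and src_port == local_port:
            return global_ip
    # Dynamic rules: (acl, inside global ip), first matching rule wins.
    for acl, global_ip in dynamics:
        if acl_permits(acl, src_ip):
            return global_ip
    return None

ACL_101 = [("deny", "192.168.2.136/32"), ("permit", "any")]
ACL_101_NO_DENY = [("permit", "any")]
ACL_104 = [("permit", "192.168.2.136/32")]
# "ip nat inside source static tcp 192.168.2.136 25 y.y.y.98 25 ..."
STATIC = [("192.168.2.136", 25, SECONDARY_IP)]

def scenario(name):
    """Return (server replies from port 25, client connection from an
    ephemeral port) for host .136 under one of the thread's configs."""
    if name == "original":          # deny .136 in 101, only the static entry
        dynamics = [(ACL_101, DIALER0_PRIMARY)]
    elif name == "test1":           # deny removed: .136 falls into the overload
        dynamics = [(ACL_101_NO_DENY, DIALER0_PRIMARY)]
    elif name == "solution":        # ACL 104 -> pool deuxiemeip added
        dynamics = [(ACL_101, DIALER0_PRIMARY), (ACL_104, SECONDARY_IP)]
    else:
        raise ValueError(name)
    server_side = translate("192.168.2.136", 25, STATIC, dynamics)
    client_side = translate("192.168.2.136", 51000, STATIC, dynamics)
    return server_side, client_side
```

The static entry only covers packets whose inside source port is 25, so an outbound SMTP client connection from an ephemeral port never matches it; without a dynamic rule permitting .136 it leaves untranslated, and with the plain overload it leaves as .89.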
