SMTP Between 2 routers

eddysamson
Level 1

Hi all, I am relatively new to IOS and could use some help. We have 2 routers, 1 internal, 1 DMZ/external. Internal is a 1921, DMZ is a 891. We have an interesting setup right now where each router has its own public IP and separate connection to the modem. The 1921 handles all normal internet traffic and has our VPN server for remote access to our internals. The 891 handles our Lync Edge server and will soon have an Exchange Edge server. I am trying to configure the 891 to forward traffic from the DMZ subnet to the internal subnet and exchange server.

I have done everything that I *think* needs to be done to get this work. My boss believes I should be able to telnet from a dmz machine to our internal exchange server over port 25 and vice versa. However, this does not work.

The 891's fastethernet8 interface is connected directly to the 1921's gigabitethernet0/0 interface.

My config is as follows:

1921(INSIDE)-

*took out anything that doesn't pertain to SMTP traffic and these 2 routers

interface GigabitEthernet0/0
 description TO-DMZ
 ip address 10.10.1.2 255.255.255.0
 ip access-group sdm_gigabitethernet0/0_in in
 ip nat outside
 ip virtual-reassembly in
 ip verify unicast reverse-path
 ip policy route-map smtprule
 duplex auto
 speed auto
 no cdp enable
!
ip nat inside source static tcp 192.168.1.186 25 interface GigabitEthernet0/0 25
ip nat inside source route-map smtprule interface GigabitEthernet0/0 overload
ip route 10.10.10.0 255.255.255.0 GigabitEthernet0/0
!
ip access-list extended sdm_gigabitethernet0/0_in
 permit tcp any host 10.10.1.2 eq smtp
 permit tcp any host 10.10.1.2 eq 50636
 permit tcp any host 192.168.1.186 eq smtp
 permit tcp any host 192.168.1.186 eq 50636
 permit tcp any any eq 1723
 permit gre any any
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip host 10.10.1.2 any
 permit icmp any host 10.10.1.2 administratively-prohibited
 permit icmp any host 10.10.1.2 time-exceeded
 permit icmp any host 10.10.1.2 unreachable
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip host 255.255.255.255 any
 deny   ip host 0.0.0.0 any
 deny   ip any any log
!
access-list 151 permit tcp host 192.168.1.186 eq smtp any
access-list 151 permit tcp host 192.168.1.186 any eq smtp
access-list 151 permit ip host 192.168.1.186 any
!
route-map smtprule permit 5
 match ip address 151
 set interface GigabitEthernet0/0
!

891(DMZ)-

interface FastEthernet8
 ip address 10.10.1.10 255.255.255.0
 ip nat outside
 ip policy route-map smtprule
 duplex auto
 speed auto
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$
 ip address 10.10.10.1 255.255.255.0
 ip access-group 102 in
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
ip nat inside source route-map smtprule interface FastEthernet8 overload
ip route 192.168.1.0 255.255.255.0 FastEthernet8
!
access-list 151 permit tcp host 10.10.10.3 eq smtp any
access-list 151 permit tcp host 10.10.10.3 any eq smtp
access-list 151 permit ip host 10.10.10.3 any
!
route-map smtprule permit 5
 match ip address 151
 set interface FastEthernet8

A few things to note:

*10.10.10.3 is the exchange edge server

*192.168.1.186 is the exchange server

*in the 1921's ACL I tried both the IP of the fastethernet8(DMZ) interface and what you see currently which is the gigabitethernet0/0(inside) interface

*the route-map is just a test, I am really not sure if it was even necessary. Things are looking exactly the same since I put it in.

My boss is convinced SMTP won't flow between the two routers until I can telnet on port 25 to each respective machine, is this true? From each router I can ping machine IPs off the other router, but machines themselves cannot ping machines on the other router (or the router itself). So for instance while in the 891 I can ping 192.168.1.186 and while on the 1921 I can ping 10.10.10.3, but I cannot ping 192.168.1.186 from 10.10.10.3 or vice versa.

What am I missing? I was originally under the impression that static routes were the only thing I needed. After I added them it opened up the pinging I was talking about, but still cannot telnet on 25.

Please help!

1 Accepted Solution


7 Replies

eddysamson
Level 1

Anyone? Really need help with this.

Desperately need help here. PLEASE.

I have tried EIGRP and OSPF and no luck still. Do I even need them? Was I configuring them wrong? Do I need to do something more complex with them than just the basic network commands?

Sam,

Do you think you could post a quick sketch of your topology with the devices, servers and IP addresses indicated? It would simplify the process of troubleshooting your configuration.

Best regards,

Peter

Agree that a map is needed. Also, couldn't all this be done away with by adding an additional nic in the internal exchange server plugged directly into the 891?

Sent from Cisco Technical Support iPad App

DMZ Subnet 10.10.10.0
  ^
  |
891 FastEthernet8 (ip address 10.10.1.10) connected directly to ->
1921 GigabitEthernet0/0 (ip address 10.10.1.2)
  |
  v
Internal Subnet 192.168.1.0

Exchange Edge is 10.10.10.3 in the DMZ, Exchange Hub is 192.168.1.186 internal.

Jason Dance
Level 1

I'm assuming the exchange edge server is on a switch interface (assigned to vlan 1) on the 891 router.

If so, do you have a requirement to have both the exchange and edge server hiding behind 2 separate NATs for when they communicate with each other? It appears to me that this problem is NAT based.

It was indeed a NAT problem. I removed my NAT statements and took 'ip nat outside' off my interfaces and it worked! Not using RIP, OSPF, or anything, just static routes.
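To show why Jason's NAT diagnosis matches what the poster saw, here is an added example (not part of the thread, and not IOS code) that models the SMTP handshake across the two posted configs with and without the NAT statements. It assumes the translations the config creates (route-map PAT on the 891, static port NAT on the 1921) and a simplified IOS order of operations; the inbound ACL and the policy route-maps are left out, and the edge server's source port 40000 is a constructed value.

```python
# Constructed model of the SMTP handshake across the two routers in the thread.
# It mimics only the translations the posted config creates; it is not IOS.
HUB, EDGE = "192.168.1.186", "10.10.10.3"
R891_FA8, R1921_GI = "10.10.1.10", "10.10.1.2"

def r891_inside_to_outside(pkt, table):
    # 'ip nat inside source route-map smtprule interface FastEthernet8 overload':
    # ACL 151 matches the edge server, so its source is PAT'd to Fa8's address.
    if pkt["src"] == EDGE:
        table[(R891_FA8, pkt["sport"])] = pkt  # remember inside + outside 4-tuple
        return dict(pkt, src=R891_FA8)
    return pkt

def r1921_inside_to_outside(pkt):
    # 'ip nat inside source static tcp 192.168.1.186 25 interface Gi0/0 25':
    # anything the hub sends from port 25 out Gi0/0 has its source rewritten
    # (the overload rule for ACL 151 would rewrite it as well).
    if pkt["src"] == HUB and pkt["sport"] == 25:
        return dict(pkt, src=R1921_GI)
    return pkt

def r891_outside_to_inside(pkt, table):
    # A reply is untranslated only if it matches the stored entry, which
    # includes the outside host the edge server originally talked to.
    entry = table.get((pkt["dst"], pkt["dport"]))
    if entry is None or (entry["dst"], entry["dport"]) != (pkt["src"], pkt["sport"]):
        return None  # no matching translation: the reply is dropped
    return dict(pkt, dst=entry["src"], dport=entry["sport"])

def smtp_handshake(nat_enabled):
    """Return (True, 'ok') if the SYN-ACK gets back to the edge server intact."""
    table = {}
    syn = {"src": EDGE, "sport": 40000, "dst": HUB, "dport": 25}  # constructed flow
    on_wire = r891_inside_to_outside(syn, table) if nat_enabled else syn
    # The 1921 routes the SYN to the hub as-is: it is addressed to the hub's real
    # address, not to 10.10.1.2, so the static entry does not apply inbound.
    synack = {"src": on_wire["dst"], "sport": 25,
              "dst": on_wire["src"], "dport": on_wire["sport"]}
    if nat_enabled:
        synack = r1921_inside_to_outside(synack)   # source becomes 10.10.1.2:25
        synack = r891_outside_to_inside(synack, table)
        if synack is None:
            return False, "891 dropped SYN-ACK: source 10.10.1.2:25 matches no translation"
    if (synack["src"], synack["sport"]) != (syn["dst"], syn["dport"]):
        return False, "SYN-ACK came from a different address than the SYN went to"
    return True, "ok"

if __name__ == "__main__":
    print("with NAT:   ", smtp_handshake(True))
    print("routes only:", smtp_handshake(False))
```

The Gi0/0 inbound ACL is omitted because its `permit tcp any host 192.168.1.186 eq smtp` line admits the SYN; the break is on the return path, where the static entry rewrites the hub's reply source so the 891's PAT table never matches it.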
