02-22-2012 09:13 AM - edited 03-07-2019 05:06 AM
Hi all, I am relatively new to IOS and could use some help. We have 2 routers, 1 internal, 1 DMZ/external. Internal is a 1921, DMZ is an 891. We have an interesting setup right now where each router has its own public IP and separate connection to the modem. The 1921 handles all normal internet traffic and has our VPN server for remote access to our internals. The 891 handles our Lync Edge server and will soon have an Exchange Edge server. I am trying to configure the 891 to forward traffic from the DMZ subnet to the internal subnet and Exchange server.
I have done everything that I *think* needs to be done to get this to work. My boss believes I should be able to telnet from a DMZ machine to our internal Exchange server over port 25 and vice versa. However, this does not work.
The 891's fastethernet8 interface is connected directly to the 1921's gigabitethernet0/0 interface.
My config is as follows:
1921(INSIDE)-
*took out anything that doesn't pertain to SMTP traffic and these 2 routers
interface GigabitEthernet0/0
 description TO-DMZ
 ip address 10.10.1.2 255.255.255.0
 ip access-group sdm_gigabitethernet0/0_in in
 ip nat outside
 ip virtual-reassembly in
 ip verify unicast reverse-path
 ip policy route-map smtprule
 duplex auto
 speed auto
 no cdp enable
ip nat inside source static tcp 192.168.1.186 25 interface GigabitEthernet0/0 25
ip nat inside source route-map smtprule interface GigabitEthernet0/0 overload
ip route 10.10.10.0 255.255.255.0 GigabitEthernet0/0
!
ip access-list extended sdm_gigabitethernet0/0_in
permit tcp any host 10.10.1.2 eq smtp
permit tcp any host 10.10.1.2 eq 50636
permit tcp any host 192.168.1.186 eq smtp
permit tcp any host 192.168.1.186 eq 50636
permit tcp any any eq 1723
permit gre any any
permit ip 192.168.1.0 0.0.0.255 any
permit ip host 10.10.1.2 any
permit icmp any host 10.10.1.2 administratively-prohibited
permit icmp any host 10.10.1.2 time-exceeded
permit icmp any host 10.10.1.2 unreachable
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 255.255.255.255 any
deny ip host 0.0.0.0 any
deny ip any any log
access-list 151 permit tcp host 192.168.1.186 eq smtp any
access-list 151 permit tcp host 192.168.1.186 any eq smtp
access-list 151 permit ip host 192.168.1.186 any
!
route-map smtprule permit 5
 match ip address 151
 set interface GigabitEthernet0/0
!
891(DMZ)-
interface FastEthernet8
 ip address 10.10.1.10 255.255.255.0
 ip nat outside
 ip policy route-map smtprule
 duplex auto
 speed auto
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$
 ip address 10.10.10.1 255.255.255.0
 ip access-group 102 in
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
ip nat inside source route-map smtprule interface FastEthernet8 overload
ip route 192.168.1.0 255.255.255.0 FastEthernet8
!
access-list 151 permit tcp host 10.10.10.3 eq smtp any
access-list 151 permit tcp host 10.10.10.3 any eq smtp
access-list 151 permit ip host 10.10.10.3 any
!
route-map smtprule permit 5
 match ip address 151
 set interface FastEthernet8
A few things to note:
*10.10.10.3 is the Exchange Edge server
*192.168.1.186 is the Exchange server
*in the 1921's ACL I tried both the IP of the FastEthernet8 (DMZ) interface and what you see currently, which is the GigabitEthernet0/0 (inside) interface
*the route-map is just a test; I am really not sure if it was even necessary. Things are looking exactly the same since I put it in.
My boss is convinced SMTP won't flow between the two routers until I can telnet on port 25 to each respective machine. Is this true? From each router I can ping machine IPs off the other router, but machines themselves cannot ping machines on the other router (or the router itself). So for instance, while on the 891 I can ping 192.168.1.186, and while on the 1921 I can ping 10.10.10.3, but I cannot ping 192.168.1.186 from 10.10.10.3 or vice versa.
What am I missing? I was originally under the impression that static routes were the only thing I needed. After I added them it opened up the pinging I was talking about, but I still cannot telnet on 25.
Please help!
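To see what the 1921's inbound ACL actually admits from the DMZ side, here is an added example (not part of the thread, and not Cisco code) that models the posted sdm_gigabitethernet0/0_in list with IOS first-match semantics and evaluates a few constructed flows against it. The flows, the wildcard-to-prefix conversion and the ICMP type names are assumptions made for the model; the entries themselves are copied from the posted ACL.

```python
import ipaddress

# Constructed model of the 1921's inbound ACL "sdm_gigabitethernet0/0_in" as posted.
# IOS wildcard masks have been converted to prefix lengths (0.0.0.255 -> /24,
# 0.15.255.255 -> /12, 0.255.255.255 -> /8) and "any" is 0.0.0.0/0.  The last
# column is the destination port for tcp entries, the ICMP message type for icmp
# entries, and None where the entry carries no such qualifier.
ACL = [
    ("permit", "tcp",  "0.0.0.0/0",          "10.10.1.2/32",     25),
    ("permit", "tcp",  "0.0.0.0/0",          "10.10.1.2/32",     50636),
    ("permit", "tcp",  "0.0.0.0/0",          "192.168.1.186/32", 25),
    ("permit", "tcp",  "0.0.0.0/0",          "192.168.1.186/32", 50636),
    ("permit", "tcp",  "0.0.0.0/0",          "0.0.0.0/0",        1723),
    ("permit", "gre",  "0.0.0.0/0",          "0.0.0.0/0",        None),
    ("permit", "ip",   "192.168.1.0/24",     "0.0.0.0/0",        None),
    ("permit", "ip",   "10.10.1.2/32",       "0.0.0.0/0",        None),
    ("permit", "icmp", "0.0.0.0/0",          "10.10.1.2/32",     "administratively-prohibited"),
    ("permit", "icmp", "0.0.0.0/0",          "10.10.1.2/32",     "time-exceeded"),
    ("permit", "icmp", "0.0.0.0/0",          "10.10.1.2/32",     "unreachable"),
    ("deny",   "ip",   "10.0.0.0/8",         "0.0.0.0/0",        None),
    ("deny",   "ip",   "172.16.0.0/12",      "0.0.0.0/0",        None),
    ("deny",   "ip",   "192.168.0.0/16",     "0.0.0.0/0",        None),
    ("deny",   "ip",   "127.0.0.0/8",        "0.0.0.0/0",        None),
    ("deny",   "ip",   "255.255.255.255/32", "0.0.0.0/0",        None),
    ("deny",   "ip",   "0.0.0.0/32",         "0.0.0.0/0",        None),
    ("deny",   "ip",   "0.0.0.0/0",          "0.0.0.0/0",        None),  # deny ip any any log
]


def matches(entry, pkt):
    """Does one ACL entry match a packet described as a dict?"""
    action, proto, src, dst, qual = entry
    if proto != "ip" and proto != pkt["proto"]:
        return False
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(src):
        return False
    if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(dst):
        return False
    if qual is None:
        return True
    if proto == "icmp":
        return pkt.get("icmp_type") == qual
    return pkt.get("dport") == qual


def evaluate(acl, pkt):
    """First-match semantics as IOS applies them; implicit deny if nothing matches.

    Returns (action, 1-based line number of the matching entry), or ("deny", None).
    """
    for line, entry in enumerate(acl, 1):
        if matches(entry, pkt):
            return entry[0], line
    return "deny", None


# Constructed sample flows arriving inbound on Gi0/0 from the DMZ side.
# 10.10.1.10 is what the hub sees as source once the 891's overload NAT has run.
FLOWS = {
    "smtp from edge (after 891 PAT) to hub":
        {"proto": "tcp", "src": "10.10.1.10", "dst": "192.168.1.186", "dport": 25},
    "smtp from edge (untranslated) to hub":
        {"proto": "tcp", "src": "10.10.10.3", "dst": "192.168.1.186", "dport": 25},
    "https from edge to hub":
        {"proto": "tcp", "src": "10.10.10.3", "dst": "192.168.1.186", "dport": 443},
    "ping from edge to hub":
        {"proto": "icmp", "src": "10.10.10.3", "dst": "192.168.1.186", "icmp_type": "echo"},
    "ping from edge to 1921 Gi0/0":
        {"proto": "icmp", "src": "10.10.10.3", "dst": "10.10.1.2", "icmp_type": "echo"},
}


def report():
    """Evaluate every sample flow; returns {flow name: (action, line)}."""
    return {name: evaluate(ACL, pkt) for name, pkt in FLOWS.items()}


if __name__ == "__main__":
    for name, (action, line) in report().items():
        print(f"{name:42s} -> {action} (line {line})")
```

Run as a script it shows that SMTP to 192.168.1.186 is admitted by line 3 whether or not the 891 has translated the source, while every other flow from a 10.x source, including a plain ping between the two servers, falls through to line 12 (`deny ip 10.0.0.0 0.255.255.255 any`). Those RFC 1918 deny lines are the anti-spoofing defaults the SDM wizard writes for an internet-facing interface; on a private DMZ link they block everything the list does not explicitly permit, which is consistent with the hosts being unable to ping each other while the SMTP port itself is open. Note also that line 7 permits packets claiming a 192.168.1.0/24 source on this DMZ-facing interface, so the `ip verify unicast reverse-path` on the same interface is what actually rejects such spoofed sources.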
02-25-2012 11:46 AM
I'm assuming the Exchange Edge server is on a switch interface (assigned to VLAN 1) on the 891 router.
If so, do you have a requirement to have both the Exchange and Edge server hiding behind 2 separate NATs for when they communicate with each other? It appears to me that this problem is NAT based.
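The following added example (my own model, not the thread's or Cisco's code) traces a single SMTP SYN / SYN-ACK exchange between the Edge server and the Hub through two routers that each run `ip nat inside source ... overload` toward the other, and then again with NAT switched off, which is what the thread ends up doing. It models only the NAT behaviour relevant here: static entries win over dynamic ones, overload entries are extended (they record the outside peer as well as the inside socket), and an outside-to-inside packet that matches no entry is forwarded untranslated. The assumption that the overload keeps the original source port is mine, as are the port numbers.

```python
from dataclasses import dataclass, field


# Constructed packet model: only the fields NAT looks at.
@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


@dataclass
class Router:
    """Minimal model of IOS 'ip nat inside source' on one inside/outside interface pair.

    inside_global: address of the 'ip nat outside' interface used for overload
    nat_hosts:     inside addresses matched by the route-map ACL ('permit ip host X any')
    static:        (inside_local, port) -> (inside_global, port), 'ip nat inside source static tcp'
    table:         dynamic extended PAT entries, keyed on the inside socket AND the outside
                   peer socket, as IOS builds them for overload translations
    """
    name: str
    nat_enabled: bool
    inside_global: str
    nat_hosts: frozenset
    static: dict = field(default_factory=dict)
    table: dict = field(default_factory=dict)

    def inside_to_outside(self, p: Pkt) -> Pkt:
        if not self.nat_enabled:
            return p
        if (p.src, p.sport) in self.static:          # static entries take precedence
            ig, igp = self.static[(p.src, p.sport)]
        else:
            key = (p.src, p.sport, p.dst, p.dport)
            if key not in self.table and p.src in self.nat_hosts:
                # assumption: the overload keeps the source port when it is free
                self.table[key] = (self.inside_global, p.sport)
            if key not in self.table:
                return p                                # not subject to NAT
            ig, igp = self.table[key]
        return Pkt(ig, igp, p.dst, p.dport, p.flags)

    def outside_to_inside(self, p: Pkt) -> Pkt:
        if not self.nat_enabled:
            return p
        # extended entry: the outside peer must match too
        for (il, ilp, oa, op), (ig, igp) in self.table.items():
            if (ig, igp, oa, op) == (p.dst, p.dport, p.src, p.sport):
                return Pkt(p.src, p.sport, il, ilp, p.flags)
        for (il, ilp), (ig, igp) in self.static.items():
            if (ig, igp) == (p.dst, p.dport):
                return Pkt(p.src, p.sport, il, ilp, p.flags)
        return p  # nothing matches: forwarded untranslated toward p.dst


EDGE, HUB = "10.10.10.3", "192.168.1.186"   # addresses from the thread


def build(nat_enabled: bool):
    """Both routers as posted: overload on each, plus the 1921's static tcp/25 entry."""
    r891 = Router("891", nat_enabled, "10.10.1.10", frozenset({EDGE}))
    r1921 = Router("1921", nat_enabled, "10.10.1.2", frozenset({HUB}),
                   static={(HUB, 25): ("10.10.1.2", 25)})
    return r891, r1921


def smtp_handshake(nat_enabled: bool):
    """Trace SYN and SYN-ACK for edge -> hub:25; return (ok, reason)."""
    r891, r1921 = build(nat_enabled)
    syn = Pkt(EDGE, 40000, HUB, 25, "SYN")
    # edge -> 891 (Vlan1 inside -> Fa8 outside) -> 1921 (Gi0/0 outside -> inside) -> hub
    at_hub = r1921.outside_to_inside(r891.inside_to_outside(syn))
    if at_hub.dst != HUB:
        return False, f"SYN delivered to {at_hub.dst}, not the hub"
    synack = Pkt(HUB, 25, at_hub.src, at_hub.sport, "SYN-ACK")
    at_edge = r891.outside_to_inside(r1921.inside_to_outside(synack))
    if at_edge.dst != EDGE:
        return False, f"SYN-ACK delivered to {at_edge.dst}, not the edge server"
    if (at_edge.src, at_edge.sport) != (HUB, 25):
        return False, f"SYN-ACK from {at_edge.src}:{at_edge.sport}; client expects {HUB}:25"
    return True, "three-way handshake can complete"


if __name__ == "__main__":
    for nat in (True, False):
        ok, why = smtp_handshake(nat)
        print(f"NAT on both routers={nat}: {'OK' if ok else 'FAIL'} - {why}")
```

With NAT on, the hub's SYN-ACK leaves the 1921 with its source rewritten to 10.10.1.2:25 by the static entry, so the 891's extended PAT entry (which expects the peer 192.168.1.186:25) never matches and the reply ends up addressed to the 891 itself instead of 10.10.10.3; the handshake never completes, which is exactly the telnet-to-25 symptom in the original post. With NAT off on both sides the static routes alone carry the exchange. NAT between two segments the organisation controls adds no access control that the ACLs are not already providing, and it is what makes the flow asymmetric here.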
02-23-2012 07:14 AM
Anyone? Really need help with this.
02-24-2012 01:29 PM
Desperately need help here. PLEASE.
I have tried EIGRP and OSPF and still no luck. Do I even need them? Was I configuring them wrong? Do I need to do something more complex with them than just the basic network commands?
02-24-2012 02:15 PM
Sam,
Do you think you could post a quick sketch of your topology with the devices, servers and IP addresses indicated? It would simplify the process of troubleshooting your configuration.
Best regards,
Peter
02-25-2012 06:32 AM
Agree that a map is needed. Also, couldn't all this be done away with by adding an additional nic in the internal exchange server plugged directly into the 891?
02-27-2012 07:26 AM
DMZ Subnet 10.10.10.0
^
|
891 fastethernet8- ip address 10.10.1.10 connected directly to ->
1921 gigabitethernet0/0- ip address 10.10.1.2
|
v
Internal Subnet 192.168.1.0
Exchange Edge is 10.10.10.3 in the DMZ, Exchange Hub is 192.168.1.186 internal.
02-27-2012 09:34 AM
It was indeed a NAT problem. I removed my NAT statements and took 'ip nat outside' off my interfaces and it worked! Not using RIP, OSPF, or anything, just static routes.