06-26-2003 05:15 AM - edited 03-02-2019 08:26 AM
--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --
I have a Cisco 827 configured for an ADSL connection and 16 public IP addresses.
In my LAN I have a mail server (Exchange server). This server has the IP 10.0.0.9 and uses port 25. I want to give a public IP to this server and the others to the other PCs in my LAN. For that I used dynamic NAT and static NAT at the same time, but I can't connect to the mail server from a public IP; it only works on the LAN.
Here is the configuration for the router. Please help me, and thank you very much!
Router#sh run
Building configuration...
Current configuration : 1622 bytes
!
version 12.1
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
logging rate-limit console 10 except errors
aaa new-model
enable secret 5 xxxxxxxxxxxxxxxxx
!
username Router password 7 xxxxxxxxxxxx
mmi polling-interval 60
mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip finger
no ip domain-lookup
!
ip dhcp pool client
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
!
no ip dhcp-client network-discovery
!
!
!
interface Ethernet0
ip address 10.0.0.6 255.0.0.0 secondary
ip address yy.yy.yy.177 255.255.255.240
ip nat inside
hold-queue 32 in
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 0/16 ilmi
!
bundle-enable
dsl operating-mode auto
!
interface ATM0.1 point-to-point
ip address nn.nn.nn.210 255.255.255.252
ip nat outside
pvc 8/35
vbr-nrt 640 640 1
encapsulation aal5snap
!
!
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
no ip http server
!
ip nat pool Router yy.yy.yy.179 yy.yy.yy.190 netmask 255.255.255.240
ip nat inside source list 1 pool Router
ip nat inside source static 10.0.0.9 yy.yy.yy.178
ip nat inside source static tcp 10.0.0.9 25 yy.yy.yy.178 25 extendable
access-list 1 deny 10.0.0.9
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 101 deny tcp any any eq telnet
snmp-server manager
!
line con 0
transport input none
stopbits 1
line vty 0
password 7 xxxxxxxxxxxx
line vty 1 3
access-class 101 in
line vty 4
access-class 101 in
access-class 101 out
!
scheduler max-task-time 5000
end
06-26-2003 05:27 AM
Hi -
All you need to know about config of NAT on c827 etc is here >
>http://www.cisco.com/univercd/cc/td/doc/product/access/acs_fix/826/swg/routconf.htm
Hope this helps --
06-27-2003 07:14 AM
Thanks, but that doesn't resolve the problem, because I made a static NAT for the Exchange server with the SMTP port but it doesn't work; the router blocks the traffic from the outside on the SMTP port!
Thanks for any other help.
06-30-2003 02:27 PM
Hi -
Okay, the link I provided didn't have the required info. Basically, if you want (if I'm reading your post correctly) a 'client' to connect to an inside server for SMTP on port 25, then you'll require a 'static translation' and an ACL configured on your router, as the previous post suggested as well.
Hope this helps - let us know if you need any more help --
07-03-2003 04:19 AM
hi
That is what I do in the conf, if you see my post. It is what I think is logical, but it doesn't work; that is the problem!
Thank you for any help.
06-30-2003 12:03 PM
Hi
Are you trying to establish a connection from your LAN to a host outside on port 25?
Then I think your problem could be that if you try to establish a connection from the inside, your source port is not 25; only the destination port will be 25.
As the config is now, it should work to make a connection from the outside to this IP on port 25.
But what if you do a static NAT on the IP and also install an ACL which will do the needed filtering?
Hope that helps you
Roger
07-03-2003 04:09 AM
Thank you very much for the help.
As for my case, I have a mail server (Exchange) in my LAN and I want that server to be accessible from the Internet.
I did a static NAT for that server and a dynamic one for the other devices in my LAN, but the server can't be reached from the Internet; port 25 remains blocked, and from the LAN it works.
I tried with an ACL to open port 25 but the same problem!
I don't know what I can do.
Thanks for any help.
07-03-2003 04:40 AM
Hi
What if we start with a basic setup and go further step by step?
I also see an ACL 101, and I do not know where this one is active.
I also do not see why you have yy.yy.yy.170 as primary and 10.0.0.6 as secondary on the Ethernet.
If I understand your setup, you have all your clients and the Exchange server on the 10.0.0.0/24 segment.
What is your routing to the provider? Static?
So could you remove all the ACLs and then just implement a static NAT for the Exchange server like:
ip nat inside source static 10.0.0.9 yy.yy.yy.178 no-alias
Remove the official IP address from the LAN.
==> Check if that's working and let me know.
Regards
Roger
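Added example (not part of the original thread, and not the posters' code): a small Python audit, run over a constructed excerpt of the configuration posted at the top of the thread, that shows where each ACL is actually applied and what each static NAT entry publishes. The function name `audit`, the result keys and the documentation address 203.0.113.2 (standing in for the redacted public address) are assumptions of this example.

```python
import re

# Constructed sample: NAT- and ACL-related lines of the configuration posted in
# this thread; 203.0.113.2 stands in for the redacted public address.
SAMPLE_CONFIG = """\
interface ATM0.1 point-to-point
ip nat outside
ip nat inside source list 1 pool Router
ip nat inside source static 10.0.0.9 203.0.113.2
ip nat inside source static tcp 10.0.0.9 25 203.0.113.2 25 extendable
access-list 1 deny 10.0.0.9
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 101 deny tcp any any eq telnet
line vty 1 3
access-class 101 in
"""

def audit(config):
    """Report where each ACL is applied and what static NAT publishes."""
    defined, applied, statics, outside = set(), {}, [], set()
    section = None  # current "interface ..." or "line ..." block
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith(("interface ", "line ")):
            section = line
        elif line == "ip nat outside":
            outside.add(section)
        elif m := re.match(r"access-list (\d+) ", line):
            defined.add(m.group(1))
        elif m := re.match(r"(?:ip access-group|access-class) (\d+) (in|out)$", line):
            applied.setdefault(m.group(1), []).append((section, m.group(2)))
        elif m := re.match(r"ip nat inside source list (\d+) ", line):
            applied.setdefault(m.group(1), []).append(("nat rule", "match"))
        elif line.startswith("ip nat inside source static "):
            args = line.split()[5:]
            if args[0] in ("tcp", "udp"):  # static <proto> <local> <port> <global> <port>
                statics.append((args[3], args[1], f"{args[0]}/{args[4]}"))
            else:                          # static <local> <global>: whole host
                statics.append((args[1], args[0], "all ports"))
    filtered = {where for uses in applied.values() for where, d in uses if d == "in"}
    return {
        "applied": applied,
        "unapplied": sorted(defined - set(applied)),
        "static_nat": statics,
        "outside_without_inbound_acl": sorted(outside - filtered),
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

On the excerpt it reports that ACL 101 is referenced only by `access-class` on the vty lines and that the outside interface carries no inbound `ip access-group`. It also lists the whole-host static entry, which maps every port of 10.0.0.9 to the public address, alongside the tcp/25 entry.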
06-30-2003 04:14 PM
Have you configured any routing protocols on your router?
From a quick glance I can't see anything configured, so I'm thinking the next-hop router may not know about your router, etc.?
Try putting
router rip
network yy.yy.yy.0
and see what that does, also check your route map table by using the
show route map
command and see if your router is talking to the next router correctly. A little network diagram may help some of us.
07-03-2003 04:12 AM
I have configured RIP but it doesn't change anything; the problem is the same,
and the router talks correctly with the next hop (telecom).
If there is another way!
Thank you very much for any other help.
07-03-2003 04:36 AM
Hi --
Okay, what I'm thinking is that if you allowed port 25 with an ACL on your router and that didn't help in allowing clients from the Internet to connect to your mail server. I presume that your service provider (telecom) router has an ACL permitting port 25 to be allowed in to your network - can you find this out?
Make sure you have the correct ACLs configured on your router as well, i.e. permitting port 25, and can you post your config please (make sure to take out ALL passwords and inside IP addresses).
Jay
07-04-2003 01:37 AM
Building configuration...
Current configuration : 1531 bytes
!
version 12.1
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname DSC
!
logging rate-limit console 10 except errors
aaa new-model
enable secret 5 xxxxxxxxxxxxxxxxxxxx
!
username dsc password 7 xxxxxxxx
mmi polling-interval 60
mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip finger
no ip domain-lookup
!
no ip dhcp-client network-discovery
!
!
!
interface Ethernet0
ip address 10.0.0.6 255.0.0.0 secondary
ip address xyxyxyyx 255.255.255.240
ip nat inside
hold-queue 32 in
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 0/16 ilmi
!
bundle-enable
dsl operating-mode auto
!
interface ATM0.1 point-to-point
ip address 62.86.91.210 255.255.255.252
ip nat outside
pvc 8/35
vbr-nrt 640 640 1
encapsulation aal5snap
!
!
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
no ip http server
!
ip nat pool dsc xyxyyxyxy xyxyyxyxy netmask 255.255.255.240
ip nat inside source list 1 pool dsc
ip nat inside source static 10.0.0.9 xyxyyxyxy
ip nat inside source static tcp 10.0.0.9 25 xyxyyxyxy 25 extendable
access-list 1 deny 10.0.0.9
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 101 deny tcp any any eq telnet
snmp-server manager
!
line con 0
transport input none
stopbits 1
line vty 0
access-class 101 in
access-class 101 out
password 7 xxxxxxxxxx
line vty 1 4
access-class 101 in
access-class 101 out
!
scheduler max-task-time 5000
end
07-03-2003 05:31 AM
Hi --
Also, forgot to add on my previous post, can you place the following access-list and test to see if it helps your situation.
Am using numbered access-list here :
>access-list 101 permit tcp any host
Now place the above ACL on your outbound interface with an access-group cmd.
>access-group 101 in
Place the above ACL 101 as the first line. Do a 'write memory' to save config, now test the above ACL to check if there are any 'hits' on the ACL
>ROUTER#show access-list 101
Hope this helps --
07-04-2003 02:03 AM
hi
I also tried this ACL in and out on the ATM0.1 interface but it doesn't work.
I think it is impossible to resolve this problem; this router is too small to do that!
Thank you for everything.
07-08-2003 12:27 AM
hi
Could you once test what I posted before? I still think that if you go step by step
you can implement what you have planned.
Just go back to my last posting and try to do the tests.
Regards
Roger