How to NAT an inside mail (Exchange) server on a Cisco 827

admin_2 (Level 3)

--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --

I have a Cisco 827 configured for an ADSL connection and 16 public IP addresses.

In my LAN I have a mail server (Exchange Server). This server has the IP 10.0.0.9 and uses port 25. I want to give a public IP to this server and the other public IPs to the other PCs in my LAN. For that I used dynamic NAT and static NAT at the same time, but I can't connect to the mail server from a public IP; it only works on the LAN.

Here is the configuration for the router. Please help me, and thank you very much!

Router#sh run
Building configuration...

Current configuration : 1622 bytes
!
version 12.1
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
logging rate-limit console 10 except errors
aaa new-model
enable secret 5 xxxxxxxxxxxxxxxxx
!
username Router password 7 xxxxxxxxxxxx
mmi polling-interval 60
mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip finger
no ip domain-lookup
!
ip dhcp pool client
 import all
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
!
no ip dhcp-client network-discovery
!
interface Ethernet0
 ip address 10.0.0.6 255.0.0.0 secondary
 ip address yy.yy.yy.177 255.255.255.240
 ip nat inside
 hold-queue 32 in
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 0/16 ilmi
 !
 bundle-enable
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 ip address nn.nn.nn.210 255.255.255.252
 ip nat outside
 pvc 8/35
  vbr-nrt 640 640 1
  encapsulation aal5snap
!
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
no ip http server
!
ip nat pool Router yy.yy.yy.179 yy.yy.yy.190 netmask 255.255.255.240
ip nat inside source list 1 pool Router
ip nat inside source static 10.0.0.9 yy.yy.yy.178
ip nat inside source static tcp 10.0.0.9 25 yy.yy.yy.178 25 extendable
access-list 1 deny 10.0.0.9
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 101 deny tcp any any eq telnet
snmp-server manager
!
line con 0
 transport input none
 stopbits 1
line vty 0
 password 7 xxxxxxxxxxxx
line vty 1 3
 access-class 101 in
line vty 4
 access-class 101 in
 access-class 101 out
!
scheduler max-task-time 5000
end

15 Replies

jmia (Level 7)

Hi -

All you need to know about configuring NAT on the C827, etc., is here:

>http://www.cisco.com/univercd/cc/td/doc/product/access/acs_fix/826/swg/routconf.htm

Hope this helps --

Not applicable

Thanks, but that doesn't resolve the problem, because I made a static NAT for the Exchange server with the SMTP port and it doesn't work; the router blocks the traffic from the outside on the SMTP port!

Thanks for any other help.

Hi -

Okay, the link I provided didn't have the required info. Basically, if you want (if I'm reading your post correctly) a 'client' to connect to an inside server for SMTP on port 25, then you'll require a 'static translation' and an ACL configured on your router, as the previous post suggested as well.

Hope this helps. Let us know if you need any more help --

Not applicable

Hi,

That is what I did in the config. If you look at my post, it is what I think is logical, but it doesn't work. That is the problem!

Thank you for any help.

rwiesmann (Level 4)

Hi

Are you trying to establish a connection from your LAN to a host outside on port 25?

Then I think your problem could be that if you try to establish a connection from the inside, your source port is not 25; only the destination port will be 25.

As the config is now, it should work to make a connection from the outside to this IP on port 25.

But what if you do a static NAT on the IP and also install an ACL which will do the needed filtering?

Hope that helps you.

Roger

Not applicable

thank you very much for the help

As for my case, I have a mail server (Exchange) in my LAN and I want that server to be accessible from the Internet.

I did a static NAT for that server and a dynamic one for the other devices in my LAN, but the server can't be reached from the Internet; port 25 remains blocked, and from the LAN it works.

I tried with an ACL to open port 25, but the same problem!

I don't know how I can do it.

Thanks for any help.

Hi

What if we start with a basic setup and go step by step further?

I also see an ACL 101, which I do not know where it is active.

I also do not see why you have yy.yy.yy.170 as a primary and 10.0.0.6 as a secondary on the Ethernet?

If I understand your setup, you have all your clients and the Exchange server on the 10.0.0.0/24 segment.

What is your routing to the provider? Static?

So could you remove all the ACLs and then just implement a static NAT for the Exchange server like:

ip nat inside source static 10.0.0.9 yy.yy.yy.178 no-alias

Remove the official IP address from the LAN.

==> Check if that's working and let me know.

Regards

Roger
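The two things Roger asks about, where ACL 101 is actually applied and why the public /28 sits on the same Ethernet interface as the 10.0.0.0/8 LAN, can be checked mechanically before touching the router. The following Python script is an added example (it is not from this thread or from Cisco): it parses the NAT-relevant lines of a config in the posted form and flags inside global addresses that fall inside a connected subnet of an 'ip nat inside' interface, a missing inside or outside interface, and any vty access-class whose ACL has no permit entry (such an ACL ends in the implicit deny and rejects every login). The embedded config is constructed from the one posted above with the masked public addresses replaced by the documentation ranges 192.0.2.176/28 and 198.51.100.208/30; those values are assumptions made so the text parses.

```python
import ipaddress
import re

# Constructed from the config posted above: the masked public addresses are replaced by
# the documentation ranges 192.0.2.176/28 (LAN side) and 198.51.100.208/30 (ATM link),
# and lines irrelevant to NAT and vty access are omitted.
SAMPLE_CONFIG = """\
interface Ethernet0
 ip address 10.0.0.6 255.0.0.0 secondary
 ip address 192.0.2.177 255.255.255.240
 ip nat inside
!
interface ATM0.1 point-to-point
 ip address 198.51.100.210 255.255.255.252
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip nat pool Router 192.0.2.179 192.0.2.190 netmask 255.255.255.240
ip nat inside source list 1 pool Router
ip nat inside source static 10.0.0.9 192.0.2.178
ip nat inside source static tcp 10.0.0.9 25 192.0.2.178 25 extendable
access-list 1 deny 10.0.0.9
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 101 deny tcp any any eq telnet
line vty 1 3
 access-class 101 in
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"


def parse_config(text):
    """Collect interface subnets and NAT roles, the inside global addresses used by
    static and pool translations, the actions of each numbered ACL, and the ACLs bound
    to vty lines with access-class."""
    cfg = {"interfaces": {}, "nat_globals": [], "acls": {}, "access_class": []}
    context = None  # ("interface", name) or ("line", name) while in a sub-mode
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        line = raw.strip()
        if not raw.startswith(" "):  # global configuration mode
            context = None
            if m := re.match(r"interface (\S+)", line):
                context = ("interface", m.group(1))
                cfg["interfaces"][m.group(1)] = {"subnets": [], "nat": None}
            elif m := re.match(r"line (vty .*)", line):
                context = ("line", m.group(1))
            elif m := re.match(rf"ip nat pool \S+ {IP} {IP} netmask", line):
                first, last = (int(ipaddress.IPv4Address(a)) for a in m.groups())
                addrs = [ipaddress.IPv4Address(i) for i in range(first, last + 1)]
                cfg["nat_globals"].append((line, addrs))
            elif m := re.match(rf"ip nat inside source static (?:(?:tcp|udp) )?{IP}(?: \d+)? {IP}", line):
                cfg["nat_globals"].append((line, [ipaddress.IPv4Address(m.group(2))]))
            elif m := re.match(r"access-list (\d+) (permit|deny)\b", line):
                cfg["acls"].setdefault(m.group(1), []).append(m.group(2))
        elif context and context[0] == "interface":
            iface = cfg["interfaces"][context[1]]
            if m := re.match(rf"ip address {IP} {IP}", line):
                iface["subnets"].append(ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}").network)
            elif m := re.match(r"ip nat (inside|outside)$", line):
                iface["nat"] = m.group(1)
        elif context and context[0] == "line":
            if m := re.match(r"access-class (\d+) (in|out)", line):
                cfg["access_class"].append((context[1], m.group(1), m.group(2)))
    return cfg


def lint(cfg):
    """Return human-readable findings; an empty list means all checks passed."""
    findings = []
    inside = [(name, i) for name, i in cfg["interfaces"].items() if i["nat"] == "inside"]
    outside = [name for name, i in cfg["interfaces"].items() if i["nat"] == "outside"]
    if not inside or not outside:
        findings.append("NAT needs both an 'ip nat inside' and an 'ip nat outside' interface")
    # The public addresses handed out by NAT should not also be a connected subnet of an
    # inside interface; this is the overlap Roger's reply asks about.
    for statement, addrs in cfg["nat_globals"]:
        for name, iface in inside:
            for net in iface["subnets"]:
                hits = [a for a in addrs if a in net]
                if hits:
                    findings.append(f"'{statement}': global {hits[0]} lies in {net}, "
                                    f"a connected subnet of inside interface {name}")
    # An access-class ACL without a permit entry ends in the implicit deny: nobody can log in.
    for vty, number, direction in cfg["access_class"]:
        if "permit" not in cfg["acls"].get(number, []):
            findings.append(f"'line {vty}' access-class {number} {direction}: ACL {number} "
                            f"has no permit entry and denies all sessions")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_config(SAMPLE_CONFIG)) or ["no findings"]:
        print(finding)
```

Run as-is it reports four findings for the posted layout: the pool and both static statements use global addresses that the router also sees as a connected subnet on Ethernet0, and ACL 101 as written locks every vty. Remove the public address from Ethernet0 (Roger's "remove the official IP address from the LAN") and give ACL 101 a permit line, and the list comes back empty. The script says nothing about the provider side, i.e. whether the /28 is routed to the ATM address or port 25 is filtered upstream; that has to be checked with the telecom.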

bena (Level 1)

Have you configured any routing protocols on your router?

From a quick glance I can't see anything configured, so I'm thinking the next-hop router may not know about your router, etc.?

Try putting

router rip
network yy.yy.yy.0

and see what that does. Also check your route map table by using the

show route map

command and see if your router is talking to the next router correctly. A little network diagram may help some of us.

Not applicable

I have configured RIP, but it doesn't change anything; the problem is the same,

and the router talks correctly with the next hop (Telecom).

If there is another way!!!

Thank you very much for any other help.

Hi --

Okay, what I'm thinking is that you allowed port 25 with an ACL on your router and that didn't help in allowing clients from the Internet to connect to your mail server. I presume that your service provider's (telecom) router has an ACL permitting port 25 in to your network; can you find this out?

Make sure you have the correct ACLs configured on your router as well, i.e. permitting port 25, and can you post your config please (make sure to take out ALL passwords and inside IP addresses).

Jay

Not applicable

Building configuration...

Current configuration : 1531 bytes
!
version 12.1
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname DSC
!
logging rate-limit console 10 except errors
aaa new-model
enable secret 5 xxxxxxxxxxxxxxxxxxxx
!
username dsc password 7 xxxxxxxx
mmi polling-interval 60
mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip finger
no ip domain-lookup
!
no ip dhcp-client network-discovery
!
interface Ethernet0
 ip address 10.0.0.6 255.0.0.0 secondary
 ip address xyxyxyyx 255.255.255.240
 ip nat inside
 hold-queue 32 in
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 0/16 ilmi
 !
 bundle-enable
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 ip address 62.86.91.210 255.255.255.252
 ip nat outside
 pvc 8/35
  vbr-nrt 640 640 1
  encapsulation aal5snap
!
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
no ip http server
!
ip nat pool dsc xyxyyxyxy xyxyyxyxy netmask 255.255.255.240
ip nat inside source list 1 pool dsc
ip nat inside source static 10.0.0.9 xyxyyxyxy
ip nat inside source static tcp 10.0.0.9 25 xyxyyxyxy 25 extendable
access-list 1 deny 10.0.0.9
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 101 deny tcp any any eq telnet
snmp-server manager
!
line con 0
 transport input none
 stopbits 1
line vty 0
 access-class 101 in
 access-class 101 out
 password 7 xxxxxxxxxx
line vty 1 4
 access-class 101 in
 access-class 101 out
!
scheduler max-task-time 5000
end

Hi --

Also, I forgot to add on my previous post: can you place the following access-list and test to see if it helps your situation.

I am using a numbered access-list here:

>access-list 101 permit tcp any host eq 25

Now place the above ACL on your outbound interface with an access-group command:

>ip access-group 101 in

Place the above ACL 101 as the first line. Do a 'write memory' to save the config, then test the above ACL to check if there are any 'hits' on the ACL:

>ROUTER#show access-list 101

Hope this helps --
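Jay's suggestion to watch the hit counter is worth pairing with one rule of the IOS order of operations: for a packet arriving on the 'ip nat outside' interface (ATM0.1 in the posted config), the inbound access list is evaluated before the global-to-local translation, so it sees the server's public address, and an entry written against the LAN address 10.0.0.9 can never match there and will sit at zero hits. The following Python model of that outside-to-inside path is an added example, not code from the thread or from Cisco; it uses 192.0.2.178 as a stand-in for the masked public address, 203.0.113.5 as a constructed Internet client, and the static translation and routes from the posted config.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for the masked addresses in the thread: the Exchange server is
# 10.0.0.9 on the LAN and 192.0.2.178 on the public side (ip nat inside source static).
SERVER_LOCAL = ipaddress.IPv4Address("10.0.0.9")
SERVER_GLOBAL = ipaddress.IPv4Address("192.0.2.178")
STATIC_NAT = {SERVER_LOCAL: SERVER_GLOBAL}
# Connected 10.0.0.0/8 on Ethernet0 plus 'ip route 0.0.0.0 0.0.0.0 ATM0.1'.
ROUTES = [
    (ipaddress.IPv4Network("10.0.0.0/8"), "Ethernet0"),
    (ipaddress.IPv4Network("0.0.0.0/0"), "ATM0.1"),
]


@dataclass
class AclEntry:
    action: str                  # "permit" or "deny"
    dst: ipaddress.IPv4Network   # destination the entry names (host X -> X/32)
    dport: Optional[int] = None  # None matches any destination port
    hits: int = 0                # the counter 'show access-list' displays


@dataclass
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def check_acl(acl, pkt):
    """First matching entry wins; no match falls through to the implicit deny."""
    for entry in acl:
        if pkt.dst in entry.dst and entry.dport in (None, pkt.dport):
            entry.hits += 1
            return entry.action == "permit"
    return False


def lookup_route(dst):
    """Longest-prefix match over ROUTES; returns the exit interface."""
    dst = ipaddress.IPv4Address(str(dst))
    candidates = [route for route in ROUTES if dst in route[0]]
    return max(candidates, key=lambda route: route[0].prefixlen)[1]


def outside_to_inside(pkt, acl_in):
    """IOS order of operations on the 'ip nat outside' interface: inbound ACL first (it
    sees the inside global address), then global-to-local NAT, then routing."""
    if not check_acl(acl_in, pkt):
        return "dropped by inbound ACL", pkt, None
    global_to_local = {g: l for l, g in STATIC_NAT.items()}
    if pkt.dst in global_to_local:
        pkt = Packet(pkt.src, global_to_local[pkt.dst], pkt.dport)
    return "forwarded", pkt, lookup_route(pkt.dst)


def smtp_from_internet():
    """The same SMTP connection attempt against two inbound ACLs on ATM0.1: one naming the
    LAN address (never matches before NAT) and one naming the public address."""
    client = Packet(ipaddress.IPv4Address("203.0.113.5"), SERVER_GLOBAL, 25)
    lan_acl = [AclEntry("permit", ipaddress.IPv4Network(f"{SERVER_LOCAL}/32"), 25)]
    public_acl = [AclEntry("permit", ipaddress.IPv4Network(f"{SERVER_GLOBAL}/32"), 25)]
    return {
        "permit tcp any host 10.0.0.9 eq 25": (outside_to_inside(client, lan_acl), lan_acl[0].hits),
        "permit tcp any host 192.0.2.178 eq 25": (outside_to_inside(client, public_acl), public_acl[0].hits),
    }


if __name__ == "__main__":
    for entry, (result, hits) in smtp_from_internet().items():
        print(f"{entry}: {result[0]}, {hits} hit(s), exit {result[2]}")
```

The practical reading for the test Jay proposes: with an inbound entry on ATM0.1 that names the public address as its first line, any SYN for port 25 that reaches the router increments that counter before NAT or routing can interfere. A counter that stays at zero while a client is connecting means the packet never arrived, which points at the provider side rather than at the 827's translation.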

Not applicable

hi

I also tried this ACL in and out on the ATM0.1 interface, but it doesn't work.

I think it is impossible to resolve this problem; this router is too small to do that!

Thank you for everything.

hi

Could you please test what I posted before? I still think that if you go step by step you can implement what you have planned.

Just go back to my last posting and try to do the tests.

Regards

Roger
