2901 router config for Exchange server

jschaber1
Level 1

Hello All,

I am trying to configure a 2901 router to allow traffic from an external IP (x.x.x.244) to an internal IP (192.168.100.220) for an email domain I have set up. I have the MX record set and an A record mail.workforcedevelopmentinc.org set. On the Exchange server I can run port query and all the ports say they are listening. When I try to run port query against the IP or the name I get the message that the ports are not listening. Attached is the current config of the router. Someone other than myself originally configured the router. I am trying to get up to speed. Any help would be greatly appreciated.

Thanks

 

Here is the config:

Using 7981 out of 262136 bytes
!
! Last configuration change at 08:26:48 CDT Tue Jul 29 2014 by Admin
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname XXXX
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
clock timezone CST -6 0
clock summer-time CDT recurring
!
ip cef
!
!
!
ip dhcp excluded-address 192.168.100.254
ip dhcp excluded-address 192.168.100.1 192.168.100.20
!
ip dhcp pool ccp-pool
 import all
 network 192.168.100.0 255.255.255.0
 dns-server x.x.x.x
 default-router 192.168.100.254
 lease 0 2
!
!
!
ip domain name yourdomain.com
ip inspect name firewall h323
ip inspect name firewall sqlnet
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall ftp
ip inspect name firewall realaudio
ip inspect name firewall streamworks
ip inspect name firewall vdolive
ip inspect name firewall tftp
ip inspect name firewall rcmd
ip inspect name firewall http
ip inspect name firewall icmp
no ipv6 cef
!
multilink bundle-name authenticated
!

!
!
interface Tunnel101
 description xxxx
 ip address 192.168.98.25 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip tcp adjust-mss 1300
 ip ospf cost 30
 tunnel source GigabitEthernet0/1
 tunnel destination x.x.x.x
 tunnel key xxxxx
 tunnel protection ipsec profile Routers
!
interface Tunnel102
 description yyyy
 ip address 192.168.98.5 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip tcp adjust-mss 1300
 ip ospf cost 30
 tunnel source GigabitEthernet0/1
 tunnel destination y.y.y.y
 tunnel key yyyyyy
 tunnel protection ipsec profile Routers
!
interface Tunnel103
 description zzzz
 ip address 192.168.98.33 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip tcp adjust-mss 1300
 ip ospf cost 30
 tunnel source GigabitEthernet0/1
 tunnel destination z.z.z.z
 tunnel key zzzzzz
 tunnel protection ipsec profile Routers
!
interface Tunnel104
 description dddd
 ip address 192.168.98.37 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip tcp adjust-mss 1300
 ip ospf cost 30
 tunnel source GigabitEthernet0/1
 tunnel destination d.d.d.d
 tunnel key dddd
 tunnel protection ipsec profile Routers
!
interface Tunnel106
 description cccc
 ip address 192.168.98.29 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip tcp adjust-mss 1300
 ip ospf cost 30
 tunnel source GigabitEthernet0/1
 tunnel destination c.c.c.c
 tunnel key cccccc
 tunnel protection ipsec profile Routers
!
interface Tunnel107
 description llll
 ip address 192.168.98.13 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip tcp adjust-mss 1300
 ip ospf cost 30
 tunnel source GigabitEthernet0/1
 tunnel destination l.l.l.l
 tunnel key llllll
 tunnel protection ipsec profile Routers
!

!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description Inside
 ip address 192.168.100.254 255.255.255.0
 ip nat inside
 ip nat enable
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description Outside
 ip address m.m.m.m 255.255.255.248
 ip access-group Inbound in
 ip nat outside
 ip inspect firewall out
 ip virtual-reassembly in
 duplex auto
 speed auto
!
router ospf 1
 router-id 192.168.100.254
 redistribute static
 network 192.168.98.0 0.0.0.255 area 0
 network 192.168.100.0 0.0.0.255 area 0
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list NO_NAT interface GigabitEthernet0/1 overload
ip nat inside source static 192.168.100.200 m.m.m.m
ip route 0.0.0.0 0.0.0.0 64.83.224.241
!

!
!
control-plane
!
!
!
line con 0
 login local
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp server 192.5.41.40 prefer
ntp server 192.5.41.41
!
end

 

** Removed public IP addresses and other confidential information to protect the customer's network information

Accepted Solution

Hello.

In "inbound" ACL you need to replace "192.168.100.200" with m.m.m.m (public IP-address you've NAT-ed into).

PS: if it doesn't help, please provide whole config (as attachment) + sh ip nat stat


6 Replies

jschaber1
Level 1

Thanks. I forgot to do that.

Hello.

Please provide your ACL "inbound" and "NO_NAT".

Probably you don't need "ip nat enable" on inside interface (only "ip nat inside").

Your static port NAT should be configured like:

ip nat inside source static tcp 192.168.100.200 25 m.m.m.m 25 - for SMTP traffic

ip nat inside source static tcp 192.168.100.200 443 m.m.m.m 443 - for SSL (WebAccess and Anywhere).

no ip http secure-server

no ip http server

Here is the ACL info. I added all the permits for the 192.168.100.200 address.

ip access-list extended Inbound
 permit esp any host 64.X.X.X
 permit udp any host 64.X.X.X eq isakmp
 permit udp any host 64.X.X.X eq non500-isakmp
 permit tcp any host 64.X.X.X eq 22
 permit icmp any host 64.X.X.X echo
 permit gre any host 64.X.X.X
 permit tcp any host 192.168.100.200 eq smtp
 permit tcp any host 192.169.100.200 eq pop3
 permit tcp any host 192.168.100.200 eq 143
 permit tcp any host 192.168.100.200 eq 465
 permit tcp any host 192.168.100.200 eq 585
 permit tcp any host 192.168.100.200 eq 587
 permit tcp any host 192.168.100.200 eq 993
 permit tcp any host 192.168.100.200 eq 995
ip access-list extended NO_NAT
 remark *** Deny VPN traffic from NAT ***
 deny   ip 192.168.100.0 0.0.0.255 192.168.101.0 0.0.0.255
 deny   ip 192.168.100.0 0.0.0.255 192.168.102.0 0.0.0.255
 deny   ip 192.168.100.0 0.0.0.255 192.168.103.0 0.0.0.255
 deny   ip 192.168.100.0 0.0.0.255 192.168.104.0 0.0.0.255
 deny   ip 192.168.100.0 0.0.0.255 192.168.105.0 0.0.0.255
 deny   ip 192.168.100.0 0.0.0.255 192.168.106.0 0.0.0.255
 deny   ip 192.168.100.0 0.0.0.255 192.168.107.0 0.0.0.255
 deny   ip 192.168.100.0 0.0.0.255 192.168.108.0 0.0.0.255
 deny   ip 192.168.100.0 0.0.0.255 192.168.109.0 0.0.0.255
 deny   ip 192.168.100.0 0.0.0.255 192.168.110.0 0.0.0.255
 deny   ip 192.168.100.0 0.0.0.255 192.168.111.0 0.0.0.255
 deny   ip 192.168.100.0 0.0.0.255 192.168.112.0 0.0.0.255
 permit ip 192.168.100.0 0.0.0.255 any
!
access-list 23 permit 192.168.0.0 0.0.255.255
access-list 23 permit 208.29.62.160 0.0.0.31
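The accepted answer's point is that an inbound ACL on the `ip nat outside` interface is evaluated before the outside-to-inside NAT translation, so it has to permit the global (post-NAT) address, not the private inside address that the static mapping points at. The following Python script is an added example, not code from the thread or from Cisco: it parses a small IOS-style config of the same shape as the one posted (with the documentation address 203.0.113.10 standing in for the redacted m.m.m.m) and flags three things a reviewer of this config would look for: permit entries on the outside interface's inbound ACL that name a private address, permit entries whose destination is neither the interface address nor any static-NAT global address (the 192.169.x.x typo in the posted ACL falls into this class), and an all-ports one-to-one static NAT onto the outside interface's own address, which the reply recommends replacing with per-port `static tcp` mappings. The sample config, the finding codes and the function names are all assumptions of this example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample in the shape of the thread's config; 203.0.113.10 is a
# documentation-range placeholder standing in for the redacted m.m.m.m.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 description Inside
 ip address 192.168.100.254 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description Outside
 ip address 203.0.113.10 255.255.255.248
 ip access-group Inbound in
 ip nat outside
!
ip nat inside source static 192.168.100.200 203.0.113.10
!
ip access-list extended Inbound
 permit tcp any host 203.0.113.10 eq 22
 permit tcp any host 192.168.100.200 eq smtp
 permit tcp any host 192.169.100.200 eq pop3
"""

PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# ip nat inside source static [tcp|udp] INSIDE [PORT] GLOBAL [PORT]
STATIC_RE = re.compile(
    r"^ip nat inside source static(?: (tcp|udp))? (\S+)(?: (\d+))? (\S+)(?: (\d+))?$")


def is_private(addr):
    """True for RFC 1918 addresses; non-addresses (IOS host names) are treated as not private."""
    try:
        return any(ip_address(addr) in net for net in PRIVATE)
    except ValueError:
        return False


def parse_interfaces(config):
    """Map interface name -> address, NAT role and inbound access-group from 'interface' stanzas."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = {"ip": None, "nat": None, "acl_in": None}
        elif cur and line.startswith(" "):
            p = line.split()
            if p[:2] == ["ip", "address"] and len(p) >= 3:
                ifaces[cur]["ip"] = p[2].rstrip(".")  # tolerate a stray trailing dot
            elif p[:2] == ["ip", "nat"] and len(p) >= 3 and p[2] in ("inside", "outside"):
                ifaces[cur]["nat"] = p[2]
            elif p[:2] == ["ip", "access-group"] and p[-1] == "in":
                ifaces[cur]["acl_in"] = p[2]
        else:
            cur = None  # '!' or any other top-level line ends the stanza
    return ifaces


def parse_static_nat(config):
    """Return static NAT entries; proto None means an all-ports one-to-one mapping."""
    out = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            proto, inside, iport, glob, gport = m.groups()
            out.append({"proto": proto, "inside": inside, "inside_port": iport,
                        "global": glob, "global_port": gport})
    return out


def _addr(tok, i):
    """Consume one ACL address spec (any | host A | NET WILDCARD); return (host_or_None, next_index)."""
    if tok[i] == "any":
        return None, i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    return None, i + 2  # network + wildcard: not a single host, ignored here


def parse_acl(config, name):
    """Return permit/deny entries of the named extended ACL with their destination host (if any)."""
    entries, inside = [], False
    for line in config.splitlines():
        if line.startswith("ip access-list extended "):
            inside = line.split()[-1] == name
            continue
        if not line.startswith(" "):
            inside = False
            continue
        p = line.split()
        if not inside or p[0] not in ("permit", "deny"):
            continue  # remarks and other ACLs
        try:
            _, i = _addr(p, 2)          # source
            if p[i] == "eq":            # optional source port
                i += 2
            dst, i = _addr(p, i)        # destination
        except IndexError:
            continue                    # truncated or unrecognised entry
        entries.append({"action": p[0], "proto": p[1], "dst": dst, "raw": line.strip()})
    return entries


def audit(config):
    """Return (code, detail) findings for the inbound ACL on each NAT outside interface."""
    findings = []
    ifaces = parse_interfaces(config)
    statics = parse_static_nat(config)
    owned = {s["global"] for s in statics} | {d["ip"] for d in ifaces.values() if d["ip"]}
    for name, d in ifaces.items():
        if d["nat"] != "outside":
            continue
        if not d["acl_in"]:
            findings.append(("NO_INBOUND_ACL", name))
            continue
        for e in parse_acl(config, d["acl_in"]):
            if e["action"] != "permit" or e["dst"] is None:
                continue
            if is_private(e["dst"]):
                # The inbound ACL runs before outside->inside NAT, so it sees the global address;
                # a permit to the inside address never matches real Internet traffic.
                findings.append(("PRIVATE_DST", e["raw"]))
            elif e["dst"] not in owned:
                findings.append(("UNKNOWN_DST", e["raw"]))  # neither interface nor static global: typo?
        for s in statics:
            if s["proto"] is None and s["global"] == d["ip"]:
                # All-ports static NAT onto the interface's own address; prefer per-port 'static tcp'.
                findings.append(("STATIC_TO_INTERFACE", s["inside"]))
    return findings


def fix_acl(config, acl_name):
    """Rewrite permit lines whose destination is a static-NAT inside address to use the global address."""
    to_global = {s["inside"]: s["global"] for s in parse_static_nat(config)}
    fixed = []
    for e in parse_acl(config, acl_name):
        line = e["raw"]
        if e["dst"] in to_global:
            line = line.replace(f"host {e['dst']}", f"host {to_global[e['dst']]}")
        fixed.append(line)
    return fixed


if __name__ == "__main__":
    for code, detail in audit(SAMPLE_CONFIG):
        print(f"{code:20} {detail}")
    print("\n".join(" " + l for l in fix_acl(SAMPLE_CONFIG, "Inbound")))
```

`fix_acl` only rewrites destinations that exactly match a static mapping's inside address, so the mistyped 192.169.100.200 entry is left alone and stays reported as UNKNOWN_DST rather than being silently "corrected"; that is deliberate, since a reviewer should confirm what the entry was meant to be.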


WFDI-2901#sh ip nat stat
Total active translations: 534 (1 static, 533 dynamic; 533 extended)
Peak translations: 1939, occurred 17:21:08 ago
Outside interfaces:
  GigabitEthernet0/1
Inside interfaces:
  GigabitEthernet0/0
Hits: 7178282  Misses: 0
CEF Translated packets: 7093791, CEF Punted packets: 68327
Expired translations: 117692
Dynamic mappings:
-- Inside Source
[Id: 1] access-list NO_NAT interface GigabitEthernet0/1 refcount 533

Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0


I also made the changes adding the ACL for the external IP. I will test the email later this morning.

Thanks

Thank you. That worked. Email is now coming and going properly.
