Cisco 1700, NAT, and SMTP

Hopefully this is an easy one as I'm not 100% confident of my cisco NAT skills. Unfortunately I didn't originally configure this router.

I just recently discovered that some external mail servers were blocking my mail due to an incorrect PTR record for my mail domain. I've fixed that issue with my ISP, but now I'm still having a similar issue.

I have a block of 6 IP addresses. Each IP address is dedicated to a particular domain and service. One of these IP addresses is for my SMTP services (let's say 207.1.1.4). I have NAT configured to translate this IP address to my mail server on the internal LAN (10.10.0.6).

The problem is that my email is being sent from my server with the IP address from my physical external router address and not my SMTP server's external IP address which has the corresponding PTR record. This is causing other mail servers (a few) to reject my mail due to a failed reverse lookup. How do I configure my router to ensure that my email headers utilize the correct IP address and not the physical router's external IP Address?

Thanks,

Justin

8 Replies

Edison Ortiz
Hall of Fame

Justin,

You need to configure a static NAT for the mail server. It would help if you can post the router's config.

Thanks

Attached is a snippet of my config.

Thanks again,

Justin

!
ip cef
ip inspect name mysite smtp
ip inspect name mysite tcp
ip inspect name mysite udp
ip audit po max-events 100
interface FastEthernet0
 ip address 10.10.0.1 255.255.255.0
 ip nat inside
 ip route-cache flow
 no ip route-cache cef
 ip tcp adjust-mss 1400
 ip policy route-map Static
 speed auto
 ip rtp reserve 16384 16383 384
!
interface Serial0
 ip address 216.85.129.98 255.255.255.252
 ip access-group 111 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect mysite in
 ip inspect mysite out
 encapsulation ppp
 ip route-cache flow
 no ip route-cache cef
 ip rtp reserve 16384 16383 384
!
ip nat inside source list 110 interface Serial0 overload
ip nat inside source static 10.10.0.2 207.201.193.2 route-map SDM_RMAP_5
ip nat inside source static 10.10.0.6 207.201.193.4 route-map SDM_RMAP_8
ip route 0.0.0.0 0.0.0.0 216.85.129.97
ip route 10.10.3.0 255.255.255.0 10.10.1.2
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
!
access-list 106 remark SDM_ACL Category=2
access-list 106 permit ip host 10.10.0.6 any
access-list 110 deny ip 10.10.0.0 0.0.255.255 10.10.50.0 0.0.0.255
access-list 110 permit ip 10.10.3.0 0.0.0.255 any
access-list 110 permit ip 10.10.1.0 0.0.0.255 any
access-list 110 permit ip 10.10.0.0 0.0.0.255 any
access-list 110 deny ip host 10.10.0.6 any
access-list 110 deny ip host 10.10.0.2 any
access-list 111 permit ip 10.10.50.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 111 remark < allow DNS >
access-list 111 permit udp any any eq domain
access-list 111 permit tcp host 201.194.184.2 host 216.85.129.98 eq telnet
access-list 111 permit tcp any host 216.85.129.98 eq 1723
access-list 111 permit gre any host 216.85.129.98
access-list 111 permit udp any host 216.85.129.98 eq isakmp
access-list 111 permit udp any host 216.85.129.98 eq non500-isakmp
access-list 111 permit esp any host 216.85.129.98
access-list 111 deny ip 172.16.0.0 0.15.255.255 any
access-list 111 remark
access-list 111 remark < Permit traffic to the servers>
access-list 111 permit tcp any host 207.201.193.4 eq www
access-list 111 permit tcp any host 207.201.193.4 eq smtp
access-list 111 permit tcp any host 207.201.193.4 eq 443
access-list 111 permit tcp any host 207.201.193.2 eq 3389
access-list 111 permit tcp any host 207.201.193.4 eq 3389
access-list 111 permit tcp any host 207.201.193.4 eq ftp
access-list 111 permit tcp any host
access-list 111 remark
access-list 111 remark < Permit all other traffic to go through>
access-list 111 permit tcp any any established
access-list 111 permit udp any any
access-list 111 deny ip any any
access-list 112 remark < Access list for telnet>
access-list 112 permit ip 10.10.0.0 0.0.255.255 any
access-list 130 permit ip 10.10.0.0 0.0.255.255 10.10.50.0 0.0.0.255
!
route-map Static permit 1
 match ip address 130
 set ip next-hop 1.1.1.2
!
route-map SDM_RMAP_5 permit 1
 match ip address 103
route-map SDM_RMAP_8 permit 1
 match ip address 106
!

Can you confirm with the ISP that 207.201.193.4 is fully routable back to your router ?

Can you also check in your router if the static NAT translation is taking place by typing

show ip nat translation

You can also force 10.10.0.6 internal address not to participate in the global PAT by adding this command in the ACL

access-list 110 deny ip host 10.10.0.6 any

Make sure this command is executed after

access-list 110 deny ip 10.10.0.0 0.0.255.255 10.10.50.0 0.0.0.255

so you need to copy ACL 110 into notepad and insert the suggested command above. Then delete the ACL 110 and copy and paste from notepad.

I'm still getting the issue with the smtp headers showing my physical router address.

Example-

Received: from mail.imarx.com ([216.85.129.98]) by bay0-mc2-f19.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2444);
 Sun, 26 Nov 2006 15:40:08 -0800

My static NAT translation via the show ip nat translation command appears good (both Inside global and inside local are configured).

Pro Inside global Inside local Outside local Outside global
--- 207.x.x.2 10.10.0.2 --- ---
--- 207.x.x.4 10.10.0.6 --- ---
--- 207.x.x.7 10.10.0.78 --- ---
--- 207.x.x.21 10.10.0.21 --- ---
--- 207.x.x.22 10.10.0.22 --- ---
--- 207.x.x.23 10.10.0.23 --- ---
--- 207.x.x.24 10.10.0.24 --- ---

Still pulling my hair out! Thanks again.

-justin

Justin,

From the SMTP server, go to this URL

http://www.whatismyipaddress.com/

and check if the IP displayed is actually 207.201.193.4

If it is, NAT is working and I'm not sure why your SMTP packets are being signed with the router's external interface. I'm not an SMTP expert by any means and it could be a configuration setting at the server itself.

On outbound connections (i.e. www.whatismyipaddress.com) I still get my physical router address, although inbound connections seem to NAT fine. Any ideas?

Thanks,

Justin

SOLVED!

While I had "access-list 110 deny ip host 10.10.0.6 any" in my config originally, the route-map was adding that IP Address back into the global PAT. I simply eliminated the route-map SDM_RMAP_8 command from that NAT static assignment. I'm not sure why those routes had been added.

Thanks again for your help!

-justin

Justin,

Thanks for the rating.

You had the ACL 110 deny for that host but it was performed after allowing the entire subnet into PAT. Like I suggested in my second reply, you had to have ACL 110 deny on 10.10.0.6 before any permit statement.
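The first-match ACL behaviour Edison points to in his second and final replies, as an added example that is not part of this thread: a small Python model of ACL 110 exactly as posted, next to the same entries with the host denies moved ahead of every permit, evaluated for the mail server's source address. The destination 203.0.113.10 is a constructed placeholder standing in for any external mail server.

```python
import ipaddress

# IOS evaluates an ACL top-down; the first matching entry decides, and an
# implicit "deny" sits at the end. Entry layout (constructed model):
# (action, src network, src wildcard, dst network, dst wildcard).
ANY = ("0.0.0.0", "255.255.255.255")  # how "any" expands as a wildcard pair


def wildcard_match(addr, net, wildcard):
    # In a wildcard mask a 1 bit means "don't care", so we compare only the
    # bits where the wildcard is 0.
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return ((a ^ n) & (~w & 0xFFFFFFFF)) == 0


def first_match(acl, src, dst):
    """Return (action, entry index) of the first matching line, or the implicit deny."""
    for idx, (action, s_net, s_wc, d_net, d_wc) in enumerate(acl):
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action, idx
    return "deny", None


def pat_eligible(acl, src, dst="203.0.113.10"):
    """True if 'ip nat inside source list 110 interface Serial0 overload' would PAT this flow."""
    return first_match(acl, src, dst)[0] == "permit"


# ACL 110 in the order it appears in the posted config: the host deny for
# 10.10.0.6 comes after the permit for the whole 10.10.0.0/24, so it never fires.
ACL_110_AS_POSTED = [
    ("deny",   "10.10.0.0", "0.0.255.255", "10.10.50.0", "0.0.0.255"),
    ("permit", "10.10.3.0", "0.0.0.255", *ANY),
    ("permit", "10.10.1.0", "0.0.0.255", *ANY),
    ("permit", "10.10.0.0", "0.0.0.255", *ANY),
    ("deny",   "10.10.0.6", "0.0.0.0", *ANY),
    ("deny",   "10.10.0.2", "0.0.0.2", *ANY),
]

# The ordering Edison asked for: host denies before any permit statement.
ACL_110_FIXED = [ACL_110_AS_POSTED[0], ACL_110_AS_POSTED[4], ACL_110_AS_POSTED[5]] + ACL_110_AS_POSTED[1:4]

if __name__ == "__main__":
    for name, acl in (("as posted", ACL_110_AS_POSTED), ("fixed", ACL_110_FIXED)):
        action, idx = first_match(acl, "10.10.0.6", "203.0.113.10")
        print(f"ACL 110 {name}: 10.10.0.6 -> {action} (entry {idx}), PAT={pat_eligible(acl, '10.10.0.6')}")
```

Note that the 10.10.0.2 entry's wildcard is deliberately modelled as 0.0.0.0 in spirit; run the block to see which entry number wins in each ordering.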
