11-26-2006 12:23 PM - edited 03-03-2019 02:49 PM
Hopefully this is an easy one as I'm not 100% confident of my cisco NAT skills. Unfortunately I didn't originally configure this router.
I just recently discovered that some external mail servers were blocking my mail due to an incorrect PTR record for my mail domain. I've fixed that issue with my ISP, but now I'm still having a similar issue.
I have a block of 6 IP addresses. Each IP address is dedicated to a particular domain and service. One of these IP addresses is for my SMTP services (let's say 207.1.1.4). I have NAT configured to translate this IP address to my mail server on the internal LAN (10.10.0.6).
The problem is that my email is being sent from my server with the IP address from my physical external router address and not my SMTP server's external IP address which has the corresponding PTR record. This is causing other mail servers (a few) to reject my mail due to a failed reverse lookup. How do I configure my router to ensure that my email headers utilize the correct IP address and not the physical router's external IP Address?
Thanks,
Justin
11-26-2006 12:31 PM
Justin,
You need to configure a static NAT for the mail server. It would help if you can post the router's config.
Thanks
11-26-2006 12:58 PM
Attached is a snippet of my config.
Thanks again,
Justin
!
ip cef
ip inspect name mysite smtp
ip inspect name mysite tcp
ip inspect name mysite udp
ip audit po max-events 100
interface FastEthernet0
 ip address 10.10.0.1 255.255.255.0
 ip nat inside
 ip route-cache flow
 no ip route-cache cef
 ip tcp adjust-mss 1400
 ip policy route-map Static
 speed auto
 ip rtp reserve 16384 16383 384
!
interface Serial0
 ip address 216.85.129.98 255.255.255.252
 ip access-group 111 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect mysite in
 ip inspect mysite out
 encapsulation ppp
 ip route-cache flow
 no ip route-cache cef
 ip rtp reserve 16384 16383 384
!
ip nat inside source list 110 interface Serial0 overload
ip nat inside source static 10.10.0.2 207.201.193.2 route-map SDM_RMAP_5
ip nat inside source static 10.10.0.6 207.201.193.4 route-map SDM_RMAP_8
ip route 0.0.0.0 0.0.0.0 216.85.129.97
ip route 10.10.3.0 255.255.255.0 10.10.1.2
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
!
access-list 106 remark SDM_ACL Category=2
access-list 106 permit ip host 10.10.0.6 any
access-list 110 deny ip 10.10.0.0 0.0.255.255 10.10.50.0 0.0.0.255
access-list 110 permit ip 10.10.3.0 0.0.0.255 any
access-list 110 permit ip 10.10.1.0 0.0.0.255 any
access-list 110 permit ip 10.10.0.0 0.0.0.255 any
access-list 110 deny ip host 10.10.0.6 any
access-list 110 deny ip host 10.10.0.2 any
access-list 111 permit ip 10.10.50.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 111 remark < allow DNS >
access-list 111 permit udp any any eq domain
access-list 111 permit tcp host 201.194.184.2 host 216.85.129.98 eq telnet
access-list 111 permit tcp any host 216.85.129.98 eq 1723
access-list 111 permit gre any host 216.85.129.98
access-list 111 permit udp any host 216.85.129.98 eq isakmp
access-list 111 permit udp any host 216.85.129.98 eq non500-isakmp
access-list 111 permit esp any host 216.85.129.98
access-list 111 deny ip 172.16.0.0 0.15.255.255 any
access-list 111 remark
access-list 111 remark < Permit traffic to the servers>
access-list 111 permit tcp any host 207.201.193.4 eq www
access-list 111 permit tcp any host 207.201.193.4 eq smtp
access-list 111 permit tcp any host 207.201.193.4 eq 443
access-list 111 permit tcp any host 207.201.193.2 eq 3389
access-list 111 permit tcp any host 207.201.193.4 eq 3389
access-list 111 permit tcp any host 207.201.193.4 eq ftp
access-list 111 permit tcp any host
access-list 111 remark
access-list 111 remark < Permit all other traffic to go through>
access-list 111 permit tcp any any established
access-list 111 permit udp any any
access-list 111 deny ip any any
access-list 112 remark < Access list for telnet>
access-list 112 permit ip 10.10.0.0 0.0.255.255 any
access-list 130 permit ip 10.10.0.0 0.0.255.255 10.10.50.0 0.0.0.255
!
route-map Static permit 1
 match ip address 130
 set ip next-hop 1.1.1.2
!
route-map SDM_RMAP_5 permit 1
 match ip address 103
route-map SDM_RMAP_8 permit 1
 match ip address 106
!
11-26-2006 03:09 PM
Can you confirm with the ISP that 207.201.193.4 is fully routable back to your router ?
Can you also check in your router if the static NAT translation is taking place by typing
show ip nat translation
You can also force 10.10.0.6 internal address not to participate in the global PAT by adding this command in the ACL
access-list 110 deny ip host 10.10.0.6 any
Make sure this command is executed after
access-list 110 deny ip 10.10.0.0 0.0.255.255 10.10.50.0 0.0.0.255
so you need to copy ACL 110 into notepad and insert the suggested command above. Then delete the ACL 110 and copy and paste from notepad.
11-26-2006 03:48 PM
I'm still getting the issue with the smtp headers showing my physical router address.
Example-
Received: from mail.imarx.com ([216.85.129.98]) by bay0-mc2-f19.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2444);
Sun, 26 Nov 2006 15:40:08 -0800
My static NAT translation via the show ip nat translation command appears good (both Inside global and inside local are configured).
--- 207.x.x.2 10.10.0.2 --- ---
--- 207.x.x.4 10.10.0.6 --- ---
--- 207.x.x.7 10.10.0.78 --- ---
--- 207.x.x.21 10.10.0.21 --- ---
--- 207.x.x.22 10.10.0.22 --- ---
--- 207.x.x.23 10.10.0.23 --- ---
--- 207.x.x.24 10.10.0.24 --- ---
Still pulling my hair out! Thanks again.
-justin
11-26-2006 07:22 PM
Justin,
From the SMTP server, go to this URL
http://www.whatismyipaddress.com/
and check if the IP displayed is actually 207.201.193.4
If it is, NAT is working and I'm not sure why your SMTP packets are being signed with the router's external interface. I'm not a SMTP expert by any means and it could be a configuration setting at the server itself.
11-27-2006 01:29 PM
On outbound connections (i.e. www.whatismyipaddress.com) I still get my physical router address, although inbound connections seem to NAT fine. Any ideas?
Thanks,
Justin
11-27-2006 02:01 PM
SOLVED!
While I had "access-list 110 deny ip host 10.10.0.6 any" in my config originally, the route-map was adding that IP Address back into the global PAT. I simply eliminated the route-map SDM_RMAP_8 command from that NAT static assignment. I'm not sure why those routes had been added.
Thanks again for your help!
-justin
11-27-2006 03:29 PM
Justin,
Thanks for the rating.
You had the ACL 110 deny for that host but it was performed after allowing the entire subnet into PAT. Like I suggested in my second reply, you had to have ACL 110 deny on 10.10.0.6 before any permit statement.
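As an added illustration (not code from the thread), here is a small Python model of Cisco first-match ACL evaluation applied to ACL 110 from the posted config. It shows why the "deny ip host 10.10.0.6 any" line is dead when it sits after "permit ip 10.10.0.0 0.0.0.255 any", and why moving the host denies ahead of the permits keeps the mail server out of the overload PAT. The destination 203.0.113.10 is a constructed test address.

```python
import ipaddress

# Added example: minimal model of Cisco extended-ACL first-match evaluation.
def _matches(addr, net, wildcard):
    """Cisco wildcard match: bits set in the wildcard are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def _take(tokens):
    """Consume one address spec (any | host X | net wildcard)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_ace(line):
    """'access-list N permit|deny ip <src> <dst>' -> (action, src, dst)."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[3] != "ip":
        raise ValueError("only 'ip' entries are modelled: " + line)
    src, rest = _take(tokens[4:])
    dst, _ = _take(rest)
    return tokens[2], src, dst

def acl_action(acl, src, dst):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for line in acl:
        action, (snet, swc), (dnet, dwc) = parse_ace(line)
        if _matches(src, snet, swc) and _matches(dst, dnet, dwc):
            return action
    return "deny"

# ACL 110 as posted: the host denies come after 'permit ip 10.10.0.0 0.0.0.255 any'.
ACL_110_AS_POSTED = [
    "access-list 110 deny ip 10.10.0.0 0.0.255.255 10.10.50.0 0.0.0.255",
    "access-list 110 permit ip 10.10.3.0 0.0.0.255 any",
    "access-list 110 permit ip 10.10.1.0 0.0.0.255 any",
    "access-list 110 permit ip 10.10.0.0 0.0.0.255 any",
    "access-list 110 deny ip host 10.10.0.6 any",
    "access-list 110 deny ip host 10.10.0.2 any",
]
# Same entries with the host denies moved ahead of every permit (the fix suggested in the thread).
ACL_110_REORDERED = ACL_110_AS_POSTED[:1] + ACL_110_AS_POSTED[4:] + ACL_110_AS_POSTED[1:4]
def enters_pat(acl, src, dst="203.0.113.10"):
    """True if the flow hits a permit in the PAT ACL (203.0.113.10 is a constructed destination)."""
    return acl_action(acl, src, dst) == "permit"
```

With the posted order, 10.10.0.6 matches the /24 permit first and is PATed out of Serial0; with the host deny moved up, only the static translation to 207.201.193.4 applies.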