I have an Exchange server with static PAT on VLAN1. The server is accessible from the internet, but not from the local VLAN1 because DNS points to the WAN IP. I solved that by putting an entry in the local DNS server for the internal IP of the Exchange server. It works great for PCs and laptops, but the problem is that this does not work for iPhones, iPads and some Nokia smartphones. Those devices keep their DNS entries for a long time, so a lot of people complain that they cannot get their email.
I already looked into the NAT on a stick solution but cannot get that working.
VLAN2 IP: 10.96.45.254/24
Exchange server: 192.168.115.11
I already tried to create a loopback interface, but I cannot get it to NAT the traffic to the Exchange server. Can somebody please help me get this fixed?
Current nat config:
interface FastEthernet0
 description VLAN1SWITCH
 no ip address
!
interface FastEthernet1
 description VLAN2
 switchport access vlan 2
 no ip address
 spanning-tree portfast
!
interface GigabitEthernet0
 description $ES_WAN$$FW_OUTSIDE$
 ip nat outside
 ip virtual-reassembly in
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 192.168.115.253 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan2
 ip address 10.96.45.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip nat pool LAN_TO_DMZ 10.96.45.96 10.96.45.223 netmask 255.255.255.0
ip nat inside source static tcp 192.168.115.11 80 interface GigabitEthernet0 80
ip nat inside source static tcp 192.168.115.11 443 interface GigabitEthernet0 443
ip nat inside source list 105 interface GigabitEthernet0 overload
ip nat inside source route-map SDM_RMAP_2 pool LAN_TO_DMZ overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0 dhcp
!
access-list 104 remark NAT pool DMZ
access-list 104 deny ip 10.96.45.0 0.0.0.255 10.16.0.0 0.0.255.255
access-list 104 permit ip 192.168.115.0 0.0.0.255 any
access-list 105 remark NAT pool INTERNET
access-list 105 deny ip 192.168.115.0 0.0.0.255 10.16.0.0 0.0.255.255
access-list 105 permit ip 192.168.115.0 0.0.0.255 any
!
route-map SDM_RMAP_2 permit 1
 match ip address 104
!
I see the logic of what you're trying to accomplish, but it won't work with NAT. You have ip nat outside on gi0, and ip nat inside on both fa0 and fa1. One is your LAN devices, the other one is your Exchange server. You want to translate your LAN devices on fa1 to a 67 address in hopes that the traffic will reach your Exchange server with a source of 67, which is outside.
1. The nat inside on fa1 will translate every device on that VLAN, mobile devices or not, to the 67 address. So devices that were working will no longer work.
2. You're expecting the router to receive a 67 packet from fa1 as a source and resend it right back into the Exchange server that has a 192 address. So if you look at that triangle, it's not going to work no matter how you NAT it, because the router will receive the 67 from fa1, then it won't know what to do with it because it cannot NAT in reverse. NAT = one direction per interface. So it will never translate the 67 to 192, and it will drop the packet.
I can think of one way that will work. It's to do a static NAT for the Exchange server to a specific 67 address, not interface gi0. A static that is bidirectional, and I think your scenario will then work.
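What the answer above suggests, written out as an added IOS fragment (this is not config from the original thread or from the answerer). The poster's public address is never shown, so the RFC 5737 documentation address 203.0.113.10 stands in for the "specific 67 address"; it is assumed to be a second public IP that the ISP routes to Gi0 in addition to the DHCP-assigned one, since the whole point is to stop using `interface GigabitEthernet0`. The two existing per-port statics are removed first, because a one-to-one static for the same inside host would overlap them.

```cisco
! Added example: one-to-one static NAT for the Exchange server,
! replacing the two interface-based port forwards from the thread.
! 203.0.113.10 is an assumed second public address, not the poster's real one.
no ip nat inside source static tcp 192.168.115.11 80 interface GigabitEthernet0 80
no ip nat inside source static tcp 192.168.115.11 443 interface GigabitEthernet0 443
!
ip nat inside source static 192.168.115.11 203.0.113.10
!
! Verification, run after a VLAN2 client has opened a connection
! to the public name: the static entry should be listed, and any
! dynamic child entries for it will show the client as the outside host.
! show ip nat translations | include 192.168.115.11
! show ip nat statistics
```

Two caveats a practitioner will want. First, a one-to-one static maps every TCP and UDP port of 192.168.115.11 to 203.0.113.10, not just 80 and 443 as before; since Gi0 is tagged `$FW_OUTSIDE$`, whatever firewall policy is already applied there needs to admit only the intended ports to the new global address. Second, the answer's claim that this static will let VLAN2 clients reach the server via the public address is the answerer's expectation ("I think your scenario will then work"), so test it from a VLAN2 host with the local DNS override removed before rolling it out to the mobile users; if `show ip nat translations` never shows an entry for the VLAN2 client, the hairpin is not being translated and the split-DNS approach from the question remains the working path.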