Need help from experts

caleb_xin · ‎12-08-2005

Hi, I have a problem of my WAN IP address, please help me.

bellow is my IP:

WAN Connections

Router Serial Port IP (ISP Site) : 203.92.70.121

Router Serial Port IP (Installation site) : 203.92.70.122

Netmask Number : 255.255.255.252

LAN Connections

Network IP address : 203.92.72.32 - 203.92.72.39

Netmask Number : 255.255.255.248

I've configured that my Email server to use IP 203.92.72.33 and can receive emails successfully.

But when sending out emails, other email servers read my IP as 203.92.70.122, so if the server checks the reverse DNS record against my IP, my mail will be rejected. How can I configure the router to let other people see my IP as 203.92.72.33 ~ 203.92.72.38 instead of my Router Serial Port IP?

sundar.palaniappan · ‎12-08-2005

Looks like you are doing PAT on the router.

Just create a static NAT for your Email server as noted below. In your config, use your server's private (inside local) address in place of 10.1.1.1

ip nat inside source static (10.1.1.1) 203.92.72.33

This will make all traffic from your server to the outside world to be sourced from 203.92.72.33.

HTH,

Sundar

caleb_xin · ‎12-08-2005

Thanks sundar.

I created few static NAT like this previously:

ip nat inside source static tcp 192.168.1.200 110 203.92.72.33 110 extendable

ip nat inside source static tcp 192.168.1.200 23 203.92.72.33 23 extendable

...

I wanted to allow only certain ports to be opened.

So as you said, does it mean that I have to map everything of the server to this IP?

By the way, how to delete these entries in the access-list?

Georg Pauwen · ‎12-08-2005

Hello,

in order to avoid confusion: you have been assigned 203.92.72.32 - 203.92.72.39 for use on your LAN ?

Can you post the full configuration of your router ?

Regards,

GP

caleb_xin · ‎12-08-2005

I have assign 203.92.72.33 to my domain name mail.oco.sg. My mail server's LAN IP is 192.168.1.200 and is mapped to global IP 203.92.72.33.

and when I ping my domain from outside, it shows:

Reply from: 203.92.72.122: TTL has expired in transit

......

Bellow is my running-config.

Current configuration : 2314 bytes

!

version 12.2

no service pad

service timestamps debug uptime

service timestamps log uptime

service password-encryption

!

hostname Genesis

!

enable password 7 0703264D490C1700041B18

!

clock timezone gmt 8

mmi polling-interval 60

no mmi auto-configure

no mmi pvc

mmi snmp-timeout 180

ip subnet-zero

!

ip cef

!

interface Ethernet0

ip address 192.168.1.1 255.255.255.0

ip nat inside

ip route-cache flow

hold-queue 100 out

!

interface ATM0

ip address 203.92.70.122 255.255.255.252

ip nat outside

ip route-cache flow

no atm ilmi-keepalive

pvc 8/35

protocol ip 203.92.70.121 broadcast

encapsulation aal5snap

!

dsl operating-mode auto

!

ip nat inside source list 100 interface ATM0 overload

ip nat inside source static udp 192.168.1.200 53 203.92.72.38 53 extendable

ip nat inside source static tcp 192.168.1.200 53 203.92.72.38 53 extendable

ip nat inside source static tcp 192.168.1.200 2443 203.92.72.33 2443 extendable

ip nat inside source static tcp 192.168.1.200 3443 203.92.72.33 3443 extendable

ip nat inside source static tcp 192.168.1.200 443 203.92.72.33 443 extendable

ip nat inside source static tcp 192.168.1.32 3399 203.92.72.38 3399 extendable

ip nat inside source static tcp 192.168.1.200 3389 203.92.72.38 3389 extendable

ip nat inside source static tcp 192.168.1.200 25 203.92.72.33 25 extendable

ip nat inside source static tcp 192.168.1.200 110 203.92.72.33 110 extendable

ip nat inside source static tcp 192.168.1.200 6000 203.92.72.33 6000 extendable

ip nat inside source static udp 192.168.1.200 6000 203.92.72.33 6000 extendable

ip nat inside source static tcp 192.168.1.200 489 203.92.72.33 489 extendable

ip nat inside source static udp 192.168.1.200 489 203.92.72.33 489 extendable

ip nat inside source static tcp 192.168.1.200 143 203.92.72.33 143 extendable

ip nat inside source static tcp 192.168.1.200 6021 203.92.72.33 6021 extendable

ip nat inside source static udp 192.168.1.200 6021 203.92.72.33 6021 extendable

ip nat inside source static tcp 192.168.1.200 80 203.92.72.33 80 extendable

ip classless

ip route 0.0.0.0 0.0.0.0 203.92.70.121

ip http server

!

access-list 100 permit ip 192.168.1.0 0.0.0.255 any

snmp-server community lga-adsl-827 RO

!

line con 0

stopbits 1

line vty 0 4

password 7 04570C070824424B1A1016

login

!

scheduler max-task-time 5000

end

Georg Pauwen · ‎12-08-2005

Hello,

the configuration looks good, I wonder if it makes a difference if you exclude the IP address of the mail server from the access list used as the source for the PAT:

-->access-list 100 deny host 192.168.1.200 any

access-list 100 permit ip 192.168.1.0 0.0.0.255 any

and then clear all dynamic translations with the command:

clear ip nat translation *

Regards,

GP

caleb_xin · ‎12-08-2005

I'm sorry GP, I'm very new to Cisco Router, can you explain in more detail?

if I do "access-list 100 deny host 192.168.1.200 any" will my mail server be able to connect to internet?

if I clear all the "ip nat inside source static ...", will my mail server still map to the IP 203.92.72.33

if possible, can you give me a step by step config demo?

Thank you so much.

Georg Pauwen · ‎12-09-2005

Hello,

if you exclude the IP address of the mail server from the access list, anything coming from the mail server will never have IP address 203.92.70.122, because it is never dynamically translated. It will always only use the static entries you have configured (through the ports you have specified), so your access to the Internet is not affected.

What I meant by clearing the dynamic NAT entries: just enter the command:

clear ip nat translation *

at the command prompt, this will clear any entries your mail server has with IP address 203.92.70.122. So you actually do not change anything in your configuration except for the access list, as mentioned:

-->access-list 100 deny ip host 192.168.1.200 any

access-list 100 permit ip 192.168.1.0 0.0.0.255 any

Hope that makes sense...

GP

caleb_xin · ‎12-09-2005

Thank you so much GP.

I've entered the commands, but seems no different. I enter "show ip nat translation" after I cleared it, 192.168.1.200 still have mapping to some other ports,

tcp 203.92.70.122:2712 192.168.1.200:2712 194.30.193.13:25 194.30.193.13:25

tcp 203.92.70.122:2716 192.168.1.200:2716 194.30.193.11:25 194.30.193.11:25

tcp 203.92.70.122:2713 192.168.1.200:2713 194.30.193.14:25 194.30.193.14:25

tcp 203.92.70.122:2717 192.168.1.200:2717 194.30.193.12:25 194.30.193.12:25

tcp 203.92.70.122:2714 192.168.1.200:2714 194.30.193.15:25 194.30.193.15:25

tcp 203.92.70.122:2718 192.168.1.200:2718 194.30.193.13:25 194.30.193.13:25

tcp 203.92.70.122:2719 192.168.1.200:2719 194.30.193.14:25 194.30.193.14:25

tcp 203.92.70.122:2724 192.168.1.200:2724 194.30.193.10:25 194.30.193.10:25

tcp 203.92.70.122:2720 192.168.1.200:2720 194.30.193.15:25 194.30.193.15:25

tcp 203.92.70.122:2725 192.168.1.200:2725 194.30.193.11:25 194.30.193.11:25

tcp 203.92.70.122:2722 192.168.1.200:2722 194.30.193.15:25 194.30.193.15:25

tcp 203.92.70.122:2721 192.168.1.200:2721 194.30.193.16:25 194.30.193.16:25

tcp 203.92.70.122:2726 192.168.1.200:2726 194.30.193.12:25 194.30.193.12:25

tcp 203.92.70.122:2723 192.168.1.200:2723 194.30.193.16:25 194.30.193.16:25

tcp 203.92.70.122:2727 192.168.1.200:2727 194.30.193.13:25 194.30.193.13:25

tcp 203.92.70.122:2728 192.168.1.200:2728 194.30.193.14:25 194.30.193.14:25

and I still receive error message from other mail server:

3644 delivery deferral: abc@hol.gr, remote server said (194.30.193.12) : 451 4.1.8 Possibly forged hostname for 203.92.70.122

do I need to restart the router? any command can restart the router?

Georg Pauwen · ‎12-09-2005

Hello,

I am starting to think that maybe your service provider is not routing your address space correctly, when I do a PING or TRACEROUTE, it bounces between 203.92.70.121 and 203.92.70.122. Besides, the IP addresses are translated as following:

host-203-92-70-122.lga.net.sg [203.92.70.122]

host-203-92-70-121.lga.net.sg [203.92.70.121]

and the mail server as

host-203-92-72-33.lga.net.sg [203.92.72.33]

Can you check with your provider if they are correctly routing your addresses ?

Regards,

GP

caleb_xin · ‎12-09-2005

I called them, they say that it's the problem of my router. If they come to my site to check the router, they will charge $100 to 200 dollars.

My mail server is accessable from out side, can receive email and provide web services. But cannot ping, when ping to 203.92.72.33, it shows

reply from 203.92.70.122: TTL expired in transit

Georg Pauwen · ‎12-09-2005

Hello,

ok. Maybe you should try and reboot the router, there should not be any dynamic entries in the NAT table if you have excluded the IP address of the mail server from the access list. Can you save the running configuration to the startup configuration with the command:

copy run start

then reboot the router, and check the entries in the NAT table ?

Regards,

GP

caleb_xin · ‎12-09-2005

I restart the router already, but i still get these entries in the translation list:

tcp 203.92.70.122:3056 192.168.1.200:3056 194.30.193.10:25 194.30.193.10:25

tcp 203.92.70.122:3057 192.168.1.200:3057 194.30.193.11:25 194.30.193.11:25

tcp 203.92.70.122:3058 192.168.1.200:3058 194.30.193.12:25 194.30.193.12:25

seems that deny doesn't work.

Georg Pauwen · ‎12-09-2005

Hello,

I don´t want to sound stupid, but can you check what access list 100 looks like exactly ? If you just add the new line to the access list, it will be added at the bottom of the access list without effect. You need to remove the access list with the ´no access-list 100´ command, and then reenter the entire access list, with the deny statement first...

Regards,

GP

caleb_xin · ‎12-09-2005

Sorry GP if I made you fed up. But this is really a very first time I configure the Cisco Router. I did read the guide but no very understand it.

this is my access-list 100, please have a look:

Genesis#show access-list 100

Extended IP access list 100

deny ip host 192.168.1.200 any (15 matches)

permit ip 192.168.1.0 0.0.0.255 any (10 matches)