NAT problem on cisco 1841

Hi Experts,

We have an Exchange server behind a Cisco 1841 and I'm using NAT rules to forward port 25 to my Exchange server. Recently we purchased a Barracuda box and here is the problem.
I added one more NAT rule to forward port 25 to a new loopback that I want to use for the Barracuda box. I can telnet to the spam filter inside my network, but the NAT rule is not applying to the new loopback interface so I can telnet to port 25 from outside.

Here is the running config.

interface Loopback0 (this loopback I want to use for the Barracuda spam filter)
 ip address 206.186.26.3 255.255.255.255
!
interface Loopback1
 description NAT Outside
 ip address 206.186.26.1 255.255.255.255
 ip nat outside
 ip virtual-reassembly
!
interface Loopback2
 ip address 206.186.26.2 255.255.255.255
 ip nat outside
 ip virtual-reassembly
!
interface FastEthernet0/0
 description LAN
 ip address 10.1.1.18 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 description WAN / Rogers Internet
 ip address 206.186.248.22 255.255.255.252
 ip nat outside
 ip virtual-reassembly
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
ip local pool SDM_POOL_1 10.1.1.220 10.1.1.225
ip local pool SDM_POOL_2 10.1.1.230 10.1.1.240
ip route 0.0.0.0 0.0.0.0 206.186.248.21
!
!
ip http server
ip http secure-server
ip nat inside source list 97 interface Loopback0 overload
ip nat inside source list 98 interface Loopback2 overload
ip nat inside source list 99 interface Loopback1 overload
ip nat inside source static tcp 10.1.1.6 80 206.186.26.1 80 extendable
ip nat inside source static tcp 10.1.1.11 110 206.186.26.1 110 extendable
ip nat inside source static tcp 10.1.1.11 443 206.186.26.1 443 extendable
ip nat inside source static tcp 10.1.1.11 25 206.186.26.2 25 extendable
ip nat inside source static tcp 10.1.1.6 80 206.186.26.2 80 extendable
ip nat inside source static tcp 10.1.1.11 110 206.186.26.2 110 extendable
ip nat inside source static tcp 10.1.1.11 443 206.186.26.2 443 extendable
ip nat inside source static tcp 10.1.1.229 25 206.186.26.3 25 extendable
!
access-list 97 permit 10.1.1.229
access-list 98 permit 10.1.1.11
access-list 99 permit 10.1.1.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip 10.1.1.0 0.0.0.255 any



10.1.1.11 is my Exchange with MX mail.castgroupinc.com
10.1.1.229 is the spam box with MX mail2.castgroupinc.com

Any help will be appreciated.







StasilaAsked:
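The config above has one asymmetry worth checking mechanically: every global address used by a static or overload NAT rule must sit on an interface that is marked `ip nat outside`, or the translation never fires. The following is an added example, not code from this thread or from Cisco: a small Python linter that parses the interface stanzas and `ip nat inside source` lines of an IOS running-config and reports any NAT rule whose outside interface lacks `ip nat outside`. The embedded sample is a constructed subset of the configuration posted in the question; the second sample is the same text with `ip nat outside` added under Loopback0, which is the assumed fix being tested.

```python
"""Lint a Cisco IOS NAT configuration for a common misconfiguration:
a static NAT or PAT/overload rule whose global (outside) address lives on an
interface that is not marked `ip nat outside`, so the rule never translates.
Added example; parses only the subset of IOS syntax needed for this check."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Interface:
    name: str
    ip: Optional[str] = None
    nat_outside: bool = False
    nat_inside: bool = False


@dataclass
class StaticNat:
    proto: str
    local_ip: str
    local_port: int
    global_ip: str
    global_port: int


@dataclass
class NatConfig:
    interfaces: Dict[str, Interface] = field(default_factory=dict)
    statics: List[StaticNat] = field(default_factory=list)
    overloads: List[Tuple[str, str]] = field(default_factory=list)  # (acl, interface)


STATIC_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
OVERLOAD_RE = re.compile(r"^ip nat inside source list (\S+) interface (\S+) overload")


def parse_ios(text: str) -> NatConfig:
    """Walk the config line by line; indented lines belong to the current
    interface stanza, `!` or any unindented line ends the stanza."""
    cfg = NatConfig()
    current: Optional[Interface] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = Interface(name=line.split()[1])
            cfg.interfaces[current.name] = current
            continue
        if line.startswith(" "):
            if current is None:
                continue
            sub = line.strip()
            if sub.startswith("ip address "):
                current.ip = sub.split()[2]
            elif sub == "ip nat outside":
                current.nat_outside = True
            elif sub == "ip nat inside":
                current.nat_inside = True
            continue
        current = None  # unindented line: stanza is over
        m = STATIC_RE.match(line)
        if m:
            proto, lip, lport, gip, gport = m.groups()
            cfg.statics.append(StaticNat(proto, lip, int(lport), gip, int(gport)))
            continue
        m = OVERLOAD_RE.match(line)
        if m:
            cfg.overloads.append((m.group(1), m.group(2)))
    return cfg


def lint(cfg: NatConfig) -> List[str]:
    """Return one finding per NAT rule whose outside side is not usable."""
    findings: List[str] = []
    owner_of = {i.ip: i for i in cfg.interfaces.values() if i.ip}
    for s in cfg.statics:
        rule = f"static {s.proto} {s.local_ip}:{s.local_port} -> {s.global_ip}:{s.global_port}"
        owner = owner_of.get(s.global_ip)
        if owner is None:
            findings.append(f"{rule}: global address is not configured on any interface")
        elif not owner.nat_outside:
            findings.append(f"{rule}: {owner.name} owns {s.global_ip} but lacks 'ip nat outside'")
    for acl, ifname in cfg.overloads:
        iface = cfg.interfaces.get(ifname)
        if iface is None:
            findings.append(f"overload list {acl}: interface {ifname} does not exist")
        elif not iface.nat_outside:
            findings.append(f"overload list {acl}: {ifname} lacks 'ip nat outside'")
    if not any(i.nat_inside for i in cfg.interfaces.values()):
        findings.append("no interface is marked 'ip nat inside'")
    return findings


# Constructed sample: the relevant subset of the config posted in the question.
ORIGINAL_CONFIG = """\
interface Loopback0
 ip address 206.186.26.3 255.255.255.255
!
interface Loopback1
 ip address 206.186.26.1 255.255.255.255
 ip nat outside
!
interface Loopback2
 ip address 206.186.26.2 255.255.255.255
 ip nat outside
!
interface FastEthernet0/0
 ip address 10.1.1.18 255.255.255.0
 ip nat inside
!
ip nat inside source list 97 interface Loopback0 overload
ip nat inside source list 98 interface Loopback2 overload
ip nat inside source list 99 interface Loopback1 overload
ip nat inside source static tcp 10.1.1.11 25 206.186.26.2 25 extendable
ip nat inside source static tcp 10.1.1.229 25 206.186.26.3 25 extendable
"""

# Assumed fix: the same config with `ip nat outside` added under Loopback0.
FIXED_CONFIG = ORIGINAL_CONFIG.replace(
    " ip address 206.186.26.3 255.255.255.255\n",
    " ip address 206.186.26.3 255.255.255.255\n ip nat outside\n", 1)

if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {label} ==")
        for f in lint(parse_ios(text)) or ["no findings"]:
            print(" ", f)
```

Run against the posted config the linter reports two findings, both on Loopback0 (the static rule for 10.1.1.229 and the overload for access-list 97); with `ip nat outside` added to that loopback it reports nothing. A check like this is worth running whenever a new public address is introduced on a loopback, because the interface will answer pings and routing will look correct while NAT silently ignores it.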

from_expCommented:
interface Loopback0
 ip address 206.186.26.3 255.255.255.255
 ip nat outside
 ip virtual-reassembly
!
0
from_expCommented:
conf t
interface Loopback0
 ip address 206.186.26.3 255.255.255.255
 ip nat outside
 ip virtual-reassembly
!
0
StasilaAuthor Commented:
I did it before and nothing worked. Trying to telnet to 206.186.26.3 25, it's not responding.
Even if I change the IP from my Exchange server to the spam box it will not respond on port 25.


interface Loopback0
 ip address 206.186.26.3 255.255.255.255
 ip nat outside
 ip virtual-reassembly
!
interface Loopback1
 description NAT Outside
 ip address 206.186.26.1 255.255.255.255
 ip nat outside
 ip virtual-reassembly
!
interface Loopback2
 ip address 206.186.26.2 255.255.255.255
 ip nat outside
 ip virtual-reassembly
!
interface FastEthernet0/0
 description LAN
 ip address 10.1.1.18 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 description WAN / Rogers Internet
 ip address 206.186.248.22 255.255.255.252
 ip nat outside
 ip virtual-reassembly
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
ip local pool SDM_POOL_1 10.1.1.220 10.1.1.225
ip local pool SDM_POOL_2 10.1.1.230 10.1.1.240
ip route 0.0.0.0 0.0.0.0 206.186.248.21
!
!
ip http server
ip http secure-server
ip nat inside source list 97 interface Loopback0 overload
ip nat inside source list 98 interface Loopback2 overload
ip nat inside source list 99 interface Loopback1 overload
ip nat inside source static tcp 10.1.1.6 80 206.186.26.1 80 extendable
ip nat inside source static tcp 10.1.1.11 110 206.186.26.1 110 extendable
ip nat inside source static tcp 10.1.1.11 443 206.186.26.1 443 extendable
ip nat inside source static tcp 10.1.1.11 25 206.186.26.2 25 extendable
ip nat inside source static tcp 10.1.1.6 80 206.186.26.2 80 extendable
ip nat inside source static tcp 10.1.1.11 110 206.186.26.2 110 extendable
ip nat inside source static tcp 10.1.1.229 25 206.186.26.3 25 extendable
!
access-list 97 permit 10.1.1.229
access-list 98 permit 10.1.1.11
access-list 99 permit 10.1.1.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip 10.1.1.0 0.0.0.255 any

scheduler allocate 20000 1000
end

0

from_expCommented:
ok, is your spam box configured with a default gw, can it ping your router and can it access the internet?
0
StasilaAuthor Commented:
yes, IP, network mask and DG are assigned to the Barracuda spam box. I can ping any outside host from it.
0
StasilaAuthor Commented:
I just found out that I actually can't ping outside hosts, only inside my network. DG and IP are correct; it seems like the Cisco router is not letting it out.
0
StasilaAuthor Commented:
I added one of my machines to access-list 97 to see if I'd be able to exit the network using the Loopback0 interface (206.186.26.3), and it's working just fine. Any other ideas why the NAT rules are not working for the spam box?
0
from_expCommented:
does your box have any IPs configured?
0
StasilaAuthor Commented:
yes. 10.1.1.229 and dg 10.1.1.18
0
StasilaAuthor Commented:
Do I need to create any ACL rules for this interface to let port 25 in and out?
 
0
from_expCommented:
nope, everything should work like for your Exchange.
actually, if possible, you can disconnect your Exchange for a while, configure your spam box with the Exchange's IP and try to telnet from the outside.
0
StasilaAuthor Commented:
I changed the IP in my NAT rule from the Exchange IP to the spam IP and can't telnet.
0
StasilaAuthor Commented:
OK, I changed the local IP and I'm able to ping outside hosts from my spam box. Now how can I make a NAT rule for it to use Loopback0 to go outside and forward port 25 to that interface?
0
from_expCommented:
hm, strange.
try this:
clear ip nat translation
0
from_expCommented:
can you paste complete config of your router (only without passwords)?
0
StasilaAuthor Commented:
I have a solution; I will post updates after it's done. Thanks for your help.
0
from_expCommented:
nice!
I'm waiting for an update!
0
stasila2010Commented:
arp timeout 300 did the trick.
0
from_expCommented:
hi!
my congrats!
0
stasila2010Commented:
same account.
0
stasila2010Commented:
Please close "stasila", this is the old account. Also please dispose of this question. Thanks.

0