Stasila
asked on
NAT problem on Cisco 1841
Hi Experts,
We have an Exchange server behind a Cisco 1841 and I'm using NAT rules to forward port 25 to my Exchange server. Recently we purchased a Barracuda box and here is the problem.
I added one more NAT rule to forward port 25 to a new loopback that I want to use for the Barracuda box. I can telnet to the spam filter inside my network, but the NAT rule is not applying to the new loopback interface, so I can't telnet to port 25 from outside.
Here is running config.
interface Loopback0   (this loopback I want to use for the Barracuda spam filter)
ip address 206.186.26.3 255.255.255.255
!
interface Loopback1
description NAT Outside
ip address 206.186.26.1 255.255.255.255
ip nat outside
ip virtual-reassembly
!
interface Loopback2
ip address 206.186.26.2 255.255.255.255
ip nat outside
ip virtual-reassembly
!
interface FastEthernet0/0
description LAN
ip address 10.1.1.18 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0
description WAN / Rogers Internet
ip address 206.186.248.22 255.255.255.252
ip nat outside
ip virtual-reassembly
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback2
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
ip local pool SDM_POOL_1 10.1.1.220 10.1.1.225
ip local pool SDM_POOL_2 10.1.1.230 10.1.1.240
ip route 0.0.0.0 0.0.0.0 206.186.248.21
!
!
ip http server
ip http secure-server
ip nat inside source list 97 interface Loopback0 overload
ip nat inside source list 98 interface Loopback2 overload
ip nat inside source list 99 interface Loopback1 overload
ip nat inside source static tcp 10.1.1.6 80 206.186.26.1 80 extendable
ip nat inside source static tcp 10.1.1.11 110 206.186.26.1 110 extendable
ip nat inside source static tcp 10.1.1.11 443 206.186.26.1 443 extendable
ip nat inside source static tcp 10.1.1.11 25 206.186.26.2 25 extendable
ip nat inside source static tcp 10.1.1.6 80 206.186.26.2 80 extendable
ip nat inside source static tcp 10.1.1.11 110 206.186.26.2 110 extendable
ip nat inside source static tcp 10.1.1.11 443 206.186.26.2 443 extendable
ip nat inside source static tcp 10.1.1.229 25 206.186.26.3 25 extendable
!
access-list 97 permit 10.1.1.229
access-list 98 permit 10.1.1.11
access-list 99 permit 10.1.1.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip 10.1.1.0 0.0.0.255 any
10.1.1.11 is my Exchange with MX mail.castgroupinc.com
10.1.1.229 is the spam box with MX mail2.castgroupinc.com
Any help will be appreciated.
conf t
interface Loopback0
ip address 206.186.26.3 255.255.255.255
ip nat outside
ip virtual-reassembly
!
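As an added example (not part of the thread, and not the expert's or the asker's code), here is a small Python checker that reproduces the diagnosis in the reply above mechanically: every `ip nat inside source static` global address and every `interface ... overload` target must belong to an interface marked `ip nat outside`, otherwise the translation is never applied on the return path. It assumes `show running-config` text with IOS's usual one-space indentation under `interface` stanzas (the paste above lost it); the embedded config is a trimmed copy of the asker's. It only inspects configuration, so it says nothing about layer-2 state such as the ARP timeout change reported at the end of the thread.

```python
"""Static-NAT sanity check for a Cisco IOS running-config (added example)."""
import re

# Constructed sample: the relevant fragment of the asker's config, with the
# indentation that `show running-config` normally produces.
SAMPLE_CONFIG = """\
interface Loopback0
 ip address 206.186.26.3 255.255.255.255
!
interface Loopback1
 description NAT Outside
 ip address 206.186.26.1 255.255.255.255
 ip nat outside
!
interface Loopback2
 ip address 206.186.26.2 255.255.255.255
 ip nat outside
!
interface FastEthernet0/0
 description LAN
 ip address 10.1.1.18 255.255.255.0
 ip nat inside
!
interface Serial0/0/0
 ip address 206.186.248.22 255.255.255.252
 ip nat outside
!
ip nat inside source list 97 interface Loopback0 overload
ip nat inside source list 98 interface Loopback2 overload
ip nat inside source static tcp 10.1.1.11 25 206.186.26.2 25 extendable
ip nat inside source static tcp 10.1.1.229 25 206.186.26.3 25 extendable
access-list 97 permit 10.1.1.229
access-list 98 permit 10.1.1.11
"""

INTERFACE_RE = re.compile(r"^interface (\S+)")
ADDRESS_RE = re.compile(r"^\s+ip address (\d+\.\d+\.\d+\.\d+) ")
STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
OVERLOAD_RE = re.compile(
    r"^ip nat inside source list (\S+) interface (\S+) overload")


def parse_interfaces(config):
    """Return {name: {"address": first IPv4 or None, "nat": "inside"/"outside"/None}}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            interfaces[current] = {"address": None, "nat": None}
            continue
        if current is None or not line.startswith(" "):
            current = None  # "!" or a global command ends the interface stanza
            continue
        m = ADDRESS_RE.match(line)
        if m:
            interfaces[current]["address"] = m.group(1)
        elif line.strip() == "ip nat inside":
            interfaces[current]["nat"] = "inside"
        elif line.strip() == "ip nat outside":
            interfaces[current]["nat"] = "outside"
    return interfaces


def find_nat_problems(config):
    """Return human-readable findings; an empty list means the NAT roles line up."""
    interfaces = parse_interfaces(config)
    owner_of = {v["address"]: k for k, v in interfaces.items() if v["address"]}
    findings = []
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        if m:
            proto, local_ip, local_port, global_ip, global_port = m.groups()
            owner = owner_of.get(global_ip)
            if owner is None:
                findings.append(f"static {proto}/{global_port} -> {local_ip}:{local_port}: "
                                f"global {global_ip} is not configured on any interface")
            elif interfaces[owner]["nat"] != "outside":
                findings.append(f"static {proto}/{global_port} -> {local_ip}:{local_port}: "
                                f"{owner} owns {global_ip} but lacks 'ip nat outside'")
            continue
        m = OVERLOAD_RE.match(line)
        if m:
            acl, iface = m.groups()
            if interfaces.get(iface, {}).get("nat") != "outside":
                findings.append(f"overload via {iface} (list {acl}): "
                                f"interface lacks 'ip nat outside'")
    return findings


def with_nat_outside(config, iface):
    """Return the config with ' ip nat outside' added under iface (the reply's fix)."""
    out, current = [], None
    for line in config.splitlines():
        out.append(line)
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
        elif current == iface and ADDRESS_RE.match(line):
            out.append(" ip nat outside")
            current = None
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in find_nat_problems(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print("after fix:", find_nat_problems(with_nat_outside(SAMPLE_CONFIG, "Loopback0")))
```

Run against the sample it reports two findings, both against Loopback0 (the static port-25 mapping to 206.186.26.3 and the overload rule for list 97); after `with_nat_outside(..., "Loopback0")` the list is empty.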
ASKER
I did it before and nothing worked. Try to telnet to 206.186.26.3 25; it's not responding.
Even if I change the IP from my Exchange server to the spam box, it will not respond on port 25.
interface Loopback0
ip address 206.186.26.3 255.255.255.255
ip nat outside
ip virtual-reassembly
!
interface Loopback1
description NAT Outside
ip address 206.186.26.1 255.255.255.255
ip nat outside
ip virtual-reassembly
!
interface Loopback2
ip address 206.186.26.2 255.255.255.255
ip nat outside
ip virtual-reassembly
!
interface FastEthernet0/0
description LAN
ip address 10.1.1.18 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0
description WAN / Rogers Internet
ip address 206.186.248.22 255.255.255.252
ip nat outside
ip virtual-reassembly
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback2
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
ip local pool SDM_POOL_1 10.1.1.220 10.1.1.225
ip local pool SDM_POOL_2 10.1.1.230 10.1.1.240
ip route 0.0.0.0 0.0.0.0 206.186.248.21
!
!
ip http server
ip http secure-server
ip nat inside source list 97 interface Loopback0 overload
ip nat inside source list 98 interface Loopback2 overload
ip nat inside source list 99 interface Loopback1 overload
ip nat inside source static tcp 10.1.1.6 80 206.186.26.1 80 extendable
ip nat inside source static tcp 10.1.1.11 110 206.186.26.1 110 extendable
ip nat inside source static tcp 10.1.1.11 443 206.186.26.1 443 extendable
ip nat inside source static tcp 10.1.1.11 25 206.186.26.2 25 extendable
ip nat inside source static tcp 10.1.1.6 80 206.186.26.2 80 extendable
ip nat inside source static tcp 10.1.1.11 110 206.186.26.2 110 extendable
ip nat inside source static tcp 10.1.1.229 25 206.186.26.3 25 extendable
!
access-list 97 permit 10.1.1.229
access-list 98 permit 10.1.1.11
access-list 99 permit 10.1.1.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip 10.1.1.0 0.0.0.255 any
scheduler allocate 20000 1000
end
OK, is your spam box configured with a default gateway? Can it ping your router, and can it access the internet?
ASKER
Yes, IP, network mask and DG are assigned to the Barracuda spam box. I can ping any outside host from it.
ASKER
I just found out that I actually can't ping outside hosts, only inside my network. DG and IP are correct; it seems like the Cisco router is not letting it out.
ASKER
I added one of my machines to access-list 97 to see if I would be able to exit the network using the Loopback0 interface (206.186.26.3), and it's working just fine. Any other ideas why the NAT rules are not working for the spam box?
Does your box have any IPs configured?
ASKER
Yes. 10.1.1.229 and DG 10.1.1.18.
ASKER
Do I need to create any ACL rules for this interface to let port 25 in and out?
Nope, everything should be like for your Exchange.
Actually, if possible, you can disconnect your Exchange for a while, configure your spam box with Exchange's IP and try to telnet from the outside.
ASKER
I changed the IP in my NAT rule from the Exchange IP to the spam IP and can't telnet.
ASKER
OK, I changed the local IP and I'm able to ping outside hosts from my spam box. Now how can I make a NAT rule for it to use Loopback0 to go outside and forward port 25 to that interface?
Hm, strange.
Try this:
clear ip nat translation *
Can you paste the complete config of your router (only without passwords)?
ASKER CERTIFIED SOLUTION
Nice!
I'm waiting for an update!
arp timeout 300 did the trick.
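For context on that fix (an added note, not part of the asker's post): `arp timeout` is an interface-level IOS command, and the default ARP cache timeout is 14400 seconds (4 hours). One explanation consistent with the thread (the spam box only started working after its LAN address was changed) is that the router still held an ARP entry learned for 10.1.1.229 before the Barracuda took that address, so traffic for the static mapping was sent to the wrong MAC until the entry aged out. How that would look on the LAN interface of the config above, together with the one-off alternative and the commands to verify it; FastEthernet0/0 is assumed, the post does not say where the command was applied:

```text
! added example; FastEthernet0/0 is an assumption, the post does not name the interface
interface FastEthernet0/0
 arp timeout 300
!
! one-off alternative to lowering the timeout permanently: flush the dynamic ARP cache
clear arp-cache
! verify the router now resolves the spam box to the Barracuda's MAC address
show ip arp 10.1.1.229
show ip nat translations
```

A 300-second timeout is harmless on a small LAN; the trade-off is slightly more ARP traffic in exchange for the router noticing a changed MAC within minutes rather than hours.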
Hi!
My congrats!
Same account.
Please close "stasila", this is the old account. Also please dispose of this question. Thanks,