NAT problem on Cisco 1841

Hi Experts,

We have an Exchange server behind a Cisco 1841 and I'm using NAT rules to forward port 25 to my Exchange server. Recently we purchased a Barracuda box, and here is the problem.
I added one more NAT rule to forward port 25 to a new loopback that I want to use for the Barracuda box. I can telnet to the spam filter inside my network, but the NAT rule is not applying to the new loopback interface, so I can't telnet to port 25 from outside.

Here is the running config.

interface Loopback0   (this is the loopback I want to use for the Barracuda spam filter)
 ip address 206.186.26.3 255.255.255.255
!
interface Loopback1
 description NAT Outside
 ip address 206.186.26.1 255.255.255.255
 ip nat outside
 ip virtual-reassembly
!
interface Loopback2
 ip address 206.186.26.2 255.255.255.255
 ip nat outside
 ip virtual-reassembly
!
interface FastEthernet0/0
 description LAN
 ip address 10.1.1.18 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 description WAN / Rogers Internet
 ip address 206.186.248.22 255.255.255.252
 ip nat outside
 ip virtual-reassembly
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
ip local pool SDM_POOL_1 10.1.1.220 10.1.1.225
ip local pool SDM_POOL_2 10.1.1.230 10.1.1.240
ip route 0.0.0.0 0.0.0.0 206.186.248.21
!
!
ip http server
ip http secure-server
ip nat inside source list 97 interface Loopback0 overload
ip nat inside source list 98 interface Loopback2 overload
ip nat inside source list 99 interface Loopback1 overload
ip nat inside source static tcp 10.1.1.6 80 206.186.26.1 80 extendable
ip nat inside source static tcp 10.1.1.11 110 206.186.26.1 110 extendable
ip nat inside source static tcp 10.1.1.11 443 206.186.26.1 443 extendable
ip nat inside source static tcp 10.1.1.11 25 206.186.26.2 25 extendable
ip nat inside source static tcp 10.1.1.6 80 206.186.26.2 80 extendable
ip nat inside source static tcp 10.1.1.11 110 206.186.26.2 110 extendable
ip nat inside source static tcp 10.1.1.11 443 206.186.26.2 443 extendable
ip nat inside source static tcp 10.1.1.229 25 206.186.26.3 25 extendable
!
access-list 97 permit 10.1.1.229
access-list 98 permit 10.1.1.11
access-list 99 permit 10.1.1.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip 10.1.1.0 0.0.0.255 any
10.1.1.11 is my Exchange with MX mail.castgroupinc.com
10.1.1.229 is the spam box with MX mail2.castgroupinc.com

Any help will be appreciated.

Asked by Stasila

1 Solution

from_exp commented:
interface Loopback0
 ip address 206.186.26.3 255.255.255.255
 ip nat outside
 ip virtual-reassembly
!
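A check for the condition this answer points at, added here as an example (it is not from the thread and not a Cisco tool): it parses a constructed excerpt of the question's running config and flags every static or overload NAT rule whose global address or interface is not marked ip nat outside. The excerpt, the interface names and the addresses are the question's; everything else is assumed for the example.

```python
import ipaddress
import re

# Constructed excerpt of the running config posted in the question (not the full config).
CONFIG = """\
interface Loopback0
 ip address 206.186.26.3 255.255.255.255
!
interface Loopback2
 ip address 206.186.26.2 255.255.255.255
 ip nat outside
!
ip nat inside source list 97 interface Loopback0 overload
ip nat inside source list 98 interface Loopback2 overload
ip nat inside source static tcp 10.1.1.11 25 206.186.26.2 25 extendable
ip nat inside source static tcp 10.1.1.229 25 206.186.26.3 25 extendable
"""

def parse_interfaces(config):
    """Map interface name -> {'ip': IPv4Interface or None, 'nat': 'inside', 'outside' or None}."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            cur = m.group(1)
            ifaces[cur] = {"ip": None, "nat": None}
        elif not line.startswith(" "):
            cur = None  # '!' or a global command ends the interface block
        elif cur:
            m = re.match(r" ip address (\S+) (\S+)", line)
            if m:
                ifaces[cur]["ip"] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
            elif line.strip() in ("ip nat inside", "ip nat outside"):
                ifaces[cur]["nat"] = line.split()[-1]
    return ifaces

def check_nat(config):
    """Flag NAT rules whose global side is not an address or interface marked 'ip nat outside'."""
    ifaces = parse_interfaces(config)
    outside = {str(i["ip"].ip) for i in ifaces.values() if i["nat"] == "outside" and i["ip"]}
    findings = []
    for m in re.finditer(r"^ip nat inside source static \S+ \S+ \d+ (\S+) \d+", config, re.M):
        if m.group(1) not in outside:
            findings.append(f"static NAT to {m.group(1)}: address is not on an 'ip nat outside' interface")
    for m in re.finditer(r"^ip nat inside source list \d+ interface (\S+) overload", config, re.M):
        if ifaces.get(m.group(1), {}).get("nat") != "outside":
            findings.append(f"dynamic NAT via {m.group(1)}: interface is not 'ip nat outside'")
    return findings
```

Run against the excerpt it reports both Loopback0 rules; add ip nat outside under Loopback0 as the answer says and it reports nothing.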
from_exp commented:
conf t
interface Loopback0
 ip address 206.186.26.3 255.255.255.255
 ip nat outside
 ip virtual-reassembly
!

Stasila (author) commented:
I did that before and nothing works. Trying to telnet to 206.186.26.3 25, it's not responding.
Even if I change the IP from my Exchange server to the spam box, it will not respond on port 25.


interface Loopback0
 ip address 206.186.26.3 255.255.255.255
 ip nat outside
 ip virtual-reassembly
!
interface Loopback1
 description NAT Outside
 ip address 206.186.26.1 255.255.255.255
 ip nat outside
 ip virtual-reassembly
!
interface Loopback2
 ip address 206.186.26.2 255.255.255.255
 ip nat outside
 ip virtual-reassembly
!
interface FastEthernet0/0
 description LAN
 ip address 10.1.1.18 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 description WAN / Rogers Internet
 ip address 206.186.248.22 255.255.255.252
 ip nat outside
 ip virtual-reassembly
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
ip local pool SDM_POOL_1 10.1.1.220 10.1.1.225
ip local pool SDM_POOL_2 10.1.1.230 10.1.1.240
ip route 0.0.0.0 0.0.0.0 206.186.248.21
!
!
ip http server
ip http secure-server
ip nat inside source list 97 interface Loopback0 overload
ip nat inside source list 98 interface Loopback2 overload
ip nat inside source list 99 interface Loopback1 overload
ip nat inside source static tcp 10.1.1.6 80 206.186.26.1 80 extendable
ip nat inside source static tcp 10.1.1.11 110 206.186.26.1 110 extendable
ip nat inside source static tcp 10.1.1.11 443 206.186.26.1 443 extendable
ip nat inside source static tcp 10.1.1.11 25 206.186.26.2 25 extendable
ip nat inside source static tcp 10.1.1.6 80 206.186.26.2 80 extendable
ip nat inside source static tcp 10.1.1.11 110 206.186.26.2 110 extendable
ip nat inside source static tcp 10.1.1.229 25 206.186.26.3 25 extendable
!
access-list 97 permit 10.1.1.229
access-list 98 permit 10.1.1.11
access-list 99 permit 10.1.1.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip 10.1.1.0 0.0.0.255 any

scheduler allocate 20000 1000
end

from_exp commented:
OK, is your spam box configured with a default gateway? Can it ping your router, and can it access the internet?

Stasila (author) commented:
Yes, IP, network mask and DG are assigned to the Barracuda spam box. I can ping any outside host from it.

Stasila (author) commented:
I just found out that I actually can't ping outside hosts, only inside my network. DG and IP are correct; it seems like the Cisco router is not letting it out.

Stasila (author) commented:
I added one of my machines to access-list 97 to see if I would be able to exit the network using the Loopback0 interface (206.186.26.3), and it's working just fine. Any other ideas why the NAT rules are not working for the spam box?

from_exp commented:
Does your box have any IPs configured?

Stasila (author) commented:
Yes. 10.1.1.229 and DG 10.1.1.18.

Stasila (author) commented:
Do I need to create any ACL rules for this interface to let port 25 in and out?

from_exp commented:
Nope, everything should work like it does for your Exchange.
Actually, if possible, you can disconnect your Exchange for a while, configure your spam box with Exchange's IP and try to telnet from the outside.

Stasila (author) commented:
I changed the IP in my NAT rule from the Exchange IP to the spam box IP and can't telnet.

Stasila (author) commented:
OK, I changed the local IP and I'm able to ping outside hosts from my spam box. Now how can I make a NAT rule for it to use Loopback0 to go outside and forward port 25 to that interface?

from_exp commented:
Hm, strange.
Try this:
clear ip nat translation

from_exp commented:
Can you paste the complete config of your router (only without passwords)?

Stasila (author) commented:
I have a solution; I will post updates after it's done. Thanks for your help.

from_exp commented:
Nice!
I'm waiting for an update!

stasila2010 commented:
arp timeout 300 did the trick.

from_exp commented:
Hi!
My congrats!

stasila2010 commented:
Same account.

stasila2010 commented:
Please close "stasila"; this is the old account. Also, please dispose of this question. Thanks.