Stasila

asked on

NAT problem on cisco 1841

Hi Experts,

We have an Exchange server behind a Cisco 1841 and I'm using NAT rules to forward port 25 to my Exchange server. Recently we purchased a Barracuda box and here is the problem.
I added one more NAT rule to forward port 25 to a new loopback that I want to use for the Barracuda box. I can telnet to the SPAM filter inside my network, but the NAT rules are not applying to the new loopback interface, so I can telnet port 25 from outside.

Here is the running config.

! this loopback I want to use for the Barracuda spam filter
interface Loopback0
 ip address 206.186.26.3 255.255.255.255
!
interface Loopback1
 description NAT Outside
 ip address 206.186.26.1 255.255.255.255
 ip nat outside
 ip virtual-reassembly
!
interface Loopback2
 ip address 206.186.26.2 255.255.255.255
 ip nat outside
 ip virtual-reassembly
!
interface FastEthernet0/0
 description LAN
 ip address 10.1.1.18 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 description WAN / Rogers Internet
 ip address 206.186.248.22 255.255.255.252
 ip nat outside
 ip virtual-reassembly
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
ip local pool SDM_POOL_1 10.1.1.220 10.1.1.225
ip local pool SDM_POOL_2 10.1.1.230 10.1.1.240
ip route 0.0.0.0 0.0.0.0 206.186.248.21
!
!
ip http server
ip http secure-server
ip nat inside source list 97 interface Loopback0 overload
ip nat inside source list 98 interface Loopback2 overload
ip nat inside source list 99 interface Loopback1 overload
ip nat inside source static tcp 10.1.1.6 80 206.186.26.1 80 extendable
ip nat inside source static tcp 10.1.1.11 110 206.186.26.1 110 extendable
ip nat inside source static tcp 10.1.1.11 443 206.186.26.1 443 extendable
ip nat inside source static tcp 10.1.1.11 25 206.186.26.2 25 extendable
ip nat inside source static tcp 10.1.1.6 80 206.186.26.2 80 extendable
ip nat inside source static tcp 10.1.1.11 110 206.186.26.2 110 extendable
ip nat inside source static tcp 10.1.1.11 443 206.186.26.2 443 extendable
ip nat inside source static tcp 10.1.1.229 25 206.186.26.3 25 extendable
!
access-list 97 permit 10.1.1.229
access-list 98 permit 10.1.1.11
access-list 99 permit 10.1.1.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip 10.1.1.0 0.0.0.255 any



10.1.1.11 is my Exchange with MX mail.castgroupinc.com
10.1.1.229 is the SPAM box with MX mail2.castgroupinc.com

Any help will be appreciated.

from_exp


conf t
interface Loopback0
 ip address 206.186.26.3 255.255.255.255
 ip nat outside
 ip virtual-reassembly
!
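As an added example (not from this thread, from Cisco, or from either poster), a small Python audit of the static NAT layout discussed above: it parses IOS-style lines, finds the interface that owns each static mapping's global address, and flags mappings whose interface has no `ip nat outside`, which is exactly what the Loopback0 fix above adds. The config excerpt is a constructed subset of the asker's lines; the function names are my own.

```python
import re

# Constructed excerpt of the asker's original running config (relevant lines only).
CONFIG = """\
interface Loopback0
 ip address 206.186.26.3 255.255.255.255
!
interface Loopback2
 ip address 206.186.26.2 255.255.255.255
 ip nat outside
!
ip nat inside source static tcp 10.1.1.11 25 206.186.26.2 25 extendable
ip nat inside source static tcp 10.1.1.229 25 206.186.26.3 25 extendable
"""

STATIC = re.compile(r"^ip nat inside source static (\w+) (\S+) (\d+) (\S+) (\d+)")

def parse_interfaces(config):
    """Map interface name -> {'ip': address, 'nat': 'inside' | 'outside' | None}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
            interfaces[current] = {"ip": None, "nat": None}
        elif current and line.startswith(" "):  # sub-command of the current interface
            words = line.split()
            if words[:2] == ["ip", "address"]:
                interfaces[current]["ip"] = words[2]
            elif words[:2] == ["ip", "nat"]:
                interfaces[current]["nat"] = words[2]
        else:  # '!' or a global command ends the interface block
            current = None
    return interfaces

def audit_static_nat(config):
    """One finding per static mapping whose global address is not on an 'ip nat outside' interface."""
    by_ip = {v["ip"]: (name, v["nat"]) for name, v in parse_interfaces(config).items() if v["ip"]}
    findings = []
    for line in config.splitlines():
        m = STATIC.match(line)
        if not m:
            continue
        proto, inside, iport, outside, oport = m.groups()
        name, role = by_ip.get(outside, (None, None))
        if name is None:
            findings.append(f"{proto} {outside}:{oport} -> {inside}:{iport}: global address not on any interface, check routing")
        elif role != "outside":
            findings.append(f"{proto} {outside}:{oport} -> {inside}:{iport}: {name} is missing 'ip nat outside'")
    return findings
```

Running it on the excerpt reports only the Loopback0 mapping; adding `ip nat outside` under Loopback0 clears the finding.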
Stasila

ASKER

I did it before and nothing worked; try to telnet to 206.186.26.3 25, it's not responding.
Even if I change the IP from my Exchange server to the SPAM box it will not respond on port 25.


interface Loopback0
 ip address 206.186.26.3 255.255.255.255
 ip nat outside
 ip virtual-reassembly
!
interface Loopback1
 description NAT Outside
 ip address 206.186.26.1 255.255.255.255
 ip nat outside
 ip virtual-reassembly
!
interface Loopback2
 ip address 206.186.26.2 255.255.255.255
 ip nat outside
 ip virtual-reassembly
!
interface FastEthernet0/0
 description LAN
 ip address 10.1.1.18 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 description WAN / Rogers Internet
 ip address 206.186.248.22 255.255.255.252
 ip nat outside
 ip virtual-reassembly
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
ip local pool SDM_POOL_1 10.1.1.220 10.1.1.225
ip local pool SDM_POOL_2 10.1.1.230 10.1.1.240
ip route 0.0.0.0 0.0.0.0 206.186.248.21
!
!
ip http server
ip http secure-server
ip nat inside source list 97 interface Loopback0 overload
ip nat inside source list 98 interface Loopback2 overload
ip nat inside source list 99 interface Loopback1 overload
ip nat inside source static tcp 10.1.1.6 80 206.186.26.1 80 extendable
ip nat inside source static tcp 10.1.1.11 110 206.186.26.1 110 extendable
ip nat inside source static tcp 10.1.1.11 443 206.186.26.1 443 extendable
ip nat inside source static tcp 10.1.1.11 25 206.186.26.2 25 extendable
ip nat inside source static tcp 10.1.1.6 80 206.186.26.2 80 extendable
ip nat inside source static tcp 10.1.1.11 110 206.186.26.2 110 extendable
ip nat inside source static tcp 10.1.1.229 25 206.186.26.3 25 extendable
!
access-list 97 permit 10.1.1.229
access-list 98 permit 10.1.1.11
access-list 99 permit 10.1.1.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip 10.1.1.0 0.0.0.255 any

scheduler allocate 20000 1000
end

OK, is your spam box configured with a default GW? Can it ping your router, and can it access the internet?
Stasila

ASKER

Yes, IP, network mask and DG are assigned to the Barracuda spam box. I can ping any outside host from it.
Stasila

ASKER

I just found out that I actually can't ping outside hosts, only inside my network. DG and IP are correct; it seems like the Cisco router is not letting it out.
Stasila

ASKER

I added one of my machines to access-list 97 to see if I'd be able to exit the network using the Loopback0 interface (206.186.26.3), and it's working just fine. Any other ideas why the NAT rules are not working for the SPAM box?
Does your box have any IPs configured?
Stasila

ASKER

Yes. 10.1.1.229 and DG 10.1.1.18.
Stasila

ASKER

Do I need to create any ACL rules for this interface to let port 25 in and out?

Nope, everything should be like for your Exchange.
Actually, if possible, you can disconnect your Exchange for a while, configure your spam box with the Exchange's IP and try to telnet from the outside.
Stasila

ASKER

I changed the IP in my NAT rule from the Exchange IP to the spam IP and can't telnet.
Stasila

ASKER

OK, I changed the local IP and I'm able to ping outside hosts from my spam box. Now how can I make a NAT rule for it to use Loopback0 to go outside and forward port 25 to that interface?
Hm, strange.
Try this:
clear ip nat translation
Can you paste the complete config of your router (only without passwords)?
ASKER CERTIFIED SOLUTION
Stasila

Nice!
I'm waiting for an update!
arp timeout 300 did the trick.
Hi!
My congrats!
Same account.
Please close "stasila"; this is the old account. Also please dispose of this question. Thanks,