?
Solved

Allowing SMTP through 1841

Posted on 2008-11-04
17
Medium Priority
?
316 Views
Last Modified: 2012-05-05
Ok. we used to have all of our mail go through a symantec vpn100. we got rid of it and changed our external A and MX records to go to the WAN IP of the Cisco.. i created a nat statement to forward 80, 25 to the internal exchange server.   below is the config..can you see anything missing?

!
!
ip domain name micro.net
ip name-server 192.168.57.11
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
crypto pki trustpoint TP-self-signed-383872724
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-383872724
 revocation-check none
 rsakeypair TP-self-signed-383872724
!
!
crypto pki certificate chain TP-self-signed-383872724
 certificate self-signed 01
  30820246 308201AF A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33383338 37323732 34301E17 0D303730 36303732 30323231
  325A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3338 33383732
  37323430 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  C077D9DE 1750E10E 330D6E19 58BD6E40 7C374F99 D083E2D1 940B1A39 60BDC296
  8FDB451F B50F464C 7033DEAE 50B16BBF 970176AA 2C0B48E6 F630901B 50753FBB
  F67D6F6B CC1A7D2E A069FEE5 9CCF591E 51BEBD0F 49CD1755 1D0650C3 0C253122
  1BA9682D E126DB7F 0FA450F8 E663178B 7E5CA7D9 24B364FD D29937EF 2CC20C81
  02030100 01A37030 6E300F06 03551D13 0101FF04 05300301 01FF301B 0603551D
  11041430 1282104D 575F5741 4E2E6D69 63726F2E 6E657430 1F060355 1D230418
  30168014 805764C2 B35DE9CE D0DE2A24 09726D2A E825EC7A 301D0603 551D0E04
  16041480 5764C2B3 5DE9CED0 DE2A2409 726D2AE8 25EC7A30 0D06092A 864886F7
  0D010104 05000381 81004257 03B1DBBB A070E6E8 3FD82BFA C6EAD631 8EBDA7CA
  A3CC9E7E 15564173 4975C308 E1CFF8B2 F04BB6B3 F265F5DB A05C2A1B 40EA12FE
  175198B7 10DF49CA E335C642 8D76A93C F8A97779 EF8BF16E BE2D61CD 5F2F1D2D
  79079226 332953BD D543039B 4129DD8D CFBB3A52 EAD7156D 0D7986A0 9A1E61AB
  077DC98E D9E3AB05 D2A9
  quit

!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
policy-map WEBVPN_Policy
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key MW_RECTunnel address 216.207.224.5 no-xauth
crypto isakmp key MW_FDTunnel address 216.207.224.2 no-xauth
crypto isakmp key MW_WATERTunnel address 216.207.224.3 no-xauth
crypto isakmp key MW_COBVPNTunnel address 70.62.43.150 no-xauth
crypto isakmp key MW_POLTunnel address 216.207.224.4 no-xauth
crypto isakmp key MW_TJKTunnel address 74.204.74.32 no-xauth
crypto isakmp keepalive 15
!
crypto isakmp client configuration group MWVPN
 key Deploy57
 dns 192.168.57.11
 pool VPN_POOL
 acl 105
 netmask 255.255.255.0
!
crypto isakmp client configuration group GROUP_VPN
!
!
crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
crypto ipsec transform-set AES256 esp-aes 256 esp-sha-hmac
!
crypto dynamic-map VPN_Clients 100
 set transform-set 3DES
 reverse-route
!
!
crypto map VPN client authentication list USER_VPN
crypto map VPN isakmp authorization list GROUP_VPN
crypto map VPN client configuration address respond
crypto map VPN 10 ipsec-isakmp
 description Tunnel to COB
 set peer 70.62.43.150
 set transform-set 3DES
 match address MW2COB
crypto map VPN 20 ipsec-isakmp
 set peer 216.207.224.4
 set transform-set 3DES
 match address MW2POL
crypto map VPN 30 ipsec-isakmp
 description Tunnel to COB Water
 set peer 216.207.224.3
 set transform-set 3DES
 match address MW2WAT
crypto map VPN 50 ipsec-isakmp
 description Tunnel to TJK
 set peer 74.204.74.32
 set transform-set 3DES
 match address MW2TJK
crypto map VPN 65535 ipsec-isakmp dynamic VPN_Clients
!
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.252
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description MW_WAN/VPN
 ip address dhcp
 ip accounting output-packets
 ip nat outside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
 crypto map VPN
!
interface FastEthernet0/0.1
 encapsulation dot1Q 10
 ip address 192.168.100.1 255.255.255.0
 no ip route-cache
 no cdp enable
!
interface FastEthernet0/1
 description MW_LAN
 ip address 192.168.57.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 ip policy route-map VPN
 duplex auto
 speed auto
!
ip local pool VPN_POOL 10.10.10.1 10.10.10.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.254
ip route 192.168.60.0 255.255.255.0 192.168.57.2
ip route 192.168.80.0 255.255.255.0 192.168.57.2
ip route 192.168.254.0 255.255.255.0 192.168.57.2
!
!
ip http server
ip http port 8080
ip http access-class 50
ip http authentication local
no ip http secure-server
ip nat inside source route-map NAT interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.57.90 21 75.13.63.69 21 extendable
ip nat inside source static udp 192.168.57.90 21 75.13.63.69 21 extendable
ip nat inside source static tcp 192.167.57.11 25 75.13.63.69 25 extendable
ip nat inside source static tcp 192.168.57.11 50 75.13.63.69 50 extendable
ip nat inside source static udp 192.168.57.11 50 75.13.63.69 50 extendable
ip nat inside source static tcp 192.168.57.11 80 75.13.63.69 80 extendable
ip nat inside source static tcp 192.167.57.11 110 75.13.63.69 110 extendable
ip nat inside source static tcp 192.168.57.11 5633 75.13.63.69 5633 extendable
ip nat inside source static udp 192.168.57.11 5634 75.13.63.69 5634 extendable
ip nat inside source static tcp 192.168.57.50 5888 75.13.63.69 5888 extendable
ip nat inside source static udp 192.168.57.50 5889 75.13.63.69 5889 extendable
ip nat inside source static tcp 192.168.57.50 57892 75.13.63.69 57892 extendable
!
ip access-list extended MW2COB
 remark MW VPN to COB
 permit ip 192.168.57.0 0.0.0.255 10.1.1.0 0.0.0.255
ip access-list extended MW2POL
 permit ip 192.168.57.0 0.0.0.255 10.1.9.0 0.0.0.255
 remark MW VPN to Pollution Control
ip access-list extended MW2TJK
 permit ip 192.168.57.0 0.0.0.255 10.11.11.0 0.0.0.255
 remark MW VPN to TJK
ip access-list extended MW2WAT
 permit ip 192.168.57.0 0.0.0.255 10.1.11.0 0.0.0.255
 remark MW VPN to Water Plant
ip access-list extended inet-traffic
 deny   ip 192.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
 deny   ip 192.0.0.0 0.255.255.255 172.16.0.0 0.15.255.255
 deny   ip 192.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 permit ip 192.168.57.0 0.0.0.255 any
!
access-list 198 permit ip 192.168.57.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 199 permit ip 192.168.57.0 0.0.0.255 10.10.10.0 0.0.0.255
snmp-server community public RW
snmp-server chassis-id CiscoRouter
no cdp run
!
route-map VPN permit 10
 match ip address 198
 set ip next-hop 1.1.1.2
!
route-map NAT permit 10
 match ip address inet-traffic
!
!
!

!
control-plane
!
!
banner login ^C
*****************************************************************
* Unauthorized access will be prosecuted to the fullest extent  *
* of the law.  To avoid criminal charges, disconnect NOW        *
*****************************************************************
^C
banner motd ^CLogin Successful^C
!
line con 0
 transport output telnet
line aux 0
 transport output telnet

!
scheduler allocate 20000 1000
end
                         
0
Comment
Question by:jasonmichel
  • 10
  • 7
17 Comments
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22880124
Not sure why you have a default route via 192.168.1.254?  Your default route should be learned via DHCP.  I would also change your static NAT's to reference the FastEthernet0/0 interface instead of the IP address since you are using DHCP.
0
 
LVL 1

Author Comment

by:jasonmichel
ID: 22880159
ok..a little add on.. we have an ADSL connection that is connected to a 2wire device.. the 192.168.1.254 is the 2 wire device.  Can you see anything that should be stopping mail coming in?  if we ping our mail.company  it goes to the WAN interface of the Cisco..
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22880223
Okay, so the DHCP on the FastEthernet0/0 interface is throwing me a little bit.  What IP's are on the 2wire device?  What IP is on the FastEthernet0/0 interface?
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 1

Author Comment

by:jasonmichel
ID: 22880386
ok we have 5 static IP's the 2wire device, it has a built in 4 port switch..per their guidelines, the devices must be dhcp, (the fa0/0 on cisco) then you can go in after it discovers it and assign it static dhcp so that it always gets the same IP.  So the 2 wire actually has 5 ips with it.. We ordered an ADSL card for our 1841 so that will be another question..lol.. but we also have a symantec VPN100 device on the 2wire that we used for a tunnel and our mail used to go there. well we switched our mail to the cisco IP today.  the other issue that might be helpful to know, even though the default route is the 192.168.1.254 of the 2wire, if my PC has a gateway of 192.168.57.1 (cisco LAN) i can't get to the 2wire device, however, if my gateway is 192.168.57.2(symantec device) I can..lol..does that help?
0
 
LVL 1

Author Comment

by:jasonmichel
ID: 22880473
how should my default route statement look?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22880517
The default route on the Cisco should be the same as the Symantec.  I would think it isn't 192.168.1.254.  Take a look at the Symantec...
0
 
LVL 1

Author Comment

by:jasonmichel
ID: 22880601
hmm..the default gateway is 75.13.63.254
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22880626
Yeah, that sounds better.  So try this:

conf t
no ip route 0.0.0.0 0.0.0.0 192.168.1.254
ip route 0.0.0.0 0.0.0.0 75.13.63.254
0
 
LVL 1

Author Comment

by:jasonmichel
ID: 22880720
yeah i actually did that and still nothing...i keep thinking its the 2wire that's preventing it, even though it says the cisco is in its DMZ..so i guess...how an i see if smtp traffic is atleast getting to the cisco?
0
 
LVL 1

Author Comment

by:jasonmichel
ID: 22881284
any ideas?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22881539
What is the subnet mask on the 1841 wan interface?
0
 
LVL 1

Author Comment

by:jasonmichel
ID: 22881929
255.255.255.248
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22881960
Okay, well then 75.13.63.254 isn't valid.  Can you login to the 2wire device?  What IP is on the LAN interface of the 2wire?  The 1841 should have a default route pointing to the LAN interface of the 2wire.
0
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 2000 total points
ID: 22881975
Also try removing the default route from the 1841 and the post a "show ip route"
0
 
LVL 1

Author Comment

by:jasonmichel
ID: 22882656
LAN ip is the 192.168.1.254..if you look at the run config...you can see there was a route in there for the 75.13.63.254..i didn't initially set this router up..thats why i'm trying to figure out...i changed the default route back to the 192.168.1.254..no luck..

when i do a sho ip nat trans...i see a bunch of smtp translations in the first column..is that incoming or outgoing?
0
 
LVL 1

Author Comment

by:jasonmichel
ID: 22882660
if i remove the default route..will that take down my inet?
0
 
LVL 1

Author Comment

by:jasonmichel
ID: 22884751
started working late last night...just took longer than normal for DNS to replicate i suppose...thanks for helping though
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I found an issue or “bug” in the SonicOS platform (the firmware controlling SonicWALL security appliances) that has to do with renaming Default Service Objects, which then causes a portion of the system to become uncontrollable and unstable. BACK…
How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

864 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question