jasonmichel

Allowing SMTP through 1841

Ok. We used to have all of our mail go through a Symantec VPN100. We got rid of it and changed our external A and MX records to go to the WAN IP of the Cisco. I created a NAT statement to forward 80 and 25 to the internal Exchange server. Below is the config. Can you see anything missing?

!
!
ip domain name micro.net
ip name-server 192.168.57.11
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
crypto pki trustpoint TP-self-signed-383872724
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-383872724
 revocation-check none
 rsakeypair TP-self-signed-383872724
!
!
crypto pki certificate chain TP-self-signed-383872724
 certificate self-signed 01
  quit

!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
policy-map WEBVPN_Policy
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key MW_RECTunnel address 216.207.224.5 no-xauth
crypto isakmp key MW_FDTunnel address 216.207.224.2 no-xauth
crypto isakmp key MW_WATERTunnel address 216.207.224.3 no-xauth
crypto isakmp key MW_COBVPNTunnel address 70.62.43.150 no-xauth
crypto isakmp key MW_POLTunnel address 216.207.224.4 no-xauth
crypto isakmp key MW_TJKTunnel address 74.204.74.32 no-xauth
crypto isakmp keepalive 15
!
crypto isakmp client configuration group MWVPN
 key Deploy57
 dns 192.168.57.11
 pool VPN_POOL
 acl 105
 netmask 255.255.255.0
!
crypto isakmp client configuration group GROUP_VPN
!
!
crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
crypto ipsec transform-set AES256 esp-aes 256 esp-sha-hmac
!
crypto dynamic-map VPN_Clients 100
 set transform-set 3DES
 reverse-route
!
!
crypto map VPN client authentication list USER_VPN
crypto map VPN isakmp authorization list GROUP_VPN
crypto map VPN client configuration address respond
crypto map VPN 10 ipsec-isakmp
 description Tunnel to COB
 set peer 70.62.43.150
 set transform-set 3DES
 match address MW2COB
crypto map VPN 20 ipsec-isakmp
 set peer 216.207.224.4
 set transform-set 3DES
 match address MW2POL
crypto map VPN 30 ipsec-isakmp
 description Tunnel to COB Water
 set peer 216.207.224.3
 set transform-set 3DES
 match address MW2WAT
crypto map VPN 50 ipsec-isakmp
 description Tunnel to TJK
 set peer 74.204.74.32
 set transform-set 3DES
 match address MW2TJK
crypto map VPN 65535 ipsec-isakmp dynamic VPN_Clients
!
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.252
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description MW_WAN/VPN
 ip address dhcp
 ip accounting output-packets
 ip nat outside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
 crypto map VPN
!
interface FastEthernet0/0.1
 encapsulation dot1Q 10
 ip address 192.168.100.1 255.255.255.0
 no ip route-cache
 no cdp enable
!
interface FastEthernet0/1
 description MW_LAN
 ip address 192.168.57.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 ip policy route-map VPN
 duplex auto
 speed auto
!
ip local pool VPN_POOL 10.10.10.1 10.10.10.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.254
ip route 192.168.60.0 255.255.255.0 192.168.57.2
ip route 192.168.80.0 255.255.255.0 192.168.57.2
ip route 192.168.254.0 255.255.255.0 192.168.57.2
!
!
ip http server
ip http port 8080
ip http access-class 50
ip http authentication local
no ip http secure-server
ip nat inside source route-map NAT interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.57.90 21 75.13.63.69 21 extendable
ip nat inside source static udp 192.168.57.90 21 75.13.63.69 21 extendable
ip nat inside source static tcp 192.167.57.11 25 75.13.63.69 25 extendable
ip nat inside source static tcp 192.168.57.11 50 75.13.63.69 50 extendable
ip nat inside source static udp 192.168.57.11 50 75.13.63.69 50 extendable
ip nat inside source static tcp 192.168.57.11 80 75.13.63.69 80 extendable
ip nat inside source static tcp 192.167.57.11 110 75.13.63.69 110 extendable
ip nat inside source static tcp 192.168.57.11 5633 75.13.63.69 5633 extendable
ip nat inside source static udp 192.168.57.11 5634 75.13.63.69 5634 extendable
ip nat inside source static tcp 192.168.57.50 5888 75.13.63.69 5888 extendable
ip nat inside source static udp 192.168.57.50 5889 75.13.63.69 5889 extendable
ip nat inside source static tcp 192.168.57.50 57892 75.13.63.69 57892 extendable
!
ip access-list extended MW2COB
 remark MW VPN to COB
 permit ip 192.168.57.0 0.0.0.255 10.1.1.0 0.0.0.255
ip access-list extended MW2POL
 permit ip 192.168.57.0 0.0.0.255 10.1.9.0 0.0.0.255
 remark MW VPN to Pollution Control
ip access-list extended MW2TJK
 permit ip 192.168.57.0 0.0.0.255 10.11.11.0 0.0.0.255
 remark MW VPN to TJK
ip access-list extended MW2WAT
 permit ip 192.168.57.0 0.0.0.255 10.1.11.0 0.0.0.255
 remark MW VPN to Water Plant
ip access-list extended inet-traffic
 deny   ip 192.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
 deny   ip 192.0.0.0 0.255.255.255 172.16.0.0 0.15.255.255
 deny   ip 192.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 permit ip 192.168.57.0 0.0.0.255 any
!
access-list 198 permit ip 192.168.57.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 199 permit ip 192.168.57.0 0.0.0.255 10.10.10.0 0.0.0.255
snmp-server community public RW
snmp-server chassis-id CiscoRouter
no cdp run
!
route-map VPN permit 10
 match ip address 198
 set ip next-hop 1.1.1.2
!
route-map NAT permit 10
 match ip address inet-traffic
!
!
!

!
control-plane
!
!
banner login ^C
*****************************************************************
* Unauthorized access will be prosecuted to the fullest extent  *
* of the law.  To avoid criminal charges, disconnect NOW        *
*****************************************************************
^C
banner motd ^CLogin Successful^C
!
line con 0
 transport output telnet
line aux 0
 transport output telnet

!
scheduler allocate 20000 1000
end
JFrederick29

Not sure why you have a default route via 192.168.1.254? Your default route should be learned via DHCP. I would also change your static NATs to reference the FastEthernet0/0 interface instead of the IP address, since you are using DHCP.
jasonmichel

ASKER

Ok, a little add-on: we have an ADSL connection that is connected to a 2Wire device; the 192.168.1.254 is the 2Wire device. Can you see anything that should be stopping mail coming in? If we ping our mail.company it goes to the WAN interface of the Cisco.
JFrederick29

Okay, so the DHCP on the FastEthernet0/0 interface is throwing me a little bit. What IPs are on the 2Wire device? What IP is on the FastEthernet0/0 interface?

jasonmichel

ASKER

Ok, we have 5 static IPs on the 2Wire device; it has a built-in 4-port switch. Per their guidelines, the devices must be DHCP (the fa0/0 on the Cisco); then you can go in after it discovers it and assign it static DHCP so that it always gets the same IP. So the 2Wire actually has 5 IPs with it. We ordered an ADSL card for our 1841, so that will be another question, lol. But we also have a Symantec VPN100 device on the 2Wire that we used for a tunnel, and our mail used to go there. Well, we switched our mail to the Cisco IP today. The other issue that might be helpful to know: even though the default route is the 192.168.1.254 of the 2Wire, if my PC has a gateway of 192.168.57.1 (Cisco LAN) I can't get to the 2Wire device; however, if my gateway is 192.168.57.2 (Symantec device) I can, lol. Does that help?
How should my default route statement look?

JFrederick29

The default route on the Cisco should be the same as the Symantec. I would think it isn't 192.168.1.254. Take a look at the Symantec...

jasonmichel

ASKER

Hmm, the default gateway is 75.13.63.254.

JFrederick29

Yeah, that sounds better. So try this:

conf t
no ip route 0.0.0.0 0.0.0.0 192.168.1.254
ip route 0.0.0.0 0.0.0.0 75.13.63.254

jasonmichel

ASKER

Yeah, I actually did that and still nothing. I keep thinking it's the 2Wire that's preventing it, even though it says the Cisco is in its DMZ. So I guess... how can I see if SMTP traffic is at least getting to the Cisco?
Any ideas?

JFrederick29

What is the subnet mask on the 1841 WAN interface?

jasonmichel

ASKER

255.255.255.248

JFrederick29

Okay, well then 75.13.63.254 isn't valid. Can you log in to the 2Wire device? What IP is on the LAN interface of the 2Wire? The 1841 should have a default route pointing to the LAN interface of the 2Wire.
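Two checks worth running over the posted config, written here as an added Python example rather than anything from the thread: the first flags static NAT entries whose inside address sits on no `ip nat inside` subnet (the two 192.167.57.11 lines for ports 25 and 110 translate inbound SMTP and POP3 to an address outside the 192.168.57.0/24 LAN), and the second applies JFrederick29's subnet-mask point to candidate next-hops. The config excerpt is a constructed subset of the posted one; 75.13.63.65 is a constructed on-link address used for contrast.

```python
"""Sanity checks on the NAT and default-route lines discussed in this thread."""
import ipaddress
import re

# Constructed excerpt of the running config posted in the question:
# the LAN interface plus four of its static NAT lines, copied verbatim.
CONFIG = """\
interface FastEthernet0/1
 ip address 192.168.57.1 255.255.255.0
 ip nat inside
ip nat inside source static tcp 192.168.57.90 21 75.13.63.69 21 extendable
ip nat inside source static tcp 192.167.57.11 25 75.13.63.69 25 extendable
ip nat inside source static tcp 192.168.57.11 80 75.13.63.69 80 extendable
ip nat inside source static tcp 192.167.57.11 110 75.13.63.69 110 extendable
"""
STATIC_NAT = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) ", re.M)

def inside_subnets(config):
    """Subnets of every interface that carries 'ip nat inside'."""
    subnets, current = [], None
    for line in config.splitlines():
        addr = re.match(r"\s+ip address (\S+) (\S+)$", line)
        if addr:  # 'ip address dhcp' has one token and is skipped on purpose
            current = ipaddress.ip_interface(f"{addr[1]}/{addr[2]}").network
        elif line.strip() == "ip nat inside" and current is not None:
            subnets.append(current)
        elif not line.startswith(" "):  # left the interface block
            current = None
    return subnets

def misplaced_static_nats(config):
    """Static NAT entries whose inside-local address is on no inside subnet;
    inbound packets get translated to a host the LAN cannot deliver to."""
    nets = inside_subnets(config)
    return [(proto, local, int(port))
            for proto, local, port in STATIC_NAT.findall(config)
            if not any(ipaddress.ip_address(local) in net for net in nets)]

def offlink_next_hops(wan_ip, mask, candidates):
    """Candidate next-hops that are not on the WAN interface's own subnet."""
    net = ipaddress.ip_interface(f"{wan_ip}/{mask}").network
    return [hop for hop in candidates if ipaddress.ip_address(hop) not in net]

if __name__ == "__main__":
    print(misplaced_static_nats(CONFIG))
    # WAN address from the NAT lines, /29 mask from the reply; .65 is a
    # constructed on-link address for contrast with the proposed .254.
    print(offlink_next_hops("75.13.63.69", "255.255.255.248",
                            ["75.13.63.254", "75.13.63.65"]))
```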
ASKER CERTIFIED SOLUTION
JFrederick29

jasonmichel

ASKER

LAN IP is the 192.168.1.254. If you look at the run config you can see there was a route in there for the 75.13.63.254. I didn't initially set this router up; that's why I'm trying to figure it out. I changed the default route back to the 192.168.1.254. No luck.

When I do a sho ip nat trans I see a bunch of SMTP translations in the first column. Is that incoming or outgoing?
If I remove the default route, will that take down my inet?

Started working late last night. Just took longer than normal for DNS to replicate, I suppose. Thanks for helping though.