Solved

Cisco Router NAT problem

Posted on 2010-01-11
Medium Priority
925 Views
Last Modified: 2012-06-21
I have set up a Cisco 1811 router and set up NAT for web, FTP, and email. Everything works except that users outside the building cannot send email. They can receive, but not send. They get a timeout error.

I'm not sure why some NAT entries are working and others aren't.

Any ideas?

Thanks
Question by:wiggy353
14 Comments
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 26290352
do you have e-mail server behind 1811?

if you have, please make a static NAT to it....
if not, please enable fixup smtp
0
 
LVL 13

Expert Comment

by:GuruChiu
ID: 26290787
How do the users outside the building connect to the mail server? Do you have a static NAT for your mail server to the internet, or do they VPN in? Are they using SMTP, POP, IMAP, RPC/HTTPS or OWA to talk to the server?
0
 
LVL 16

Expert Comment

by:memo_tnt
ID: 26290790
Hi

please post your configuration


0
 
LVL 1

Author Comment

by:wiggy353
ID: 26292375
I do have email server behind the 1811. I made a static NAT to it for pop (110), imap (143), and smtp (25). The pop and the imap work but the smtp does not for some reason.

I will post config when I get to the shop in a couple of hours this morning.
0
 
LVL 1

Author Comment

by:wiggy353
ID: 26293120
Here is the current config:

cisco1800#term len 0
cisco1800#show run
Building configuration...

Current configuration : 10213 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco1800
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$cOP8$nuHASWHU0sN6kIIu5S7d11
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -7
no ip source-route
!
!
ip cef
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name office.lan
ip name-server 64.119.32.100
ip name-server 64.119.32.101
ip ssh time-out 60
ip ssh authentication-retries 2
ip port-map user-protocol--2 port tcp 3390
ip port-map user-protocol--3 port tcp 5343
ip port-map user-protocol--1 port tcp 8081
!
!
crypto pki trustpoint TP-self-signed-84208608
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-84208608
 revocation-check none
 rsakeypair TP-self-signed-84208608
!
!
crypto pki certificate chain TP-self-signed-84208608
 certificate self-signed 01
  30820248 308201B1 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  2F312D30 2B060355 04031324 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 38343230 38363038 301E170D 30393132 32393137 35383432
  5A170D32 30303130 31303030 3030305A 302F312D 302B0603 55040313 24494F53
  2D53656C 662D5369 676E6564 2D436572 74696669 63617465 2D383432 30383630
  3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100DBD2
  3B45BD47 BB5F07D3 70308BE5 254504E0 74EEBB1F B7E63F44 A66C257B E68B2F1E
  B44C1D3A 2EB4C492 868A1F04 D4DCB6C6 CB4B3BAA 271C1DA6 EB6CA33C F3A76555
  5B6D7B67 60970B63 C67F2DF7 6D0F51FA 8989FA23 381C44BF 68ED8FFE 033DE5BC
  CCE2AB67 5F7FDC64 5667AB03 4D384602 4B3CE372 3812E723 99D20C6B C5330203
  010001A3 74307230 0F060355 1D130101 FF040530 030101FF 301F0603 551D1104
  18301682 14636973 636F3138 30302E6F 66666963 652E6C61 6E301F06 03551D23
  04183016 8014C06D 1B634BFD 1101FC90 A5A248F4 747D6498 AC54301D 0603551D
  0E041604 14C06D1B 634BFD11 01FC90A5 A248F474 7D6498AC 54300D06 092A8648
  86F70D01 01040500 03818100 9E31B421 3FF04A28 5E678AF4 3839BA14 6A388C5B
  7D73DD3E E16AC26D AED51BC5 159D15F1 F7DB6203 FA2E8DEE 67207471 B3D8F08B
  32DE831E 4104977E BF02D2CA 42FC0FD3 6ABB668A 94492019 7F2F157C 171C1A05
  7D6DF588 7397EB38 F54E2386 FC0E549D 4BB11945 092AA114 1F932E9C 06ACF3A2
  365B386A 729820DB 380E5995
  quit
username wigs privilege 15 secret 5 $1$gd9i$shKkxEk6FmJhlD57z1mYN1
username alpha privilege 15 secret 5 $1$uspL$Gy32clKVeWlhkbEarODGL.
!
!
class-map type inspect match-all sdm-nat-user-protocol--3-1
 match access-group 108
 match protocol user-protocol--3
class-map type inspect match-all sdm-nat-http-1
 match access-group 102
 match protocol http
class-map type inspect match-all sdm-nat-user-protocol--2-1
 match access-group 107
 match protocol user-protocol--2
class-map type inspect match-all sdm-nat-user-protocol--1-1
 match access-group 105
 match protocol user-protocol--1
class-map type inspect match-all sdm-nat-smtp-1
 match access-group 101
 match protocol smtp
 match protocol imap
class-map type inspect match-all sdm-nat-imap-1
 match access-group 103
 match protocol imap
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-nat-pop3-1
 match access-group 104
 match protocol pop3
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-protocol-http
 match protocol http
class-map type inspect match-all sdm-nat-ftp-1
 match access-group 106
 match protocol ftp
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-smtp-1
  inspect
 class type inspect sdm-nat-http-1
  inspect
 class type inspect sdm-nat-imap-1
  inspect
 class type inspect sdm-nat-pop3-1
  inspect
 class type inspect sdm-nat-user-protocol--1-1
  inspect
 class type inspect sdm-nat-ftp-1
  inspect
 class type inspect sdm-nat-user-protocol--2-1
  inspect
 class type inspect sdm-nat-user-protocol--3-1
  inspect
 class class-default
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class class-default
policy-map type inspect ccp-permit
 class class-default
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
!
!
!
!
!
interface FastEthernet0
 description $ES_WAN$$FW_OUTSIDE$
 ip address 64.119.41.18 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
 ip address 192.168.4.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 64.119.41.17
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source static tcp 192.168.4.34 5343 interface FastEthernet0 5343
ip nat inside source static tcp 192.168.4.219 3390 interface FastEthernet0 3390
ip nat inside source static tcp 192.168.4.17 21 interface FastEthernet0 21
ip nat inside source static tcp 192.168.4.18 8081 interface FastEthernet0 8081
ip nat inside source static tcp 192.168.4.17 110 interface FastEthernet0 110
ip nat inside source static tcp 192.168.4.17 143 interface FastEthernet0 143
ip nat inside source static tcp 192.168.4.17 25 interface FastEthernet0 25
ip nat inside source static tcp 192.168.4.16 80 interface FastEthernet0 80
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 64.119.41.16 0.0.0.3 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 192.168.4.17
access-list 102 remark CCP_ACL Category=1
access-list 102 permit ip any host 192.168.4.16
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 192.168.4.17
access-list 104 remark CCP_ACL Category=0
access-list 104 permit ip any host 192.168.4.17
access-list 105 remark CCP_ACL Category=0
access-list 105 permit ip any host 192.168.4.18
access-list 106 remark CCP_ACL Category=0
access-list 106 permit ip any host 192.168.4.17
access-list 107 remark CCP_ACL Category=0
access-list 107 permit ip any host 192.168.4.219
access-list 108 remark CCP_ACL Category=0
access-list 108 permit ip any host 192.168.4.34
no cdp run
!
!
!
!
!
!
control-plane
!
banner exec ^CC
% Password expiration warning.
-----------------------------------------------------------------------
 
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
 
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
 
username <myuser> privilege 15 secret 0 <mypassword>
 
Replace <myuser> and <mypassword> with the username and password you want to
use.
 
-----------------------------------------------------------------------
^C
banner login ^CCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

0
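An added check, written here as an example and not part of the thread or of the router's own tooling: a small Python linter over the relevant lines of the configuration posted above. In that config, the class-map sdm-nat-smtp-1 is declared match-all but names both smtp and imap; one TCP session is classified as a single protocol, so it can never satisfy both criteria, no inbound SMTP session matches the class, and the out-zone to in-zone policy falls through to its class-default, which has no action and therefore drops the flow even though the static NAT for tcp/25 exists. The script parses the port-maps, inspect class-maps and static NAT entries, flags match-all classes that list several protocols, and lists forwarded ports that no usable inspect class admits. SAMPLE_CONFIG is a constructed excerpt of the posted config; the function names and the BUILTIN_PORTS table are my own assumptions.

```python
import re

# Constructed excerpt of the IOS config posted above: only the port-maps,
# the inspect class-maps and the static NAT lines that the check needs.
SAMPLE_CONFIG = """\
ip port-map user-protocol--2 port tcp 3390
ip port-map user-protocol--3 port tcp 5343
ip port-map user-protocol--1 port tcp 8081
class-map type inspect match-all sdm-nat-user-protocol--3-1
 match access-group 108
 match protocol user-protocol--3
class-map type inspect match-all sdm-nat-http-1
 match access-group 102
 match protocol http
class-map type inspect match-all sdm-nat-user-protocol--2-1
 match access-group 107
 match protocol user-protocol--2
class-map type inspect match-all sdm-nat-user-protocol--1-1
 match access-group 105
 match protocol user-protocol--1
class-map type inspect match-all sdm-nat-smtp-1
 match access-group 101
 match protocol smtp
 match protocol imap
class-map type inspect match-all sdm-nat-imap-1
 match access-group 103
 match protocol imap
class-map type inspect match-all sdm-nat-pop3-1
 match access-group 104
 match protocol pop3
class-map type inspect match-all sdm-nat-ftp-1
 match access-group 106
 match protocol ftp
ip nat inside source static tcp 192.168.4.34 5343 interface FastEthernet0 5343
ip nat inside source static tcp 192.168.4.219 3390 interface FastEthernet0 3390
ip nat inside source static tcp 192.168.4.17 21 interface FastEthernet0 21
ip nat inside source static tcp 192.168.4.18 8081 interface FastEthernet0 8081
ip nat inside source static tcp 192.168.4.17 110 interface FastEthernet0 110
ip nat inside source static tcp 192.168.4.17 143 interface FastEthernet0 143
ip nat inside source static tcp 192.168.4.17 25 interface FastEthernet0 25
ip nat inside source static tcp 192.168.4.16 80 interface FastEthernet0 80
"""

# Assumed table: well-known TCP ports behind the built-in IOS inspect protocol
# names used in this config. user-protocol--N names come from `ip port-map`.
BUILTIN_PORTS = {"ftp": 21, "smtp": 25, "http": 80, "pop3": 110, "imap": 143}


def parse_config(text):
    """Pull inspect class-maps, port-maps and static NAT ports out of a config.

    Returns (class_maps, port_map, nat_ports):
      class_maps: name -> {"mode": "match-all"|"match-any", "protocols": [...]}
      port_map:   inspect protocol name -> TCP port
      nat_ports:  set of TCP ports forwarded by `ip nat inside source static tcp`
    """
    class_maps = {}
    port_map = dict(BUILTIN_PORTS)
    nat_ports = set()
    current = None  # class-map whose indented body we are inside
    for line in text.splitlines():
        if line and not line[0].isspace():
            current = None  # any top-level statement ends a class-map body
        m = re.match(r"class-map type inspect (match-all|match-any) (\S+)", line)
        if m:
            current = m.group(2)
            class_maps[current] = {"mode": m.group(1), "protocols": []}
            continue
        m = re.match(r"\s+match protocol (\S+)", line)
        if m and current:
            class_maps[current]["protocols"].append(m.group(1))
            continue
        m = re.match(r"ip port-map (\S+) port tcp (\d+)", line)
        if m:
            port_map[m.group(1)] = int(m.group(2))
            continue
        m = re.match(r"ip nat inside source static tcp \S+ \d+ interface \S+ (\d+)", line)
        if m:
            nat_ports.add(int(m.group(1)))
    return class_maps, port_map, nat_ports


def find_unmatchable_classes(class_maps):
    """match-all class-maps naming two or more protocols: a session is
    classified as exactly one protocol, so such a class never matches."""
    return sorted(name for name, cm in class_maps.items()
                  if cm["mode"] == "match-all" and len(cm["protocols"]) > 1)


def find_uninspected_nat_ports(class_maps, port_map, nat_ports):
    """Forwarded ports that no usable inspect class covers; those sessions
    fall through to class-default on the outside-to-inside zone-pair."""
    covered = set()
    for cm in class_maps.values():
        if cm["mode"] == "match-all" and len(cm["protocols"]) > 1:
            continue  # never matches, so it covers nothing
        covered.update(port_map[p] for p in cm["protocols"] if p in port_map)
    return sorted(nat_ports - covered)


def audit(text):
    """Run both checks and return their findings as a dict."""
    class_maps, port_map, nat_ports = parse_config(text)
    return {
        "unmatchable_classes": find_unmatchable_classes(class_maps),
        "uninspected_nat_ports": find_uninspected_nat_ports(class_maps, port_map, nat_ports),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    for name in report["unmatchable_classes"]:
        print(f"class-map {name}: match-all with several protocols, never matches")
    for port in report["uninspected_nat_ports"]:
        print(f"tcp/{port}: static NAT present but no inspect class admits it")
```

Run against the excerpt, the audit names sdm-nat-smtp-1 as unmatchable and tcp/25 as the only forwarded port with no inspect class, which is exactly the "receive works, send times out" symptom in the question. The other sdm-nat-* classes already follow the pattern that works on this router: one access-group and one protocol per match-all class, so the defensive fix is to keep each class to a single protocol and let the `show policy-map type inspect zone-pair` counters confirm that the SMTP class is now seeing sessions.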
 
LVL 16

Expert Comment

by:memo_tnt
ID: 26293460
Hi

Does your MAIL server have a PTR record in your DNS???

If not,
then set a PTR record for it
0
 
LVL 1

Author Comment

by:wiggy353
ID: 26293733
The mail server is also our DNS and yes it has the record.
0
 
LVL 1

Author Comment

by:wiggy353
ID: 26293916
OK, the record is there, but I am starting to think that maybe it isn't configured correctly. I am going to take a closer look at it.

I am starting to think this is a DNS problem because of some other errors that I get. I have my email client on my laptop setup to use mail.servername.com for my email. It works fine on the old router inside or outside of the building.

When I hook up the new router, inside the network I can send but not receive ("server denied access on port 143"). Outside the network I can receive but not send (times out).

The question for me is why would one router (cheap Netgear) work the way it is setup and the other router (the cisco) not work?

Thanks
0
 
LVL 13

Expert Comment

by:GuruChiu
ID: 26294835
I did some tests and this is what I found:

Your SMTP server at  is working correctly. I can connect to it and was greeted with your domain name.
Your mx DNS is resolved correctly.
Your reverse DNS is resolved correctly.

I did notice that your domain DNS is ns1.simplybits.net. There is no problem unless you think that your internal DNS is also serving your domain DNS for your domain alpxxxx.com.

Also, your mail server identifies itself as alpxxxx.com, the same as your reverse DNS.
On the other hand, your MX record is listed as mail.alpxxxx.com.
Try to make them the same and see if this makes any difference.


0
 
LVL 1

Author Comment

by:wiggy353
ID: 26294950
Unfortunately, right now I have the old router setup so that our staff can do business. I can't troubleshoot this until after business hours so that business isn't interrupted.

I looked into why the previous IT guy set up a DNS inside our office and I can't find any good reason why it was set up. We should just use our ISP's. So I have stopped the DNS service on the server.

What are the tests that you ran so that I can try them after hours?
0
 
LVL 13

Expert Comment

by:GuruChiu
ID: 26295553
It is common to have internal & external DNS. It is perfectly OK and a lot of times is needed. You just have to be aware of that. For things that are meant to be public, make sure you publish them at the external DNS. It will become a problem when users keep changing settings in the internal DNS and still couldn't fix the problem because they are working on the wrong DNS.
If you intended to publish your internal DNS, e.g. zone transfer to your ISP's DNS, you also need to make sure you open the correct ports on your router and have the proper port forwarding configured.
0
 
LVL 1

Author Comment

by:wiggy353
ID: 26349737
OK, so right now I have the new router installed. Same problems going on. I tested from the outside right now and I can telnet into the server on the necessary ports and everything seems to connect fine. So I don't understand why email is not working... Any suggestions? I'm at my wit's end here...

0
 
LVL 13

Expert Comment

by:GuruChiu
ID: 26354057
If you can give me a userID, I can have my mail server try to connect to you and look at my server's error log. To protect your privacy, you only need to give me one valid userID, even a test ID which you can delete later. I already know your domain name, so no need to post it.
0
 
LVL 1

Accepted Solution

by:wiggy353 (earned 0 total points)
ID: 26408991
It ended up being a configuration problem. I worked with a Cisco technician to get it resolved.
0
