Solved

NAT on a cisco router (hosting exchange and website internally)

Posted on 2010-11-09
Last Modified: 2012-05-10
Hi,

We were donated a new Cisco 891 router. I am trying to set it up.

I can connect to the internet but NAT is not working; for example, our Exchange cannot get emails because port 25 is not NATed to the internal IP of Exchange.

Please help with the proper commands to run to set this up!

Below is my config


Building configuration...

Current configuration : 6107 bytes
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 891
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 STUFF
!
no aaa new-model
!
!
!
service-module wlan-ap 0 bootimage autonomous
!
crypto pki trustpoint TP-self-signed-4274201092
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4274201092
 revocation-check none
 rsakeypair TP-self-signed-4274201092
!
!
crypto pki certificate chain TP-self-signed-4274201092
 certificate self-signed 01
        quit
ip source-route
!
!
!
!
ip cef
no ip domain lookup
ip domain name my.domainisfilledout
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO891W-AGN-A-K9 sn FTX1435838V
!

!
!
!
!
!
!
!
!
!
interface FastEthernet0
 !
!
interface FastEthernet1
 !
!
interface FastEthernet2
 !
!
interface FastEthernet3
 !
!
interface FastEthernet4
 !
!
interface FastEthernet5
 !
!
interface FastEthernet6
 !
!
interface FastEthernet7
 !
!
interface FastEthernet8
 no ip address
 ip nat inside
 ip virtual-reassembly
 shutdown
 duplex auto
 speed auto
 !
!
interface GigabitEthernet0
 description $ES_WAN$$ETH-WAN$
 ip address PUBLIC IP 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 !
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip unnumbered Vlan1
 arp timeout 0
 !
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 !
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$
 ip address 192.168.31.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 !
!
interface Async1
 no ip address
 encapsulation slip
 !
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat pool ME 192.168.31.1 192.168.31.255 netmask 255.255.255.0
ip nat inside source list 1 interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 ROUTER EXT IP permanent
!
access-list 1 permit 192.168.31.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 192.168.31.0 0.0.0.255
no cdp run

!
!
!
!
!
!
control-plane
 !
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you want to
use.

-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.

YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE  PUBLICLY-KNOWN
CREDENTIALS

Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want
to use.

IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.

For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
 login local
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin udptn ssh
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
ntp update-calendar
ntp server 64.90.182.55 prefer
end

ROUTERW#
Question by: btny
3 Comments

Accepted Solution by: jmeggers (LVL 18, earned 500 total points)
You need to add a static NAT command for the Exchange server:

ip nat inside source static <protocol> <inside_IP> <port> <outside_IP> <port>

e.g.:
ip nat inside source static tcp 10.10.10.1 25 200.26.12.97 25

See http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093f31.shtml
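The accepted answer's static NAT worked through for this router's own addressing, as an added example that is not part of the original thread: it assumes an Exchange host at 192.168.31.10 and a web host at 192.168.31.20 (the title says both are hosted internally) and that the IOS security feature set is available on this 891. It also adds the inbound filter and stateful inspection a practitioner would want once ports are exposed, because the posted config has no access list on GigabitEthernet0.

```cisco
! Added example (not from the original post). Assumed inside hosts:
!   192.168.31.10 = Exchange server, 192.168.31.20 = web server
! Addressing is from the posted config: Vlan1 (192.168.31.0/24) is
! "ip nat inside", GigabitEthernet0 is "ip nat outside".
!
! Static port forwards. "interface GigabitEthernet0" instead of a literal
! global address keeps them valid if the ISP changes the public IP.
ip nat inside source static tcp 192.168.31.10 25  interface GigabitEthernet0 25
ip nat inside source static tcp 192.168.31.10 443 interface GigabitEthernet0 443
ip nat inside source static tcp 192.168.31.20 80  interface GigabitEthernet0 80
!
! The posted "ip nat pool ME" is never referenced and spans the LAN itself.
no ip nat pool ME
!
! Forwarding ports exposes the servers, and the posted config filters
! nothing on the outside interface. An inbound ACL is evaluated before
! inbound NAT, so it matches the public (pre-translation) destination;
! "any" stands in for the redacted public address of GigabitEthernet0.
ip access-list extended OUTSIDE-IN
 remark only the forwarded services may be initiated from the Internet
 permit tcp any any eq 25
 permit tcp any any eq 443
 permit tcp any any eq 80
 remark the router's own NTP (inspection does not track router-originated traffic)
 permit udp host 64.90.182.55 eq ntp any eq ntp
 permit icmp any any echo-reply
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 deny   ip any any log
!
! Stateful inspection opens return paths for sessions started on the LAN.
! Generic tcp inspection is used on purpose: the dedicated smtp engine
! restricts the command set and breaks ESMTP peers such as Exchange.
ip inspect name LAN-OUT tcp
ip inspect name LAN-OUT udp
ip inspect name LAN-OUT icmp
!
interface GigabitEthernet0
 ip access-group OUTSIDE-IN in
 ip inspect LAN-OUT out
!
! Verification once a remote mail server connects:
!   show ip nat translations | include :25
!   show ip nat statistics
!   show access-lists OUTSIDE-IN
!   show ip inspect sessions
```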
Expert Comment by: drpoppers (LVL 3)
I'd also turn off fixup for SMTP:

no fixup protocol smtp 25

This has caused me lots of grief with Exchange.
Expert Comment by: blue-screen (LVL 7)
As a less experienced user, you might want to use the web-based Cisco Configuration Professional rather than the raw CLI.

www.cisco.com/go/ccp

Download the latest version, check out the quick start and user guide.

Once installed, you should be able to log into the router and work through the wizards for most common tasks.