Cisco IOS & Exchange Issues

I have a Cisco 2851 router. Right now I have my external IP for my mail server NAT'd to send all incoming traffic directly to my mail server. I want to restrict it to just specific ports so that I can forward port 25 traffic directly to my Barracuda SPAM filter. However, when I restrict it by port I am no longer able to send external email. Mail just sits in the queue. If I open it back up it will start working again.

This way works:
ip nat inside source static tcp 192.168.xx.18 63.xx.1xx.xx route-map SDM_EMAIL extendable
access-list 138 deny   ip host 192.168.xx.18 192.168.xx.0 0.0.0.255  (VPN users)
access-list 138 deny   ip host 192.168.xx.18 192.168.xx.0 0.0.0.255  (VPN Users)
access-list 138 permit ip host 192.168.xx.18 any

When I do it this way, it doesn't work:
ip nat inside source static tcp 192.168.xx.18 25 63.xx.1xx.xx 25 route-map SDM_EMAIL extendable
access-list 138 deny ip host 192.168.xx.18 192.168.51.0 0.0.0.255
access-list 138 deny ip host 192.168.xx.18 192.168.37.0 0.0.0.255
access-list 138 permit tcp host 192.168.xx.18 eq 25 any
access-list 138 permit tcp host 192.168.xx.18 eq 443 any

Route Map:
route-map SDM_EMAIL permit 1
 match ip address 138
!

What am I doing wrong?  I receive external mail just fine.  But I can't send external email.
JLM521 asked:

Muhammad Mulla commented:
Is this a cloud service or in your perimeter network?
Rafael commented:
You have the port listed twice and it does not seem that you've listed your external source.

ip nat inside source static tcp 192.168.xx.18 25 63.xx.1xx.xx 25 route-map SDM_EMAIL extendable

Are you using a serial interface for your initial inbound traffic?

Hopefully, this link will explain it better.

Can you post your clean show running config via the attachment link for review?

HTH
-Rafael
Mohammed Khawaja (Manager - Infrastructure: Information Technology) commented:
You could be using encrypted SSL; try also opening ports 465 and 587, and try again.


JLM521 (Author) commented:
Yes, here is more detail on it.

interface Serial0/0
  ip address 157.xx.xx.xx 255.255.255.252
  ip nat outside

interface Ethernet0/0
  ip address 192.168.20.1 255.255.255.0
  ip nat inside

Mail Srvs External IP:  63.xx.1xx.xx
Internal Mail IP:  192.168.20.18

ip nat inside source static tcp 192.168.20.18 25   63.xx.1xx.xx 25   route-map SDM_EMAIL extendable
ip nat inside source static tcp 192.168.20.18 443 63.xx.1xx.xx 443 route-map SDM_EMAIL extendable
ip nat inside source static tcp 192.168.20.18 587 63.xx.1xx.xx 587 route-map SDM_EMAIL extendable

access-list 138 deny ip host 192.168.20.18 192.168.51.0 0.0.0.255
access-list 138 deny ip host 192.168.20.18 192.168.37.0 0.0.0.255
access-list 138 permit tcp host 192.168.20.18 eq 25 any
access-list 138 permit tcp host 192.168.20.18 eq 443 any

If I go to my exchange server and telnet to a Google mail server on port 25, it works just fine, with all ports open. But when I try with the ports restricted it fails. It's like port 25 stops working. I was watching the nat logging on the router and it seems like it gets out to Google just fine on port 25 but when it tries to come back, it isn't on port 25 anymore.

I can do MX DNS lookups just fine from the mail server when the ports are restricted, it just won't send the messages through.
JLM521 (Author) commented:
Forgot to add to post above, but 587 is also in the access list.

access-list 138 deny ip host 192.168.20.18 192.168.51.0 0.0.0.255
access-list 138 deny ip host 192.168.20.18 192.168.37.0 0.0.0.255
access-list 138 permit tcp host 192.168.20.18 eq 25 any
access-list 138 permit tcp host 192.168.20.18 eq 443 any
access-list 138 permit tcp host 192.168.20.18 eq 587 any
JLM521 (Author) commented:
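Added example, not code from the thread: a small Python model of IOS extended ACL matching, fed with the posted access-list 138 in both forms (the first posting's `permit ip host ... any` and the final port-restricted version) and with constructed sample flows. It makes visible what a port operator placed right after the source address means in IOS syntax: it constrains the packet's source port, so it selects replies to an inbound SMTP session differently from a new outbound connection to a remote port 25. The remote address 203.0.113.25 and the ephemeral port are constructed placeholder values.

```python
# Added example, not code from the thread: a minimal model of Cisco IOS extended
# ACL matching, used to see which flows the posted access-list 138 selects.
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:  # wildcard bit 1 = don't care
    a, b = int(ipaddress.ip_address(addr)), int(ipaddress.ip_address(base))
    w = int(ipaddress.ip_address(wildcard))
    return (a & ~w) == (b & ~w)

# Each ACE: (action, proto, src, src_wildcard, src_port_or_None, dst, dst_wildcard, dst_port_or_None)
ANY = ("0.0.0.0", "255.255.255.255")
MAIL = ("192.168.20.18", "0.0.0.0")          # "host 192.168.20.18"
VPN_DENIES = [
    ("deny", "ip", *MAIL, None, "192.168.51.0", "0.0.0.255", None),
    ("deny", "ip", *MAIL, None, "192.168.37.0", "0.0.0.255", None),
]
# The first posting: "permit ip host 192.168.x.18 any"
ACL_OPEN = VPN_DENIES + [("permit", "ip", *MAIL, None, *ANY, None)]
# The final posting: "permit tcp host 192.168.20.18 eq <port> any" for 25, 443, 587.
# In IOS syntax a port operator written right after the source address
# constrains the SOURCE port of the packet, not the destination port.
ACL_RESTRICTED = VPN_DENIES + [("permit", "tcp", *MAIL, p, *ANY, None) for p in (25, 443, 587)]

def acl_action(acl, pkt: Packet) -> str:
    for action, proto, sb, sw, sp, db, dw, dp in acl:
        if ((proto == "ip" or proto == pkt.proto)
                and wildcard_match(pkt.src, sb, sw) and wildcard_match(pkt.dst, db, dw)
                and (sp is None or pkt.sport == sp)
                and (dp is None or pkt.dport == dp)):
            return action  # first matching ACE wins
    return "deny"   # implicit deny at the end of every IOS ACL

# Constructed sample flows (inside -> outside, as the NAT route-map sees them); 203.0.113.25 is a placeholder.
REPLY_TO_INBOUND_SMTP = Packet("tcp", "192.168.20.18", 25, "203.0.113.25", 51000)
OUTBOUND_SMTP_EPHEMERAL = Packet("tcp", "192.168.20.18", 49152, "203.0.113.25", 25)
TO_VPN_SUBNET = Packet("tcp", "192.168.20.18", 25, "192.168.51.7", 51000)

if __name__ == "__main__":
    for name, acl in (("open", ACL_OPEN), ("restricted", ACL_RESTRICTED)):
        for pkt in (REPLY_TO_INBOUND_SMTP, OUTBOUND_SMTP_EPHEMERAL, TO_VPN_SUBNET):
            print(name, pkt.src + ":" + str(pkt.sport), "->", pkt.dst + ":" + str(pkt.dport), acl_action(acl, pkt))
```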
The problem is resolved. 587 was the port I was missing! Thanks!
Mohammed Khawaja (Manager - Infrastructure: Information Technology) commented:
I am glad it worked for you.