nat Port 25 from one Ip address

rbblue234
Level 1

I have an internal email server which I'm trying to allow our PUBLIC IP email gateway to talk to.

My goal is to only allow our public email gateway to talk on port 25 to this server on our inside network.

layout....

97.107.x.x  ---> {router 174.55.x.x} --> email server {10.0.1.10}

I have enabled the necessary firewall traffic to be tcp any from the email gateway.  I think that it is working, for before I enabled the rule I was unable to telnet to the router and after the rule was in place...  I was able to get a telnet response.

interface FastEthernet0/0
ip address dhcp
ip access-group Allowed in
ip nat outside
ip inspect network out
duplex auto
speed auto

ip nat inside source list 1 interface FastEthernet0/0 overload
access-list 1 permit 10.0.1.0 0.0.0.255

ip access-list extended Allowed
permit udp any eq bootps any eq bootpc
permit icmp any any traceroute
permit icmp any any echo
permit icmp any any echo-reply
permit tcp host 97.107.x.x any

I then enabled this NAT rule and I'm no longer getting blocks when I type telnet 174.5.x.x 25 from my email gateway (97.107.x.x). The connection appears to time out...

ip nat inside source static tcp 97.107.x.x 25 interface FastEthernet0/0 25
ip nat outside source static tcp 97.107.x.x 25 10.0.1.10 25 extendable

and then tried replacing the above line with...

ip nat outside source static tcp 10.0.1.10 25 97.107.x.x 25 extendable


Any thoughts on how to fix and make this work?

2 Replies

rbblue234
Level 1

I'm a newb.  I fixed it!

I changed

ip nat inside source static tcp 97.107.x.x 25 interface FastEthernet0/0 25

to

ip nat inside source static tcp 10.0.1.10 25 interface FastEthernet0/0 25

raga.fusionet
Level 4

Hi There,

Could you elaborate a little bit on this: "I think that it is working, for before I enabled the rule I was unable to telnet to the router and after the rule was in place...  I was able to get a telnet response". I don't think we followed.

In any case, if you want to allow external hosts to access your internal email server, all you need is this:

ip nat inside source static tcp 10.0.1.10 25 interface FastEthernet0/0 25

And then the corresponding ip nat inside and ip nat outside on the respective inside and outside interfaces (which I think you already have).

Now, to restrict the SMTP traffic to your public server only you would need to do something like this:

ip access-list extended Allowed

permit tcp host 97.107.x.x any eq 25

(Don't remove the other lines that you have on the ACL, I'm just suggesting that you need to add the line above.)

BTW, make sure you remove all the other static NATs that you configured for this host during your troubleshooting.

I hope this helps.

Raga
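As an added example (not code from the thread or from Cisco), a small Python model of how the inbound `Allowed` ACL is evaluated top-down with first match winning, comparing what the asker's `permit tcp host 97.107.x.x any` entry admits from the gateway against the port-25 entry from the reply. It assumes the broad TCP entry is replaced by the port-25 one and uses constructed addresses in place of the masked x.x octets.

```python
import ipaddress
# Constructed model (not from the thread) of how an IOS extended ACL applied
# inbound on the outside interface is evaluated: top-down, first match wins,
# anything unmatched hits the implicit "deny ip any any". Inbound on the outside
# interface the ACL sees the pre-NAT destination (the router's public address).
# Only any/host sources and destinations, and the destination port, are matched.
NAMED_PORTS = {"smtp": 25, "bootps": 67, "bootpc": 68}
def _parse_addr(tokens, i):
    # Consume 'any' or 'host A.B.C.D', then an optional 'eq <port>'.
    if tokens[i] == "any":
        net, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
    else:
        net, i = ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port, i = int(NAMED_PORTS.get(tokens[i + 1], tokens[i + 1])), i + 2
    return net, port, i

def parse_ace(line):
    t = line.split()
    src, _sport, i = _parse_addr(t, 2)
    dst, dport, _ = _parse_addr(t, i)  # trailing ICMP type keywords are ignored
    return {"action": t[0], "proto": t[1], "src": src, "dst": dst, "dport": dport}

def evaluate(acl, proto, src_ip, dst_ip, dst_port):
    # Return (action, matching entry); the implicit deny if nothing matches.
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl:
        ace = parse_ace(line)
        if ace["proto"] not in (proto, "ip") or src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dst_port:
            continue
        return ace["action"], line
    return "deny", "implicit deny ip any any"

GATEWAY = "97.107.1.2"        # constructed stand-in for the thread's 97.107.x.x
ROUTER_PUBLIC = "174.55.3.4"  # constructed stand-in for the thread's 174.55.x.x
ORIGINAL_ACL = [  # the asker's ACL: every TCP port from the gateway is permitted
    "permit udp any eq bootps any eq bootpc",
    "permit icmp any any traceroute",
    "permit icmp any any echo",
    "permit icmp any any echo-reply",
    f"permit tcp host {GATEWAY} any",
]
# Tightened form: the broad TCP entry replaced by one limited to SMTP (port 25).
RESTRICTED_ACL = ORIGINAL_ACL[:-1] + [f"permit tcp host {GATEWAY} any eq 25"]
def tcp_allowed(acl, src_ip, dst_port):
    return evaluate(acl, "tcp", src_ip, ROUTER_PUBLIC, dst_port)[0] == "permit"
```

If the broad entry is kept above the port-25 entry, the broad one matches first and the port restriction never takes effect, so the order of entries is worth checking with `show ip access-lists Allowed`.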
