12-08-2005 08:43 PM - edited 03-03-2019 11:11 AM
Hi, I have a problem with my WAN IP address, please help me.
Below is my IP:
WAN Connections
Router Serial Port IP (ISP Site) : 203.92.70.121
Router Serial Port IP (Installation site) : 203.92.70.122
Netmask Number : 255.255.255.252
LAN Connections
Network IP address : 203.92.72.32 - 203.92.72.39
Netmask Number : 255.255.255.248
I've configured that my Email server to use IP 203.92.72.33 and can receive emails successfully.
But when sending out emails, other email servers read my IP as 203.92.70.122, so if the server checks the reverse DNS record against my IP, my mail will be rejected. How can I configure the router to let other people see my IP as 203.92.72.33 ~ 203.92.72.38 instead of my Router Serial Port IP?
12-08-2005 09:24 PM
Looks like you are doing PAT on the router.
Just create a static NAT for your Email server as noted below. In your config, use your server's private (inside local) address in place of 10.1.1.1
ip nat inside source static (10.1.1.1) 203.92.72.33
This will make all traffic from your server to the outside world to be sourced from 203.92.72.33.
HTH,
Sundar
12-08-2005 10:30 PM
Thanks sundar.
I created a few static NATs like this previously:
ip nat inside source static tcp 192.168.1.200 110 203.92.72.33 110 extendable
ip nat inside source static tcp 192.168.1.200 23 203.92.72.33 23 extendable
...
...
I wanted to allow only certain ports to be opened.
So as you said, does it mean that I have to map everything on the server to this IP?
By the way, how to delete these entries in the access-list?
12-08-2005 11:01 PM
Hello,
In order to avoid confusion: you have been assigned 203.92.72.32 - 203.92.72.39 for use on your LAN?
Can you post the full configuration of your router?
Regards,
GP
12-08-2005 11:03 PM
I have assigned 203.92.72.33 to my domain name mail.oco.sg. My mail server's LAN IP is 192.168.1.200 and is mapped to global IP 203.92.72.33.
And when I ping my domain from outside, it shows:
Reply from: 203.92.72.122: TTL has expired in transit
......
Below is my running-config.
Current configuration : 2314 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Genesis
!
enable password 7 0703264D490C1700041B18
!
clock timezone gmt 8
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
ip cef
!
!
!
interface Ethernet0
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip route-cache flow
hold-queue 100 out
!
interface ATM0
ip address 203.92.70.122 255.255.255.252
ip nat outside
ip route-cache flow
no atm ilmi-keepalive
pvc 8/35
protocol ip 203.92.70.121 broadcast
encapsulation aal5snap
!
dsl operating-mode auto
!
ip nat inside source list 100 interface ATM0 overload
ip nat inside source static udp 192.168.1.200 53 203.92.72.38 53 extendable
ip nat inside source static tcp 192.168.1.200 53 203.92.72.38 53 extendable
ip nat inside source static tcp 192.168.1.200 2443 203.92.72.33 2443 extendable
ip nat inside source static tcp 192.168.1.200 2443 203.92.72.33 2443 extendable
ip nat inside source static tcp 192.168.1.200 3443 203.92.72.33 3443 extendable
ip nat inside source static tcp 192.168.1.200 443 203.92.72.33 443 extendable
ip nat inside source static tcp 192.168.1.32 3399 203.92.72.38 3399 extendable
ip nat inside source static tcp 192.168.1.200 3389 203.92.72.38 3389 extendable
ip nat inside source static tcp 192.168.1.200 25 203.92.72.33 25 extendable
ip nat inside source static tcp 192.168.1.200 110 203.92.72.33 110 extendable
ip nat inside source static tcp 192.168.1.200 6000 203.92.72.33 6000 extendable
ip nat inside source static udp 192.168.1.200 6000 203.92.72.33 6000 extendable
ip nat inside source static tcp 192.168.1.200 489 203.92.72.33 489 extendable
ip nat inside source static udp 192.168.1.200 489 203.92.72.33 489 extendable
ip nat inside source static tcp 192.168.1.200 143 203.92.72.33 143 extendable
ip nat inside source static tcp 192.168.1.200 6021 203.92.72.33 6021 extendable
ip nat inside source static udp 192.168.1.200 6021 203.92.72.33 6021 extendable
ip nat inside source static tcp 192.168.1.200 80 203.92.72.33 80 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 203.92.70.121
ip http server
!
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
snmp-server community lga-adsl-827 RO
!
line con 0
stopbits 1
line vty 0 4
password 7 04570C070824424B1A1016
login
!
scheduler max-task-time 5000
end
12-08-2005 11:33 PM
Hello,
the configuration looks good, I wonder if it makes a difference if you exclude the IP address of the mail server from the access list used as the source for the PAT:
-->access-list 100 deny host 192.168.1.200 any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
and then clear all dynamic translations with the command:
clear ip nat translation *
Regards,
GP
12-08-2005 11:52 PM
I'm sorry GP, I'm very new to Cisco routers, can you explain in more detail?
If I do "access-list 100 deny host 192.168.1.200 any", will my mail server be able to connect to the internet?
If I clear all the "ip nat inside source static ...", will my mail server still map to the IP 203.92.72.33?
If possible, can you give me a step-by-step config demo?
Thank you so much.
12-09-2005 12:02 AM
Hello,
if you exclude the IP address of the mail server from the access list, anything coming from the mail server will never have IP address 203.92.70.122, because it is never dynamically translated. It will always only use the static entries you have configured (through the ports you have specified), so your access to the Internet is not affected.
What I meant by clearing the dynamic NAT entries: just enter the command:
clear ip nat translation *
at the command prompt, this will clear any entries your mail server has with IP address 203.92.70.122. So you actually do not change anything in your configuration except for the access list, as mentioned:
-->access-list 100 deny ip host 192.168.1.200 any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
Hope that makes sense...
GP
12-09-2005 12:14 AM
Thank you so much GP.
I've entered the commands, but it seems no different. I entered "show ip nat translation" after I cleared it, and 192.168.1.200 still has mappings on some other ports:
tcp 203.92.70.122:2712 192.168.1.200:2712 194.30.193.13:25 194.30.193.13:25
tcp 203.92.70.122:2716 192.168.1.200:2716 194.30.193.11:25 194.30.193.11:25
tcp 203.92.70.122:2713 192.168.1.200:2713 194.30.193.14:25 194.30.193.14:25
tcp 203.92.70.122:2717 192.168.1.200:2717 194.30.193.12:25 194.30.193.12:25
tcp 203.92.70.122:2714 192.168.1.200:2714 194.30.193.15:25 194.30.193.15:25
tcp 203.92.70.122:2718 192.168.1.200:2718 194.30.193.13:25 194.30.193.13:25
tcp 203.92.70.122:2719 192.168.1.200:2719 194.30.193.14:25 194.30.193.14:25
tcp 203.92.70.122:2724 192.168.1.200:2724 194.30.193.10:25 194.30.193.10:25
tcp 203.92.70.122:2720 192.168.1.200:2720 194.30.193.15:25 194.30.193.15:25
tcp 203.92.70.122:2725 192.168.1.200:2725 194.30.193.11:25 194.30.193.11:25
tcp 203.92.70.122:2722 192.168.1.200:2722 194.30.193.15:25 194.30.193.15:25
tcp 203.92.70.122:2721 192.168.1.200:2721 194.30.193.16:25 194.30.193.16:25
tcp 203.92.70.122:2726 192.168.1.200:2726 194.30.193.12:25 194.30.193.12:25
tcp 203.92.70.122:2723 192.168.1.200:2723 194.30.193.16:25 194.30.193.16:25
tcp 203.92.70.122:2727 192.168.1.200:2727 194.30.193.13:25 194.30.193.13:25
tcp 203.92.70.122:2728 192.168.1.200:2728 194.30.193.14:25 194.30.193.14:25
and I still receive error message from other mail server:
3644 delivery deferral: abc@hol.gr, remote server said (194.30.193.12) : 451 4.1.8 Possibly forged hostname for 203.92.70.122
Do I need to restart the router? Is there any command that can restart the router?
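As an added illustration (not code from anyone in this thread, and not the remote server's implementation), the following models the kind of sender check that produces the "451 4.1.8 Possibly forged hostname" deferral quoted above. The exact tests that 194.30.193.12 runs are not known, so the model applies the two usual ones: forward-confirmed reverse DNS on the connecting address, and a check that the HELO name resolves to that address. The DNS table is constructed from the names and addresses quoted in the thread; the "No forward-confirmed reverse DNS" wording is an assumed message, not one the thread shows.

```python
"""Model of an SMTP receiver's HELO / reverse-DNS sender check.

Added illustration, not the remote server's code. The DNS answers below are a
constructed table holding only the names and addresses quoted in the thread.
"""
from typing import Dict, List, Tuple

A_RECORDS: Dict[str, List[str]] = {
    "mail.oco.sg": ["203.92.72.33"],
    "host-203-92-70-122.lga.net.sg": ["203.92.70.122"],
    "host-203-92-70-121.lga.net.sg": ["203.92.70.121"],
    "host-203-92-72-33.lga.net.sg": ["203.92.72.33"],
}
PTR_RECORDS: Dict[str, List[str]] = {
    "203.92.70.122": ["host-203-92-70-122.lga.net.sg"],
    "203.92.70.121": ["host-203-92-70-121.lga.net.sg"],
    "203.92.72.33": ["host-203-92-72-33.lga.net.sg"],
}


def forward_confirmed_rdns(ip: str, a=A_RECORDS, ptr=PTR_RECORDS) -> bool:
    """The PTR name of the connecting address must resolve back to it."""
    return any(ip in a.get(name, []) for name in ptr.get(ip, []))


def helo_matches_ip(helo: str, ip: str, a=A_RECORDS) -> bool:
    """The name the client announces in HELO must resolve to the connecting address."""
    return ip in a.get(helo, [])


def check_sender(ip: str, helo: str) -> Tuple[int, str]:
    """Return the (code, text) a receiver applying both checks would answer."""
    if not forward_confirmed_rdns(ip):
        # assumed message text; the thread does not show this case
        return 451, f"4.1.8 No forward-confirmed reverse DNS for {ip}"
    if not helo_matches_ip(helo, ip):
        # the deferral quoted in the thread
        return 451, f"4.1.8 Possibly forged hostname for {ip}"
    return 250, "OK"


if __name__ == "__main__":
    # What the thread observed: the mail server leaves the router on the PAT address.
    print(check_sender("203.92.70.122", "mail.oco.sg"))
    # What the thread wants: the server leaves on its own static address.
    print(check_sender("203.92.72.33", "mail.oco.sg"))
```

Both PAT addresses have matching PTR and A records, so plain reverse DNS passes for them; the deferral comes from the second check, because mail.oco.sg resolves to 203.92.72.33 while the connection arrives from 203.92.70.122. Fixing the source address the router uses, not the DNS, is therefore what clears it.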
12-09-2005 12:32 AM
Hello,
I am starting to think that maybe your service provider is not routing your address space correctly; when I do a PING or TRACEROUTE, it bounces between 203.92.70.121 and 203.92.70.122. Besides, the IP addresses are translated as follows:
host-203-92-70-122.lga.net.sg [203.92.70.122]
host-203-92-70-121.lga.net.sg [203.92.70.121]
and the mail server as
host-203-92-72-33.lga.net.sg [203.92.72.33]
Can you check with your provider if they are correctly routing your addresses?
Regards,
GP
12-09-2005 12:37 AM
I called them, they say that it's a problem with my router. If they come to my site to check the router, they will charge $100 to $200.
My mail server is accessible from outside; it can receive email and provide web services. But it cannot ping; when I ping 203.92.72.33, it shows
reply from 203.92.70.122: TTL expired in transit
12-09-2005 12:48 AM
Hello,
ok. Maybe you should try and reboot the router, there should not be any dynamic entries in the NAT table if you have excluded the IP address of the mail server from the access list. Can you save the running configuration to the startup configuration with the command:
copy run start
then reboot the router, and check the entries in the NAT table?
Regards,
GP
12-09-2005 01:06 AM
I restarted the router already, but I still get these entries in the translation list:
tcp 203.92.70.122:3056 192.168.1.200:3056 194.30.193.10:25 194.30.193.10:25
tcp 203.92.70.122:3057 192.168.1.200:3057 194.30.193.11:25 194.30.193.11:25
tcp 203.92.70.122:3058 192.168.1.200:3058 194.30.193.12:25 194.30.193.12:25
It seems that the deny doesn't work.
12-09-2005 01:15 AM
Hello,
I don't want to sound stupid, but can you check what access list 100 looks like exactly? If you just add the new line to the access list, it will be added at the bottom of the access list without effect. You need to remove the access list with the 'no access-list 100' command, and then reenter the entire access list, with the deny statement first...
Regards,
GP
12-09-2005 01:26 AM
Sorry GP if I made you fed up, but this is really the very first time I have configured a Cisco router. I did read the guide but do not understand it very well.
This is my access-list 100, please have a look:
Genesis#show access-list 100
Extended IP access list 100
deny ip host 192.168.1.200 any (15 matches)
permit ip 192.168.1.0 0.0.0.255 any (10 matches)
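As an added illustration (not code from anyone in this thread, and not IOS itself), the following models the two rules the thread has been working with: first-match evaluation of access-list 100, and the router's choice between the posted port-specific static entries, the PAT rule on ATM0, and the plain static entry Sundar suggested. It assumes the IOS behaviour that static entries are consulted before the dynamic rule, that an "extendable" entry matches only its protocol and local port, and that a packet matching no access-list line is denied. The sample packets, addresses and two of the static entries are taken from the posted running-config; the scenario names are constructed.

```python
"""Model of how an IOS router picks a translation for an inside-to-outside packet.

Added illustration, not IOS code. Assumptions:
  * static entries (``ip nat inside source static ...``) are consulted first;
    a port-specific "extendable" entry matches only its protocol and local
    port, a plain static entry matches every packet from that local address;
  * the dynamic PAT rule (``ip nat inside source list 100 interface ATM0
    overload``) applies only if list 100 permits the packet's source;
  * an access list is evaluated top to bottom, first match wins, and a packet
    matching nothing is denied.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AclEntry:
    action: str      # "permit" or "deny"
    network: str     # e.g. "192.168.1.0"; a host entry uses wildcard "0.0.0.0"
    wildcard: str    # IOS wildcard mask, e.g. "0.0.0.255"


@dataclass(frozen=True)
class StaticNat:
    local_ip: str
    global_ip: str
    proto: Optional[str] = None        # "tcp"/"udp" for extendable entries
    local_port: Optional[int] = None   # None for a plain static entry


def ip_to_int(ip: str) -> int:
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def acl_permits(acl: List[AclEntry], src_ip: str) -> bool:
    """First-match evaluation with the implicit deny at the end."""
    src = ip_to_int(src_ip)
    for entry in acl:
        care = 0xFFFFFFFF ^ ip_to_int(entry.wildcard)   # bits the entry compares
        if (src & care) == (ip_to_int(entry.network) & care):
            return entry.action == "permit"
    return False


def translate(statics: List[StaticNat], acl: List[AclEntry], pat_ip: str,
              proto: str, src_ip: str, src_port: int) -> Optional[str]:
    """Global source address the packet leaves with, or None when the router
    finds no translation (the packet would leave with its private address)."""
    for s in statics:
        if s.local_ip != src_ip:
            continue
        if s.proto is None or (s.proto == proto and s.local_port == src_port):
            return s.global_ip
    return pat_ip if acl_permits(acl, src_ip) else None


MAIL = "192.168.1.200"
PAT_IP = "203.92.70.122"                        # ATM0 address in the posted config
# Two of the port-specific entries from the posted running-config.
PORT_STATICS = [StaticNat(MAIL, "203.92.72.33", "tcp", 25),
                StaticNat(MAIL, "203.92.72.33", "tcp", 110)]
PERMIT_LAN = AclEntry("permit", "192.168.1.0", "0.0.0.255")
DENY_MAIL = AclEntry("deny", MAIL, "0.0.0.0")


def smtp_client_source(statics: List[StaticNat], acl: List[AclEntry],
                       src_port: int = 2712) -> Optional[str]:
    """Outbound SMTP connection from the mail server on an ephemeral port,
    like the 192.168.1.200:2712 -> :25 entries shown in the thread."""
    return translate(statics, acl, PAT_IP, "tcp", MAIL, src_port)


def scenarios() -> Dict[str, Optional[str]]:
    return {
        # posted config, permit only: PAT address, as the thread observed
        "original": smtp_client_source(PORT_STATICS, [PERMIT_LAN]),
        # deny appended below the permit: never reached, still PAT
        "deny_appended": smtp_client_source(PORT_STATICS, [PERMIT_LAN, DENY_MAIL]),
        # deny first, port-specific statics only: an ephemeral port matches none
        "deny_first": smtp_client_source(PORT_STATICS, [DENY_MAIL, PERMIT_LAN]),
        # deny first plus a plain static entry for the server (Sundar's suggestion)
        "deny_first_plain_static": smtp_client_source(
            [StaticNat(MAIL, "203.92.72.33")], [DENY_MAIL, PERMIT_LAN]),
        # a packet sent from local port 25 matches the extendable entry
        "static_port_25": translate(PORT_STATICS, [PERMIT_LAN], PAT_IP, "tcp", MAIL, 25),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:25s} -> {result}")
```

The "deny_appended" case is the state the thread was in before the list was re-entered, and the "deny_first" case is the caveat worth keeping in mind once it is: with only port-specific entries, a connection the server opens from an ephemeral port matches no static entry and, being excluded from PAT, gets no translation at all. A plain static entry for 192.168.1.200, as in the first reply, is what makes every packet from the server leave as 203.92.72.33; "show ip nat translation" after the change is the check that confirms no entry for 192.168.1.200 carries 203.92.70.122 any more.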