06-07-2005 06:48 AM - edited 03-03-2019 09:45 AM
We have an internet T1 coming into a 2651 router. Seems when emails go out to the internet from the server behind this router, the IP address that shows up when you look into headers of an email is not the address it should be showing as where it comes from.
I am probably not explaining this very well. Let me show some of the config to better understand the problem I am having.
Here is the basics of the config:
ip nat translation timeout 10800
ip nat pool net-pool 109.216.160.200 109.216.160.200 netmask 255.255.255.192
ip nat inside source list 100 pool net-pool overload
ip nat inside source static tcp 10.202.32.29 443 109.216.160.194 443 extendable
ip nat inside source static tcp 10.202.32.29 80 109.216.160.194 80 extendable
ip nat inside source static tcp 10.202.32.33 1494 109.216.160.197 1494 extendable
ip nat inside source static tcp 10.202.32.29 25 109.216.160.194 25 extendable
access-list 105 remark WWW service for OWA
access-list 105 permit tcp any host 109.216.160.194 eq www
access-list 105 permit tcp any host 109.216.160.194 eq 443
access-list 105 remark Mail Server Access for the Public
access-list 105 permit tcp any host 109.216.160.194 eq smtp
access-list 105 permit icmp any any
access-list 105 deny ip any any log
Ok, so the mail server's external IP address is: 109.216.160.194
However, when you send an email to the outside world and check the headers, the email appears to come from 109.216.160.200 rather than 109.216.160.194
Any ideas on how to make sure that emails are sourced from 109.216.160.194 ?
06-07-2005 07:20 AM
Hi,
It looks as though your internal mail server's address is being PATed to 109.216.160.200 because its IP address falls within your NAT access-list 100.
Try adding another static NAT statement such as
ip nat inside source static 10.202.32.29 109.216.160.194
This means that all traffic from your inside NAT interface sourced from 10.202.32.29 will be NATed to 109.216.160.194 when leaving your outside NAT interface. It shouldn't affect the port translations that you are using from the outside.
I believe that having a static NAT statement will take precedence over having a dynamic NAT as the static NAT will already be in the NAT table.
HTH
Paddy
06-07-2005 10:09 AM
Funny thing about adding that statement you mentioned, I failed to tell you but in my efforts to resolve this on my own, I actually put that very statement in:
ip nat inside source static 10.202.32.29 109.216.160.194
When I did that, all hell broke loose. The mail server started reporting an IP address conflict. I had to remove that statement and things worked fine again. That is what prompted me to come here and ask for some opinions.
06-07-2005 07:22 AM
I see that in the posting your translation references access list 100. Your posting includes access list 105 but not 100. Does the translation really reference access list 100 on the router (and if so what is in that access list) or have you introduced confusion in trying to change things in the config to protect your privacy?
HTH
Rick
06-07-2005 10:06 AM
Here is some more info:
interface Serial0/0
 bandwidth 1544
 ip address 109.216.160.193 255.255.255.240
 ip access-group 105 in
 ip nat outside
 ip inspect internet out
 ip route-cache flow
 no ip mroute-cache
 service-module t1 timeslots 1-24
 no cdp enable
Someone mentioned the access group 100, that is accurate and it does exist. Here is that info:
access-list 100 deny ip 10.202.32.0 0.0.0.255 10.121.0.0 0.0.255.255
access-list 100 deny ip host 10.202.32.13 host 181.204.143.190
access-list 100 deny ip host 10.202.32.13 host 181.204.143.189
access-list 100 permit ip 10.202.0.0 0.0.255.255 any
Obviously I have changed the IPs to protect the network, but everything is consistent.
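Added example (not part of the thread, and not Cisco code): a simplified Python model of how the posted NAT lines pick the outside source address for a flow leaving the inside network. The function names, the destination 203.0.113.25 and the ephemeral source port are assumptions made for illustration; the model covers only port-specific static entries and the ACL 100 overload rule.

```python
import ipaddress

# Constructed input: NAT and ACL 100 lines copied from the configuration posted in the thread.
CONFIG = """\
ip nat pool net-pool 109.216.160.200 109.216.160.200 netmask 255.255.255.192
ip nat inside source list 100 pool net-pool overload
ip nat inside source static tcp 10.202.32.29 443 109.216.160.194 443 extendable
ip nat inside source static tcp 10.202.32.29 80 109.216.160.194 80 extendable
ip nat inside source static tcp 10.202.32.33 1494 109.216.160.197 1494 extendable
ip nat inside source static tcp 10.202.32.29 25 109.216.160.194 25 extendable
access-list 100 deny ip 10.202.32.0 0.0.0.255 10.121.0.0 0.0.255.255
access-list 100 deny ip host 10.202.32.13 host 181.204.143.190
access-list 100 deny ip host 10.202.32.13 host 181.204.143.189
access-list 100 permit ip 10.202.0.0 0.0.255.255 any
"""

def _spec(tok):
    # One ACL address spec (any | host A | A WILDCARD) -> (network, remaining tokens)
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]  # wildcard parsed as hostmask

def parse(config):
    statics, acl, pools, dyn = {}, [], {}, None
    for t in (line.split() for line in config.splitlines()):
        if t[:6] == "ip nat inside source static tcp".split():
            statics[(t[6], int(t[7]))] = t[8]      # (local ip, local port) -> global ip
        elif t[:5] == "ip nat inside source list".split():
            dyn = (t[5], t[7])                     # (ACL number, pool name)
        elif t[:3] == "ip nat pool".split():
            pools[t[3]] = t[4]                     # pool name -> first pool address
        elif t[0] == "access-list" and t[3] == "ip":
            src, rest = _spec(t[4:])
            dst, _ = _spec(rest)
            acl.append((t[1], t[2], src, dst))
    return statics, acl, pools, dyn

def translated_source(config, src_ip, src_port, dst_ip):
    """Outside source address of an inside-to-outside TCP flow (None = not translated)."""
    statics, acl, pools, dyn = parse(config)
    if (src_ip, src_port) in statics:              # port-specific static: source port must match
        return statics[(src_ip, src_port)]
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for num, action, src, dst in acl:              # first matching ACL entry wins
        if num == dyn[0] and s in src and d in dst:
            return pools[dyn[1]] if action == "permit" else None
    return None                                    # implicit deny: no translation
```

A connection the mail server opens to a remote MTA uses an ephemeral source port, so none of the `static tcp ... 25` entries match it and it falls through to the ACL 100 overload pool, which is the .200 address seen in the headers.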