
Not sure how to title this!

tsgcisco
Level 1

We have an internet T1 coming into a 2651 router. Seems when emails go out to the internet from the server behind this router, the IP address that shows up when you look into headers of an email is not the address it should be showing as where it comes from.

I am probably not explaining this very well. Let me show some of the config to better understand the problem I am having.

Here is the basics of the config:

ip nat translation timeout 10800

ip nat pool net-pool 109.216.160.200 109.216.160.200 netmask 255.255.255.192

ip nat inside source list 100 pool net-pool overload

ip nat inside source static tcp 10.202.32.29 443 109.216.160.194 443 extendable

ip nat inside source static tcp 10.202.32.29 80 109.216.160.194 80 extendable

ip nat inside source static tcp 10.202.32.33 1494 109.216.160.197 1494 extendable

ip nat inside source static tcp 10.202.32.29 25 109.216.160.194 25 extendable

access-list 105 remark WWW service for OWA

access-list 105 permit tcp any host 109.216.160.194 eq www

access-list 105 permit tcp any host 109.216.160.194 eq 443

access-list 105 remark Mail Server Access for the Public

access-list 105 permit tcp any host 109.216.160.194 eq smtp

access-list 105 permit icmp any any

access-list 105 deny ip any any log

OK, so the mail server's external IP address is: 109.216.160.194

However, when you send an email to the outside world and check the headers, the email appears to come from 109.216.160.200 rather than 109.216.160.194

Any ideas on how to make sure that emails are sourced from 109.216.160.194 ?

4 Replies

paddyxdoyle
Level 6

Hi,

It looks as though your internal mail server's address is being PATed to 109.216.160.200 because its IP address falls within your NAT access-list 100.

Try adding another static NAT statement such as

ip nat inside source static 10.202.32.29 109.216.160.194

This means that all traffic from your inside NAT interface sourced from 10.202.32.29 will be NATed to 109.216.160.194 when leaving your outside NAT interface, it shouldn't affect your Port translations that you are using from the outside.

I believe that having a static NAT statement will take precedence over having a dynamic NAT as the static NAT will already be in the NAT table.

HTH

Paddy

Funny thing about adding that statement you mentioned, I failed to tell you but in my efforts to resolve this on my own, I actually put that very statement in:

ip nat inside source static 10.202.32.29 109.216.160.194

When I did that, all hell broke loose. The mail server started reporting an IP address conflict. I had to remove that statement and things worked fine again. That is what prompted me to come here and ask for some opinions.

Richard Burts
Hall of Fame

I see that in the posting your translation references access list 100. Your posting includes access list 105 but not 100. Does the translation really reference access list 100 on the router (and if so what is in that access list) or have you introduced confusion in trying to change things in the config to protect your privacy?

HTH

Rick

tsgcisco
Level 1

Here is some more info:

interface Serial0/0

bandwidth 1544

ip address 109.216.160.193 255.255.255.240

ip access-group 105 in

ip nat outside

ip inspect internet out

ip route-cache flow

no ip mroute-cache

service-module t1 timeslots 1-24

no cdp enable

Someone mentioned the access group 100, that is accurate and it does exist. Here is that info:

access-list 100 deny ip 10.202.32.0 0.0.0.255 10.121.0.0 0.0.255.255

access-list 100 deny ip host 10.202.32.13 host 181.204.143.190

access-list 100 deny ip host 10.202.32.13 host 181.204.143.189

access-list 100 permit ip 10.202.0.0 0.0.255.255 any

Obviously I have changed the IPs to protect the network, but everything is consistent.
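
Added example (not part of the thread and not the posters' code): a simplified Python model of the NAT decision for an outbound TCP flow, using the NAT statements and access list 100 posted above. It assumes a static port entry matches only the exact inside address and port, and that any other flow permitted by list 100 is overloaded onto the pool; the function names and the destination 203.0.113.25 are constructed for illustration.

```python
import ipaddress

# Values copied from the configuration posted in the thread.
STATIC_TCP = {  # (inside local IP, inside local port) -> inside global IP
    ("10.202.32.29", 443): "109.216.160.194",
    ("10.202.32.29", 80): "109.216.160.194",
    ("10.202.32.33", 1494): "109.216.160.197",
    ("10.202.32.29", 25): "109.216.160.194",
}
POOL_ADDRESS = "109.216.160.200"  # net-pool, used with "overload" (PAT)
ACL_100 = """\
access-list 100 deny ip 10.202.32.0 0.0.0.255 10.121.0.0 0.0.255.255
access-list 100 deny ip host 10.202.32.13 host 181.204.143.190
access-list 100 deny ip host 10.202.32.13 host 181.204.143.189
access-list 100 permit ip 10.202.0.0 0.0.255.255 any
"""

def _take_addr(tokens):
    """Consume one ACL address spec; return (base, wildcard) as ints."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_acl(text):
    rules = []
    for line in text.splitlines():
        tokens = line.split()[2:]              # drop "access-list 100"
        action, _proto = tokens.pop(0), tokens.pop(0)
        rules.append((action, _take_addr(tokens), _take_addr(tokens)))
    return rules

def _matches(addr, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF              # bits that must be equal
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def acl_permits(rules, src, dst):
    for action, src_spec, dst_spec in rules:
        if _matches(src, src_spec) and _matches(dst, dst_spec):
            return action == "permit"
    return False                               # implicit deny at end of ACL

def translated_source(src, sport, dst):
    """Address an outbound TCP flow leaves with (simplified model)."""
    if (src, sport) in STATIC_TCP:             # static entry: exact IP and port
        return STATIC_TCP[(src, sport)]
    if acl_permits(parse_acl(ACL_100), src, dst):
        return POOL_ADDRESS                    # "list 100 pool net-pool overload"
    return src                                 # not translated
```

An outbound SMTP connection from 10.202.32.29 uses an ephemeral source port, so `translated_source("10.202.32.29", 49152, "203.0.113.25")` returns 109.216.160.200, the address seen in the headers; only flows with source port 25, 80 or 443 map to 109.216.160.194.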
