Routing incoming traffic

billseymour
Level 1

This is getting really frustrating. Every time I try to ask this question it's tacked on to a different thread about a different question that is already answered, so no one answers. I am trying to route incoming traffic to my Exchange server. As far as I can tell things are not getting through, so I'm not getting any email. My email has been down five days now trying to get this dealt with.

I'm using a 2911 with IOS 15.4; the Internet side of things is getting its address using DHCP and it's on G0/0. The intranet is on two subnets, 172.20.0.0/24 on G0/1 and 172.20.1.0/24 on G0/2. There's an additional NAT using my mesh system behind G0/2 that shouldn't be relevant to this issue. Here's my config:

Using 5913 out of 262136 bytes
!
! Last configuration change at 17:10:06 UTC Tue Apr 30 2024 by billsey
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
ip dhcp excluded-address 172.20.0.1
ip dhcp excluded-address 172.20.1.1
ip dhcp excluded-address 172.20.0.248
ip dhcp excluded-address 172.20.0.1 172.20.0.20
!
ip dhcp pool mail-web-pool
import all
network 172.20.0.0 255.255.255.0
default-router 172.20.0.248
dns-server 71.10.216.1 71.10.216.2
lease 0 2
!
ip dhcp pool local-pool
import all
network 172.20.1.0 255.255.255.0
default-router 172.20.1.1
dns-server 71.10.216.1 71.10.216.2
lease 0 2
!
ip domain name mydomain.com
ip cef
no ipv6 cef
multilink bundle-name authenticated
!
cts logging verbose
!
crypto pki trustpoint TP-self-signed-806451679
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-806451679
revocation-check none
rsakeypair TP-self-signed-806451679
!
crypto pki certificate chain TP-self-signed-806451679
certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
license udi pid CISCO2911/K9 sn FJC2010A1TJ
!
username billsey privilege 15 secret 5 <password>
!
redundancy
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description INTERNET_UPLINK
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description INTRANET_MAIL_WEB
ip address 172.20.0.248 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip verify unicast reverse-path
load-interval 30
duplex auto
speed auto
!
interface GigabitEthernet0/2
description INTRANET_ACCESS
ip address 172.20.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip verify unicast reverse-path
load-interval 30
duplex auto
speed auto
!
ip forward-protocol nd
!
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list LAN_SUBNETS interface GigabitEthernet0/0 overload
ip nat inside source static tcp 172.20.0.5 25 interface GigabitEthernet0/0 25
ip nat inside source static tcp 172.20.0.5 587 interface GigabitEthernet0/0 587
ip nat inside source static tcp 172.20.0.5 110 interface GigabitEthernet0/0 110
ip nat inside source static tcp 172.20.0.5 995 interface GigabitEthernet0/0 995
ip nat inside source static tcp 172.20.0.5 993 interface GigabitEthernet0/0 993
ip nat inside source static tcp 172.20.0.5 143 interface GigabitEthernet0/0 143
ip nat inside source static tcp 172.20.0.5 80 interface GigabitEthernet0/0 80
ip nat inside source static tcp 172.20.0.5 443 interface GigabitEthernet0/0 443
ip nat inside source static udp 172.20.0.5 25 interface GigabitEthernet0/0 25
ip nat inside source static udp 172.20.0.5 80 interface GigabitEthernet0/0 80
ip nat inside source static udp 172.20.0.5 443 interface GigabitEthernet0/0 443
ip nat inside source static udp 172.20.0.5 587 interface GigabitEthernet0/0 587
ip nat inside source static udp 172.20.0.5 110 interface GigabitEthernet0/0 110
ip nat inside source static udp 172.20.0.5 995 interface GigabitEthernet0/0 995
ip nat inside source static udp 172.20.0.5 993 interface GigabitEthernet0/0 993
ip nat inside source static udp 172.20.0.5 143 interface GigabitEthernet0/0 143
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
ip access-list extended LAN_SUBNETS
permit ip 172.20.0.0 0.0.0.255 any
permit ip 172.20.1.0 0.0.0.255 any
!
control-plane
!
banner exec ^C
-----------------------------------------------------------------------
^C
!
line con 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

I have no idea why I'm not getting email traffic through, it looks like I have all the correct ports forwarded. I don't have a good test bed for trying to send traffic through manually, since I am on the inside...
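Before chasing the router, it is worth auditing the NAT statements themselves. The following Python script is an added example (not code from the thread or from Cisco): it parses a `show running-config` as IOS prints it (sub-commands indented one space), extracts the static NAT rules, and flags UDP forwards for TCP-only mail and web services (which covers every UDP entry in the posted config), cleartext POP3/IMAP/HTTP exposed beside their TLS equivalents, a forwarded host that is not on any `ip nat inside` subnet, strict uRPF on inside interfaces (the setting the first reply suggests removing), telnet accepted on the vty lines, and an `access-class` that names an ACL the config never defines (as `23` does in the posted config). The embedded config is a constructed excerpt modelled on the posted one, with an extra rule for 192.168.50.9 invented so the subnet check has something to catch.

```python
"""Audit the static NAT (port-forward) rules in a Cisco IOS running-config.

Added example, not code from the thread.  SAMPLE_CONFIG is a constructed
excerpt modelled on the posted config; the 192.168.50.9 rule is invented so
the subnet check has something to catch.
"""
import ipaddress
import re

# SMTP, submission, POP3(S), IMAP(S) and HTTP(S) are TCP-only: a UDP forward
# for them never carries mail or web traffic but still publishes a mapping.
TCP_ONLY_PORTS = {25, 587, 110, 995, 143, 993, 80, 443}
PLAINTEXT_PORTS = {110: "POP3", 143: "IMAP", 80: "HTTP"}  # cleartext twins of 995/993/443

STATIC_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)$")
ADDR_RE = re.compile(r"^ ip address (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3})$")

SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address dhcp
 ip nat outside
interface GigabitEthernet0/1
 ip address 172.20.0.248 255.255.255.0
 ip nat inside
 ip verify unicast reverse-path
ip nat inside source static tcp 172.20.0.5 25 interface GigabitEthernet0/0 25
ip nat inside source static tcp 172.20.0.5 587 interface GigabitEthernet0/0 587
ip nat inside source static tcp 172.20.0.5 110 interface GigabitEthernet0/0 110
ip nat inside source static udp 172.20.0.5 25 interface GigabitEthernet0/0 25
ip nat inside source static tcp 192.168.50.9 8080 interface GigabitEthernet0/0 8080
ip access-list extended LAN_SUBNETS
 permit ip 172.20.0.0 0.0.0.255 any
line vty 0 4
 access-class 23 in
 transport input telnet ssh
"""


def parse_config(text):
    """Extract interfaces, static NAT rules, line blocks and ACL names.

    IOS indents sub-commands by one space, so an unindented line ends a block.
    """
    interfaces, statics, tty_lines, acls = {}, [], [], set()
    block = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):                  # top-level command
            block = None
            if line.startswith("interface "):
                block = ("interface", line.split(None, 1)[1])
                interfaces[block[1]] = {"net": None, "nat": None, "urpf": False}
            elif line.startswith("line "):
                block = ("line", line)
                tty_lines.append({"name": line, "access_class": None, "transport": []})
            elif line.startswith("ip access-list "):
                acls.add(line.split()[3])             # ip access-list extended NAME
            elif line.startswith("access-list "):
                acls.add(line.split()[1])             # access-list 23 permit ...
            elif (m := STATIC_RE.match(line)):
                proto, ip, iport, oif, oport = m.groups()
                statics.append({"proto": proto, "inside_ip": ip, "inside_port": int(iport),
                                "out_if": oif, "out_port": int(oport)})
            continue
        if block is None:
            continue
        sub = line.strip()
        if block[0] == "interface":
            intf = interfaces[block[1]]
            if (m := ADDR_RE.match(line)):
                intf["net"] = ipaddress.IPv4Interface("/".join(m.groups())).network
            elif sub in ("ip nat inside", "ip nat outside"):
                intf["nat"] = sub.split()[-1]
            elif sub.startswith("ip verify unicast"):
                intf["urpf"] = True
        else:
            parts = sub.split()
            if parts[0] == "access-class":
                tty_lines[-1]["access_class"] = parts[1]
            elif parts[:2] == ["transport", "input"]:
                tty_lines[-1]["transport"] = parts[2:]
    return interfaces, statics, tty_lines, acls


def audit(text):
    """Return findings as strings, each starting with a stable code."""
    interfaces, statics, tty_lines, acls = parse_config(text)
    inside_nets = [i["net"] for i in interfaces.values() if i["nat"] == "inside" and i["net"]]
    findings = []
    for s in statics:
        tag = f"{s['proto']}/{s['out_port']} -> {s['inside_ip']}:{s['inside_port']}"
        if s["proto"] == "udp" and s["inside_port"] in TCP_ONLY_PORTS:
            findings.append(f"UDP_FOR_TCP_SERVICE {tag}")
        if s["inside_port"] in PLAINTEXT_PORTS:
            findings.append(f"PLAINTEXT_EXPOSED {tag} ({PLAINTEXT_PORTS[s['inside_port']]})")
        if not any(ipaddress.IPv4Address(s["inside_ip"]) in n for n in inside_nets):
            findings.append(f"INSIDE_HOST_NOT_ON_INSIDE_SUBNET {tag}")
    for name, intf in interfaces.items():
        if intf["nat"] == "inside" and intf["urpf"]:
            findings.append(f"URPF_ON_INSIDE_INTERFACE {name}")
    for tl in tty_lines:
        if "telnet" in tl["transport"]:
            findings.append(f"TELNET_ENABLED {tl['name']}")
        if tl["access_class"] and tl["access_class"] not in acls:
            findings.append(f"UNDEFINED_ACL {tl['access_class']} referenced by {tl['name']}")
    return findings
```

Run `audit(open("running-config.txt").read())` against a fresh `show running-config` copied from the device. Note that the config as pasted in the post has lost its indentation, so it would need the leading spaces restored before this parser can tell sub-commands from top-level commands. None of the findings explain lost mail on their own; they are the hygiene items to clean up once the forwards are confirmed working.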


3 Replies

Hello,

The ports you have configured look good indeed. Try removing the 'ip verify unicast reverse-path' command from your interfaces; does that make a difference?

EDIT: I think for name resolution you might also need TCP/UDP 53:

ip nat inside source static tcp 172.20.0.5 53 interface GigabitEthernet0/0 53
ip nat inside source static udp 172.20.0.5 53 interface GigabitEthernet0/0 53

balaji.bandi
Hall of Fame

Looking at the configuration, it looks OK.

How is your DNS configuration? (Does your ISP keep changing the IP address?)

Is your external IP mapped in your DNS so it resolves?

Make sure the router can reach the internal mail server IP; this depends on the setup. (Are there any other firewalls in the path?)

Run debug and try connecting from outside with telnet to mydomain.com port 25 (see whether that packet is reaching your NAT router before you go further).

Also, we have seen some ISP providers block some ports, so check that and make a note of it.

From the router, also check telnet <local IP> 25 to confirm the port is open and that no Windows Firewall is blocking it.

Note: you are also using the HTTP service on the router, which may conflict with your HTTP and HTTPS; change the router's HTTP and HTTPS to different ports.

BB

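The external test suggested above (telnet to the public name on port 25) can be scripted so it is repeatable and also reports whether the server offers STARTTLS on the port being tested. This is an added example, not code from the thread or from Cisco: `probe_smtp` opens a TCP connection, reads the 220 greeting, sends EHLO and parses the multi-line capability reply. It has to be run from a host outside the router; as the accepted solution below notes, a client on the intranet side connecting to the public address does not get through. To keep it runnable offline, `start_fake_smtp` is a constructed stand-in for the Exchange server listening on 127.0.0.1, and `mail.example` and `probe.example` are placeholder names.

```python
"""Probe a forwarded SMTP port from outside and report what it advertises.

Added example, not from the original thread.  start_fake_smtp() is a
constructed stand-in for the mail server so the script runs offline.
"""
import socket
import threading


def probe_smtp(host, port, timeout=5.0):
    """Connect, read the greeting, send EHLO and parse the capability reply.

    Returns a dict; a refused or timed-out connection leaves reachable=False.
    """
    result = {"reachable": False, "banner": None, "starttls": False, "ehlo": []}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["reachable"] = True
            rd = sock.makefile("rb")
            banner = rd.readline().decode("ascii", "replace").rstrip("\r\n")
            result["banner"] = banner
            if not banner.startswith("220"):
                return result          # something answered, but not an SMTP server
            sock.sendall(b"EHLO probe.example\r\n")
            # RFC 5321 multi-line reply: "250-" on every line except the last ("250 ").
            while True:
                line = rd.readline().decode("ascii", "replace").rstrip("\r\n")
                if not line:
                    break
                result["ehlo"].append(line)
                if len(line) < 4 or line[3] != "-":
                    break
            result["starttls"] = any(l[4:].upper().startswith("STARTTLS")
                                     for l in result["ehlo"])
            sock.sendall(b"QUIT\r\n")
    except OSError:
        pass
    return result


def start_fake_smtp(banner=b"220 mail.example ESMTP\r\n", starttls=True):
    """Constructed one-shot SMTP listener on 127.0.0.1; returns (host, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    caps = [b"250-mail.example", b"250-SIZE 36700160"]
    if starttls:
        caps.append(b"250-STARTTLS")
    caps.append(b"250 OK")

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
            rd = conn.makefile("rb")
            while True:
                cmd = rd.readline()
                if not cmd:
                    break
                if cmd.upper().startswith(b"EHLO"):
                    conn.sendall(b"\r\n".join(caps) + b"\r\n")
                elif cmd.upper().startswith(b"QUIT"):
                    conn.sendall(b"221 bye\r\n")
                    break
                else:
                    conn.sendall(b"502 not implemented\r\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


if __name__ == "__main__":
    host, port = start_fake_smtp()        # replace with the public name and 25/587
    for key, value in probe_smtp(host, port).items():
        print(f"{key}: {value}")
```

Against the real target, call `probe_smtp("mydomain.com", 25)` and `probe_smtp("mydomain.com", 587)` from a host on the Internet side. A `reachable` of False on every port while the inside server answers `telnet 172.20.0.5 25` from the router points at the path before the NAT (ISP filtering, DNS, or the outside interface), which is the split the reply above is asking for; a 220 banner with no STARTTLS on 587 means submission is being offered in cleartext.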

billseymour
Level 1
Accepted Solution

And I think I have it working. I did add the entries for DNS port 53, but that by itself didn't provide the breakthrough. It looks like the root cause of the issue wasn't in the 2611 itself, but in the way Hyper-V handles virtual networks. I pared those down to the minimum required for my use case and traffic started flowing. I didn't realize it immediately because my mail client still wasn't seeing new emails. That is caused by the client being on the intranet side of the equation: when it attempts to connect to the public address on the Internet side of the router, traffic isn't sent through. I fired up a VPN on my client machine, and things connected up, though I haven't seen most of what I expect is queued up coming through yet. I did receive a few emails from last Saturday, and it looks like I was able to send one as well.
