Our main internet connection went down today and I realised that I really should have a backup plan in place to handle inbound email. Luckily I had a Cisco 877 knocking around doing not much. The mail server (Microsoft Exchange) has two network connections, one to the internet with a public IP and one to our internal network with a private IP. The default route is set to the ISP's gateway.
I set up the 877 with a DSL connection using SDM (I know, but it's quick) and used NAT to forward port 25 to the internal IP address of the mailserver. Obviously the mailserver does not route the traffic back to the 877 but tries to send it through the ISP's gateway.
The question is: How can I get NAT to translate the source address of the incoming mail to the 877's local IP address?
I seem to remember that Microsoft ISA Server had a tick box on the firewall rules called something like 'Requests appear to come from the ISA server computer'. That's basically what I'm trying to do.
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
logging message-counter syslog
logging buffered 51200 warnings
enable secret 5 xxxx
!
no aaa new-model
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-1401562236
crypto pki certificate chain TP-self-signed-1401562236
certificate self-signed 01
!
no ip domain lookup
ip domain name xxxx
username administrator privilege 15 secret 5 xxxx
!
! DSL physical interface (interface header missing from the paste; inferred from the lines below)
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 encapsulation aal5mux ppp dialer
 dialer pool-member 1
!
! Inside (LAN) interface (header inferred; the access-list 1 remark names Vlan1)
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 172.16.7.252 255.255.248.0
 ip nat inside
 ip tcp adjust-mss 1452
!
! Outside (ISP) interface, PPP over the ATM PVC (header inferred)
interface Dialer0
 ip address negotiated
 ip nat outside
 dialer pool 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname xxxx
 ppp chap password 7 xxxx
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.16.0 255.255.255.0 172.16.7.254
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
! Dynamic overload NAT for the LAN, plus the static port forward for SMTP to the mail server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 172.16.0.2 25 interface Dialer0 25
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 172.16.0.0 0.0.7.255
dialer-list 1 protocol ip permit
no cdp run
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
The NAT line seems to be OK.
Did you have to add a secondary route on the Exchange server?
Also, it might be that the connection you are using is a home connection and the real IP address cannot be reached on destination port 25. Check with your ISP.
Thank you for your reply. If I manually set the default gateway on the mailserver to the 877, everything works ok so I think the standard NAT config is OK.
It's fairly difficult to describe this but basically I need external requests that pass through the NAT to appear to the mailserver as though they are coming from the 877's internal interface.
Hope that makes sense.
I don't think it is possible to resolve it the way you are thinking about. Anyway, you can try ip nat outside to translate the outside access to the inside interface, so that the traffic going to the email server appears as if it originated from the inside interface.
So it should look like this:
ip access-list extended 101
 permit tcp any host outside_interface_ip eq 25
!
! route-map stanza was missing from the paste; the match line needs it
route-map MAPOUTSIDE permit 10
 match ip address 101
!
ip nat outside source route-map MAPOUTSIDE interface fa0/0
The problem is that the 877 doesn't know that it must send the traffic to the Exchange server, even if the traffic appears to be originating from the inside interface.
The NAT inside that you are using works much better, but what you need to do is to let the Exchange go back on the same route that it came from. Try to add a static route to your Exchange server:
route add -p 0.0.0.0 mask 0.0.0.0 172.16.7.252 metric 10
So, in case the default gateway is down, this route will be preferred.
Hope it was helpful.
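The asymmetric-routing problem behind this thread (port forward in through the 877, reply out via the ISP gateway) and the two fixes discussed, as an added Python simulation that is not part of any post here. The 877 and mail server addresses come from the posted config; the public addresses, the on-link/longest-prefix/metric route selection, and modelling an ISP outage as the primary default route disappearing are assumptions.

```python
import ipaddress
# Addresses from the posted 877 config and static NAT entry
ROUTER_INSIDE = "172.16.7.252"   # 877 Vlan1 address
LAN = "172.16.0.0/21"            # Vlan1 subnet (mask 255.255.248.0)
# Constructed public addresses (RFC 5737 documentation ranges), not from the thread
ISP_GW = "203.0.113.1"           # ISP gateway on the mail server's public NIC
PUBLIC_NIC_NET = "203.0.113.0/24"
CLIENT = "198.51.100.7"          # external sending MTA
CONNECTED = "connected"          # marker for an on-link route (no gateway)

def next_hop(routes, dst):
    """Gateway for dst: longest prefix wins, then lowest metric.
    routes is a list of (network, gateway, metric)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, metric in routes:
        network = ipaddress.ip_network(net)
        if addr in network:
            rank = (network.prefixlen, -metric)
            if best is None or rank > best[0]:
                best = (rank, gw)
    return best[1] if best else None

def server_routes(isp_up=True, backup_route=False):
    """Exchange host table: on-link nets, default via the ISP while that link
    is up, and optionally the thread's 'route add -p 0.0.0.0 mask 0.0.0.0
    172.16.7.252 metric 10' (the ISP default route is modelled as vanishing
    when the ISP link is down)."""
    routes = [(LAN, CONNECTED, 1), (PUBLIC_NIC_NET, CONNECTED, 1)]
    if isp_up:
        routes.append(("0.0.0.0/0", ISP_GW, 1))
    if backup_route:
        routes.append(("0.0.0.0/0", ROUTER_INSIDE, 10))
    return routes

def reply_reaches_router(routes, src_nat):
    """After the 877's port forward the server sees the real client address,
    or ROUTER_INSIDE if the 877 also rewrites the source (the OP's idea).
    True if the server's SYN-ACK is routed back to the 877 so the NAT
    state can untranslate it; False means it leaks via the ISP gateway."""
    seen_src = ROUTER_INSIDE if src_nat else CLIENT
    gw = next_hop(routes, seen_src)
    return gw == ROUTER_INSIDE or (gw == CONNECTED and seen_src == ROUTER_INSIDE)

if __name__ == "__main__":
    print("as posted:       ", reply_reaches_router(server_routes(), False))
    print("source NAT:      ", reply_reaches_router(server_routes(), True))
    print("backup, ISP up:  ", reply_reaches_router(server_routes(True, True), False))
    print("backup, ISP down:", reply_reaches_router(server_routes(False, True), False))
```

The backup-route case shows why the second reply's fix only helps once the ISP default route is gone: while both default routes exist, the lower metric still sends replies to the ISP.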