02-10-2011 09:26 AM - edited 03-04-2019 11:23 AM
Hello All,
Our main internet connection went down today and I realised that I really should have a backup plan in place to handle inbound email. Luckily I had a Cisco 877 knocking around doing not much. The mail server (Microsoft Exchange) has two network connections, one to the internet with a public IP and one to our internal network with a private IP. The default route is set to the ISP's gateway.
I set up the 877 with a DSL connection using SDM (I know, but it's quick) and used NAT to forward port 25 to the internal IP address of the mailserver. Obviously the mailserver does not route the traffic back to the 877 but tries to send it through the ISP's gateway.
The question is: How can I get NAT to translate the source address of the incoming mail to the 877's local IP address?
I seem to remember that Microsoft ISA Server had a tick box on the firewall rules called something like 'Requests appear to come from the ISA server computer'. That's basically what I'm trying to do.
Any ideas?
Thanks,
Chris
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname rrir04
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
enable secret 5 xxxx
!
no aaa new-model
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-1401562236
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1401562236
revocation-check none
rsakeypair TP-self-signed-1401562236
!
!
crypto pki certificate chain TP-self-signed-1401562236
certificate self-signed 01
xxxx
quit
dot11 syslog
ip source-route
!
!
ip cef
no ip domain lookup
ip domain name xxxx
!
!
!
!
username administrator privilege 15 secret 5 xxxx
!
!
!
archive
log config
hidekeys
!
!
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 172.16.7.252 255.255.248.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname xxxx
ppp chap password 7 xxxx
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.16.0 255.255.255.0 172.16.7.254
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 172.16.0.2 25 interface Dialer0 25
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 172.16.0.0 0.0.7.255
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end
02-10-2011 12:35 PM
Hi,
The NAT line seems to be OK.
Did you have to add a secondary route on the Exchange server?
Also, it might be that the connection you are using is a home connection, and the real IP address cannot be reached on destination port 25. Check with your ISP.
Regards,
Sayed
02-10-2011 02:39 PM
Hello Sayed,
Thank you for your reply. If I manually set the default gateway on the mailserver to the 877, everything works ok so I think the standard NAT config is OK.
It's fairly difficult to describe this but basically I need external requests that pass through the NAT to appear to the mailserver as though they are coming from the 877's internal interface.
Hope that makes sense.
Thanks,
Chris
02-11-2011 08:14 PM
Hello Chris,
I don't think it is possible to resolve it the way you are thinking about. Anyway, you can try ip nat outside to translate the outside access to the inside interface, so that the traffic going to the email server appears as if it originated from the inside interface.
So it should look like this:
ip access-list extended 101
permit tcp any host outside_interface_ip eq 25
route-map MAPOUTSIDE
match ip address 101
ip nat outside source route-map MAPOUTSIDE interface fa0/0
The problem is that the 877 doesn't know that it must send the traffic to the Exchange server, even if the traffic appears to originate from the inside interface.
The NAT inside that you are using works much better, but what you need to do is let the Exchange go back on the same route that it came from. Try adding a static route to your Exchange server:
route add -p 0.0.0.0 mask 0.0.0.0 172.16.7.252 metric 10
So in case the default gateway is down, this route will be preferred.
Hope it was helpful.
Regards
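As an added illustration (not part of the thread and not code from either poster), the following Python model of the Exchange host's routing table shows the two situations discussed above: with only the destination NAT from the 877 config, replies to a forwarded SMTP connection follow the host's lowest-metric default route, so while the ISP link is up they bypass the 877 and the connection never completes; once the primary default route disappears, the metric-10 backup route to 172.16.7.252 takes over. It also shows why translating the source to the 877's inside address (what Chris asked for) sidesteps the routing problem entirely, because the reply destination is then on-link. The 172.16.x addresses come from the thread; the ISP gateway 203.0.113.1, the public /29 and the external sender 198.51.100.7 are constructed documentation-range placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: Optional[str]  # None means directly connected (on-link)
    metric: int


def route(prefix: str, gateway: Optional[str], metric: int) -> Route:
    return Route(ipaddress.ip_network(prefix), gateway, metric)


# Constructed routing table for the Exchange host 172.16.0.2.
EXCHANGE_LAN = route("172.16.0.0/21", None, 1)          # Vlan1 subnet from the 877 config
EXCHANGE_PUBLIC = route("203.0.113.0/29", None, 1)       # placeholder public subnet
PRIMARY_DEFAULT = route("0.0.0.0/0", "203.0.113.1", 1)   # ISP gateway (placeholder address)
BACKUP_DEFAULT = route("0.0.0.0/0", "172.16.7.252", 10)  # the "route add -p ... metric 10" from the thread

ROUTER_INSIDE = "172.16.7.252"  # 877 Vlan1 address from the config
SENDER = "198.51.100.7"         # constructed external MTA that connects to port 25


def exchange_table(primary_up: bool) -> List[Route]:
    """Routing table as the host sees it; the ISP default route vanishes when that link is down."""
    table = [EXCHANGE_LAN, EXCHANGE_PUBLIC, BACKUP_DEFAULT]
    if primary_up:
        table.append(PRIMARY_DEFAULT)
    return table


def select_route(table: List[Route], destination: str) -> Optional[Route]:
    """Host-style selection: longest prefix first, then lowest metric."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in table if dst in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))


def next_hop(table: List[Route], destination: str) -> str:
    r = select_route(table, destination)
    if r is None:
        raise ValueError(f"no route to {destination}")
    return r.gateway if r.gateway is not None else f"on-link {r.prefix}"


def reply_reaches_router(table: List[Route], reply_dst: str) -> bool:
    """True when the Exchange reply is handed to the 877, so its NAT table sees both directions."""
    r = select_route(table, reply_dst)
    if r is None:
        return False
    if r.gateway is None:
        return reply_dst == ROUTER_INSIDE  # delivered directly on the LAN
    return r.gateway == ROUTER_INSIDE


if __name__ == "__main__":
    # Destination NAT only (ip nat inside source static tcp ... 25): reply goes to the real sender.
    for up in (True, False):
        t = exchange_table(up)
        print(f"ISP link up={up}: reply to {SENDER} via {next_hop(t, SENDER)}, "
              f"symmetric={reply_reaches_router(t, SENDER)}")
    # Source also translated to the 877's inside address: reply destination is on-link.
    t = exchange_table(True)
    print(f"source NAT to {ROUTER_INSIDE}: via {next_hop(t, ROUTER_INSIDE)}, "
          f"symmetric={reply_reaches_router(t, ROUTER_INSIDE)}")
```

The model makes the trade-off visible: the backup default route only helps once the primary route is gone, so a flapping ISP link still produces half-open SMTP sessions; a source translation to the router's inside address works whether or not the primary route is present, at the cost of the mail server no longer seeing the real sender address in its logs.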