Simple NAT

Chris Shaw
Level 1

Hello All,

Our main internet connection went down today and I realised that I really should have a backup plan in place to handle inbound email. Luckily I had a Cisco 877 knocking around doing not much. The mail server (Microsoft Exchange) has two network connections, one to the internet with a public IP and one to our internal network with a private IP. The default route is set to the ISP's gateway.

I set up the 877 with a DSL connection using SDM (I know, but it's quick) and used NAT to forward port 25 to the internal IP address of the mailserver. Obviously the mailserver does not route the traffic back to the 877 but tries to send it through the ISP's gateway.

The question is: How can I get NAT to translate the source address of the incoming mail to the 877's local IP address?

I seem to remember that Microsoft ISA Server had a tick box on the firewall rules called something like 'Requests appear to come from the ISA server computer'. That's basically what I'm trying to do.

Any ideas?

Thanks,

Chris

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname rrir04
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
enable secret 5 xxxx
!
no aaa new-model
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-1401562236
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1401562236
 revocation-check none
 rsakeypair TP-self-signed-1401562236
!
!
crypto pki certificate chain TP-self-signed-1401562236
 certificate self-signed 01
  xxxx
  quit
dot11 syslog
ip source-route
!
!
ip cef
no ip domain lookup
ip domain name xxxx
!
!
!
!
username administrator privilege 15 secret 5 xxxx
!
!
!
archive
 log config
  hidekeys
!
!
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 172.16.7.252 255.255.248.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname xxxx
 ppp chap password 7 xxxx
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.16.0 255.255.255.0 172.16.7.254
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 172.16.0.2 25 interface Dialer0 25
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 172.16.0.0 0.0.7.255
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end

3 Replies

289114
Level 1

Hi,

The NAT line seems to be OK. Did you have to add a secondary route on the Exchange server?
Also, it might be that the connection you are using is a home connection, and the real IP address cannot be reached on destination port 25. Check with your ISP.

Regards,

Sayed

Hello Sayed,

Thank you for your reply. If I manually set the default gateway on the mailserver to the 877, everything works OK, so I think the standard NAT config is OK.

It's fairly difficult to describe this but basically I need external requests that pass through the NAT to appear to the mailserver as though they are coming from the 877's internal interface.

Hope that makes sense.

Thanks,

Chris

Hello Chris,

I don't think it is possible to resolve it the way you are thinking about. Anyway, you can try ip nat outside to translate the outside access to the inside interface, so that the traffic going to the email server appears as if it originated from the inside interface.

So it should look like this:

ip access-list extended 101
 permit tcp any host outside_interface_ip eq 25
!
route-map MAPOUTSIDE permit 10
 match ip address 101
!
ip nat outside source route-map MAPOUTSIDE interface fa0/0


The problem is that the 877 doesn't know that it must send the traffic to the Exchange server, even if the traffic appears to originate from the inside interface.

The NAT inside that you are using works much better, but what you need to do is let the Exchange server go back on the same route it came in on. Try adding a static route on your Exchange server:

route add -p 0.0.0.0 mask 0.0.0.0 172.16.7.252 metric 10

So in case the default gateway is down, this route will be preferred.

Hope it was helpful.
Regards
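To make the return-path problem in this thread concrete, here is a small Python model (added here; it is not code from the thread or from Cisco) of how the Exchange host picks the next hop for its SMTP reply after the 877 has translated the packet. The RFC 1918 addresses are the ones from the post; the public-side addresses and the remote sender are documentation-range placeholders, and "ISP down" is modelled simply as Windows having withdrawn the primary default route.

```python
import ipaddress

# Constructed model of the topology in the post (example only, not output from the 877).
DIALER_IP = "198.51.100.77"     # placeholder for the 877's negotiated Dialer0 address
ISP_GATEWAY = "203.0.113.1"     # placeholder for the ISP gateway on the Exchange public NIC
EXCHANGE_INSIDE = "172.16.0.2"  # from the static NAT line in the post
ROUTER_INSIDE = "172.16.7.252"  # the 877's Vlan1 address from the post

# Exchange routing table: (prefix, next hop or None for on-link, metric)
EXCHANGE_ROUTES = [
    ("203.0.113.0/29", None, 1),        # public NIC subnet (placeholder)
    ("172.16.0.0/21", None, 1),         # internal NIC subnet, same /21 as Vlan1
    ("0.0.0.0/0", ISP_GATEWAY, 1),      # normal default route
    ("0.0.0.0/0", ROUTER_INSIDE, 10),   # backup default route suggested in the thread
]

def next_hop(routes, dst):
    """Longest-prefix match, then lowest metric. Returns the next hop or 'on-link'."""
    d = ipaddress.ip_address(dst)
    best = None
    for prefix, nh, metric in routes:
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or (net.prefixlen, -metric) > best[0]):
            best = ((net.prefixlen, -metric), nh or "on-link")
    return best[1] if best else None

def router_nat(src, dst, dport, rewrite_source=False):
    """Model the 877's inside static NAT for port 25; optionally also source-NAT to Vlan1."""
    if dst == DIALER_IP and dport == 25:
        dst = EXCHANGE_INSIDE
        if rewrite_source:
            src = ROUTER_INSIDE
    return src, dst, dport

def reply_next_hop(sender, rewrite_source=False, isp_up=True):
    """Where Exchange sends its SMTP reply for a session that arrived through the 877."""
    src, _dst, _port = router_nat(sender, DIALER_IP, 25, rewrite_source)
    routes = EXCHANGE_ROUTES if isp_up else [r for r in EXCHANGE_ROUTES if r[1] != ISP_GATEWAY]
    return next_hop(routes, src)  # the reply is addressed to the (translated) source

if __name__ == "__main__":
    sender = "192.0.2.25"  # constructed remote mail server
    print("port-forward only, ISP up:  ", reply_next_hop(sender))                       # ISP gateway (asymmetric)
    print("port-forward only, ISP down:", reply_next_hop(sender, isp_up=False))         # 172.16.7.252 via backup route
    print("source-NAT to Vlan1:        ", reply_next_hop(sender, rewrite_source=True))  # on-link, 877 either way
```

The on-link result is the point of the original question: once the source is rewritten to 172.16.7.252 the reply matches the directly connected /21 and the default route is never consulted, whereas the metric-10 backup route only helps after the primary default route has actually been withdrawn.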
