Static/Dynamic - NAT/PAT multiple outside IPs to multiple Inside IPs

Ryan Young
Level 1

Hello again,

I have some questions on how to have multiple NATs or PATs. I have a list of IP addresses that I want to allow incoming to receive emails through SMTP (emails go to our SPAM service, then we only allow incoming emails from that service). But I also want to allow us to send out SMTP to everyone we are trying to email (we don't use the SPAM outgoing service). I think I am overthinking things with ACLs and such. I read about CBAC and am wondering if this is something I want to implement or not. I have a Cisco 3925 router, security and voice. I have it set up and working, but will be bringing a server there, our email server (Exchange). Right now I have this same server set up and working using an ASA system. No problem, except the commands are a bit different from ASDM 6.4 on 8.3 vs IOS 15(2)M6... so I am freaking just a tad. Now we have 7 IP addresses that we can use, the one that is assigned to the router, and 6 others (the 8th is the ISP router). With the help of this community, I was able to enact QoS on the same router I am trying to do this with. I guess I'm not sure where to start. I have the first dynamic NAT all set up. How will the static NAT affect the dynamic NAT I already have set up? What changes do I need to make to Gi0/0 for ACL incoming and outgoing?

Assumptions:
Inside IP set: 172.20.0.0/24
Outside IP set: 192.168.161.240/29
ISP Router: 192.168.161.241
Gi0/0: 192.168.161.242
Incoming trusted email server: 123.123.123.123/32
Inside Email server: 172.20.0.30  255.255.255.0

Current setup:
interface GigabitEthernet0/0
 description *** outside ***
 ip address 192.168.161.242 255.255.255.248
 ip nat outside
 duplex auto
 speed auto
 service-policy output VOICE
 ! community helped me with this part, thanks everyone!!
!
interface GigabitEthernet0/1
 no ip address
 no shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.10
 description ***DATA***
 encapsulation dot1Q 10
 ip address 172.20.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip nat inside source list OUTSIDE interface GigabitEthernet0/0 overload
ip access-list extended OUTSIDE
 permit ip 172.20.0.0 0.0.0.255 any
 permit ip ***other vlans ETC***
!

How would I change the above to allow outgoing SMTP only from the email server (172.20.0.30) and allow 123.123.123.123 incoming SMTP? We need to allow SMTP if Exchange initiated an outgoing SMTP connection to another email server in the world. We also need to allow HTTPS to the Exchange server for everyone, and HTTP for everyone (even though it fails). I'm probably overthinking this.


11 Replies

Walter Astori
Level 1

Can you add the following command:

ip nat outside source static 123.123.123.123 172.20.0.30

I don't understand the outgoing traffic from 172.20.0.30, because this address is in the ACL OUTSIDE (permit ip 172.20.0.0 0.0.0.255 any).

To allow SMTP to another email server in the world you need to add another "ip nat outside source static" for the other external IP address.

 

Sorry, but in my example, my "outside" IP addresses were 192.168.161.240/29. The example of an email server that is allowed to send me emails vs the rest of the world is 123.123.123.123. Wouldn't that be in an ACL somehow? I also need to statically map my email server's inside IP to the "outside" IP, if I am correct, with the following?

ip nat outside source static 192.168.161.243 172.20.0.30

Then how do I allow only 123.123.123.123 to send me SMTP emails and no one else, or allow only 172.20.0.30 to send SMTP and no one else?

To map the email server's inside IP to the outside IP:

ip nat inside source static 172.20.0.30 192.168.161.243

Is the IP address 123.123.123.123 a public or private IP?

The 123.123.123.123 would be an example of one of the public email servers that is allowed to send us emails (there are 14 total).

To allow 123.123.123.123 to send SMTP email to an inside host:

ip nat outside source static 123.123.123.123 <inside_IP_host>

 

I can't NAT someone else's IP address, can I? This would be someone else's email server sending email to our IP 192.168.161.243.

In my example above, I was trying to use IP addresses that wouldn't actually be our public IP address, so in place of our real public IP I gave the 192.168.161.240/29.

Ok, if I get this straight, you have to configure a port forwarding first:

ip nat inside source static tcp 172.20.0.30 25 192.168.161.242 25

Verify the settings with show ip nat translation. There should be an entry now which looks like

Pro Inside global                Inside local          Outside local         Outside global

tcp  192.168.161.242:25  172.20.0.30:25   ---                            ----

Due to the fact that you only want to receive mails from a specific IP address (the spam service) you need to configure an ACL for the gig0/0 interface and apply it in the incoming direction.

At global config mode:

ip access-list extended ALLOW_WAN_ACL
 permit tcp host 123.123.123.123 any eq 25
exit
interface gig0/0
 ip access-group ALLOW_WAN_ACL in

 

At this point you might consider using CBAC, otherwise all return traffic for connections which were initiated from the inside will be blocked until you allow it explicitly in the ALLOW_WAN_ACL. CBAC is a stateful firewall which adds the entries dynamically to your ACL on the WAN interface. A basic configuration is straightforward:

At global config mode type

ip inspect name FW_OUT tcp
ip inspect name FW_OUT udp

interface gig0/0
 ip inspect FW_OUT out

You can use "ip inspect name FW_OUT ?" at the global config mode to see which other protocols for inspection are supported. With the configuration above only basic Layer 4 inspection is performed. Verify with "show ip inspect session <detail>" and "show ip inspect statistics".

Hope this helps

Kind Regards.

 

Thank you very much!! This helps drastically.

To get a better understanding, for the ACL, if I have a TLS FTP server that uses ports 50000-60000 do I have to set each port from 50000-60000 (10,000 entries) or can I do a range in the ACL?

Also, for the ACL, instead of permit tcp host 123.123.123.123 any eq 25, can I choose the external IP or internal IP, so it can only send to that IP and no one else (lock it down even more)? Would I use the internal or external address for that one statement? Would

permit tcp host 123.123.123.123 host 192.168.161.243 eq 25 OR

permit tcp host 123.123.123.123 host 172.20.0.30 eq 25 be correct?

And would:

permit tcp any 172.20.0.35 eq 50000-60000 work?

NEVERMIND... there is ip inspect name FW_OUT ftps and ftp so I'll add those and not have to deal with the stupid huge long ACL. :) Just do the ACL for incoming mail servers. THANKS!!!!

Also, instead of using eq you can use range and put the start and stop in, such as:

permit tcp any any range 50000 60000

but with the inspect name FW_OUT ftps and/or ftp that would fix it. I just need to open up all HTTPS to the mail server for getting mail and all is good.

You're welcome,

If the FTP server is on the inside of your network and the connection is initiated from outside, you have to permit it on the ACL and you have to configure the port forwarding. You may use the range keyword for the ACL:

permit tcp host 123.123.123.123 any range 50000 60000

At least you have to open TCP port 21 on the WAN ACL.

If you use passive FTP this may be tricky with the port forwarding. With active FTP you are fine because the NAT entries are created from the inside and thanks to CBAC you don't have to open up the ACL statically.

The incoming ACL on the WAN interface is processed before NAT, so you have to use the public IP address in the ACL or leave it just as "any".
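The two points that decide whether Ryan's ACL lines work are the ones made in this answer and in the earlier CBAC post: on the WAN interface the inbound ACL is evaluated before the static NAT rewrites the destination, and inspect sessions admit return traffic that no static ACE permits. The following Python model is an added example, not Cisco code and not part of this thread; it replays that order of operations with the thread's addresses (192.168.161.242 as the Gi0/0 address, 172.20.0.30 as the Exchange server, 123.123.123.123 as the spam service) and constructed sample packets. The ACL parser handles only the host/any and eq/range forms used in the thread, and the PAT port allocation is a simplification; the other addresses are documentation ranges chosen for the example.

```python
"""Model of IOS order of operations on the outside interface: inbound ACL first
(packet still carries the public address), then static/overload NAT. Added
example; not a Cisco tool. Port allocation and session tracking are simplified."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

PUBLIC_IP = "192.168.161.242"  # Gi0/0 address from the thread


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: str  # "any" or a single host address
    dst: str
    port_lo: Optional[int]
    port_hi: Optional[int]


def parse_ace(line: str) -> Ace:
    """Parse the ACL subset used in the thread:
    permit|deny tcp|udp|ip (host A|any) (host B|any) [eq N | range N M]"""
    tok = line.split()
    action, proto, i = tok[0], tok[1], 2
    addrs: List[str] = []
    for _ in range(2):
        if tok[i] == "any":
            addrs.append("any")
            i += 1
        elif tok[i] == "host":
            addrs.append(tok[i + 1])
            i += 2
        else:
            raise ValueError(f"unsupported address form in: {line}")
    lo = hi = None
    if i < len(tok):
        if tok[i] == "eq":
            lo = hi = int(tok[i + 1])
        elif tok[i] == "range":
            lo, hi = int(tok[i + 1]), int(tok[i + 2])
        else:
            raise ValueError(f"unsupported port operator in: {line}")
    return Ace(action, proto, addrs[0], addrs[1], lo, hi)


def ace_matches(ace: Ace, p: Packet) -> bool:
    if ace.proto not in ("ip", p.proto):
        return False
    if ace.src not in ("any", p.src) or ace.dst not in ("any", p.dst):
        return False
    return ace.port_lo is None or ace.port_lo <= p.dport <= ace.port_hi


class WanEdge:
    def __init__(self, acl_lines: List[str], static_tcp: Dict[Tuple[str, int], Tuple[str, int]]):
        self.acl = [parse_ace(l) for l in acl_lines]  # ip access-group ... in
        self.static = dict(static_tcp)  # ip nat inside source static tcp ...
        self.pat: Dict[Tuple[str, int], Tuple[str, int]] = {}  # overload table, global -> local
        self.inspect: Set[Tuple[str, str, int, str, int]] = set()  # CBAC sessions
        self._next_port = 1024

    def outbound(self, p: Packet) -> Packet:
        """Inside -> outside: PAT the source and, as 'ip inspect ... out' would,
        record the session so its return traffic bypasses the inbound ACL."""
        gport = self._next_port
        self._next_port += 1
        self.pat[(PUBLIC_IP, gport)] = (p.src, p.sport)
        self.inspect.add((p.proto, p.dst, p.dport, PUBLIC_IP, gport))
        return Packet(p.proto, PUBLIC_IP, gport, p.dst, p.dport)

    def inbound(self, p: Packet) -> Tuple[str, Optional[Packet]]:
        """Outside -> inside: ACL on the untranslated packet, then NAT."""
        if (p.proto, p.src, p.sport, p.dst, p.dport) not in self.inspect:
            verdict = "deny"  # implicit deny at the end of every ACL
            for ace in self.acl:
                if ace_matches(ace, p):
                    verdict = ace.action
                    break
            if verdict != "permit":
                return ("denied-by-acl", None)
        local = self.static.get((p.dst, p.dport)) or self.pat.get((p.dst, p.dport))
        if local is None:
            return ("no-translation", None)
        return ("delivered", Packet(p.proto, p.src, p.sport, local[0], local[1]))


# Constructed sample mirroring the thread. The port-80 ACE deliberately names the
# inside address to show that such an entry never matches on the inbound ACL.
WAN_ACL = [
    "permit tcp host 123.123.123.123 host 192.168.161.242 eq 25",  # spam service only
    "permit tcp any host 192.168.161.242 eq 443",  # HTTPS to Exchange for everyone
    "permit tcp any host 172.20.0.30 eq 80",  # wrong address: ACL runs before NAT
]
STATIC_TCP = {  # ip nat inside source static tcp 172.20.0.30 <port> 192.168.161.242 <port>
    ("192.168.161.242", 25): ("172.20.0.30", 25),
    ("192.168.161.242", 443): ("172.20.0.30", 443),
    ("192.168.161.242", 80): ("172.20.0.30", 80),
}


def demo() -> Dict[str, str]:
    r = WanEdge(WAN_ACL, STATIC_TCP)
    res = {
        "spam_service_smtp": r.inbound(Packet("tcp", "123.123.123.123", 40001, PUBLIC_IP, 25))[0],
        "stranger_smtp": r.inbound(Packet("tcp", "198.51.100.7", 40002, PUBLIC_IP, 25))[0],
        "anyone_https": r.inbound(Packet("tcp", "198.51.100.7", 40003, PUBLIC_IP, 443))[0],
        "anyone_http": r.inbound(Packet("tcp", "198.51.100.7", 40004, PUBLIC_IP, 80))[0],
    }
    # Exchange sends mail out; the remote MTA's reply is admitted by the CBAC session.
    out = r.outbound(Packet("tcp", "172.20.0.30", 50123, "203.0.113.10", 25))
    res["smtp_reply_after_inspect"] = r.inbound(Packet("tcp", "203.0.113.10", 25, out.src, out.sport))[0]
    # The same reply with no prior session: nothing in the static ACL permits it.
    fresh = WanEdge(WAN_ACL, STATIC_TCP)
    res["smtp_reply_without_inspect"] = fresh.inbound(Packet("tcp", "203.0.113.10", 25, PUBLIC_IP, 1024))[0]
    return res


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28s} {verdict}")
```

Running it shows the spam service reaching port 25 and everyone reaching 443 while a stranger on port 25 is denied, the port-80 ACE written against 172.20.0.30 failing to match even though a static translation for port 80 exists, and the SMTP reply to Exchange passing only when an inspect session recorded the outbound connection.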

This is exactly what I needed!

 

THANK YOU.
