Static PAT for MS Exchange on a router

wissamnad
Level 1

I am trying to publish my exchange server through a router using static NAT:

ip nat inside source static 192.168.X.X Public_IP_Address

Everything works well.

For improved security I wanted to use static PAT with the following:

ip nat inside source static tcp 192.168.X.X 25 Public_IP_Address 25

ip nat inside source static tcp 192.168.X.X 110 Public_IP_Address 110

ip nat inside source static tcp 192.168.X.X 443 Public_IP_Address 443

ip nat inside source static tcp 192.168.X.X 80 Public_IP_Address 80

ip nat inside source static tcp 192.168.X.X 587 Public_IP_Address 587

No ACL applied on the inside and outside interfaces of the router.

Emails are being received on my exchange server from the internet, but when a user from the inside sends an email, the recipient won't receive it and the email is stuck in the exchange queue. Once I revert back to the static NAT everything works fine again! Any ideas?


Collin Clark
VIP Alumni

Can others get out to the internet? What does the rest of your NAT config look like?

Raju Sekharan
Cisco Employee

Hi Wissam,

Static NAT is basically allowing traffic from outside to inside. But if you specify it without any TCP ports, it works fine from inside to outside and from outside to inside.

Add another NAT configuration for inside-to-outside communication:

ip nat inside source list pool

This shouldn't affect your security concern because it will allow return traffic only for sessions originated from inside.

Thank you

Raju

Hi Collin,

My exchange DNS is internal (192.168.2.5) and can reach public DNS through the internet together with the rest of the internal users:

ip nat pool 2.2.2.2 2.2.2.2 prefix 30

ip nat inside source list 120 pool overload

access-list 120 permit ip 192.168.2.0 0.0.0.255 any

Hi Raju,

Static NAT is working fine, but it is like exposing my exchange server on the internet, and I want to know what the possible causes are of emails not being sent.

By the way, I tried my static NAT with some ACLs applied on the outside interface, and I am having the same problem: emails are received but not sent! Maybe an ACL with tcp established (TCP inspection) should be added for the return traffic, but I didn't try it.

ip access-list extended Outside-In

permit tcp any host Exchange_Public_IP eq smtp

permit tcp any host Exchange_Public_IP eq pop3

permit tcp any host Exchange_Public_IP eq www

permit tcp any host Exchange_Public_IP eq 443

! 2.2.2.2 is the overloaded public IP of the internal users
permit ip any host 2.2.2.2

Accepted solution

Hi

From your explanation, it is not very clear if you have added dynamic NAT for traffic from the exchange server to outside:

ip nat inside source list pool ==>> Dynamic nat to allow traffic from exchange server to outside

You need to have static NAT with ports + dynamic NAT.

Thank you

Raju

You are right Raju, I don't have a dynamic NAT for traffic from exchange; the dynamic NAT is only configured for the internal users. I thought static NAT with ports would have the same effect as static NAT without ports, meaning that it would allow traffic from inside to outside and from outside to inside on these specific ports. I will try to add a dynamic NAT for my exchange and I think that it will work! I'll revert back, thank you!

Hi Raju,

My config became like the following:

ip nat pool Exchange 1.1.1.1 1.1.1.1 prefix-length X

ip nat inside source list 2 pool Exchange

ip nat inside source static tcp 192.168.X.X 25 1.1.1.1 25 extendable

ip nat inside source static tcp 192.168.X.X 443 1.1.1.1 443 extendable

ip nat inside source static tcp 192.168.X.X 110 1.1.1.1 110 extendable

ip nat inside source static tcp 192.168.X.X 587 1.1.1.1 587 extendable

ip nat inside source static tcp 192.168.X.X 80 1.1.1.1 80 extendable

I added the dynamic NAT for the exchange using a pool holding the unique public IP 1.1.1.1 of the exchange, but it had the same effect as static NAT (everything is opened in both directions) even though the static NAT with specified ports is there for the same IP. I had to add the overload command to the dynamic NAT so the TCP ports took effect:

ip nat inside source list 2 pool Exchange overload

Thanks

Hi

There is a difference between the static NAT and the dynamic NAT you are using here.

Static NAT allows any traffic from outside to inside.

Dynamic NAT will allow traffic from outside to inside only if there is traffic originated from inside to outside.

If somebody tries to access any TCP port on your exchange server which is not part of your static NAT, it will be rejected by the router. It will allow only replies for the communications initiated from inside.

Thank you

Raju

Hi Raju,

I totally agree with what you are saying, but the problem is that I'm having a weird issue: I can ping my exchange, connect to it remotely ... even though I am specifying the ports in my static PAT. If I add the overload command to my Exchange pool then it blocks all the ports not specified in my static PAT. Am I missing something in the following config?

Exchange public ip: 1.1.1.1 - Internal: 192.168.10.10

Users Public IP: 2.2.2.2 - Internal (192.168.1.0)

ip nat pool Exchange 1.1.1.1 1.1.1.1 prefix-length 30

ip nat pool Client_Access 2.2.2.2 2.2.2.2 prefix-length 30

ip nat inside source list 120 pool Client_Access overload

ip nat inside source list 121 pool Exchange

ip nat inside source static tcp 192.168.10.10 25 1.1.1.1 25 extendable

ip nat inside source static tcp 192.168.10.10 80 1.1.1.1 80 extendable

ip nat inside source static tcp 192.168.10.10 110 1.1.1.1 110 extendable

ip nat inside source static tcp 192.168.10.10 443 1.1.1.1 443 extendable

ip nat inside source static tcp 192.168.10.10 587 1.1.1.1 587 extendable

!

access-list 23 permit 10.10.10.0 0.0.0.7

access-list 120 permit ip 192.168.1.0 0.0.0.255 any

access-list 120 permit ip host 192.168.2.5 any

access-list 120 permit ip host 192.168.2.6 any

access-list 120 permit ip host 192.168.10.3 any

access-list 121 permit ip host 192.168.10.10 any

Use a different global IP for the dynamic NAT.

I forgot to mention that.

Thank you

Raju
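To make the behaviour the thread works through concrete, here is an added Python model of how an IOS-style NAT table admits or drops a flow under each of the four configurations tried above (static NAT, static PAT only, static PAT plus plain dynamic NAT, static PAT plus dynamic NAT with overload). It is my own simplification written for this page, not Cisco code and not from anyone in the thread. The addresses 192.168.10.10 and 1.1.1.1 and the five PAT ports are taken from the posts; the Flow and NatRouter classes, the scenario names, and the Internet hosts 203.0.113.25 and 198.51.100.7 are constructed for the example.

```python
from dataclasses import dataclass, field

# Values from the thread: Exchange is 192.168.10.10 inside, 1.1.1.1 outside,
# with static PAT lines for these five TCP ports.
EXCHANGE_LOCAL = "192.168.10.10"
EXCHANGE_GLOBAL = "1.1.1.1"
PAT_PORTS = {25, 80, 110, 443, 587}

# Constructed Internet hosts for the sample flows (documentation ranges, not real peers).
REMOTE_MTA = "203.0.113.25"
SCANNER = "198.51.100.7"


@dataclass(frozen=True)
class Flow:
    """One TCP conversation, keyed on the inside host's side of it."""
    local: str    # inside-local address (the Exchange host)
    lport: int    # port on the inside host
    remote: str   # Internet host
    rport: int    # port on the Internet host


@dataclass
class NatRouter:
    """Toy model of the IOS NAT styles discussed in the thread (my own simplification, not IOS code)."""
    static_host: set = field(default_factory=set)    # 'ip nat inside source static L G': all ports, both ways
    static_pat: set = field(default_factory=set)     # (L, port) from 'ip nat inside source static tcp L p G p'
    dynamic_hosts: set = field(default_factory=set)  # hosts matched by the ACL of 'ip nat inside source list'
    overload: bool = False                           # whether that list/pool line carries 'overload'
    table: set = field(default_factory=set)          # dynamic translation entries created by outbound traffic

    def outbound(self, f: Flow) -> bool:
        """Inside -> outside. True if the packet is translated, False if it has no translation (dropped)."""
        if f.local in self.static_host or (f.local, f.lport) in self.static_pat:
            return True
        if f.local in self.dynamic_hosts:
            if self.overload:
                # PAT: the entry is the whole flow, so only its own return packets match later.
                self.table.add(("pat", f.local, f.lport, f.remote, f.rport))
            else:
                # Plain dynamic NAT: a one-to-one host entry that, while it lives, maps every port.
                self.table.add(("host", f.local))
            return True
        return False  # Exchange's outbound SMTP lands here in the 'static PAT only' case


    def inbound(self, f: Flow) -> bool:
        """Outside -> inside for a packet addressed to the global IP. True if it reaches the host."""
        if f.local in self.static_host or (f.local, f.lport) in self.static_pat:
            return True
        if ("host", f.local) in self.table:
            return True  # the host entry admits any port, which is what the thread observed
        return ("pat", f.local, f.lport, f.remote, f.rport) in self.table


def scenario(kind: str) -> dict:
    """Replay one of the four configurations from the thread and report which flows get through."""
    r = NatRouter()
    if kind == "static_nat":
        r.static_host.add(EXCHANGE_LOCAL)
    else:
        r.static_pat = {(EXCHANGE_LOCAL, p) for p in PAT_PORTS}
        if kind in ("pat_plus_dynamic", "pat_plus_overload"):
            r.dynamic_hosts.add(EXCHANGE_LOCAL)
            r.overload = kind == "pat_plus_overload"
        elif kind != "static_pat_only":
            raise ValueError(kind)
    smtp_out = Flow(EXCHANGE_LOCAL, 50123, REMOTE_MTA, 25)  # Exchange delivering mail from an ephemeral port
    smtp_in = Flow(EXCHANGE_LOCAL, 25, SCANNER, 40001)      # an Internet MTA delivering mail to Exchange
    rdp_in = Flow(EXCHANGE_LOCAL, 3389, SCANNER, 40002)     # a port that is NOT in the static PAT list
    return {
        "outbound_smtp": r.outbound(smtp_out),
        "smtp_reply": r.inbound(smtp_out),  # the remote MTA's answer: same flow, reverse direction
        "inbound_smtp": r.inbound(smtp_in),
        "inbound_3389": r.inbound(rdp_in),
    }


if __name__ == "__main__":
    for kind in ("static_nat", "static_pat_only", "pat_plus_dynamic", "pat_plus_overload"):
        print(f"{kind:18} {scenario(kind)}")
```

Run as a script it prints one line per configuration: "static_pat_only" is the original symptom (inbound port 25 accepted, outbound SMTP never translated, so mail sits in the queue), "pat_plus_dynamic" reproduces the "everything is opened" observation because the non-overload host entry maps every port once Exchange has sent anything, and "pat_plus_overload" is the intended state, where only the five published ports and the replies to Exchange's own sessions get in. The model leaves out translation timeouts (the host entry never expires here) and the question of sharing one global address between the static lines and the dynamic pool, which is what the final reply about using a different global IP addresses.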