11-17-2012 01:21 PM - edited 03-04-2019 06:10 PM
I am trying to publish my exchange server through a router using static NAT:
ip nat inside source static 192.168.X.X Public_IP_Address
Everything works well.
For improved security I wanted to use static PAT with the following:
ip nat inside source static tcp 192.168.X.X 25 Public_IP_Address 25
ip nat inside source static tcp 192.168.X.X 110 Public_IP_Address 110
ip nat inside source static tcp 192.168.X.X 443 Public_IP_Address 443
ip nat inside source static tcp 192.168.X.X 80 Public_IP_Address 80
ip nat inside source static tcp 192.168.X.X 587 Public_IP_Address 587
No ACL applied on the inside and outside interfaces of the router.
Emails are being received on my exchange server from the internet, but when a user from the inside sends an email, the recipient won't receive it and the email gets stuck in the exchange queue. Once I revert back to the static NAT everything works fine again! Any ideas?
11-17-2012 03:35 PM
Can others get out to the internet? What does the rest of your NAT config look like?
11-17-2012 06:11 PM
Hi Wissam,
Static NAT basically allows traffic from outside to inside. But if you specify it without any tcp ports, it works fine from inside to outside and outside to inside.
Add another NAT configuration for inside to outside communication
ip nat inside source list
This shouldn't affect your security concern because it will allow return traffic only for sessions originated from inside.
Thank you
Raju
11-18-2012 05:39 AM
Hi Collin,
My exchange DNS is internal (192.168.2.5) and can reach public DNS through the internet with the rest of the internal users :
ip nat pool
ip nat inside source list 120 pool
access-list 120 permit ip 192.168.2.0 255.255.255.0 any
Hi Raju,
Static NAT is working fine, but it is like exposing my exchange server on the internet, and I want to know what the possible causes are of emails not being sent.
By the way, I tried my static NAT with some ACL applied on the outside interface, and I am having the same problem: emails received but not being sent!! Maybe an ACL with tcp established (tcp inspection) should be added for the return traffic, but I didn't try it.
ip access-list ex Outside-In
permit tcp any host Exchange_Public_IP eq smtp
permit tcp any host Exchange_Public_IP eq pop3
permit tcp any host Exchange_Public_IP eq www
permit tcp any host Exchange_Public_IP eq 443
permit ip any host 2.2.2.2 (Overloaded Public IP)
11-18-2012 06:15 AM
Hi
From your explanation, it is not very clear if you have added dynamic NAT for traffic from the exchange server to outside:
ip nat inside source list
You need to have static NAT with ports + dynamic NAT.
Thank you
Raju
11-18-2012 06:49 AM
You are right Raju, I don't have a dynamic NAT for traffic from exchange; the dynamic NAT is only configured for the internal users. I thought static NAT with ports would have the same effect as static NAT without ports, meaning that it would allow traffic from inside to outside and outside to inside on these specific ports. I will try to add a dynamic NAT for my exchange and I think that it will work! I'll revert back, thank you!
11-18-2012 02:45 PM
Hi Raju,
My config became like the following:
ip nat pool Exchange 1.1.1.1 1.1.1.1 prefix-length X
ip nat inside source list 2 pool Exchange
ip nat inside source static tcp 192.168.X.X 25 1.1.1.1 25 extendable
ip nat inside source static tcp 192.168.X.X 443 1.1.1.1 443 extendable
ip nat inside source static tcp 192.168.X.X 110 1.1.1.1 110 extendable
ip nat inside source static tcp 192.168.X.X 587 1.1.1.1 587 extendable
ip nat inside source static tcp 192.168.X.X 80 1.1.1.1 80 extendable
I added the dynamic NAT for the exchange using a pool holding the unique public IP 1.1.1.1 of the exchange, but it had the same effect as static NAT (everything is opened in both directions) even though the static NAT with specified ports is there for the same IP. I had to add the overload command to the dynamic NAT so the tcp ports took effect:
ip nat inside source list 2 pool Exchange overload
Thanks
11-18-2012 07:07 PM
Hi
There is a difference between the static NAT and the dynamic NAT you are using here.
Static NAT allows any traffic from outside to inside.
Dynamic NAT will allow traffic from outside to inside only if there is traffic originated from inside to outside.
If somebody tries to access any tcp port on your exchange server which is not part of your static NAT, it will be rejected by the router. It will allow only replies for the communications initiated from inside.
Thank you
Raju
11-19-2012 09:28 AM
Hi Raju,
I totally agree with what you are saying, but the problem is that I'm having a weird issue: I can ping my exchange, connect to it remotely ... even though I am specifying the ports in my static PAT. If I add the overload command to my Exchange pool, then it's blocking all the unspecified ports in my static PAT. Am I missing something in the following config?
Exchange public ip: 1.1.1.1 - Internal: 192.168.10.10
Users Public IP: 2.2.2.2 - Internal (192.168.1.0)
ip nat pool Exchange 1.1.1.1 1.1.1.1 prefix-length 30
ip nat pool Client_Access 2.2.2.2 2.2.2.2 prefix-length 30
ip nat inside source list 120 pool Client_Access overload
ip nat inside source list 121 pool Exchange
ip nat inside source static tcp 192.168.10.10 25 1.1.1.1 25 extendable
ip nat inside source static tcp 192.168.10.10 80 1.1.1.1 80 extendable
ip nat inside source static tcp 192.168.10.10 110 1.1.1.1 110 extendable
ip nat inside source static tcp 192.168.10.10 443 1.1.1.1 443 extendable
ip nat inside source static tcp 192.168.10.10 587 1.1.1.1 587 extendable
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
access-list 120 permit ip host 192.168.2.5 any
access-list 120 permit ip host 192.168.2.6 any
access-list 120 permit ip host 192.168.10.3 any
access-list 121 permit ip host 192.168.10.10 any
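To illustrate why the config above exposes every port of 1.1.1.1 once the Exchange server has sent a single outbound mail, here is a small added model (not from the thread, not Cisco code) of the router's inbound translation decision. It assumes the behaviour described in this thread: a non-overload dynamic entry is a simple one-to-one mapping that translates any inbound packet to 1.1.1.1, while an overload entry is extended and only matches the reply to a flow the inside host started. The peer and probe addresses are constructed.

```python
# Model of the NAT translation decision for the three variants in this thread.
# Assumption (observed in the thread): a simple dynamic entry (no "overload")
# translates every inbound packet to its global IP; an overload entry only
# translates the exact reply to an inside-initiated flow.
from dataclasses import dataclass, field

EXCHANGE_INSIDE, EXCHANGE_GLOBAL = "192.168.10.10", "1.1.1.1"
STATIC_PAT_PORTS = {25, 80, 110, 443, 587}   # the "static tcp ... extendable" lines


@dataclass
class Router:
    overload: bool                                   # "overload" on the Exchange pool line
    simple: dict = field(default_factory=dict)       # global_ip -> inside_ip (1:1 entry)
    extended: set = field(default_factory=set)       # (inside_ip, inside_port, peer_ip, peer_port)

    def outbound(self, inside_ip, inside_port, peer_ip, peer_port):
        """Exchange opens a session to a remote mail server (access-list 121 hit)."""
        if self.overload:
            self.extended.add((inside_ip, inside_port, peer_ip, peer_port))
        else:
            self.simple[EXCHANGE_GLOBAL] = inside_ip  # one-to-one entry: all ports follow

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Return the inside host that receives the packet, or None if it is dropped."""
        if dst_ip == EXCHANGE_GLOBAL and dst_port in STATIC_PAT_PORTS:
            return EXCHANGE_INSIDE                    # matches a static PAT entry
        if dst_ip in self.simple:
            return self.simple[dst_ip]                # simple dynamic entry: any port
        for inside_ip, inside_port, peer_ip, peer_port in self.extended:
            if dst_ip == EXCHANGE_GLOBAL and (src_ip, src_port, dst_port) == (
                    peer_ip, peer_port, inside_port):
                return inside_ip                      # reply to an inside-initiated flow
        return None


def exposed_ports(overload, probe_ports=range(1, 1025)):
    """Ports on 1.1.1.1 that a third party reaches after one outbound delivery."""
    r = Router(overload)
    r.outbound(EXCHANGE_INSIDE, 50000, "203.0.113.7", 25)          # constructed peer
    return {p for p in probe_ports
            if r.inbound("198.51.100.9", 40000, EXCHANGE_GLOBAL, p)}  # constructed scanner


if __name__ == "__main__":
    print("no overload:", len(exposed_ports(False)), "ports reachable")   # 1024
    print("overload:   ", sorted(exposed_ports(True)))                   # static PAT only
```

Before the Exchange server sends anything, even the non-overload variant only answers on the static PAT ports, which is why the exposure can look intermittent.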
11-20-2012 08:48 AM
Use different Global IP for Dynamic NAT
I forgot to mention that
Thank you
Raju