03-24-2012 11:09 PM - edited 03-07-2019 05:45 AM
Hello experts
I have a network with the following structure:
internet ---- cisco2911 ----cisco3750 --- internal lan
I have two email servers on different VLANs:
192.168.0.1 ----- 1.1.1.2 (public ip)
10.1.1.65 ---- 1.1.1.3 (public ip)
Before, these servers were directly connected to the internet with two NICs (nightmare, I know): the public IP on the internet-facing NIC and the private IP on the LAN-facing NIC. I'm in the process of changing this.
I'm able to access the internet from my VLANs and am also able to send emails, but I cannot receive emails on these servers.
My router config is as follows:
Building configuration...
Current configuration : 6234 bytes
!
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname test
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200
logging console critical
enable secret 5 $1$J5q4$Drx.ygmtmk73532oWME/N0
!
no aaa new-model
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
!
!
no ip bootp server
ip domain name yourdomain.com
ip name-server 4.4.4.4
ip name-server 4.4.4.5
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
ip tcp synwait-time 10
!
interface Embedded-Service-Engine0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
!
!
interface GigabitEthernet0/1
description Inside LAN
ip address 10.0.0.2 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/2
description Link to internet
ip address 1.1.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
router rip
version 2
network 10.0.0.0
network 192.168.0.0
!
ip forward-protocol nd
!
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface GigabitEthernet0/2 overload
ip nat inside source static 192.168.0.1 1.1.1.2
ip nat inside source static 10.1.1.65 1.1.1.3
ip route 0.0.0.0 0.0.0.0 2.2.2.2
ip route 10.1.1.0 255.255.255.0 10.0.0.1
ip route 192.168.0.0 255.255.255.0 10.0.0.1
!
logging trap debugging
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 permit 10.1.1.0 0.0.0.255
!
no cdp run
!
!
control-plane
!
!
!
line con 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
scheduler allocate 20000 1000
end
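As an added example (not part of this thread), a small Python check that parses the interface, static NAT and static route lines of the config above and reports anything that would stop inbound traffic from reaching a statically NATed host: a route whose next hop sits on no connected subnet, or an inside local address that is not reached through the 'ip nat inside' interface. The config excerpt is constructed from the posted lines; on them the only finding is the default route's next hop 2.2.2.2 lying outside 1.1.1.0/24, which may just be address sanitization in the post.

```python
import ipaddress
import re

# Constructed excerpt of the config posted above (only the lines this check reads).
CONFIG = """\
interface GigabitEthernet0/1
 ip address 10.0.0.2 255.255.255.248
 ip nat inside
interface GigabitEthernet0/2
 ip address 1.1.1.1 255.255.255.0
 ip nat outside
ip nat inside source static 192.168.0.1 1.1.1.2
ip nat inside source static 10.1.1.65 1.1.1.3
ip route 0.0.0.0 0.0.0.0 2.2.2.2
ip route 10.1.1.0 255.255.255.0 10.0.0.1
ip route 192.168.0.0 255.255.255.0 10.0.0.1
"""

def parse(config):
    # Per-interface subnet and NAT role, static NAT (local, global) pairs, static routes.
    ifaces, statics, routes, cur = {}, [], [], None
    for s in map(str.strip, config.splitlines()):
        if s.startswith("interface "):
            ifaces[(cur := s.split()[1])] = {"net": None, "nat": None}
        elif cur and (m := re.match(r"ip address (\S+) (\S+)$", s)):
            ifaces[cur]["net"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif cur and (m := re.match(r"ip nat (inside|outside)$", s)):
            ifaces[cur]["nat"] = m[1]
        elif m := re.match(r"ip nat inside source static (\S+) (\S+)$", s):
            statics.append((ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2])))
        elif m := re.match(r"ip route (\S+) (\S+) (\S+)$", s):
            routes.append((ipaddress.ip_network(f"{m[1]}/{m[2]}"), ipaddress.ip_address(m[3])))
    return ifaces, statics, routes

def egress(ifaces, routes, ip):
    # Interface carrying traffic to ip: a connected subnet, else the longest-matching static route's next hop (which must itself be connected).
    connected = lambda a: next((n for n, d in ifaces.items() if d["net"] and a in d["net"]), None)
    best = max((r for r in routes if ip in r[0]), key=lambda r: r[0].prefixlen, default=None)
    return connected(ip) or (connected(best[1]) if best else None)

def check(config):
    # Findings that would stop inbound traffic from reaching a statically NATed host.
    ifaces, statics, routes = parse(config)
    findings = [f"route {n}: next hop {nh} is not on any connected subnet"
                for n, nh in routes if egress(ifaces, routes, nh) is None]
    for local, glob in statics:
        i = egress(ifaces, routes, local)
        if i is None or ifaces[i]["nat"] != "inside":
            findings.append(f"static NAT {local}->{glob}: inside host is not behind an 'ip nat inside' interface")
    return findings
```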
03-29-2012 07:03 AM
My suggestions are:
1. It's very possible that you can initiate connections in only one direction because there is a firewall without an explicit permission for connection initiation from outside.
2. Try whether you can ping 1.1.1.2 or 1.1.1.3 from the Internet.
3. Try whether you can access 1.1.1.2's or 1.1.1.3's web server.
4. Set up a monitor session or install packet sniffer software on the mail server and try whether you can capture any TCP SYN from the Internet.