ASR1002 routing problem?

ynyng
Level 1

Greetings:

I have a ASR1002 deployed with email servers behind different interfaces. One of these interfaces is NAT'd and the other is not.

My problem is that these email servers are unable to send/receive email to one another.

17 Replies

Philip D'Ath
VIP Alumni

Could you supply the NAT configuration, the ASR interface configuration, and the IP addresses configured on the email servers?

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2016.02.23 20:46:09 =~=~=~=~=~=~=~=~=~=~=~=
CCAUTHORIZED ACCESS ONLY!
All login attempts monitored and logged.
Disconnect now if you are not authorized.
User Access Verification

orb-asr1002-rtr0#sh run
Building configuration...

Current configuration : 8077 bytes
!
! Last configuration change at 12:20:07 Chicago Tue Feb 23 2016 by
!
version 15.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
no platform punt-keepalive disable-kernel-core
!
hostname orb-asr1002-rtr0
!
boot-start-marker
boot system flash bootflash:asr1000rp1-ipbasek9.03.12.00.S.154-2.S-std.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 1000000
logging console critical
enable secret 5
enable password 7
!
aaa new-model
!
!
aaa authentication login local_auth local
!
!
!
!
!
aaa session-id common
clock timezone Chicago -6 0
clock summer-time Chicago date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip source-route
no ip gratuitous-arps
!
!
!
!
!
no ip bootp server
ip domain name
ip name-server 8.8.8.8
ip name-server 8.8.4.4

!
!
!
login block-for 100 attempts 3 within 30
!
!
!
!
!
!
!
subscriber templating
multilink bundle-name authenticated
!
!
!
username  privilege 15 password 7
!
redundancy
 mode none
!
!
!
ip tftp source-interface GigabitEthernet0
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
!
interface GigabitEthernet0/0/0
 description WAN_PUBLIC_CENTURYL
 ip address x.x.x.x 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 negotiation auto
!
interface GigabitEthernet0/0/1
 description LAN_PRIVATE_CUST
 ip address 172.16.1.1 255.240.0.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 negotiation auto
!
interface GigabitEthernet0/0/2
 description LAN_PUBLIC_CUST
 ip address x.x.x.x 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 negotiation auto
!
interface GigabitEthernet0/0/3
 description LAN_PRIVATE_CACHE
 ip address 192.168.100.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 shutdown
 negotiation auto
!
interface GigabitEthernet0/1/0
 description LAN_PUBLIC_SERVERS
 ip address x.x.x.x 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 negotiation auto
!
interface GigabitEthernet0/1/1
 description LAN_PCB
 ip address x.x.x.x 255.255.255.224
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 negotiation auto
!
interface GigabitEthernet0/1/2
 description WRRB_PUBLIC_WIFI
 ip address 192.168.200.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 negotiation auto
!
interface GigabitEthernet0/1/3
 description LAN_WRRB
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 negotiation auto
!
interface GigabitEthernet0/1/4
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 negotiation auto
!
interface GigabitEthernet0/1/5
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 negotiation auto
!
interface GigabitEthernet0/1/6
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 negotiation auto
!
interface GigabitEthernet0/1/7
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 negotiation auto
!
interface GigabitEthernet0
 description LAN_PRIVATE_MGMT
 vrf forwarding Mgmt-intf
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 negotiation auto
!
ip nat translation timeout 3600
ip nat translation tcp-timeout 3600
ip nat translation pptp-timeout 3600
ip nat translation udp-timeout 150
ip nat translation finrst-timeout 2
ip nat translation syn-timeout 2
ip nat translation dns-timeout 30
ip nat translation icmp-timeout 30
ip nat translation max-entries 400000
ip nat pool PRIVATE_NAT_POOL x.x.x.x prefix-length 24
ip nat inside source list 1 pool PRIVATE_NAT_POOL overload
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 x.x.x.x permanent
ip route x.x.x.x 255.255.255.240 GigabitEthernet0/1/1 x.x.x.x
!
ip access-list standard MGMT_ACCESS
 permit x.x.x.x 0.0.0.255
 permit 172.16.0.0 0.15.255.255
 permit x.x.x.x 0.0.1.255
 deny   any
!
!
logging trap debugging
logging facility local2
access-list 1 permit 172.16.0.0 0.15.255.255
access-list 100 permit udp any any eq bootpc
access-list 111 permit udp 172.16.0.0 0.15.255.255 any
access-list 111 permit tcp 172.16.0.0 0.15.255.255 any
access-list 111 permit icmp 172.16.0.0 0.15.255.255 any
dialer-list 1 protocol ip permit
!
!
!
!
!
control-plane
!
banner motd ^CCCAUTHORIZED ACCESS ONLY!
All login attempts monitored and logged.
Disconnect now if you are not authorized.^C
!
line con 0
 exec-timeout 5 0
 login authentication local_auth
 transport output telnet
 stopbits 1
line aux 0
 login authentication local_auth
 transport output telnet
 stopbits 1
line vty 0 4
 access-class MGMT_ACCESS in
 privilege level 15
 password 7
 login authentication local_auth
 transport input telnet ssh
line vty 5 15
 access-class MGMT_ACCESS in
!
!
end

orb-asr1002-rtr0#ex

Email server #1 is behind g0/0/2 with a public IP in the interface.

Email server #2 is behind g0/1/3 with a private IP in the interface.

GigabitEthernet0/0/2 has no NAT configuration, and GigabitEthernet0/1/3 has only an inside configuration.  So both of these interfaces will be able to communicate freely.

Check out your email server configuration issue.  That is where the issue will lie.  It could be a bad default gateway, bad subnet mask, Windows firewall, or perhaps an actual email server issue.

I omitted the NATs ignoring their relevance (stupid me). There is no NAT for g0/0/2. Here is the NAT configuration for g0/1/3:

ip nat inside source static 10.10.10.2 x.x.x.x (public IP)

It is not the ASR causing your issue.  The traffic will be allowed to flow freely.

I will do more checking, thank you for the input

I was able to fix an email server setting that allowed the private network to send email to the public network.

However, I am still unable to access the private network from any of my public networks via the private network's NAT'd public IP. From the public networks on the router, I can only access the private networks via the private network. I cannot access them via the NAT'd public IP.

Interestingly, private devices behind g0/0/1 are able to access the other private network via both the private and public IP.

Any additional thoughts?

The NAT process takes place as traffic flows from one interface to another, from an "ip nat inside" interface to an "ip nat outside" interface, or vice versa.

I think traffic is flowing between interfaces which are both "ip nat inside"?  If so, it won't be possible to make the public IP NAT work between these two.

I agree with Philip.  Because the traffic is not going between 2 NAT enabled interfaces (1 inside and 1 outside), your proposed configuration is moot.  This leaves you with 2 choices:

  1. Set your mail servers to forward to each other via private IPs (static IP setting, internal DNS, hosts file, etc...)
  2. Enable "ip nat outside" on interface Gi0/0/2.

The latter option will probably break other communication, so you will need to build a more robust NAT exemption between Gi0/0/2 and other interfaces.

PSC
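The following is an added illustration of the second option in the reply above, written for this page and not taken from the poster's configuration or from any of the repliers. It assumes the x.x.x.x/24 on GigabitEthernet0/0/2 is represented by the placeholder PUBLIC_CUST_NET, and it uses an extended ACL in place of the existing standard access-list 1 so that traffic from the 172.16.0.0/12 private LAN toward the public customer LAN is exempt from the overload pool and only Internet-bound traffic is PAT'd. The static entry for 10.10.10.2 is left untouched: once Gi0/0/2 is "ip nat outside", a packet from email server #1 to the NAT'd public IP is destination-translated on ingress (NAT before routing on an outside interface) and forwarded to Gi0/1/3, and replies from 10.10.10.2 are source-translated on the way back.

```cisco
! Added example for this thread (not the original poster's config).
! PUBLIC_CUST_NET is a placeholder for the x.x.x.x/24 on Gi0/0/2.
!
! 1. Make the public customer LAN a NAT outside domain so the static
!    mapping for 10.10.10.2 applies to traffic crossing Gi0/0/2.
interface GigabitEthernet0/0/2
 description LAN_PUBLIC_CUST
 ip nat outside
!
! 2. Exemption for the dynamic (overload) translation: private hosts
!    talking to the public customer LAN keep their real addresses;
!    everything else from 172.16.0.0/12 is still PAT'd to the pool.
ip access-list extended NAT_PRIVATE_TO_INTERNET
 deny   ip 172.16.0.0 0.15.255.255 PUBLIC_CUST_NET 0.0.0.255
 permit ip 172.16.0.0 0.15.255.255 any
!
! 3. Swap the pool rule from the standard list to the extended one.
no ip nat inside source list 1 pool PRIVATE_NAT_POOL overload
ip nat inside source list NAT_PRIVATE_TO_INTERNET pool PRIVATE_NAT_POOL overload
!
! Unchanged: the existing static entry for email server #2.
! ip nat inside source static 10.10.10.2 x.x.x.x
```

After applying this, "show ip nat translations" should show the 10.10.10.2 entry being used for sessions initiated from the Gi0/0/2 subnet, and the deny line in NAT_PRIVATE_TO_INTERNET should accumulate matches for private-to-public-LAN traffic instead of pool translations. Any other inside interface that also needs to reach the Gi0/0/2 subnet untranslated needs its own deny line before the permit, since an extended ACL only exempts what it explicitly denies.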

Thank you both very much for the input.

It would be great if you could rate helpful answers.

Thanks for your reply Philip. I was hoping there was some sort of ip route command that I could issue...
