02-28-2016 01:58 PM - edited 03-08-2019 04:45 AM
Greetings:
I have an ASR1002 deployed with email servers behind different interfaces. One of these interfaces is NAT'd and the other is not.
My problem is that these email servers are unable to send/receive email to one another.
02-28-2016 04:27 PM
Could you supply the NAT configuration, ASR interface configuration, and IP addresses configured on the email servers?
02-28-2016 04:55 PM
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2016.02.23 20:46:09 =~=~=~=~=~=~=~=~=~=~=~=
CCAUTHORIZED ACCESS ONLY!
All login attempts monitored and logged.
Disconnect now if you are not authorized.
User Access Verification
orb-asr1002-rtr0#sh run
Building configuration...
Current configuration : 8077 bytes
!
! Last configuration change at 12:20:07 Chicago Tue Feb 23 2016 by
!
version 15.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
no platform punt-keepalive disable-kernel-core
!
hostname orb-asr1002-rtr0
!
boot-start-marker
boot system flash bootflash:asr1000rp1-ipbasek9.03.12.00.S.154-2.S-std.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 1000000
logging console critical
enable secret 5
enable password 7
!
aaa new-model
!
!
aaa authentication login local_auth local
!
!
!
!
!
aaa session-id common
clock timezone Chicago -6 0
clock summer-time Chicago date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip source-route
no ip gratuitous-arps
!
!
!
!
!
no ip bootp server
ip domain name
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
!
!
login block-for 100 attempts 3 within 30
!
!
!
!
!
!
!
subscriber templating
multilink bundle-name authenticated
!
!
!
username privilege 15 password 7
!
redundancy
mode none
!
!
!
ip tftp source-interface GigabitEthernet0
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
!
interface GigabitEthernet0/0/0
description WAN_PUBLIC_CENTURYL
ip address x.x.x.x 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
negotiation auto
!
interface GigabitEthernet0/0/1
description LAN_PRIVATE_CUST
ip address 172.16.1.1 255.240.0.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
negotiation auto
!
interface GigabitEthernet0/0/2
description LAN_PUBLIC_CUST
ip address x.x.x.x 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
negotiation auto
!
interface GigabitEthernet0/0/3
description LAN_PRIVATE_CACHE
ip address 192.168.100.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
shutdown
negotiation auto
!
interface GigabitEthernet0/1/0
description LAN_PUBLIC_SERVERS
ip address x.x.x.x 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
negotiation auto
!
interface GigabitEthernet0/1/1
description LAN_PCB
ip address x.x.x.x 255.255.255.224
no ip redirects
no ip unreachables
no ip proxy-arp
negotiation auto
!
interface GigabitEthernet0/1/2
description WRRB_PUBLIC_WIFI
ip address 192.168.200.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
negotiation auto
!
interface GigabitEthernet0/1/3
description LAN_WRRB
ip address 10.10.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
negotiation auto
!
interface GigabitEthernet0/1/4
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
negotiation auto
!
interface GigabitEthernet0/1/5
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
negotiation auto
!
interface GigabitEthernet0/1/6
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
negotiation auto
!
interface GigabitEthernet0/1/7
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
negotiation auto
!
interface GigabitEthernet0
description LAN_PRIVATE_MGMT
vrf forwarding Mgmt-intf
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
negotiation auto
!
ip nat translation timeout 3600
ip nat translation tcp-timeout 3600
ip nat translation pptp-timeout 3600
ip nat translation udp-timeout 150
ip nat translation finrst-timeout 2
ip nat translation syn-timeout 2
ip nat translation dns-timeout 30
ip nat translation icmp-timeout 30
ip nat translation max-entries 400000
ip nat pool PRIVATE_NAT_POOL x.x.x.x prefix-length 24
ip nat inside source list 1 pool PRIVATE_NAT_POOL overload
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 x.x.x.x permanent
ip route x.x.x.x 255.255.255.240 GigabitEthernet0/1/1 x.x.x.x
!
ip access-list standard MGMT_ACCESS
permit x.x.x.x 0.0.0.255
permit 172.16.0.0 0.15.255.255
permit x.x.x.x 0.0.1.255
deny any
!
!
logging trap debugging
logging facility local2
access-list 1 permit 172.16.0.0 0.15.255.255
access-list 100 permit udp any any eq bootpc
access-list 111 permit udp 172.16.0.0 0.15.255.255 any
access-list 111 permit tcp 172.16.0.0 0.15.255.255 any
access-list 111 permit icmp 172.16.0.0 0.15.255.255 any
dialer-list 1 protocol ip permit
!
!
!
!
!
control-plane
!
banner motd ^CCCAUTHORIZED ACCESS ONLY!
All login attempts monitored and logged.
Disconnect now if you are not authorized.^C
!
line con 0
exec-timeout 5 0
login authentication local_auth
transport output telnet
stopbits 1
line aux 0
login authentication local_auth
transport output telnet
stopbits 1
line vty 0 4
access-class MGMT_ACCESS in
privilege level 15
password 7
login authentication local_auth
transport input telnet ssh
line vty 5 15
access-class MGMT_ACCESS in
!
!
end
orb-asr1002-rtr0#ex
02-28-2016 04:57 PM
Email server #1 is behind g0/0/2 with a public IP in the interface.
Email server #2 is behind g0/1/3 with a private IP in the interface.
02-28-2016 05:01 PM
GigabitEthernet0/0/2 has no NAT configuration, and GigabitEthernet0/1/3 has only an inside configuration. So both of these interfaces will be able to communicate freely.
Check out your email server configuration issue. That is where the issue will lie. It could be a bad default gateway, bad subnet mask, Windows firewall, or perhaps an actual email server issue.
02-28-2016 07:09 PM
I omitted the NATs ignoring their relevance (stupid me). There is no NAT for g0/0/2. Here is the NAT configuration for g0/1/3:
ip nat inside source static 10.10.10.2 x.x.x.x (public IP)
02-28-2016 07:10 PM
It is not the ASR causing your issue. The traffic will be allowed to flow freely.
02-29-2016 07:22 AM
I will do more checking, thank you for the input.
03-03-2016 11:50 AM
I was able to fix an email server setting that allowed the private network to send email to the public network.
However, I am still unable to access the private network from any of my public networks via the private network's NAT'd public IP. From the public networks on the router, I can only access the private networks via the private network. I cannot access via the NAT'd public IP.
Interestingly, private devices behind g0/0/1 are able to access the other private network via both the private and public IP.
03-13-2016 09:35 AM
Any additional thoughts?
03-13-2016 01:16 PM
The NAT process takes place as traffic flows from one interface to another, from an "ip nat inside" interface to an "ip nat outside" interface, or vice versa.
I think traffic is flowing between interfaces which are both "ip nat inside"? If so, it won't be possible to make the public IP NAT work between these two.
03-13-2016 03:52 PM
I agree with Philip. Because the traffic is not going between 2 NAT enabled interfaces (1 inside and 1 outside) your proposed configuration is moot. This leaves you with 2 choices:
The latter option will probably break other communication, so you will need to build a more robust NAT exemption between Gi0/0/2 and other interfaces.
PSC
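An added example, not from the thread, that models the domain rule Philip and PSC describe: the static mapping is applied only when a packet crosses from an "ip nat inside" interface to an "ip nat outside" interface or the reverse. The addresses 203.0.113.x and 198.51.100.0/24 are constructed placeholders for the masked x.x.x.x values; the model covers the Gi0/0/2 case the poster reports as failing and does not attempt to explain the inside-to-inside case the poster reports as working, which the thread leaves unexplained.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Interface -> NAT role from the posted config. Gi0/0/2 has no "ip nat" line.
NAT_ROLE = {
    "Gi0/0/0": "outside",  # WAN_PUBLIC_CENTURYL
    "Gi0/0/1": "inside",   # LAN_PRIVATE_CUST
    "Gi0/0/2": None,       # LAN_PUBLIC_CUST, email server #1
    "Gi0/1/3": "inside",   # LAN_WRRB, email server #2 at 10.10.10.2
}

# Constructed placeholder prefixes standing in for the masked x.x.x.x values.
ROUTES = [
    (ip_network("10.10.10.0/24"), "Gi0/1/3"),
    (ip_network("172.16.0.0/12"), "Gi0/0/1"),
    (ip_network("198.51.100.0/24"), "Gi0/0/2"),
]
DEFAULT_IF = "Gi0/0/0"  # ip route 0.0.0.0 0.0.0.0 <WAN next hop>

# ip nat inside source static 10.10.10.2 <public IP> (public IP constructed)
STATIC = {"10.10.10.2": "203.0.113.10"}
STATIC_REV = {g: l for l, g in STATIC.items()}
POOL_ADDR = "203.0.113.1"  # PRIVATE_NAT_POOL overload, single address here
POOL_ACL = ip_network("172.16.0.0/12")  # access-list 1

@dataclass(frozen=True)
class Result:
    out_if: str
    src: str
    dst: str

def route(dst: str) -> str:
    addr = ip_address(dst)
    for net, iface in ROUTES:  # prefixes do not overlap, so first match is fine
        if addr in net:
            return iface
    return DEFAULT_IF

def forward(in_if: str, src: str, dst: str) -> Result:
    """Outside->inside translates the destination before routing; inside->outside
    routes first and then translates the source. Any other pairing (an interface
    with no NAT role, or inside->inside) is forwarded untouched."""
    if NAT_ROLE[in_if] == "outside":
        dst = STATIC_REV.get(dst, dst)  # inside global -> inside local
        return Result(route(dst), src, dst)
    out_if = route(dst)
    if NAT_ROLE[in_if] == "inside" and NAT_ROLE[out_if] == "outside":
        src = STATIC.get(src, POOL_ADDR if ip_address(src) in POOL_ACL else src)
    return Result(out_if, src, dst)
```

A packet entering Gi0/0/2 addressed to the NAT'd public IP is routed out the WAN untranslated, which is why only the private address works from that segment.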
03-13-2016 08:45 PM
Thank you both very much for the input.
03-13-2016 08:46 PM
It would be great if you could rate helpful answers.
03-13-2016 06:57 PM
Thanks for your reply Philip. I was hoping there was some sort of ip route command that I could issue...