06-21-2007 08:20 AM - edited 03-05-2019 04:53 PM
I have an emergency where I need to use the router for NAT and PAT. It is short term until we swing the firewall.
I can build NAT and get outbound web surfing and ping, but I need inbound email.
I cannot seem to get the PAT working.
Config is below.
I have a 667 VLAN for the internet and the email server is on the 192 VLAN. Users are on VLAN 10.
interface FastEthernet0/0
 ip address 10.1.1.20 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex full
 speed 10
 no mop enabled
!
interface FastEthernet0/0.667
 encapsulation dot1Q 667
 ip address X.X.X.214 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
!
interface FastEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1.10
 description Data Vlan
 encapsulation dot1Q 10
 ip address 172.20.10.254 255.255.255.0
 ip helper-address 192.168.1.10
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 no cdp enable
!
interface FastEthernet0/1.11
 description Voice Vlan
 encapsulation dot1Q 11
 ip address 172.20.11.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
!
interface FastEthernet0/1.192
 encapsulation dot1Q 192
 ip address 192.168.1.254 255.255.255.0
 ip helper-address 192.168.1.10
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 no cdp enable
!
interface FastEthernet0/1.254
 encapsulation dot1Q 254
 ip address 172.20.254.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
!
router eigrp 101
 network 172.21.0.0
 network 172.22.0.0
 auto-summary
!
ip route 0.0.0.0 0.0.0.0 66.162.50.213
ip route 172.21.0.0 255.255.0.0 10.1.1.21
ip route 172.22.0.0 255.255.0.0 10.1.1.22
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat pool TGO-MSP X.X.X.214 X.X.X.214 netmask 255.255.255.252
ip nat inside source list 101 pool TGO-MSP overload
ip nat inside source static tcp 192.168.1.10 25 X.X.X.214 25 extendable
!
access-list 101 permit ip any any log
access-list 102 permit tcp any host X.X.X.214 eq smtp
!
06-21-2007 08:47 AM
I don't see any ip-access-group in/out interface statements in your config for applying your access list 102 for inbound/outbound smtp.
06-21-2007 09:10 AM
Which interface should it go on? I would usually have a firewall, so I have not had to set up an environment like this.
Thanks
06-21-2007 09:26 AM
interface FastEthernet0/0.667
 ip access-group 102 in
06-21-2007 09:25 AM
Since you have static NAT for the SMTP server, the ip access-group 102 in and out should be placed on the interface where the inbound SMTP request is expected, and if the outbound is expected to go out the same interface then you place the ip access-group 102 in/out on that interface.
In your case SMTP is in the x.x.x.214 subnet on interface FastEthernet0/0.667
 ip access-group 102 in
 ip access-group 102 out
HTH
Jorge
06-21-2007 09:35 AM
Thanks Guys but no luck??
sh ip nat trans looks good
TGO-MSP-WFC-Router#sh access-lists
Extended IP access list 101
10 permit ip any any log (4567 matches)
Extended IP access list 102
10 permit tcp any host 66.162.50.214 eq smtp (180 matches)
Extended IP access list 103
10 permit tcp any host 192.168.1.10 eq smtp
access looks OK
still cannot get a connection?
Thanks
06-21-2007 09:40 AM
I think I am good. That server is on another subnet and it has a default gateway that still lives there. My guess is inbound is coming in but being directed out the other gateway.
Thanks
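The return-path situation described in the last post, modelled as an added example that is not part of the original thread: it shows why the ACL 102 counter and the NAT table can look healthy while the SMTP handshake never completes. Assumptions: 203.0.113.214 stands in for X.X.X.214, the client address and the 192.168.1.1 gateway are constructed, and the other gateway is modelled as forwarding the reply untranslated.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

PUBLIC = "203.0.113.214"   # constructed stand-in for X.X.X.214
SERVER = "192.168.1.10"    # mail server, from the posted config
ROUTER = "192.168.1.254"   # Fa0/1.192 on the NAT router, from the posted config
OTHER_GW = "192.168.1.1"   # hypothetical gateway the server still points at

class NatRouter:
    """Models only ACL 102 inbound and the static entry SERVER:25 <-> PUBLIC:25."""
    def __init__(self):
        self.acl102_matches = 0

    def outside_in(self, p):
        # The inbound ACL is evaluated before NAT, so it sees the public address.
        if (p.dst, p.dport) != (PUBLIC, 25):
            return None                       # implicit deny at the end of ACL 102
        self.acl102_matches += 1
        return replace(p, dst=SERVER)         # global -> local translation

    def inside_out(self, p):
        if (p.src, p.sport) == (SERVER, 25):
            return replace(p, src=PUBLIC)     # local -> global translation
        return p

def smtp_handshake(server_default_gw):
    router = NatRouter()
    syn = Packet("198.51.100.7", 40000, PUBLIC, 25)   # constructed client
    delivered = router.outside_in(syn)
    reply = Packet(delivered.dst, delivered.dport, delivered.src, delivered.sport)
    if server_default_gw == ROUTER:
        reply = router.inside_out(reply)      # reply crosses the static entry
    # Otherwise the SYN-ACK leaves via the other gateway and is never
    # translated back by this router (assumed to be forwarded unchanged).
    # The client only accepts a SYN-ACK from the address and port it contacted.
    established = (reply.src, reply.sport) == (syn.dst, syn.dport)
    return {"acl102_matches": router.acl102_matches,
            "reply_src": reply.src, "established": established}

if __name__ == "__main__":
    print("gateway = NAT router:", smtp_handshake(ROUTER))
    print("gateway = other     :", smtp_handshake(OTHER_GW))
```

In both runs the inbound ACL counter increments, so the check that separates them is the server's default gateway (or a host route on the server) pointing at 192.168.1.254.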