02-07-2012 10:03 AM - edited 03-07-2019 04:47 AM
Hi all,
This is really a newbie question! I have a mail server inside my network, reached, let's say, via mail.mydomain.com -> X.Y.W.Z (my external IP address) on interface GigabitEthernet0:
interface GigabitEthernet0/0
description $ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ETH-WAN$$FW_OUTSIDE$
ip address X.Y.W.Z 255.255.255.248 secondary
ip broadcast-address X.Y.W.Z
ip flow ingress
ip nat outside
ip ips sdm_ips_rule_ips_traffic in
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
!
service-policy output CCP-QoS-Policy-1
!
Then I have some subinterfaces for the local network; in particular, this one is for my DMZ:
interface GigabitEthernet0/1.1
description DMZ$FW_DMZ$
encapsulation dot1Q 4
ip address 10.0.104.1 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security dmz-zone
!
My internal office zone:
interface GigabitEthernet0/1.2
description MZ (private zone)$FW_INSIDE$
encapsulation dot1Q 2
ip address 10.0.102.10 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
Then I have the following NAT rules for SMTP, IMAPS and POP3S:
ip nat inside source static tcp 10.0.104.12 25 X.Y.W.Z 25 extendable
ip nat inside source static tcp 10.0.104.12 993 X.Y.W.Z 993 extendable
ip nat inside source static tcp 10.0.104.12 995 X.Y.W.Z 995 extendable
This WORKS very well for the traffic from the internet to my DMZ. The issue is that if I want my local clients to use the same domain (mail.mydomain.com) from inside and outside the office (think of laptops that work from both zones), this doesn't work, because the internal users are trying to get to X.Y.W.Z on port 25, for example, and the NAT seems not to be applied.
So initially I had the same domain (mail.mydomain.com) with 2 entries: from outside on X.Y.W.Z and from inside (with a local DNS) to the mail server in the DMZ, 10.0.104.12; but in this scenario the mobile devices don't refresh their DNS promptly enough to make the service work.
I would need to NAT the traffic from 10.0.102.0/24 with destination X.Y.W.Z (ports 25, 993, 995) to 10.0.104.12.
I understand that the rules above are translating only from inside to outside and vice versa, but not from 10.0.102.0 to 10.0.104.0. Any ideas?
With this configuration the router is responding on ports 25, 993 and 995 instead of 10.0.104.12. This is some basic troubleshooting:
bash-3.2# traceroute -p 25 mail.mydomain.com
traceroute to mail.mydomain.com (X.Y.W.Z), 64 hops max, 52 byte packets
1 10.0.102.10 (10.0.102.10) 1.716 ms * 1.494 ms
bash-3.2# telnet X.Y.W.Z
Trying X.Y.W.Z...
telnet: connect to address X.Y.W.Z: Connection refused
telnet: Unable to connect to remote host
bash-3.2#
There is a zone firewall, but the commands above are very responsive, and I can connect directly to the mail server without issues (if I set mail.mydomain.com to point to 10.0.104.12 in my local DNS).
Thanks!!
The post has been modified and additional information added.
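To see why the office client's SYN ends up answered by the router itself rather than by the DMZ server, here is a small Python model of IOS static NAT order of operations. It is added here and is not code from the thread or from Cisco; it assumes the interfaces and NAT lines posted above, with the documentation address 203.0.113.2 standing in for X.Y.W.Z and 198.51.100.7 as a constructed internet client.

```python
# Model of 'ip nat inside source static' behaviour (constructed illustration,
# not Cisco code). 203.0.113.2 stands in for the thread's X.Y.W.Z.
import ipaddress
import re

OUTSIDE = "GigabitEthernet0/0"
# Interface roles as posted in the thread ('ip nat inside' / 'ip nat outside').
INTERFACES = {
    OUTSIDE:                dict(net="203.0.113.0/29", addr="203.0.113.2", nat="outside"),
    "GigabitEthernet0/1.1": dict(net="10.0.104.0/24",  addr="10.0.104.1",  nat="inside"),
    "GigabitEthernet0/1.2": dict(net="10.0.102.0/24",  addr="10.0.102.10", nat="inside"),
}
NAT_CONFIG = """
ip nat inside source static tcp 10.0.104.12 25 203.0.113.2 25 extendable
ip nat inside source static tcp 10.0.104.12 993 203.0.113.2 993 extendable
ip nat inside source static tcp 10.0.104.12 995 203.0.113.2 995 extendable
"""
STATIC_RE = re.compile(r"ip nat inside source static tcp (\S+) (\d+) (\S+) (\d+)")

def parse_static(cfg):
    """Return (local_ip, local_port, global_ip, global_port) per static entry."""
    return [(m[1], int(m[2]), m[3], int(m[4])) for m in STATIC_RE.finditer(cfg)]

def connected_if(ip):
    """Interface whose connected subnet holds ip, else None."""
    for name, i in INTERFACES.items():
        if ipaddress.ip_address(ip) in ipaddress.ip_network(i["net"]):
            return name
    return None

def route(dst):
    """'local' when dst is one of the router's own addresses (router answers itself)."""
    if any(dst == i["addr"] for i in INTERFACES.values()):
        return "local"
    return connected_if(dst) or OUTSIDE  # default route points outside

def forward(src, dst, dport, entries):
    """Return (translated?, final_dst, final_port, egress) for a TCP SYN."""
    ingress = connected_if(src) or OUTSIDE
    if INTERFACES[ingress]["nat"] == "outside":
        # outside->inside: global->local rewrite happens before routing
        for local, lport, glob, gport in entries:
            if (dst, dport) == (glob, gport):
                return True, local, lport, route(local)
        return False, dst, dport, route(dst)
    # inside->anywhere: routing first; the static entry would only rewrite the
    # *source* on egress through an 'ip nat outside' interface. A packet from
    # in-zone aimed at the router's own outside address never gets that far:
    # it is delivered to the router, which has no listener on 25/993/995.
    return False, dst, dport, route(dst)
```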
02-08-2012 01:02 AM
If users inside get their settings from DHCP, they will get the DNS setting as well from your internal server, if I understand correctly. Why not use an extended access list as the source for a NAT (PAT) mapping to your DMZ interface?
Hope this helps
Eugen
02-07-2012 03:55 PM
I've tried to VPN to the router and it works just fine:
The IP received is on the same network I'm having issues with:
utun0: flags=8051
inet 10.0.102.199 --> 10.0.102.199 netmask 0xffffff00
And this is the interface of the VPN tunnel:
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0
ip nat inside
ip ips sdm_ips_rule_ips_traffic in
ip virtual-reassembly
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
!
I've checked that the firewall on the VPN (ezvpn-zone to in-zone) has the same policies as the in-zone to DMZ zone; apart from that, it seems the same configuration. The only difference is that the traffic is coming from the internet to GigabitEthernet0/0 (which is defined as "ip nat outside"). Any ideas on how I can resolve this?
02-08-2012 11:57 AM
Yep ... my mistake: on the laptop the DNS was statically assigned, that's why it was not being updated by the local DNS!
Thanks ... it works well with the original DNS settings.
02-08-2012 12:38 PM
Good to hear it works.
Please mark it if the question has been answered.
Regards
Eugen