Here is my running config:
Building configuration...
Current configuration : 6293 bytes
!
! Last configuration change at 09:58:42 America Fri Mar 19 2004
! NVRAM config last updated at 11:52:38 America Mon Mar 1 2004
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname 1760
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 52000 debugging
logging console critical
enable secret 5 XXX
!
username XXX privilege 15 password 7 XXX
clock timezone America/New_York -5
clock summer-time America/New_York date Apr 6 2003 2:00 Oct 26 2003 2:00
no aaa new-model
ip subnet-zero
no ip source-route
!
!
no ip domain lookup
ip domain name phoenixworldwide.com
ip dhcp excluded-address 192.168.10.1
ip dhcp excluded-address 192.168.10.51 192.168.10.254
!
ip dhcp pool sdm-pool1
 network 192.168.10.0 255.255.255.0
 domain-name XXX.com
 dns-server 65.xx.xx.3 65.xx.xx.4
 default-router 192.168.10.1
!
!
no ip bootp server
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp
ip inspect name dmzinspect tcp
ip inspect name dmzinspect udp
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
no crypto isakmp enable
!
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description $ETH-LAN$$FW_INSIDE$
 ip address 192.168.10.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip inspect DEFAULT100 in
 ip route-cache flow
 speed auto
!
interface Serial0/0
 description $FW_OUTSIDE$
 ip address 65.xx.xx.226 255.255.255.252
 ip access-group 102 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip route-cache flow
 no keepalive
!
interface Ethernet1/0
 description $FW_DMZ$$ETH-LAN$
 ip address 65.xx.xx.1 255.255.255.224
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip route-cache flow
 half-duplex
!
ip nat pool Phoenix 192.168.10.2 192.168.10.252 netmask 255.255.255.0
ip nat inside source list 7 interface Ethernet1/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip http server
ip http authentication local
ip http secure-server
!
!
!
logging trap debugging
logging 65.xx.xx.3
logging 65.xx.xx.4
access-list 7 remark NAT
access-list 7 remark SDM_ACL Category=2
access-list 7 permit 192.168.10.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 deny tcp any eq 3127 any log
access-list 102 deny tcp any any eq 3127 log
access-list 102 deny ip 192.168.10.0 0.0.0.255 any log
access-list 102 deny ip 65.xx.xx.0 0.0.0.31 any log
access-list 102 permit icmp any host 65.86.198.3
access-list 102 permit icmp any host 65.86.198.4
access-list 102 remark DNS
access-list 102 permit udp any host 65.xx.xx.3 eq domain
access-list 102 permit udp any host 65.xx.xx.4 eq domain
access-list 102 permit tcp host 216.xx.xx.59 eq domain host 65.xx.xx.3
access-list 102 permit udp host 216.xx.xx.59 eq domain host 65.xx.xx.3
access-list 102 permit tcp host 216.xx.xx.59 eq domain host 65.xx.xx.4
access-list 102 permit udp host 216.xx.xx.59 eq domain host 65.86.198.4
access-list 102 permit tcp host 216.xx.xx.50 eq domain host 65.xx.xx.3
access-list 102 permit udp host 216.xx.xx.50 eq domain host 65.xx.xx.3
access-list 102 permit tcp host 216.xx.xx.50 eq domain host 65.xx.xx.4
access-list 102 permit udp host 216.xx.xx.50 eq domain host 65.xx.xx.4
access-list 102 permit tcp any eq smtp any
access-list 102 permit tcp any eq pop3 any
access-list 102 permit tcp any eq
access-list 102 permit icmp any host 65.xx.xx.226 echo-reply
access-list 102 permit icmp any host 65.xx.xx.226 time-exceeded
access-list 102 permit icmp any host 65.xx.xx.226 unreachable
access-list 102 permit tcp any host 65.xx.xx.3 eq smtp
access-list 102 permit tcp any host 65.xx.xx.4 eq smtp
access-list 102 permit tcp any host 65.xx.xx.3 eq pop3
access-list 102 permit tcp any host 65.xx.xx.4 eq pop3
access-list 102 permit tcp any host 65.xx.xx.5 eq ftp
access-list 102 permit tcp any host 65.xx.xx.5 eq ftp-data
access-list 102 permit tcp any host 65.xx.xx.6 eq ftp
access-list 102 permit tcp any host 65.xx.xx.6 eq ftp-data
access-list 102 remark MSN Messenger
access-list 102 permit tcp any eq 1863 any
access-list 102 permit udp any eq 1863 any
access-list 102 remark AOL
access-list 102 permit tcp any eq 5001 any
access-list 102 permit tcp any eq 5002 any
access-list 102 permit tcp any eq 5003 any
access-list 102 permit tcp any eq 5004 any
access-list 102 permit tcp any eq 5190 any
access-list 102 deny ip 10.0.0.0 0.255.255.255 any log
access-list 102 deny ip 172.16.0.0 0.15.255.255 any log
access-list 102 deny ip 192.168.0.0 0.0.255.255 any log
access-list 102 deny ip 127.0.0.0 0.255.255.255 any log
access-list 102 deny ip host 255.255.255.255 any log
access-list 102 deny ip host 0.0.0.0 any log
access-list 102 deny ip any any log
no cdp run
!
!
control-plane
!
banner login ^CHello^C
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
end
-----------------------------------------------------------
Right now I have the mail server located on the DMZ (Ethernet0) using its Public address. I tried to move it to the LAN (FastEthernet0) using Static NAT (ip nat inside source static 192.168.10.254 65.x.x.3) and as you can see I am allowing SMTP into the server (access-list 102 permit tcp any host 65.xx.xx.3 eq smtp). Is there another ACL that could be stopping incoming mail from reaching the server when I place it on the LAN, or perhaps an inspect rule that I have may be the culprit?
This is the first time I have worked with a Cisco so I really don't know what to look for. Thanks again.
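
An added example, not part of the original post: a small first-match evaluator for extended ACL entries of the kind shown in the config, run over a subset of ACL 102 to see which entry an inbound packet on Serial0/0 hits first. It assumes the IOS NAT order of operations, in which the inbound ACL on the outside interface is checked before the destination is translated; 203.0.113.x is a constructed stand-in for the redacted 65.xx.xx.x addresses, and all function names are illustrative.

```python
import ipaddress

PORTS = {"domain": 53, "smtp": 25, "pop3": 110}  # IOS port keywords used here

# Subset of ACL 102 from the post, original order kept. 203.0.113.x is a
# constructed stand-in for the redacted 65.xx.xx.x DMZ addresses.
ACL_102 = """\
access-list 102 deny tcp any eq 3127 any log
access-list 102 deny ip 192.168.10.0 0.0.0.255 any log
access-list 102 deny ip 203.0.113.0 0.0.0.31 any log
access-list 102 permit tcp any eq smtp any
access-list 102 permit tcp any host 203.0.113.3 eq smtp
access-list 102 deny ip any any log
"""

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _endpoint(tok):  # 'any' | 'host A' | 'A WILDCARD', then optional 'eq PORT'
    first = tok.pop(0)
    if first == "any":
        addr, wild = 0, 0xFFFFFFFF
    elif first == "host":
        addr, wild = _ip(tok.pop(0)), 0
    else:
        addr, wild = _ip(first), _ip(tok.pop(0))
    port = None
    if tok[:1] == ["eq"]:
        _, name = tok.pop(0), tok.pop(0)
        port = PORTS.get(name) or int(name)
    return addr, wild, port

def parse(text):
    rules = []
    for line in text.splitlines():
        tok = line.split()[2:]  # drop 'access-list 102'
        action, proto = tok.pop(0), tok.pop(0)
        rules.append((line, action, proto, _endpoint(tok), _endpoint(tok)))
    return rules

def _hit(spec, ip, port):
    addr, wild, want = spec  # wildcard bits set to 1 are "don't care"
    return (_ip(ip) | wild) == (addr | wild) and want in (None, port)

def first_match(rules, proto, src, sport, dst, dport):  # top-down, first match wins
    for line, action, rproto, s, d in rules:
        if rproto in ("ip", proto) and _hit(s, src, sport) and _hit(d, dst, dport):
            return action, line
    return "deny", "(implicit deny)"
```

`first_match(parse(ACL_102), "tcp", "198.51.100.20", 40000, "203.0.113.3", 25)` returns the `permit tcp any host 203.0.113.3 eq smtp` entry, while the same packet addressed to 192.168.10.254 falls through to `deny ip any any log`. The `permit tcp any eq smtp any` entry matches on source port 25, so it does not cover a new inbound connection from a client's ephemeral port.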