NAT & extendable problems

Status
Not open for further replies.

NettableWalker (IS-IT--Management), joined Jun 18, 2005, 215 messages, location: GB
Hi everyone,

I'm trying to publish an email server through NAT on an 837,

trying to use:
ip nat inside source static tcp 10.0.0.1 25 interface dialer1 25 extendable

But the keyword "extendable" is not accepted (IOS ver 12.3(12.8)T).

Is this stopping the NAT from working?

Normal NAT overload for inside internet access is fine.


 
Try it like the following. X = IP routable address.


ip nat inside source static tcp 10.0.0.1 25 XXX.XXX.XXX.XXX 25 extendable

But I think the way you were doing it will do the same; you only do not need extendable if applying it to the interface, as it will use that address.

ip nat inside source static tcp 10.0.0.1 25 interface dialer1 25
 
Hi Joamon,

This NAT appears in the show ip nat translations list, and even shows a connection to the remote IP + high port number(?) if I try to telnet in remotely on that port, expecting to be telnetting into an email server.

It wouldn't be coming up against the firewall in some way, would it?
 
Can you post a new config?
 
ip nat inside source static tcp 10.0.0.1 25 interface dialer1 25
The above only extends port 25 SMTP, not port 23 TELNET.
If you want that as well, you will need to extend it also. Do you have one static address or a /29 block of IP routable addresses?
 
Hi Joamon,

I'm not sure if this is only Windows or what, but if you telnet and specify the port number it should log into the server and get a banner of some sort in return to signify that a connection has been made. So that would show that port 25 was open and pointing to the right server.

As for the address range, I don't know. I am sure I asked the ISP for a /29, but I don't know how to check; certainly my routing table seems to show a /32. Is that right?

Here's my config:



PDC.ADSL#sh run
Building configuration...

Current configuration : 4786 bytes
!
! Last configuration change at 15:09:02 GMT Thu Mar 30 2006 by rayc
! NVRAM config last updated at 15:16:32 GMT Thu Mar 30 2006 by rayc
!
version 12.3
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
no service password-encryption
!
hostname PDC.ADSL
!
boot-start-marker
boot-end-marker
!
logging console critical
enable secret xxxxxxx1
!
no aaa new-model
!
resource manager
!
clock timezone GMT 0
ip subnet-zero
!
!
no ip dhcp use vrf connected
!
!
ip cef
no ip domain lookup
ip name-server xxxxxx
ip name-server xxxxxx
no ip bootp server
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 http
no ip ips deny-action ips-interface
!
no ftp-server write-enable
!
!
username xx\x privilege 15 password 7 x
!
!
!
crypto isakmp policy 1
authentication pre-share
group 2
lifetime 7200
crypto isakmp key xxxxxx address xxxxxxxxx
!
crypto ipsec security-association lifetime kilobytes 5242880
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set PDCADSL esp-des esp-sha-hmac
!
crypto map pdcvpn 16 ipsec-isakmp
set peer xxxxxxxxx
set transform-set PDCADSL
set pfs group2
match address 151
!
!
!
interface Null0
no ip unreachables
!
interface Ethernet0
description Connected to PDC Local Network
ip address 10.0.0.203 255.255.0.0
ip access-group 102 in
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
no cdp enable
hold-queue 100 out
!
interface Ethernet2
no ip address
shutdown
hold-queue 100 out
!
interface ATM0
description Connected to ADSL Circuit
no ip address
no ip mroute-cache
atm vc-per-vp 64
no atm auto-configuration
no atm ilmi-keepalive
no atm address-registration
no atm ilmi-enable
dsl operating-mode auto
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
interface Dialer1
description Connected to ADSL Circuit
bandwidth 1000
ip address negotiated
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect DEFAULT100 out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname xxxxxxxx
ppp chap password 7xxxxxxxx
ppp pap sent-username xxxxxxxx password 7 xxxxxxxx
ppp ipcp dns request
ppp ipcp wins request
crypto map pdcvpn
hold-queue 224 in
!

ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
no ip http secure-server
!
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 10.0.0.4 1494 interface Dialer1 1494
ip nat inside source static tcp 10.0.0.1 25 interface Dialer1 25
!
access-list 10 permit 1xxxx
access-list 10 remark Telnet Access
access-list 10 permit 19xxxxxx 0.0.0.15
access-list 10 permit 10.0.0.0 0.255.255.255
access-list 100 remark ----- Inbound ACL -----
access-list 100 permit ahp host xxxxxxxx 0.0.0.0 xxxxxxxx9
access-list 100 permit esp host xxxxxxxx 0.0.0.0 xxxxxxxx9
access-list 100 permit udp host xxxxxxxx 0.0.0.0 xxxxxxx9 eq isakmp
access-list 100 permit udp host xxxxxxxx 0.0.0.0 xxxxxxxx eq non500-isakmp
access-list 100 permit ip host xxxxxxxx any
access-list 100 deny ip any any
access-list 102 deny ip 10.0.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 102 permit ip 10.0.0.0 0.255.255.255 any
access-list 151 remark VPN Access
access-list 151 permit ip 10.0.0.0 0.0.255.255 10.2.0.0 0.0.255.255
dialer-list 1 protocol ip permit
no cdp run
!
!
control-plane
!
banner login ^CC Authorised users only, all access is logged.^C
!
line con 0
exec-timeout 300 0
login local
no modem enable
transport preferred all
transport output telnet
stopbits 1
line aux 0
login local
transport preferred all
transport output telnet
stopbits 1
line vty 0 4
session-timeout 15 output
access-class 10 in
exec-timeout 100 0
password 7 xxxxxxxxxxxxxx
login local
transport preferred all
transport input telnet ssh
transport output all
!
no scheduler max-task-time
scheduler interval 500
sntp server 10.0.0.22
end


 
I would verify with your ISP as to what your IP address or addresses are that you have to use. I would actually recommend that if you do in fact have a /29 that you set the dialer with a static address and then assign the next address for extending the mail server.

say the dialer ip address is
64.110.225.42 255.255.255.248

You could then use .43 for the mail server.
ip nat inside source static tcp 10.0.0.1 25 64.110.225.43 25 extendable
 
Thanks Joamon, I'll try that tomorrow when I get back home.

I'll let you know if it works....
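One thing worth checking against the posted config: ACL 100 is applied inbound on Dialer1 and permits only the VPN peer hosts before its final deny ip any any, and the CBAC inspect rule on Dialer1 only opens return traffic for sessions started from the inside, so an inbound SMTP connection from the Internet is dropped at the interface whatever the static NAT entry says. The fragment below is an added example, not from the thread, showing how an SMTP permit fits together with Joamon's /29 mapping; it assumes the 64.110.225.42/29 addresses from his reply, an image that supports ACL sequence numbers, and the default sequence numbers (10 to 60) that show access-lists 100 would display for the posted list.

```cisco
! Added example (not from the thread). Assumes the /29 from Joamon's reply:
! Dialer1 = 64.110.225.42/29, mail server published on 64.110.225.43.
!
! 1. Static dialer address, only if the ISP routes the /29 to this circuit
!    (otherwise keep "ip address negotiated").
interface Dialer1
 ip address 64.110.225.42 255.255.255.248
 exit
!
! 2. Static port mapping using the second routable address, as suggested.
ip nat inside source static tcp 10.0.0.1 25 64.110.225.43 25 extendable
!
! 3. Inbound ACL 100 on Dialer1. Outside-to-inside packets are checked by
!    the inbound ACL before NAT, so the permit names the public address,
!    not 10.0.0.1. New lines typed as "access-list 100 ..." are appended
!    after "deny ip any any" and never match, so enter the list in named
!    mode with a sequence number that sorts before the deny (assumed to be
!    sequence 60 on the posted list; confirm with "show access-lists 100").
ip access-list extended 100
 55 permit tcp any host 64.110.225.43 eq smtp
 exit
!
! 4. Verify: the permit should sit immediately before the deny, and the
!    translation table should show the static entry plus an extended entry
!    (remote host and high port) once an outside host connects to port 25.
show access-lists 100
show ip nat translations
show ip nat statistics
```

Only port 25 is opened here; port 23 stays closed, in line with Joamon's note that the mapping extends SMTP only.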
 