strange NAT behaviour with SMTP port
I have a Cisco 1600 router on a small network, a handful of external addresses and a few services inside the router. Now it is necessary to remap the web/mail-server on a different (internal) IP.

Everything works well with the ports 80, 110, 143, but NOT with port 25. With a packet analyzer I can see the request to outside:25 is correctly remapped and forwarded to new-inside:25, which sends an Ack that is again remapped and sent to the originator. Here the problem manifests:

The return packet that arrives at the remote is marked as outside:4 instead of outside:25. If I try again, I get a reply from outside:5, ... counting upward slowly whereby "used" port numbers are skipped.

If I remap the port back to the original machine at old-inside:25, I get a clean connect and all reply packages are correctly marked as outside:25.

Just to make sure that my new SMTP service is working correctly, I mapped another static inside from outside:125 to new-inside:25. As I expected, I get a clean SMTP transmission when I connect to outside:125.

Unfortunately the original configuration was made by someone else and my knowledge of Cisco IOS is currently more or less in the "try and error" phase. I think I did understand most of the config file and I know where I would want to turn the knob but it is frustrating.

Turning the SMTP protocol inspector off and on did not change anything.

Why the heck does this damned thing readdress the reply packets from the one IP and not from the other?

Any idea?

(IP-Addresses and passwords masked)

!
version 12.0
no service slave-log
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname xxxxxxxx
!
no logging console
!
username aaaaaaa password 7 0000000000000000000
!
!
!
!
clock timezone UTC 1
clock summer-time UTC+1 recurring last Sun Mar 2:00 last Sun Oct 3:00
ip subnet-zero
no ip source-route
no ip finger
ip name-server 211.123.32.129
ip name-server 211.123.32.1
!
no ip bootp server
ip inspect name inspname cuseeme timeout 3600
ip inspect name inspname ftp timeout 3600
ip inspect name inspname http timeout 3600
ip inspect name inspname realaudio timeout 3600
ip inspect name inspname rcmd timeout 3600
ip inspect name inspname smtp timeout 3600
ip inspect name inspname tftp timeout 3600
ip inspect name inspname udp timeout 3600
ip inspect name inspname tcp timeout 3600
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
 no ip directed-broadcast
!
interface Ethernet0
 description ****** Connection to LAN ******
 ip address 10.11.1.254 255.255.255.0
 ip access-group 102 in
 no ip directed-broadcast
 no ip proxy-arp
 ip nat inside
 ip inspect inspname in
 ip route-cache policy
 ip policy route-map nonat
 no ip mroute-cache
 no cdp enable
!
interface Serial0
 description connected to SAFE
 ip address 211.123.34.2 255.255.255.252
 ip access-group 103 in
 no ip directed-broadcast
 ip nat outside
 no fair-queue
 no cdp enable
 crypto map rtp
!
ip nat pool official 211.123.56.2 211.123.56.7 netmask 255.255.255.0
ip nat inside source list 130 pool official overload
!
! FTP stays the same
ip nat inside source static tcp 10.11.1.1 21 211.123.56.1 21 extendable
!
! this is the old mapping
!ip nat inside source static tcp 10.11.1.1 25 211.123.56.1 25 extendable
!
! this is the new mapping
ip nat inside source static tcp 10.11.1.11 25 211.123.56.1 25 extendable
!
! everything here works perfectly
!
ip nat inside source static tcp 10.11.1.11 80 211.123.56.1 80 extendable
ip nat inside source static tcp 10.11.1.11 110 211.123.56.1 110 extendable
ip nat inside source static tcp 10.11.1.11 25 211.123.56.1 125 extendable
ip nat inside source static tcp 10.11.1.11 143 211.123.56.1 143 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
no ip http server
!
access-list 100 permit ip 10.11.1.0 0.0.0.255 any
access-list 100 permit ip 10.20.0.0 0.0.255.255 host 10.11.1.254 log-input
access-list 101 deny ip any any log-input
access-list 102 deny udp any any eq netbios-dgm log-input
access-list 102 permit udp 10.11.1.0 0.0.0.255 any log-input
access-list 102 permit tcp 10.11.1.0 0.0.0.255 any log-input
access-list 102 permit icmp 10.11.1.0 0.0.0.255 any log-input
access-list 102 permit gre 10.11.1.0 0.0.0.255 any log-input
access-list 102 permit esp 10.11.1.0 0.0.0.255 any log-input
access-list 103 deny ip 10.11.1.0 0.0.0.255 any log-input
access-list 103 deny ip 172.0.0.0 0.51.255.255 any log-input
access-list 103 deny ip 127.0.0.0 0.255.255.255 any log-input
access-list 103 deny ip 224.0.0.0 31.255.255.255 any log-input
access-list 103 permit esp host 213.23.88.162 any log-input
access-list 103 permit pcp host 213.23.88.162 any log-input
access-list 103 permit udp host 213.23.88.162 any eq isakmp log-input
access-list 103 permit icmp host 213.23.88.162 any log-input
access-list 103 permit icmp any any administratively-prohibited log-input
access-list 103 permit icmp any any echo log-input
access-list 103 permit icmp any any echo-reply log-input
access-list 103 permit icmp any any packet-too-big log-input
access-list 103 permit icmp any any time-exceeded log-input
access-list 103 permit icmp any any unreachable log-input
access-list 103 permit tcp any host 211.123.56.1 log-input
access-list 103 permit tcp any host 211.123.56.2 log-input
access-list 103 permit tcp any host 211.123.56.3 log-input
access-list 103 permit tcp any host 211.123.56.4 log-input
access-list 103 permit tcp any host 211.123.56.5 log-input
access-list 103 permit tcp any host 211.123.56.6 log-input
access-list 103 permit tcp any host 211.123.56.7 log-input
access-list 103 permit gre any any log-input
access-list 103 permit esp any any log-input
access-list 103 permit ip 10.20.0.0 0.0.255.255 10.11.1.0 0.0.0.255 log-input
access-list 103 permit ip 10.10.90.0 0.0.0.255 10.11.1.0 0.0.0.255 log-input
access-list 115 permit ip 10.11.1.0 0.0.0.255 10.20.0.0 0.0.255.255 log-input
access-list 115 permit ip 10.11.1.0 0.0.0.255 10.10.90.0 0.0.0.255 log-input
access-list 120 permit ip 10.11.1.0 0.0.0.255 10.20.0.0 0.0.255.255 log-input
access-list 120 permit ip 10.11.1.0 0.0.0.255 10.10.90.0 0.0.0.255 log-input
access-list 120 deny ip 10.11.1.0 0.0.0.255 any log-input
access-list 130 deny ip 10.11.1.0 0.0.0.255 10.10.90.0 0.0.0.255 log-input
access-list 130 deny ip 10.10.90.0 0.0.0.255 10.11.1.0 0.0.0.255 log-input
access-list 130 deny ip 10.11.1.0 0.0.0.255 10.20.0.0 0.0.255.255 log-input
access-list 130 deny ip 10.20.0.0 0.0.255.255 10.11.1.0 0.0.0.255 log-input
access-list 130 permit ip 10.11.1.0 0.0.0.255 any log-input
no cdp run
route-map nonat permit 10
 match ip address 120
 set ip next-hop 1.1.1.2
!
route-map nonat permit 20
!
banner motd ^CCCCCC
Unauthorized access prohibited!
Nicht authorisierter Zugang verboten!

^C
!
end
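A check that makes the symptom described in this post visible from the router's own NAT table, added here as an example and not part of the thread: it parses the static "ip nat inside source static" lines from the config above and compares them with a "show ip nat translations" listing, flagging any translation whose inside-global socket is not one of the configured statics. The translation listing is a constructed sample (the post does not include one) shaped to match the described behaviour; the remote address 203.0.113.9 is a documentation address, not from the post.

```python
import re

# Static NAT lines copied from the router config posted above (same syntax).
STATIC_NAT_CONFIG = """\
ip nat inside source static tcp 10.11.1.1 21 211.123.56.1 21 extendable
ip nat inside source static tcp 10.11.1.11 25 211.123.56.1 25 extendable
ip nat inside source static tcp 10.11.1.11 80 211.123.56.1 80 extendable
ip nat inside source static tcp 10.11.1.11 110 211.123.56.1 110 extendable
ip nat inside source static tcp 10.11.1.11 25 211.123.56.1 125 extendable
ip nat inside source static tcp 10.11.1.11 143 211.123.56.1 143 extendable
"""

# Constructed "show ip nat translations" sample (not from the post): the SMTP
# reply for 10.11.1.11:25 leaves as 211.123.56.1:4 instead of :25.
SAMPLE_TRANSLATIONS = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 211.123.56.1:80    10.11.1.11:80      203.0.113.9:40001  203.0.113.9:40001
tcp 211.123.56.1:4     10.11.1.11:25      203.0.113.9:40002  203.0.113.9:40002
tcp 211.123.56.1:125   10.11.1.11:25      203.0.113.9:40003  203.0.113.9:40003
tcp 211.123.56.2:1024  10.11.1.50:3344    203.0.113.9:443    203.0.113.9:443
"""

STATIC_RE = re.compile(
    r"ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")

def parse_static_mappings(config):
    """Map (proto, inside_local_ip, inside_port) -> set of allowed global sockets.
    One inside socket may legitimately map to several globals (25 -> 25 and 125)."""
    mappings = {}
    for m in STATIC_RE.finditer(config):
        proto, l_ip, l_port, g_ip, g_port = m.groups()
        mappings.setdefault((proto, l_ip, int(l_port)), set()).add((g_ip, int(g_port)))
    return mappings

def find_mismatches(config, translations):
    """Return (inside_local, inside_global, allowed_globals) for every translation
    of a statically mapped inside socket that uses a global socket not configured."""
    statics = parse_static_mappings(config)
    bad = []
    for line in translations.splitlines()[1:]:  # skip the column header
        fields = line.split()
        if len(fields) < 3:
            continue
        proto, g, l = fields[0], fields[1], fields[2]
        g_ip, g_port = g.rsplit(":", 1)
        l_ip, l_port = l.rsplit(":", 1)
        allowed = statics.get((proto, l_ip, int(l_port)))
        # Hosts without a static mapping (pool/overload users) are expected to
        # get arbitrary ports, so only statically mapped sockets are checked.
        if allowed is not None and (g_ip, int(g_port)) not in allowed:
            bad.append((l, g, sorted(allowed)))
    return bad
```

On the sample above only the :4 entry is reported; a clean run returns an empty list, which makes the check usable before and after a "clear ip nat translation" or an IOS upgrade.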
Re: strange NAT behaviour with SMTP port
I would try a "clear ip nat trans *" after making the change. Or reboot the router just to work out any other weirdness. I see nothing wrong with the config.

"Robert Orso" <ro@astronomie.at> wrote in message news:918a0375.0407160602.1a795e34@posting.google.com...
> I have a Cisco 1600 router on a small network, a handful of external
> addresses and a few services inside the router.
> Now it is necessary to remap the web/mail-server on a different
> (internal) IP.
>
> Everything works well with the ports 80, 110, 143, but NOT with port
> 25. With a packet analyzer I can see the request to outside:25 is
> correctly remapped and forwarded to new-inside:25, which sends an Ack
> that is again remapped and sent to the originator. Here the problem
> manifests:
>
> The return packet that arrives at the remote is marked as outside:4
> instead of outside:25. If I try again, I get a reply from outside:5,
> ... counting upward slowly whereby "used" port numbers are skipped.
>
> If I remap the port back to the original machine at old-inside:25, I
> get a clean connect and all reply packages are correctly marked as
> outside:25
>
> Just to make sure that my new SMTP service is working correctly, I
> mapped another static inside from outside:125 to new-inside:25. As I
> expected, I get a clean SMTP transmission when I connect to
> outside:125
>
> Unfortunately the original configuration was made by someone else and
> my knowledge of Cisco IOS is currently more or less in the "try and
> error" phase. I think I did understand most of the config file and I
> know where I would want to turn the knob but it is frustrating.
>
> Turning the SMTP protocol inspector off and on did not change
> anything.
>
> Why the heck does this damned thing readdress the reply packets from
> the one IP and not from the other?
>
> Any idea?
>
> (IP-Addresses and passwords masked)
Re: strange NAT behaviour with SMTP port
Hi,

I agree that it sounds like NAT. I wouldn't be surprised if this has something to do with CBAC. Also post your IOS version and platform. I've seen this before with CBAC, and an IOS upgrade fixes it, many times.