Velocity Reviews

Cisco forum thread: Clueless needs Cisco 2801 Nat help (http://www.velocityreviews.com/forums/t433450-clueless-needs-cisco-2801-nat-help.html)

The Other Mike 12-26-2006 02:37 PM

Clueless needs Cisco 2801 Nat help

Kinda thrown into administration of a Cisco 2801 router and am really
not sure what to do about an issue we have. Below are the relevant
parts of our config with IPs changed. The issue is, with this
config, we are NATting all internal IPs going to the Internet as a
single IP (PAT?)...the same IP as the external interface. The issue this
is causing is bounced emails sent to domains who are doing reverse
lookups...our mail server was assigned the 65.199.20.20 address and
receiving mail to that address is no problem. But when sending, the
IP in the mail header is the Serial interface IP. How do I make the
mail server IP the same for incoming and outgoing? Do I need a NAT
pool?

interface FastEthernet0/0
description Connection to Pix
bandwidth 1544
ip address 192.168.70.2 255.255.255.240
ip nat inside
speed 100
full-duplex
no cdp enable
!
interface Serial0/1/0
description Verizon MCI
no ip address
encapsulation frame-relay IETF
no fair-queue
service-module t1 timeslots 1-24
frame-relay lmi-type ansi
!
interface Serial0/1/0.500 point-to-point
ip address 63.81.10.10 255.255.255.252
ip nat outside
frame-relay interface-dlci 500
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/1/0.500
!
no ip http server
ip nat inside source list 7 interface Serial0/1/0.500 overload
ip nat inside source list 8 interface Serial0/1/0.500 overload
ip nat inside source list 9 interface Serial0/1/0.500 overload
ip nat inside source static tcp 192.168.70.6 25 65.199.20.20 25 extendable
ip nat inside source static tcp 192.168.70.7 80 65.199.20.20 80 extendable
ip nat inside source static 192.168.70.5 65.199.20.20
!
logging history alerts
access-list 7 permit 192.168.50.0 0.0.0.255
access-list 8 permit 10.0.0.0 0.0.0.255
access-list 9 permit 192.168.70.0 0.0.0.255

Bod43@hotmail.co.uk 12-26-2006 03:18 PM

Re: Clueless needs Cisco 2801 Nat help
 

The Other Mike wrote:
> Kinda thrown into administration of a Cisco 2801 router and am really
> not sure what to do about an issue we have. Below are the relevant
> parts of our config with IPs changed. The issue is, with this
> config, we are NATting all internal IPs going to the Internet as a
> single IP (PAT?)...the same IP as the external interface. The issue this
> is causing is bounced emails sent to domains who are doing reverse
> lookups...our mail server was assigned the 65.199.20.20 address and
> receiving mail to that address is no problem. But when sending, the
> IP in the mail header is the Serial interface IP. How do I make the
> mail server IP the same for incoming and outgoing? Do I need a NAT
> pool?
>
> interface FastEthernet0/0
> description Connection to Pix
> ip address 192.168.70.2 255.255.255.240
> ip nat inside
> !
> interface Serial0/1/0
> description Verizon
> encapsulation frame-relay IETF
> service-module t1 timeslots 1-24
> frame-relay lmi-type ansi
> !
> interface Serial0/1/0.500 point-to-point
> ip address 63.81.10.10 255.255.255.252
> ip nat outside
> frame-relay interface-dlci 500
> !
> ip nat inside source list 7 interface Serial0/1/0.500 overload
> ip nat inside source list 8 interface Serial0/1/0.500 overload
> ip nat inside source list 9 interface Serial0/1/0.500 overload
> ip nat inside source static tcp 192.168.70.6 25 65.199.20.20 25 extendable
> ip nat inside source static tcp 192.168.70.7 80 65.199.20.20 80 extendable
> ip nat inside source static 192.168.70.5 65.199.20.20
>
> access-list 7 permit 192.168.50.0 0.0.0.255
> access-list 8 permit 10.0.0.0 0.0.0.255
> access-list 9 permit 192.168.70.0 0.0.0.255


The issue that you have is that the wrong NAT
statement is grabbing and NATting your outbound traffic.
As far as I know the order of NAT statements' evaluation
is not specified.

What you need to do is to force the correct NAT statement
to be used with access lists.

You don't say precisely enough what you want to be sure,
but I think you need to move to extended access-lists.

Here is what I would put.

Access-lists 7, 8, and 9 can be combined, let's do that too.
Also I now always use named access-lists where possible.


! You want to end up with:-
ip nat inside source list ACL.nat interface Serial0/1/0.500 overload
ip nat inside source static tcp 192.168.70.6 25 65.199.20.20 25 extendable
ip nat inside source static tcp 192.168.70.7 80 65.199.20.20 80 extendable
ip nat inside source static 192.168.70.5 65.199.20.20


! Extended ACL syntax: every entry names a protocol, "eq 25" needs tcp or udp,
! a single host is written "host a.b.c.d", and comments go on "remark" lines
! (IOS does not accept a "!" comment at the end of a config line).
ip access-list extended ACL.nat
 remark Outbound SMTP from the mail server: keep it out of the overload NAT
 deny tcp host 192.168.70.6 any eq 25
 permit ip 192.168.50.0 0.0.0.255 any
 permit ip 192.168.70.0 0.0.0.255 any
 permit ip 10.0.0.0 0.0.0.255 any

! You need to remove the unwanted statements

no ip nat inside source list 7 interface Serial0/1/0.500 overload
no ip nat inside source list 8 interface Serial0/1/0.500 overload
no ip nat inside source list 9 interface Serial0/1/0.500 overload
no access-list 7
no access-list 8
no access-list 9

All the Cisco examples call an ACL like this
"nonat" but that just makes my head hurt.

This config will still leave all other traffic from your mail server,
and other servers too, overload NATted to the outside address.

! to see what is going on:
show ip nat translations
! to get rid of old rubbish (and kill existing sessions):
clear ip nat translation *


The Other Mike 12-26-2006 03:24 PM

Re: Clueless needs Cisco 2801 Nat help
 
On Tue, 26 Dec 2006 09:37:38 -0500, The Other Mike <Noone@nowhere.com>
wrote:

> ip nat inside source static tcp 192.168.70.6 25 65.199.20.20 25 extendable
> ip nat inside source static tcp 192.168.70.7 80 65.199.20.20 80 extendable
> ip nat inside source static 192.168.70.5 65.199.20.20
> !


Sorry...this is a typo...should be as follows...

> ip nat inside source static tcp 192.168.70.6 25 65.199.20.20 25 extendable
> ip nat inside source static tcp 192.168.70.7 80 65.199.20.21 80 extendable
> ip nat inside source static 192.168.70.5 65.199.20.22


The Other Mike 12-26-2006 05:42 PM

Re: Clueless needs Cisco 2801 Nat help
 
On Tue, 26 Dec 2006 10:24:11 -0500, The Other Mike <Noone@nowhere.com>
wrote:

>> ip nat inside source static tcp 192.168.70.6 25 65.199.20.20 25 extendable
>> ip nat inside source static tcp 192.168.70.7 80 65.199.20.21 80 extendable
>> ip nat inside source static 192.168.70.5 65.199.20.22


Forget this post...figured out what I was doing wrong. Just took out
the port 25 static and made it a full static nat and the issue is
resolved.
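To make the thread's diagnosis and fix concrete, here is an added example (written for this page; it is not code from the thread, from the posters, or from Cisco) that models how the router picks an inside-source NAT rule for the first post's configuration and for the final fix. It assumes what the posts describe: a static port ("extendable") entry only matches traffic whose inside source port is the mapped port, so the mail server's outbound SMTP sessions (ephemeral source port) fall through to the overload rule and leave from the Serial interface address, while a full static entry matches every packet from that inside address; static entries are tried before overload entries. The global addresses use the typo-corrected .21/.22 values from the follow-up post; the remote mail exchanger 203.0.113.5 is a constructed value, and PAT port reuse is not modelled.

```python
# Added example: toy model of inside-source NAT rule selection for the
# thread's config. Not IOS code; the matching rules are assumptions stated
# in the comments and docstrings.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple, Union


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class StaticPort:
    """ip nat inside source static <proto> <inside> <port> <global> <port> extendable"""
    proto: str
    inside: str
    inside_port: int
    global_ip: str
    global_port: int


@dataclass(frozen=True)
class StaticFull:
    """ip nat inside source static <inside> <global>"""
    inside: str
    global_ip: str


@dataclass(frozen=True)
class Overload:
    """ip nat inside source list <acl> interface <if> overload; ACL given as CIDRs"""
    permitted: Tuple[str, ...]
    interface_ip: str


Rule = Union[StaticPort, StaticFull, Overload]
Binding = Optional[Tuple[str, int]]

SERIAL_IP = "63.81.10.10"    # Serial0/1/0.500, the 'ip nat outside' interface
MX_ADDRESS = "65.199.20.20"  # address the mail server's DNS records point at
REMOTE_MX = "203.0.113.5"    # constructed: a receiving domain's mail exchanger


def original_config() -> Tuple[Rule, ...]:
    """NAT statements from the first post, with the corrected .21/.22 globals."""
    return (
        StaticPort("tcp", "192.168.70.6", 25, MX_ADDRESS, 25),
        StaticPort("tcp", "192.168.70.7", 80, "65.199.20.21", 80),
        StaticFull("192.168.70.5", "65.199.20.22"),
        # access-lists 7, 8 and 9: the wildcard 0.0.0.255 is a /24
        Overload(("192.168.50.0/24",), SERIAL_IP),
        Overload(("10.0.0.0/24",), SERIAL_IP),
        Overload(("192.168.70.0/24",), SERIAL_IP),
    )


def fixed_config() -> Tuple[Rule, ...]:
    """The last post's fix: the port-25 static replaced by a full static."""
    return tuple(
        StaticFull("192.168.70.6", MX_ADDRESS)
        if isinstance(r, StaticPort) and r.inside == "192.168.70.6" else r
        for r in original_config()
    )


def translate_outbound(pkt: Packet, rules: Tuple[Rule, ...]) -> Binding:
    """Inside-to-outside: (global source address, source port), or None if
    no rule applies. Assumption: static entries are checked before overload."""
    for r in rules:
        if (isinstance(r, StaticPort)
                and (r.proto, r.inside, r.inside_port) == (pkt.proto, pkt.src, pkt.sport)):
            return (r.global_ip, r.global_port)
        if isinstance(r, StaticFull) and r.inside == pkt.src:
            return (r.global_ip, pkt.sport)
    for r in rules:
        if (isinstance(r, Overload)
                and any(ip_address(pkt.src) in ip_network(n) for n in r.permitted)):
            # PAT to the interface address; the port is kept here, reuse not modelled
            return (r.interface_ip, pkt.sport)
    return None


def translate_inbound(pkt: Packet, rules: Tuple[Rule, ...]) -> Binding:
    """Outside-to-inside for the static entries only (no dynamic table kept)."""
    for r in rules:
        if (isinstance(r, StaticPort)
                and (r.proto, r.global_ip, r.global_port) == (pkt.proto, pkt.dst, pkt.dport)):
            return (r.inside, r.inside_port)
        if isinstance(r, StaticFull) and r.global_ip == pkt.dst:
            return (r.inside, pkt.dport)
    return None


def egress_addresses(inside_ip: str, rules: Tuple[Rule, ...]) -> set:
    """Global addresses a host is seen from across typical source ports; a mail
    server whose forward and reverse DNS give MX_ADDRESS should yield only that."""
    seen = set()
    for sport in (25, 1025, 40000, 60000):
        b = translate_outbound(Packet("tcp", inside_ip, sport, REMOTE_MX, 25), rules)
        seen.add(b[0] if b else None)
    return seen


if __name__ == "__main__":
    for name, cfg in (("original", original_config()), ("fixed", fixed_config())):
        print(name, "mail server egresses from:", egress_addresses("192.168.70.6", cfg))
```

Running it shows the symptom from the first post (the mail server is seen from both 65.199.20.20 and 63.81.10.10, depending on source port) and that the full static collapses this to 65.199.20.20 alone. The same model also shows the trade-off of that fix: with a full static, translate_inbound now maps every port of 65.199.20.20 onto 192.168.70.6, not just port 25, so inbound filtering has to be done on the PIX behind FastEthernet0/0 or with an ACL on the outside interface rather than relying on the port-specific NAT entry.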


