Velocity Reviews > Newsgroups > Computing > Cisco
Redirect Internal IP to Different Internal IP on Same Subnet & Interface

 
 
EG
12-29-2004
I am wondering if anyone can help me with a Cisco router redirect problem.
I would like to redirect smtp client requests currently going to one
internal server to a different internal server transparently. Both servers
are on the same router interface FE0/0 and in the same subnet. We are
currently installing a mail gateway and would like to have requests that are
currently going to 1.2.3.4 port 25 go to 5.6.7.8 port 25 without changing
the mail client settings on PCs. Currently, mail clients are set to use
1.2.3.4 port 25 for smtp.
I tried route-map on the FE0/0 interface but it did not seem to work. It
seems as though 1.2.3.4 port 25 packets are not traversing this interface.

The route-map I tried looked like this:

interface fe0/0
ip policy route-map SMTP_Redirect

route-map SMTP_Redirect permit 10
match ip address 188
set ip default next-hop 5.6.7.8

access-list 188 remark Allow traffic destined for mail server
access-list 188 deny tcp any any neq smtp log
access-list 188 permit tcp any host 1.2.3.4 eq smtp log
access-list 188 deny ip any any log

What am I doing wrong?



 
Walter Roberson
12-29-2004
In article <l4FAd.1657$(E-Mail Removed)>,
EG <(E-Mail Removed)> wrote:
:I am wondering if anyone can help me with a Cisco router redirect problem.
:I would like to redirect smtp client requests currently going to one
:internal server to a different internal server transparently. Both servers
:are on the same router interface FE0/0 and in the same subnet. We are
:currently installing a mail gateway and would like to have requests that are
:currently going to 1.2.3.4 port 25 go to 5.6.7.8 port 25 without changing
:the mail client settings on PCs.

Do the clients currently need to pass through FE0/0 in order
to get to the existing mail gateway? And with the new gateway,
would they still have to go through FE0/0 ? If the answer to
both is Yes, then the solution is to use static nat, with the side
of the mail gateway being the 'inside' and the side with the PCs being
the 'outside' for NAT purposes.

If the clients do not currently need to pass through FE0/0 in order
to get to the existing mail gateway, then a routing solution isn't
going to help: the clients would ARP for the gateway, and the router
wouldn't normally answer because it would notice that the destination
IP is in the same subnet as the target. The router would normally
only step in and proxy arp if the destination was in a different
subnet.
--
Before responding, take into account the possibility that the Universe
was created just an instant ago, and that you have not actually read
anything, but were instead created intact with a memory of having read it.
 
EG
12-30-2004
"Walter Roberson" <(E-Mail Removed)-cnrc.gc.ca> wrote in message
news:cqv78s$apa$(E-Mail Removed)...
> In article <l4FAd.1657$(E-Mail Removed)>,
> Do the clients currently need to pass through FE0/0 in order
> to get to the existing mail gateway? And with the new gateway,
> would they still have to go through FE0/0 ? If the answer to
> both is Yes, then the solution is to use static nat, with the side
> of the mail gateway being the 'inside' and the side with the PCs being
> the 'outside' for NAT purposes.
>
> If the clients do not currently need to pass through FE0/0 in order
> to get to the existing mail gateway, then a routing solution isn't
> going to help: the clients would ARP for the gateway, and the router
> wouldn't normally answer because it would notice that the destination
> IP is in the same subnet as the target. The router would normally
> only step in and proxy arp if the destination was in a different
> subnet.


Thanks Walter. I guess that makes perfect sense. Both are on the same side
behind the FE0/0 and on the same subnet. You're right. They are simply
arping on that flat subnet without passing into or through the router.
Although it doesn't seem likely, does anyone have any ideas how to make this
work without manually changing all of the mail client smtp server addresses?


 
Walter Roberson
12-30-2004
In article <_UHAd.1675$(E-Mail Removed)>,
EG <(E-Mail Removed)> wrote:
|I guess that makes perfect sense. Both are on the same side
|behind the FE0/0 and on the same subnet. You're right. They are simply
|arping on that flat subnet without passing into or through the router.
|Although it doesn't seem likely, does anyone have any ideas how to make this
|work without manually changing all of the mail client smtp server addresses?

The seemingly obvious answer would be to renumber the current smtp
server and put the new one in its place

As you have not chosen that path, I gather that there are other services
that run on the current server that you do not wish to disturb at
this time. If true, then the solution I would propose would be to
put in a PIX 501 (or larger PIX if there is a lot of traffic).

Number the outside interface of the PIX 501 with the current IP address
and subnet of the old server, and put both the old and new servers
inside (in a different IP address range), and use static port
translation to selectively move services from the old system to the
new. For example,

static (inside, outside) tcp interface smtp 192.168.15.3 smtp netmask 255.255.255.255
static (inside, outside) tcp interface http 192.168.15.2 http netmask 255.255.255.255

would result in smtp to the old IP being directed to machine 192.168.15.3
while http to the old IP would be directed to 192.168.15.2 instead.
--
Scintillate, scintillate, globule vivific
Fain would I fathom thy nature specific.
Loftily poised on ether capacious
Strongly resembling a gem carbonaceous. -- Anon
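The two mechanisms discussed above, as an added worked example that is not part of the original thread: the first reply's point that hosts on one connected subnet ARP for each other directly (so a route-map on FE0/0 never sees the traffic), and the PIX static port translation proposed here. The subnet, client address and 10.0.0.x server addresses are constructed stand-ins for the thread's 1.2.3.4 and 5.6.7.8; the 192.168.15.x inside hosts are the ones from the static lines.

```python
from ipaddress import ip_address, ip_network

# Constructed sample topology (placeholder addresses, not the thread's):
# clients and both mail servers sit on one flat subnet behind FE0/0.
LAN = ip_network("10.0.0.0/24")
OLD_SERVER = "10.0.0.4"   # stands in for the thread's 1.2.3.4
NEW_SERVER = "10.0.0.8"   # stands in for the thread's 5.6.7.8
CLIENT = "10.0.0.50"

def router_in_path(src, dst, local_net):
    """True when a host on local_net must send the packet via its gateway.

    A host ARPs directly for any destination inside its own connected subnet,
    so the router, and any 'ip policy route-map' applied to its LAN interface,
    never sees that packet. Only off-subnet destinations reach the router.
    """
    return not (ip_address(src) in local_net and ip_address(dst) in local_net)

# Model of the PIX 'static (inside,outside) tcp interface <svc> <inside> <svc>'
# lines: the PIX outside interface takes over the old server's address and
# each TCP service is mapped to the inside host that should now serve it.
STATICS = {
    25: "192.168.15.3",   # smtp -> new mail gateway
    80: "192.168.15.2",   # http -> old server, renumbered inside
}

def pix_static_translate(dst_ip, dst_port, outside_ip, statics):
    """Return the (inside_ip, port) a flow is translated to, or None.

    Only traffic addressed to the PIX outside interface is a candidate; a
    port with no static entry is left untranslated (this model does not
    represent whatever the PIX would then do with it).
    """
    if ip_address(dst_ip) != ip_address(outside_ip):
        return None
    inside = statics.get(dst_port)
    return (inside, dst_port) if inside else None

if __name__ == "__main__":
    print("PBR on FE0/0 sees client->old server:",
          router_in_path(CLIENT, OLD_SERVER, LAN))        # False
    print("PBR on FE0/0 sees client->Internet host:",
          router_in_path(CLIENT, "203.0.113.10", LAN))    # True
    for port in (25, 80, 443):
        print(f"tcp/{port} to old IP ->",
              pix_static_translate(OLD_SERVER, port, OLD_SERVER, STATICS))
```

The first check is what the original route-map attempt was missing: with both hosts in LAN, the policy never gets a chance to match.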
 
EG
12-30-2004

"Walter Roberson" <(E-Mail Removed)-cnrc.gc.ca> wrote in message
news:cqvk5d$q86$(E-Mail Removed)...
> The seemingly obvious answer would be to renumber the current smtp
> server and put the new one in its place
>
> As you have not chosen that path, I gather that there are other services
> that run on the current server that you do not wish to disturb at
> this time. If true, then the solution I would propose would be to
> put in a PIX 501 (or larger PIX if there is a lot of traffic).
>
> Number the outside interface of the PIX 501 with the current IP address
> and subnet of the old server, and put both the old and new servers
> inside (in a different IP address range), and use static port
> translation to selectively move services from the old system to the
> new. For example,
>
> static (inside, outside) tcp interface smtp 192.168.15.3 smtp netmask
> 255.255.255.255
> static (inside, outside) tcp interface http 192.168.15.2 http netmask
> 255.255.255.255
>
> would result in smtp to the old IP being directed to machine 192.168.15.3
> while http to the old IP would be directed to 192.168.15.2 instead.


Well, I did not fully explain in previous post the train of reasoning for
the changes. I am installing a Symantec Antivirus Gateway for SMTP servers
which will be on a separate "mail gateway" box. It will scan and then
forward incoming and outgoing mail to our main mail server for delivery. I
have the incoming Internet mail directed to this gateway thus far working
perfectly. It is the mail going out, from clients, that is the problem. I
appreciate your advice on the PIX box and will take it into consideration.
But it seems that for right now the proper long term solution is to manually
change the clients' smtp server settings to a FQDN such as smtp.myhost.com
and do the redirection through DNS. This will also allow any future changes
to the mail server IP to be handled by a simple change in the DNS pointing.
Thanx again for your insight,
-Ed


 
Walter Roberson
12-30-2004
In article <8TIAd.1691$(E-Mail Removed)>,
EG <(E-Mail Removed)> wrote:
:Well, I did not fully explain in previous post the train of reasoning for
:the changes. I am installing a Symantec Antivirus Gateway for SMTP servers
:which will be on a separate "mail gateway" box. It will scan and then
:forward incoming and outgoing mail to our main mail server for delivery. I
:have the incoming Internet mail directed to this gateway thus far working
:perfectly. It is the mail going out, from clients, that is the problem.

The clients are currently set to the existing server, right? And you
said that incoming *and* outgoing email will be scanned by the
new mail gateway. So why not just leave outgoing email for the clients
pointed to the existing email gateway, no changes to them at all?
Sure any junk would then make it to your current gateway, but your
current gateway is going to forward out via the new Symantec gateway
which will catch the junk there.

You have two settings on the PC clients, one for where to find
incoming email, and the other for where to send the outgoing email.
The incoming email you want to be from the old server [now
defended against outside email viruses coming inwards], but
you can also leave the outgoing email setting at the old server
as well.


The big disadvantage of leaving the PCs set to go to the old
server is that if something inside does get a virus and starts
emailing all over the place, although the new gateway will prevent
it from getting out of your net, if the email is going first to
the existing server, then email to -local- users can carry the virus.

On the other hand, considering that modern viruses tend to use
multiple techniques, there's a good chance that the virus would
be able to just go around on the local LAN infecting everything
directly without going through email. There -are- some email-only
viruses [e.g., whose only infection mechanism is by an Outlook preview
vulnerability], but most viruses would go ahead and infect
executables all over the disk in hopes that someone else will copy
the infected executable and propagate the virus that way. If you
have a virus spreading from the inside, having it spread only
through internal email is probably not the greatest of your worries.


You are of course correct that in the long term, FQDN and DNS is
a better solution; I'm just indicating that in the shorter term,
you can just leave people pointed to the old server and you
will still benefit from the new gateway filtering of outgoing email.
--
Those were borogoves and the mome raths outgrabe completely mimsy.
 