Clueless needs Cisco 2801 Nat help

Discussion in 'Cisco' started by The Other Mike, Dec 26, 2006.

  1. Kinda thrown into administration of a Cisco 2801 router and am really
    not sure what to do about an issue we have. Below are the relevant
    parts of our config with IPs changed. The issue is, with this
    config, we are NATting all internal IPs going to the Internet as a
    single IP (PAT?)...the same IP as the external interface. The issue this
    is causing is bounced emails sent to domains that are doing reverse
    lookups...our mail server was assigned the 65.199.20.20 address and
    receiving mail at that address is no problem. But when sending, the
    IP in the mail header is the Serial interface IP. How do I make the
    mail server IP the same for incoming and outgoing? Do I need a NAT
    pool?

    interface FastEthernet0/0
    description Connection to Pix
    bandwidth 1544
    ip address 192.168.70.2 255.255.255.240
    ip nat inside
    speed 100
    full-duplex
    no cdp enable
    !
    interface Serial0/1/0
    description Verizon MCI
    no ip address
    encapsulation frame-relay IETF
    no fair-queue
    service-module t1 timeslots 1-24
    frame-relay lmi-type ansi
    !
    interface Serial0/1/0.500 point-to-point
    ip address 63.81.10.10 255.255.255.252
    ip nat outside
    frame-relay interface-dlci 500
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 Serial0/1/0.500
    !
    no ip http server
    ip nat inside source list 7 interface Serial0/1/0.500 overload
    ip nat inside source list 8 interface Serial0/1/0.500 overload
    ip nat inside source list 9 interface Serial0/1/0.500 overload
    ip nat inside source static tcp 192.168.70.6 25 65.199.20.20 25 extendable
    ip nat inside source static tcp 192.168.70.7 80 65.199.20.20 80 extendable
    ip nat inside source static 192.168.70.5 65.199.20.20
    !
    logging history alerts
    access-list 7 permit 192.168.50.0 0.0.0.255
    access-list 8 permit 10.0.0.0 0.0.0.255
    access-list 9 permit 192.168.70.0 0.0.0.255
     
    The Other Mike, Dec 26, 2006
    #1

  2. The Other Mike

    Guest

    The Other Mike wrote:
    > Kinda thrown into administration of a cisco 2801 router and am really
    > not sure what to do about an issue we have. Below are the relevant
    > parts of our config with IP's changed. The issue is, with this
    > config, we are natting all internal IP's going to the Internet as a
    > single IP (PAT?)...same IP as the external interface. The issue this
    > is causing are bounced emails sent to domains who are doing reverse
    > lookups...our mail server was assigned the 65.199.20.20 address and
    > receiving mail to that address is no problem. But when sending, the
    > IP in the mail header is the Serial interface IP. How do I make the
    > mail server IP the same for incoming and outgoing? Do I need a nat
    > pool?
    >
    > interface FastEthernet0/0
    > description Connection to Pix
    > ip address 192.168.70.2 255.255.255.240
    > ip nat inside
    > !
    > interface Serial0/1/0
    > description Verizon
    > encapsulation frame-relay IETF
    > service-module t1 timeslots 1-24
    > frame-relay lmi-type ansi
    > !
    > interface Serial0/1/0.500 point-to-point
    > ip address 63.81.10.10 255.255.255.252
    > ip nat outside
    > frame-relay interface-dlci 500
    > !
    > ip nat inside source list 7 interface Serial0/1/0.500 overload
    > ip nat inside source list 8 interface Serial0/1/0.500 overload
    > ip nat inside source list 9 interface Serial0/1/0.500 overload
    > ip nat inside source static tcp 192.168.70.6 25 65.199.20.20 25 extendable
    > ip nat inside source static tcp 192.168.70.7 80 65.199.20.20 80 extendable
    > ip nat inside source static 192.168.70.5 65.199.20.20
    >
    > access-list 7 permit 192.168.50.0 0.0.0.255
    > access-list 8 permit 10.0.0.0 0.0.0.255
    > access-list 9 permit 192.168.70.0 0.0.0.255


    The issue that you have is that the wrong nat
    statement is grabbing and natting your outbound traffic.
    As far as I know the order of nat statements' evaluation
    is not specified.

    What you need to do is to force the correct nat statement
    to be used with access lists.

    You don't say precisely enough what you want to be sure
    but I think you need to move to Extended access-lists.

    Here is what I would put.

    Access-lists 7, 8, and 9 can be combined, let's do that too.
    Also I now always use named access-lists where possible.


    ! You want to end up with:-
    ip nat inside source list ACL.nat interface Serial0/1/0.500 overload
    ip nat inside source static tcp 192.168.70.6 25 65.199.20.20 25 extendable
    ip nat inside source static tcp 192.168.70.7 80 65.199.20.20 80 extendable
    ip nat inside source static 192.168.70.5 65.199.20.20


    ip access-list extended ACL.nat
    deny tcp host 192.168.70.6 any eq 25 ! <-- outbound SMTP
    permit ip 192.168.50.0 0.0.0.255 any
    permit ip 192.168.70.0 0.0.0.255 any
    permit ip 10.0.0.0 0.0.0.255 any

    ! You need to remove the unwanted statements

    no ip nat inside source list 7 interface Serial0/1/0.500 overload
    no ip nat inside source list 8 interface Serial0/1/0.500 overload
    no ip nat inside source list 9 interface Serial0/1/0.500 overload
    no access-list 7
    no access-list 8
    no access-list 9

    All the Cisco examples call an ACL like this
    "nonat" but that just makes my head hurt.

    This config will still leave all other traffic from your mail server,
    and other servers too, overload NATted to the outside address.

    show ip nat translations ! to see what is going on.
    clear ip nat tr * ! to get rid of old rubbish (and kill existing sessions)
     
    , Dec 26, 2006
    #2

  3. On Tue, 26 Dec 2006 09:37:38 -0500, The Other Mike <>
    wrote:

    >ip nat inside source static tcp 192.168.70.6 25 65.199.20.20 25
    >extendable
    >ip nat inside source static tcp 192.168.70.7 80 65.199.20.20 80
    >extendable
    >ip nat inside source static 192.168.70.5 65.199.20.20
    >!


    Sorry...this is a typo...should be as follows...

    >ip nat inside source static tcp 192.168.70.6 25 65.199.20.20 25
    >extendable
    >ip nat inside source static tcp 192.168.70.7 80 65.199.20.21 80
    >extendable
    >ip nat inside source static 192.168.70.5 65.199.20.22
     
    The Other Mike, Dec 26, 2006
    #3
  4. On Tue, 26 Dec 2006 10:24:11 -0500, The Other Mike <>
    wrote:

    >ip nat inside source static tcp 192.168.70.6 25 65.199.20.20 25
    >>extendable
    >>ip nat inside source static tcp 192.168.70.7 80 65.199.20.21 80
    >>extendable
    >>ip nat inside source static 192.168.70.5 65.199.20.22


    Forget this post...figured out what I was doing wrong. Just took out
    the port 25 static and made it a full static nat and the issue is
    resolved.
     
    The Other Mike, Dec 26, 2006
    #4
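An added simulation (not from the thread or from Cisco IOS) of how the router picks a translation for an outbound packet, using the corrected addresses from post #3: a port-level static such as `tcp 192.168.70.6 25` only matches when the inside-local source port is 25, so an outbound SMTP session from an ephemeral port falls through to the overload rule and leaves with the serial IP, whereas the full static from post #4 covers every port. The sample flows and the simplified matching model are assumptions.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional


class Flow(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int


SERIAL_IP = "63.81.10.10"  # ip nat outside address on Serial0/1/0.500
# Networks permitted by access-lists 7, 8 and 9 (the three overload rules).
DYNAMIC_ACL = ["192.168.50.0/24", "10.0.0.0/24", "192.168.70.0/24"]

# Static entries: (inside-local ip, local port or None, inside-global ip, global port or None).
# A port of None is a full static (all ports); a port-level static only matches
# a packet whose inside-local SOURCE port equals the configured port (assumed model).
STATICS_BEFORE = [  # post #1 as corrected in post #3
    ("192.168.70.6", 25, "65.199.20.20", 25),
    ("192.168.70.7", 80, "65.199.20.21", 80),
    ("192.168.70.5", None, "65.199.20.22", None),
]
# Post #4 resolution: the port-25 static becomes a full static for the mail server.
STATICS_AFTER = [("192.168.70.6", None, "65.199.20.20", None)] + STATICS_BEFORE[1:]


def outbound_source(flow: Flow, statics) -> Optional[str]:
    """Return the source IP an outbound packet leaves the serial interface with.
    Statics are consulted before the dynamic overload rule; None means no rule
    matched and the packet would leave with its private address untranslated."""
    for local_ip, local_port, global_ip, _ in statics:
        if flow.src == local_ip and (local_port is None or flow.sport == local_port):
            return global_ip
    if any(ip_address(flow.src) in ip_network(net) for net in DYNAMIC_ACL):
        return SERIAL_IP  # overload (PAT) onto the interface address
    return None


# Constructed outbound SMTP session: ephemeral source port, remote port 25.
MAIL_OUT = Flow("192.168.70.6", 51234, "203.0.113.25", 25)


def demo() -> dict:
    """Source IP seen by the remote MTA before and after the post #4 change."""
    return {"before": outbound_source(MAIL_OUT, STATICS_BEFORE),
            "after": outbound_source(MAIL_OUT, STATICS_AFTER)}


if __name__ == "__main__":
    print(demo())  # {'before': '63.81.10.10', 'after': '65.199.20.20'}
```

The "before" result is the serial IP the original poster saw in the mail headers; the "after" result is the address whose reverse lookup the receiving domains expect.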