NAT for Mail Svr

Discussion in 'Cisco' started by bobneworleans@yahoo.com, Jan 2, 2007.

  1. Guest

    Our mail server has been blacklisted so I tried to change the NATed
    address from x.x.224.173 to x.x.224.172 in the 1711. show ip nat trans
    seems to indicate that the change was made but whatsmyip.info shows
    that the mail server is still x.x.224.173.

    LandA_1711#show ip nat trans
    Pro Inside global      Inside local       Outside local        Outside global
    tcp x.x.224.172:25     192.168.1.24:25    217.217.188.6:4163   217.217.188.6:4163
    tcp x.x.224.172:25     192.168.1.24:25    ---                  ---

    1) Why are there two translations listed for 192.168.1.24:25?
    2) What does it mean that the second translation has dashes instead of
    outside addresses?
    3) x.x.224.173 is the outside address of the router. Why doesn't this
    match the translation?
    , Jan 2, 2007
    #1

  2. Brian V Guest

    <> wrote in message
    news:...
    > Our mail server has been blacklisted so I tried to change the NATed
    > address from x.x.224.173 to x.x.224.172 in the 1711. show ip nat trans
    > seems to indicate that the change was made but whatsmyip.info shows
    > that the mail server is still x.x.224.173.
    >
    > LandA_1711#show ip nat trans
    > Pro Inside global      Inside local       Outside local        Outside global
    > tcp x.x.224.172:25     192.168.1.24:25    217.217.188.6:4163   217.217.188.6:4163
    > tcp x.x.224.172:25     192.168.1.24:25    ---                  ---
    >
    > 1) Why are there two translations listed for 192.168.1.24:25?
    > 2) What does it mean that the second translation has dashes instead of
    > outside addresses?
    > 3) x.x.224.173 is the outside address of the router. Why doesn't this
    > match the translation?
    >


    1. You're still going to be blacklisted. Very few filters rely strictly on
    IP address. You should find out WHY you are on the lists, relay, virus,
    whatever and fix it, then work on getting your domain name off the lists.
    2. Did you clear your translations after you made the change?
    clear ip nat trans *
    3. Post your config, perhaps there is something wrong with it.

    -Brian
    Brian V, Jan 3, 2007
    #2

  3. Bob Simon Guest

    On Tue, 2 Jan 2007 19:07:08 -0500, "Brian V" <>
    wrote:

    >
    ><> wrote in message
    >news:...
    >> Our mail server has been blacklisted so I tried to change the NATed
    >> address from x.x.224.173 to x.x.224.172 in the 1711. show ip nat trans
    >> seems to indicate that the change was made but whatsmyip.info shows
    >> that the mail server is still x.x.224.173.
    >>
    >> LandA_1711#show ip nat trans
    >> Pro Inside global      Inside local       Outside local        Outside global
    >> tcp x.x.224.172:25     192.168.1.24:25    217.217.188.6:4163   217.217.188.6:4163
    >> tcp x.x.224.172:25     192.168.1.24:25    ---                  ---
    >>
    >> 1) Why are there two translations listed for 192.168.1.24:25?
    >> 2) What does it mean that the second translation has dashes instead of
    >> outside addresses?
    >> 3) x.x.224.173 is the outside address of the router. Why doesn't this
    >> match the translation?
    >>

    >
    >1, You're still going to be blacklisted. Very few filters rely strictly on
    >IP address. You should find out WHY you are on the lists, relay, virus,
    >whatever and fix it, then work on getting your domain name off the lists.


    We're working on that. In the mean time, I thought if I change my
    mail server's (public) address, we'd be able to get around the
    blacklist for now.

    >2, Did you clear your translations after you made the change? clear ip nat
    >trans *


    Yes.

    >3, Post your config, perhaps there is something wrong with it.


    Maybe so. Here are the nat statements and access list. Let me know
    if you see a problem.
    Thanks!
    Bob

    ip nat inside source list 122 interface FastEthernet0 overload
    ip nat inside source static tcp 192.168.1.56 3389 x.x.224.171 3389 extendable
    ip nat inside source static tcp 192.168.1.24 25 x.x.224.172 25 extendable
    ip nat inside source static tcp 192.168.1.24 110 x.x.224.172 110 extendable
    ip nat inside source static tcp 192.168.1.24 443 x.x.224.173 443 extendable
    !
    access-list 122 deny ip 192.168.1.0 0.0.0.255 10.3.0.0 0.0.255.255
    access-list 122 permit ip 192.168.1.0 0.0.0.255 any
    access-list 122 permit ip 10.2.0.0 0.0.255.255 any
    Bob Simon, Jan 4, 2007
    #3
  4. On Thu, 04 Jan 2007 08:27:24 -0600, Bob Simon wrote:

    >>> LandA_1711#show ip nat trans
    >>> Pro Inside global      Inside local       Outside local        Outside global
    >>> tcp x.x.224.172:25     192.168.1.24:25    217.217.188.6:4163   217.217.188.6:4163
    >>> tcp x.x.224.172:25     192.168.1.24:25    ---                  ---
    >>>
    >>> 1) Why are there two translations listed for 192.168.1.24:25?
    >>> 2) What does it mean that the second translation has dashes instead of
    >>> outside addresses?
    >>> 3) x.x.224.173 is the outside address of the router. Why doesn't this
    >>> match the translation?


    > Maybe so. Here are the nat statements and access list. Let me know
    > if you see a problem.
    > Thanks!
    > Bob
    >
    > ip nat inside source list 122 interface FastEthernet0 overload
    > ip nat inside source static tcp 192.168.1.56 3389 x.x.224.171 3389 extendable
    > ip nat inside source static tcp 192.168.1.24 25 x.x.224.172 25 extendable
    > ip nat inside source static tcp 192.168.1.24 110 x.x.224.172 110 extendable
    > ip nat inside source static tcp 192.168.1.24 443 x.x.224.173 443 extendable
    > !
    > access-list 122 deny ip 192.168.1.0 0.0.0.255 10.3.0.0 0.0.255.255
    > access-list 122 permit ip 192.168.1.0 0.0.0.255 any
    > access-list 122 permit ip 10.2.0.0 0.0.255.255 any


    If you want your mail server to translate to x.x.224.172 for all traffic
    you will need a 1-1 static translation, i.e.

    !
    ip nat inside source static 192.168.1.24 x.x.224.172
    !

    The TCP static translation you have for port 25 is only going to be used
    by inbound connections to your mail server. Any other connections
    initiated by the server machine will still use the overload nat statement
    and end up with Fa0's address.

    --
    Rgds,
    Martin
    Martin Gallagher, Jan 4, 2007
    #4
  5. Bob Simon Guest

    On Fri, 05 Jan 2007 08:41:02 +1100, Martin Gallagher
    <> wrote:

    >On Thu, 04 Jan 2007 08:27:24 -0600, Bob Simon wrote:
    >
    >>>> LandA_1711#show ip nat trans
    >>>> Pro Inside global      Inside local       Outside local        Outside global
    >>>> tcp x.x.224.172:25     192.168.1.24:25    217.217.188.6:4163   217.217.188.6:4163
    >>>> tcp x.x.224.172:25     192.168.1.24:25    ---                  ---
    >>>>
    >>>> 1) Why are there two translations listed for 192.168.1.24:25?
    >>>> 2) What does it mean that the second translation has dashes instead of
    >>>> outside addresses?
    >>>> 3) x.x.224.173 is the outside address of the router. Why doesn't this
    >>>> match the translation?

    >
    >> Maybe so. Here are the nat statements and access list. Let me know
    >> if you see a problem.
    >> Thanks!
    >> Bob
    >>
    >> ip nat inside source list 122 interface FastEthernet0 overload
    >> ip nat inside source static tcp 192.168.1.56 3389 x.x.224.171 3389 extendable
    >> ip nat inside source static tcp 192.168.1.24 25 x.x.224.172 25 extendable
    >> ip nat inside source static tcp 192.168.1.24 110 x.x.224.172 110 extendable
    >> ip nat inside source static tcp 192.168.1.24 443 x.x.224.173 443 extendable
    >> !
    >> access-list 122 deny ip 192.168.1.0 0.0.0.255 10.3.0.0 0.0.255.255
    >> access-list 122 permit ip 192.168.1.0 0.0.0.255 any
    >> access-list 122 permit ip 10.2.0.0 0.0.255.255 any

    >
    > If you want your mail server to translate to x.x.224.172 for all traffic
    >you will need a 1-1 static translation, i.e.
    >
    >!
    >ip nat inside source static 192.168.1.24 x.x.224.172
    >!
    >
    > The TCP static translation you have for port 25 is only going to be used
    >by inbound connections to your mail server. Any other connections
    >initiated by the server machine will still use the overload nat statement
    >and end up with Fa0's address.


    Martin,
    Thanks for the reply. Actually the policy I was asked to implement is
    to translate POP and SMTP traffic to x.x.224.172 and https traffic to
    .173. I believe that the config snippet I included above will
    accomplish this.

    I'm starting to wonder if the address I got back from whatsmyip.info
    might have been cached. I'll check this again tomorrow.
    Bob
    Bob Simon, Jan 4, 2007
    #5
  6. wrote:
    > Our mail server has been blacklisted so I tried to change the NATed
    > address from x.x.224.173 to x.x.224.172 in the 1711. show ip nat trans
    > seems to indicate that the change was made but whatsmyip.info shows
    > that the mail server is still x.x.224.173.


    Why is your mail server blacklisted? Try to find the reason. My favorite
    is www.dnsstuff.com; there you can run all the tests against IPs, names, etc.
    But don't change only the IP.
    Now you have more problems than before: wrong DNS, MX and PTR records. If
    your complete range or your ISP is blacklisted or your server is sending
    spam, you will have the same problems a few days later.

    bye
    Christoph
    Christoph Hanle, Jan 5, 2007
    #6
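Christoph's warning about DNS, MX and PTR records is the part of this thread most people skip, so here is an added example (written for this page, not code from any poster or from dnsstuff.com) of the checks a receiving mail server typically makes on a connecting SMTP client: the sending IP has a PTR, the PTR name resolves back to that IP (forward-confirmed reverse DNS), the HELO name resolves to it, and the domain's MX hosts resolve. The lookups run against a constructed in-memory zone (the example.com names and 203.0.113.0/24 addresses are made up to stand in for Bob's masked x.x.224.0/24 addresses), so nothing touches live DNS:

```python
"""Consistency check for the DNS around a mail server that has just changed address.

Added example for this thread, not code from any poster or tool. Lookups run
against a constructed in-memory zone, so it works offline.
"""
import ipaddress
from typing import Dict, List, Tuple

Zone = Dict[Tuple[str, str], List[str]]  # (rrtype, owner name) -> rdata list
Finding = Tuple[str, str]                # (code, human-readable detail)


def lookup(zone: Zone, rrtype: str, name: str) -> List[str]:
    return zone.get((rrtype.upper(), name.lower().rstrip(".")), [])


def check_mail_host(domain: str, helo: str, sending_ip: str, zone: Zone) -> Tuple[bool, List[Finding]]:
    """Checks a receiver commonly makes on a connecting SMTP client. For a single-server
    site like Bob's it also expects the sending IP to be one of the MX addresses."""
    problems: List[Finding] = []
    ptr_owner = ipaddress.ip_address(sending_ip).reverse_pointer  # e.g. 173.113.0.203.in-addr.arpa
    ptr_names = lookup(zone, "PTR", ptr_owner)
    if not ptr_names:
        problems.append(("NO_PTR", f"{sending_ip} has no PTR record"))
    elif not any(sending_ip in lookup(zone, "A", n) for n in ptr_names):
        problems.append(("PTR_FORWARD_MISMATCH", f"PTR {ptr_names} does not resolve back to {sending_ip}"))
    if sending_ip not in lookup(zone, "A", helo):
        problems.append(("HELO_MISMATCH", f"HELO name {helo} does not resolve to {sending_ip}"))
    mx_hosts = lookup(zone, "MX", domain)
    if not mx_hosts:
        problems.append(("NO_MX", f"{domain} has no MX record"))
    mx_addrs = {a for mx in mx_hosts for a in lookup(zone, "A", mx)}
    for mx in mx_hosts:
        if not lookup(zone, "A", mx):
            problems.append(("MX_UNRESOLVABLE", f"MX host {mx} has no A record"))
    if mx_hosts and sending_ip not in mx_addrs:
        problems.append(("SENDER_NOT_IN_MX", f"{sending_ip} is not an address of any MX host"))
    return (not problems), problems


# Constructed zone for the situation the thread describes after Bob's change: inbound mail
# is accepted on .172, but the server's outbound SMTP still leaves the router from .173
# and the old PTR still names the mail host.
THREAD_ZONE: Zone = {
    ("MX", "example.com"): ["mail.example.com"],
    ("A", "mail.example.com"): ["203.0.113.172"],
    ("PTR", "173.113.0.203.in-addr.arpa"): ["mail.example.com"],
}

# Constructed zone after a 1:1 static translation puts all of the server's traffic on .172
# and the PTR is moved with it.
FIXED_ZONE: Zone = {
    ("MX", "example.com"): ["mail.example.com"],
    ("A", "mail.example.com"): ["203.0.113.172"],
    ("PTR", "172.113.0.203.in-addr.arpa"): ["mail.example.com"],
}

if __name__ == "__main__":
    for label, ip, zone in (("NAT change only", "203.0.113.173", THREAD_ZONE),
                            ("1:1 NAT plus DNS fix", "203.0.113.172", FIXED_ZONE)):
        ok, problems = check_mail_host("example.com", "mail.example.com", ip, zone)
        print(label, "->", "OK" if ok else [code for code, _ in problems])
```

With only the NAT changed, the outbound address fails all three identity checks (PTR does not forward-confirm, HELO name points elsewhere, sender is not an MX address), which is the "more problems than before" Christoph describes; once the server has a single public address and the PTR follows it, the checks pass.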
  7. On Thu, 04 Jan 2007 17:13:14 -0600, Bob Simon wrote:

    >>> ip nat inside source list 122 interface FastEthernet0 overload
    >>> ip nat inside source static tcp 192.168.1.56 3389 x.x.224.171 3389 extendable
    >>> ip nat inside source static tcp 192.168.1.24 25 x.x.224.172 25 extendable
    >>> ip nat inside source static tcp 192.168.1.24 110 x.x.224.172 110 extendable
    >>> ip nat inside source static tcp 192.168.1.24 443 x.x.224.173 443 extendable
    >>> !
    >>> access-list 122 deny ip 192.168.1.0 0.0.0.255 10.3.0.0 0.0.255.255
    >>> access-list 122 permit ip 192.168.1.0 0.0.0.255 any
    >>> access-list 122 permit ip 10.2.0.0 0.0.255.255 any

    >>
    >>
    >> The TCP static translation you have for port 25 is only going to be
    >> used by inbound connections to your mail server. Any other connections
    >> initiated by the server machine will still use the overload nat
    >> statement and end up with Fa0's address.

    >
    > Thanks for the reply. Actually the policy I was asked to implement is
    > to translate POP and SMTP traffic to x.x.224.172 and https traffic to
    > .173. I believe that the config snippet I included above will
    > accomplish this.


    I agree that to connect to your SMTP and POP servers we need to use
    x.x.224.172 as the destination address, but outbound connections from your
    server machine will still be translated to x.x.224.173.

    > I'm starting to wonder if the address I got back from whatsmyip.info
    > might have been cached. I'll check this again tomorrow.


    When you browse to whatsmyip.info from your server machine the
    connection will not use port 25, 110, or 443 as the source port, so the
    matching nat translation will be the dynamic translation using Fa0's
    address. I assume this is x.x.224.173 and that's the address
    whatsmyip.info will report.

    If you add this command to your router you should be able to see the
    translations as they are created and removed.

    !
    ip nat log translations syslog
    !

    http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a008044edab.html#wp1056732

    --
    Rgds,
    Martin
    Martin Gallagher, Jan 6, 2007
    #7
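Martin's two replies above (#4 and #7) describe the order in which the router picks a translation for a packet and why the answer differs for inbound and outbound traffic. As an added illustration, the following Python model was written for this page; it is not code from Cisco, from the thread, or from any poster. It applies that selection to the exact configuration Bob posted, with three assumptions: the masked x.x octets are replaced by the documentation prefix 203.0.113, FastEthernet0 holds x.x.224.173, and the overload port allocator is simplified to "keep the inside source port unless it is already in use".

```python
"""Model of which inside-source NAT entry a Cisco IOS router applies to a flow.

Added example (not code from Cisco or from any poster) reproducing the behaviour
Martin describes: a 'static tcp ... extendable' entry matches only traffic whose
inside-local address AND port match, so it serves inbound connections to the
server; anything else the server originates falls through to the
'interface FastEthernet0 overload' entry and leaves with Fa0's address.
Assumptions: the masked 'x.x' octets become the documentation prefix 203.0.113,
FastEthernet0 holds x.x.224.173, and overload port allocation is simplified.
"""
import ipaddress
from collections import namedtuple
from typing import Dict, List, Optional, Tuple

FA0_ADDRESS = "203.0.113.173"  # assumed address of FastEthernet0 (x.x.224.173 in the thread)

Flow = namedtuple("Flow", "proto src sport dst dport")
StaticPortNat = namedtuple("StaticPortNat", "proto inside_local local_port inside_global global_port")

# The four 'ip nat inside source static tcp ... extendable' lines Bob posted.
STATIC_RULES = [
    StaticPortNat("tcp", "192.168.1.56", 3389, "203.0.113.171", 3389),
    StaticPortNat("tcp", "192.168.1.24", 25, "203.0.113.172", 25),
    StaticPortNat("tcp", "192.168.1.24", 110, "203.0.113.172", 110),
    StaticPortNat("tcp", "192.168.1.24", 443, "203.0.113.173", 443),
]

# access-list 122 as posted (deny, permit, permit); an IOS ACL ends with an implicit deny.
ACL_122 = [("deny", "192.168.1.0/24", "10.3.0.0/16"),
           ("permit", "192.168.1.0/24", "0.0.0.0/0"),
           ("permit", "10.2.0.0/16", "0.0.0.0/0")]

def acl_122_permits(src: str, dst: str) -> bool:
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, snet, dnet in ACL_122:
        if s in ipaddress.ip_network(snet) and d in ipaddress.ip_network(dnet):
            return action == "permit"
    return False

class NatState:
    def __init__(self) -> None:
        self.sessions: Dict[Flow, Tuple[str, int]] = {}  # overload: inside flow -> (global ip, global port)
        self.static_sessions: List[Tuple[StaticPortNat, str, int]] = []  # inbound sessions via static entries

    def allocate_port(self, proto: str, wanted: int) -> int:
        # Simplified: keep the inside source port unless it is already in use on Fa0.
        in_use = {gp for fl, (_, gp) in self.sessions.items() if fl.proto == proto}
        port = wanted
        while port in in_use:
            port = port + 1 if port < 65535 else 1024
        return port

def translate_outbound(flow: Flow, state: NatState) -> Tuple[Flow, Optional[str]]:
    """Inside -> outside. Returns the flow as it leaves Fa0 and which entry matched."""
    for r in STATIC_RULES:
        if (r.proto, r.inside_local, r.local_port) == (flow.proto, flow.src, flow.sport):
            return Flow(flow.proto, r.inside_global, r.global_port, flow.dst, flow.dport), "static"
    if not acl_122_permits(flow.src, flow.dst):
        return flow, None  # not matched by the NAT ACL: routed untranslated
    if flow not in state.sessions:
        state.sessions[flow] = (FA0_ADDRESS, state.allocate_port(flow.proto, flow.sport))
    gip, gport = state.sessions[flow]
    return Flow(flow.proto, gip, gport, flow.dst, flow.dport), "overload"

def translate_inbound(flow: Flow, state: NatState) -> Tuple[Flow, Optional[str]]:
    """Outside -> inside. Static port entries first, then existing overload sessions."""
    for r in STATIC_RULES:
        if (r.proto, r.inside_global, r.global_port) == (flow.proto, flow.dst, flow.dport):
            state.static_sessions.append((r, flow.src, flow.sport))
            return Flow(flow.proto, flow.src, flow.sport, r.inside_local, r.local_port), "static"
    for ins, (gip, gport) in state.sessions.items():
        if (ins.proto, gip, gport, ins.dst, ins.dport) == (flow.proto, flow.dst, flow.dport, flow.src, flow.sport):
            return Flow(flow.proto, flow.src, flow.sport, ins.src, ins.sport), "overload"
    return flow, None  # no translation exists: the router has nowhere to deliver it

def show_ip_nat_translations(state: NatState) -> List[Tuple[str, str, str, str, str]]:
    """Rows as IOS prints them: Pro, Inside global, Inside local, Outside local, Outside global."""
    rows = []
    for r, outside, oport in state.static_sessions:
        rows.append((r.proto, f"{r.inside_global}:{r.global_port}", f"{r.inside_local}:{r.local_port}",
                     f"{outside}:{oport}", f"{outside}:{oport}"))
    for ins, (gip, gport) in state.sessions.items():
        rows.append((ins.proto, f"{gip}:{gport}", f"{ins.src}:{ins.sport}",
                     f"{ins.dst}:{ins.dport}", f"{ins.dst}:{ins.dport}"))
    for r in STATIC_RULES:  # configured static entries are listed with '---' in the outside columns
        rows.append((r.proto, f"{r.inside_global}:{r.global_port}", f"{r.inside_local}:{r.local_port}", "---", "---"))
    return rows

if __name__ == "__main__":
    st = NatState()
    outbound_smtp = Flow("tcp", "192.168.1.24", 41234, "198.51.100.25", 25)  # server delivering to a remote MX
    print(translate_outbound(outbound_smtp, st))  # sport 41234 matches no static entry: leaves as .173
    print(translate_inbound(Flow("tcp", "217.217.188.6", 4163, "203.0.113.172", 25), st))  # Bob's session
    for row in show_ip_nat_translations(st):
        print("%-4s %-20s %-20s %-20s %s" % row)
```

Running it shows the point that matters for the blacklist: the server's own delivery attempts to remote MX hosts use an ephemeral source port, so they match none of the static entries and leave from Fa0's address, which is the address the remote side logs and reports. The inbound session on .172:25 produces the two rows Bob asked about in his first post: the active session with the outside peer filled in, and the configured static entry, which IOS lists with '---' whether or not anyone is connected.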
  8. Bob Simon Guest

    On Sat, 06 Jan 2007 12:57:52 +1100, Martin Gallagher
    <> wrote:

    >On Thu, 04 Jan 2007 17:13:14 -0600, Bob Simon wrote:
    >
    >>>> ip nat inside source list 122 interface FastEthernet0 overload
    >>>> ip nat inside source static tcp 192.168.1.56 3389 x.x.224.171 3389 extendable
    >>>> ip nat inside source static tcp 192.168.1.24 25 x.x.224.172 25 extendable
    >>>> ip nat inside source static tcp 192.168.1.24 110 x.x.224.172 110 extendable
    >>>> ip nat inside source static tcp 192.168.1.24 443 x.x.224.173 443 extendable
    >>>> !
    >>>> access-list 122 deny ip 192.168.1.0 0.0.0.255 10.3.0.0 0.0.255.255
    >>>> access-list 122 permit ip 192.168.1.0 0.0.0.255 any
    >>>> access-list 122 permit ip 10.2.0.0 0.0.255.255 any
    >>>
    >>>
    >>> The TCP static translation you have for port 25 is only going to be
    >>> used by inbound connections to your mail server. Any other connections
    >>> initiated by the server machine will still use the overload nat
    >>> statement and end up with Fa0's address.

    >>
    >> Thanks for the reply. Actually the policy I was asked to implement is
    >> to translate POP and SMTP traffic to x.x.224.172 and https traffic to
    >> .173. I believe that the config snippet I included above will
    >> accomplish this.

    >
    > I agree that to connect to your SMTP and POP servers we need to use
    >x.x.224.172 as the destination address, but outbound connections from your
    >server machine will still be translated to x.x.224.173
    >
    >> I'm starting to wonder if the address I got back from whatsmyip.info
    >> might have been cached. I'll check this again tomorrow.

    >
    > When you browse to whatsmyip.info from your server machine the
    >connection will not use port 25, 110, or 443 as the source port, so the
    >matching nat translation will be the dynamic translation using Fa0's
    >address. I assume this is x.x.224.173 and that's the address
    >whatsmyip.info will report.
    >
    > If you add this command to your router you should be able to see the
    >translations as they are created and removed.
    >
    >!
    >ip nat log translations syslog
    >!
    >
    >http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a008044edab.html#wp1056732


    Martin,
    Thank you very much for the clear explanation. Now that you point out
    the TCP port issue, the results I got make complete sense.
    Bob
    Bob Simon, Jan 9, 2007
    #8
