Redirect Internal IP to Different Internal IP on Same Subnet & Interface

Discussion in 'Cisco' started by EG, Dec 29, 2004.

  1. EG

    EG Guest

    I am wondering if anyone can help me with a Cisco router redirect problem.
    I would like to redirect smtp client requests currently going to one
    internal server to a different internal server transparently. Both servers
    are on the same router interface FE0/0 and in the same subnet. We are
    currently installing a mail gateway and would like to have requests that are
    currently going to 1.2.3.4 port 25 go to 5.6.7.8 port 25 without changing
    the mail client settings on PCs. Currently, mail clients are set to use
    1.2.3.4 port 25 for smtp.
    I tried a route-map on the FE0/0 interface but it did not seem to work. It
    seems as though 1.2.3.4 port 25 packets are not traversing this interface.

    The route-map I tried looked like this:

    interface fe0/0
    ip policy route-map SMTP_Redirect

    route-map SMTP_Redirect permit 10
    match ip address 188
    set ip default next-hop 5.6.7.8

    access-list 188 remark Allow traffic destined for mail server
    access-list 188 deny tcp any any neq smtp log
    access-list 188 permit tcp any host 1.2.3.4 eq smtp log
    access-list 188 deny ip any any log

    What am I doing wrong?
    EG, Dec 29, 2004
    #1

  2. In article <l4FAd.1657$>,
    EG <> wrote:
    :I am wondering if anyone can help me with a Cisco router redirect problem.
    :I would like to redirect smtp client requests currently going to one
    :internal server to a different internal server transparently. Both servers
    :are on the same router interface FE0/0 and in the same subnet. We are
    :currently installing a mail gateway and would like to have requests that are
    :currently going to 1.2.3.4 port 25 go to 5.6.7.8 port 25 without changing
    :the mail client settings on PCs.

    Do the clients currently need to pass through FE0/0 in order
    to get to the existing mail gateway? And with the new gateway,
    would they still have to go through FE0/0 ? If the answer to
    both is Yes, then the solution is to use static nat, with the side
    of the mail gateway being the 'inside' and the side with the PCs being
    the 'outside' for NAT purposes.

    If the clients do not currently need to pass through FE0/0 in order
    to get to the existing mail gateway, then a routing solution isn't
    going to help: the clients would ARP for the gateway, and the router
    wouldn't normally answer because it would notice that the destination
    IP is in the same subnet as the target. The router would normally
    only step in and proxy arp if the destination was in a different
    subnet.
    --
    Before responding, take into account the possibility that the Universe
    was created just an instant ago, and that you have not actually read
    anything, but were instead created intact with a memory of having read it.
    Walter Roberson, Dec 29, 2004
    #2
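    Walter's point that the clients "would ARP for the gateway" rather than hand the packet to the router can be checked with a small model of the host forwarding decision. The following is an added example, not part of the thread; the client and gateway addresses (1.2.3.50, 1.2.3.1, 10.9.8.7, 10.9.8.1) and the /24 masks are constructed for illustration, and the router-sees-packet test is an assumption about what a policy route-map on the LAN interface can act on.

```python
# Added example (not from the thread): models the forwarding decision an IPv4
# host makes for a destination, to show why a policy route-map on the router's
# LAN interface never sees client-to-1.2.3.4 traffic when client and server
# share one subnet. All client/gateway addresses below are constructed.
import ipaddress


def next_hop(src_ip, src_prefixlen, dst_ip, default_gw):
    """Return ('direct', dst_ip) when the host will ARP for dst_ip itself
    (same subnet), or ('gateway', default_gw) when it must send the frame
    to its router."""
    src_net = ipaddress.ip_interface(f"{src_ip}/{src_prefixlen}").network
    dst = ipaddress.ip_address(dst_ip)
    if dst in src_net:
        return ("direct", dst_ip)
    return ("gateway", default_gw)


def router_sees_packet(src_ip, src_prefixlen, dst_ip, router_ip):
    """Assumption for this example: an 'ip policy route-map' on the LAN
    interface can only act on packets the host actually addresses to the
    router, i.e. those for which next_hop() chose the gateway."""
    hop, _ = next_hop(src_ip, src_prefixlen, dst_ip, router_ip)
    return hop == "gateway"


if __name__ == "__main__":
    # Same-subnet client: the frame goes straight to 1.2.3.4, bypassing FE0/0 policy
    print(next_hop("1.2.3.50", 24, "1.2.3.4", "1.2.3.1"))
    print(router_sees_packet("1.2.3.50", 24, "1.2.3.4", "1.2.3.1"))
    # Client on another subnet: the router is in the path and PBR could apply
    print(next_hop("10.9.8.7", 24, "1.2.3.4", "10.9.8.1"))
    print(router_sees_packet("10.9.8.7", 24, "1.2.3.4", "10.9.8.1"))
```

    For the same-subnet case the function reports a direct next hop and no router involvement, which is exactly why the route-map's access-list 188 never logged a hit; only a client on a different subnet would hand the SMTP packet to the router where the policy could redirect it.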

  3. EG

    EG Guest

    "Walter Roberson" <-cnrc.gc.ca> wrote in message
    news:cqv78s$apa$...
    > In article <l4FAd.1657$>,
    > Do the clients currently need to pass through FE0/0 in order
    > to get to the existing mail gateway? And with the new gateway,
    > would they still have to go through FE0/0 ? If the answer to
    > both is Yes, then the solution is to use static nat, with the side
    > of the mail gateway being the 'inside' and the side with the PCs being
    > the 'outside' for NAT purposes.
    >
    > If the clients do not currently need to pass through FE0/0 in order
    > to get to the existing mail gateway, then a routing solution isn't
    > going to help: the clients would ARP for the gateway, and the router
    > wouldn't normally answer because it would notice that the destination
    > IP is in the same subnet as the target. The router would normally
    > only step in and proxy arp if the destination was in a different
    > subnet.


    Thanks Walter. I guess that makes perfect sense. Both are on the same side
    behind the FE0/0 and on the same subnet. You're right. They are simply
    arping on that flat subnet without passing into or through the router.
    Although it doesn't seem likely, does anyone have any ideas how to make this
    work without manually changing all of the mail client smtp server addresses?
    EG, Dec 30, 2004
    #3
  4. In article <_UHAd.1675$>,
    EG <> wrote:
    |I guess that makes perfect sense. Both are on the same side
    |behind the FE0/0 and on the same subnet. You're right. They are simply
    |arping on that flat subnet without passing into or through the router.
    |Although it doesn't seem likely, does anyone have any ideas how to make this
    |work without manually changing all of the mail client smtp server addresses?

    The seemingly obvious answer would be to renumber the current smtp
    server and put the new one in its place ;-)

    As you have not chosen that path, I gather that there are other services
    that run on the current server that you do not wish to disturb at
    this time. If true, then the solution I would propose would be to
    put in a PIX 501 (or larger PIX if there is a lot of traffic).

    Number the outside interface of the PIX 501 with the current IP address
    and subnet of the old server, and put both the old and new servers
    inside (in a different IP address range), and use static port
    translation to selectively move services from the old system to the
    new. For example,

    static (inside, outside) tcp interface smtp 192.168.15.3 smtp netmask 255.255.255.255
    static (inside, outside) tcp interface http 192.168.15.2 http netmask 255.255.255.255

    would result in smtp to the old IP being directed to machine 192.168.15.3
    while http to the old IP would be directed to 192.168.15.2 instead.
    --
    Scintillate, scintillate, globule vivific
    Fain would I fathom thy nature specific.
    Loftily poised on ether capacious
    Strongly resembling a gem carbonaceous. -- Anon
    Walter Roberson, Dec 30, 2004
    #4
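    The two `static (inside,outside)` lines above are a per-port mapping applied in both directions: connections arriving at the old address are sent to whichever inside host owns that port, and the replies are rewritten so the client still sees the old address as the source. The following added example (not from the thread or from Cisco) models that mapping in Python; the outside interface address 1.2.3.4 is taken from the thread, the inside hosts 192.168.15.3 and 192.168.15.2 from Walter's static lines, and the client address and ephemeral port are constructed.

```python
# Added example (not from the thread): a model of PIX static port translation
# as described above. OUTSIDE_IF is the old server's address (now on the PIX
# outside interface); the inside hosts come from the two static lines.
from dataclasses import dataclass

OUTSIDE_IF = "1.2.3.4"

# (protocol, outside port) -> (inside host, inside port)
STATIC_PORT_MAP = {
    ("tcp", 25): ("192.168.15.3", 25),   # smtp -> new mail gateway
    ("tcp", 80): ("192.168.15.2", 80),   # http -> stays on the old server
}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def translate_inbound(pkt):
    """outside -> inside. Rewrite the destination when a static mapping for
    (proto, port) exists; return None when no translation matches, which is
    the case the PIX would not forward."""
    if pkt.dst != OUTSIDE_IF:
        return None
    target = STATIC_PORT_MAP.get((pkt.proto, pkt.dport))
    if target is None:
        return None
    host, port = target
    return Packet(pkt.proto, pkt.src, pkt.sport, host, port)


def translate_outbound(pkt):
    """inside -> outside. Rewrite the source of a reply back to the outside
    interface address and outside port so the client sees the address it
    originally connected to; None if the source is not a mapped service."""
    for (proto, oport), (host, iport) in STATIC_PORT_MAP.items():
        if pkt.proto == proto and pkt.src == host and pkt.sport == iport:
            return Packet(proto, OUTSIDE_IF, oport, pkt.dst, pkt.dport)
    return None


def round_trip(client_pkt):
    """Translate a client packet inbound, build the server's reply, translate
    it outbound, and return (inside_packet, reply_as_seen_by_client)."""
    inside = translate_inbound(client_pkt)
    if inside is None:
        return (None, None)
    reply = Packet(inside.proto, inside.dst, inside.dport, inside.src, inside.sport)
    return (inside, translate_outbound(reply))


if __name__ == "__main__":
    # Constructed client: a PC on the old flat subnet using an ephemeral port
    smtp = Packet("tcp", "1.2.3.50", 51000, OUTSIDE_IF, 25)
    print(round_trip(smtp))
    print(round_trip(Packet("tcp", "1.2.3.50", 51001, OUTSIDE_IF, 80)))
    print(round_trip(Packet("tcp", "1.2.3.50", 51002, OUTSIDE_IF, 110)))  # no mapping
```

    Note that a port with no static line (110 in the model) is simply not translated, so moving services one at a time means adding a mapping for each port the old address must keep answering on, not just the ones being redirected.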
  5. EG

    EG Guest

    "Walter Roberson" <-cnrc.gc.ca> wrote in message
    news:cqvk5d$q86$...
    > The seemingly obvious answer would be to renumber the current smtp
    > server and put the new one in its place ;-)
    >
    > As you have not chosen that path, I gather that there are other services
    > that run on the current server that you do not wish to disturb at
    > this time. If true, then the solution I would propose would be to
    > put in a PIX 501 (or larger PIX if there is a lot of traffic).
    >
    > Number the outside interface of the PIX 501 with the current IP address
    > and subnet of the old server, and put both the old and new servers
    > inside (in a different IP address range), and use static port
    > translation to selectively move services from the old system to the
    > new. For example,
    >
    > static (inside, outside) tcp interface smtp 192.168.15.3 smtp netmask
    > 255.255.255.255
    > static (inside, outside) tcp interface http 192.168.15.2 http netmask
    > 255.255.255.255
    >
    > would result in smtp to the old IP being directed to machine 192.168.15.3
    > while http to the old IP would be directed to 192.168.15.2 instead.


    Well, I did not fully explain in my previous post the train of reasoning for
    the changes. I am installing a Symantec Antivirus Gateway for SMTP servers
    which will be on a separate "mail gateway" box. It will scan and then
    forward incoming and outgoing mail to our main mail server for delivery. I
    have the incoming Internet mail directed to this gateway thus far working
    perfectly. It is the mail going out, from clients, that is the problem. I
    appreciate your advice on the PIX box and will take it into consideration.
    But it seems that for right now the proper long term solution is to manually
    change the clients' smtp server settings to a FQDN such as smtp.myhost.com
    and do the redirection through DNS. This will also allow any future changes
    to the mail server IP to be handled by a simple change in the DNS pointing.
    Thanx again for your insight,
    -Ed
    EG, Dec 30, 2004
    #5
  6. In article <8TIAd.1691$>,
    EG <> wrote:
    :Well, I did not fully explain in my previous post the train of reasoning for
    :the changes. I am installing a Symantec Antivirus Gateway for SMTP servers
    :which will be on a separate "mail gateway" box. It will scan and then
    :forward incoming and outgoing mail to our main mail server for delivery. I
    :have the incoming Internet mail directed to this gateway thus far working
    :perfectly. It is the mail going out, from clients, that is the problem.

    The clients are currently set to the existing server, right? And you
    said that incoming *and* outgoing email will be scanned by the
    new mail gateway. So why not just leave outgoing email for the clients
    pointed to the existing email gateway, no changes to them at all?
    Sure any junk would then make it to your current gateway, but your
    current gateway is going to forward out via the new Symantec gateway
    which will catch the junk there.

    You have two settings on the PC clients, one for where to find
    incoming email, and the other for where to send the outgoing email.
    The incoming email you want to be from the old server [now
    defended against outside email viruses coming inwards], but
    you can also leave the outgoing email setting at the old server
    as well.


    The big disadvantage of leaving the PCs set to go to the old
    server is that if something inside does get a virus and starts
    emailing all over the place, although the new gateway will prevent
    it from getting out of your net, if the email is going first to
    the existing server, then email to -local- users can carry the virus.

    On the other hand, considering that modern viruses tend to use
    multiple techniques, there's a good chance that the virus would
    be able to just go around on the local LAN infecting everything
    directly without going through email. There -are- some email-only
    viruses [e.g., whose only infection mechanism is by an Outlook preview
    vulnerability], but most viruses would go ahead and infect
    executables all over the disk in hopes that someone else will copy
    the infected executable and propagate the virus that way. If you
    have a virus spreading from the inside, having it spread only
    through internal email is probably not the greatest of your worries.


    You are of course correct that in the long term, FQDN and DNS is
    a better solution; I'm just indicating that in the shorter term,
    you can just leave people pointed to the old server and you
    will still benefit from the new gateway filtering of outgoing email.
    --
    Those were borogoves and the mome raths outgrabe completely mimsy.
    Walter Roberson, Dec 30, 2004
    #6