strange NAT behaviour with SMTP port

Discussion in 'Cisco' started by Robert Orso, Jul 16, 2004.

  1. Robert Orso

    Robert Orso Guest

    I have a Cisco 1600 router on a small network, a handful of external
    addresses and a few services inside the router.
    Now it is necessary to remap the web/mail-server to a different
    (internal) IP.

    Everything works well with the ports 80, 110, 143, but NOT with port
    25. With a packet analyzer I can see the request to outside:25 is
    correctly remapped and forwarded to new-inside:25, which sends an Ack
    that is again remapped and sent to the originator. Here the problem
    manifests:

    The return packet that arrives at the remote is marked as outside:4
    instead of outside:25. If I try again, I get a reply from outside:5,
    .... counting upward slowly whereby "used" port numbers are skipped.

    If I remap the port back to the original machine at old-inside:25, I
    get a clean connect and all reply packets are correctly marked as
    outside:25.

    Just to make sure that my new SMTP service is working correctly, I
    mapped another static inside from outside:125 to new-inside:25. As I
    expected, I get a clean SMTP transmission when I connect to
    outside:125

    Unfortunately the original configuration was made by someone else and
    my knowledge of Cisco IOS is currently more or less in the "trial and
    error" phase. I think I understood most of the config file and I
    know where I would want to turn the knob, but it is frustrating.

    Turning the SMTP protocol inspector off and on did not change
    anything.

    Why the heck does this damned thing readdress the reply packets from
    the one IP and not from the other?

    Any idea?

    (IP-Addresses and passwords masked)

    !
    version 12.0
    no service slave-log
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname xxxxxxxx
    !
    no logging console
    !
    username aaaaaaa password 7 0000000000000000000
    !
    !
    !
    !
    clock timezone UTC 1
    clock summer-time UTC+1 recurring last Sun Mar 2:00 last Sun Oct 3:00
    ip subnet-zero
    no ip source-route
    no ip finger
    ip name-server 211.123.32.129
    ip name-server 211.123.32.1
    !
    no ip bootp server
    ip inspect name inspname cuseeme timeout 3600
    ip inspect name inspname ftp timeout 3600
    ip inspect name inspname http timeout 3600
    ip inspect name inspname realaudio timeout 3600
    ip inspect name inspname rcmd timeout 3600
    ip inspect name inspname smtp timeout 3600
    ip inspect name inspname tftp timeout 3600
    ip inspect name inspname udp timeout 3600
    ip inspect name inspname tcp timeout 3600
    !
    !
    interface Loopback0
    ip address 1.1.1.1 255.255.255.0
    no ip directed-broadcast
    !
    interface Ethernet0
    description ****** Connection to LAN ******
    ip address 10.11.1.254 255.255.255.0
    ip access-group 102 in
    no ip directed-broadcast
    no ip proxy-arp
    ip nat inside
    ip inspect inspname in
    ip route-cache policy
    ip policy route-map nonat
    no ip mroute-cache
    no cdp enable
    !
    interface Serial0
    description connected to SAFE
    ip address 211.123.34.2 255.255.255.252
    ip access-group 103 in
    no ip directed-broadcast
    ip nat outside
    no fair-queue
    no cdp enable
    crypto map rtp
    !
    ip nat pool official 211.123.56.2 211.123.56.7 netmask 255.255.255.0
    ip nat inside source list 130 pool official overload
    !
    ! FTP stays the same
    ip nat inside source static tcp 10.11.1.1 21 211.123.56.1 21 extendable
    !
    ! this is the old mapping
    !ip nat inside source static tcp 10.11.1.1 25 211.123.56.1 25 extendable
    !
    ! this is the new mapping
    ip nat inside source static tcp 10.11.1.11 25 211.123.56.1 25 extendable
    !
    ! everything here works perfectly
    !
    ip nat inside source static tcp 10.11.1.11 80 211.123.56.1 80 extendable
    ip nat inside source static tcp 10.11.1.11 110 211.123.56.1 110 extendable
    ip nat inside source static tcp 10.11.1.11 25 211.123.56.1 125 extendable
    ip nat inside source static tcp 10.11.1.11 143 211.123.56.1 143 extendable
    ip classless
    ip route 0.0.0.0 0.0.0.0 Serial0
    no ip http server
    !
    access-list 100 permit ip 10.11.1.0 0.0.0.255 any
    access-list 100 permit ip 10.20.0.0 0.0.255.255 host 10.11.1.254 log-input
    access-list 101 deny ip any any log-input
    access-list 102 deny udp any any eq netbios-dgm log-input
    access-list 102 permit udp 10.11.1.0 0.0.0.255 any log-input
    access-list 102 permit tcp 10.11.1.0 0.0.0.255 any log-input
    access-list 102 permit icmp 10.11.1.0 0.0.0.255 any log-input
    access-list 102 permit gre 10.11.1.0 0.0.0.255 any log-input
    access-list 102 permit esp 10.11.1.0 0.0.0.255 any log-input
    access-list 103 deny ip 10.11.1.0 0.0.0.255 any log-input
    access-list 103 deny ip 172.0.0.0 0.51.255.255 any log-input
    access-list 103 deny ip 127.0.0.0 0.255.255.255 any log-input
    access-list 103 deny ip 224.0.0.0 31.255.255.255 any log-input
    access-list 103 permit esp host 213.23.88.162 any log-input
    access-list 103 permit pcp host 213.23.88.162 any log-input
    access-list 103 permit udp host 213.23.88.162 any eq isakmp log-input
    access-list 103 permit icmp host 213.23.88.162 any log-input
    access-list 103 permit icmp any any administratively-prohibited log-input
    access-list 103 permit icmp any any echo log-input
    access-list 103 permit icmp any any echo-reply log-input
    access-list 103 permit icmp any any packet-too-big log-input
    access-list 103 permit icmp any any time-exceeded log-input
    access-list 103 permit icmp any any unreachable log-input
    access-list 103 permit tcp any host 211.123.56.1 log-input
    access-list 103 permit tcp any host 211.123.56.2 log-input
    access-list 103 permit tcp any host 211.123.56.3 log-input
    access-list 103 permit tcp any host 211.123.56.4 log-input
    access-list 103 permit tcp any host 211.123.56.5 log-input
    access-list 103 permit tcp any host 211.123.56.6 log-input
    access-list 103 permit tcp any host 211.123.56.7 log-input
    access-list 103 permit gre any any log-input
    access-list 103 permit esp any any log-input
    access-list 103 permit ip 10.20.0.0 0.0.255.255 10.11.1.0 0.0.0.255 log-input
    access-list 103 permit ip 10.10.90.0 0.0.0.255 10.11.1.0 0.0.0.255 log-input
    access-list 115 permit ip 10.11.1.0 0.0.0.255 10.20.0.0 0.0.255.255 log-input
    access-list 115 permit ip 10.11.1.0 0.0.0.255 10.10.90.0 0.0.0.255 log-input
    access-list 120 permit ip 10.11.1.0 0.0.0.255 10.20.0.0 0.0.255.255 log-input
    access-list 120 permit ip 10.11.1.0 0.0.0.255 10.10.90.0 0.0.0.255 log-input
    access-list 120 deny ip 10.11.1.0 0.0.0.255 any log-input
    access-list 130 deny ip 10.11.1.0 0.0.0.255 10.10.90.0 0.0.0.255 log-input
    access-list 130 deny ip 10.10.90.0 0.0.0.255 10.11.1.0 0.0.0.255 log-input
    access-list 130 deny ip 10.11.1.0 0.0.0.255 10.20.0.0 0.0.255.255 log-input
    access-list 130 deny ip 10.20.0.0 0.0.255.255 10.11.1.0 0.0.0.255 log-input
    access-list 130 permit ip 10.11.1.0 0.0.0.255 any log-input
    no cdp run
    route-map nonat permit 10
    match ip address 120
    set ip next-hop 1.1.1.2
    !
    route-map nonat permit 20
    !
    banner motd ^CCCCCC
    Unauthorized access prohibited!
    Nicht authorisierter Zugang verboten!

    ^C
    !
    end
    Robert Orso, Jul 16, 2004
    #1
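A check for the symptom described in the post above, added here as an example and not part of the thread: it pairs each client SYN with the SYN-ACK returning to that client socket in tcpdump-style lines and flags replies whose source port is not the port the client contacted, which is what the poster saw when outside:4 answered for outside:25. The capture is constructed; 198.51.100.7 stands in for the remote client, 211.123.56.1 is the outside address from the posted config.

```python
import re

# Constructed tcpdump-style lines (not from the thread), as captured on the
# remote client side: a clean handshake on 21 and on the test port 125, and
# the SMTP handshake whose SYN-ACK comes back from port 4 instead of 25.
CAPTURE = """\
IP 198.51.100.7.40001 > 211.123.56.1.21: Flags [S], seq 1000
IP 211.123.56.1.21 > 198.51.100.7.40001: Flags [S.], seq 2000, ack 1001
IP 198.51.100.7.40002 > 211.123.56.1.25: Flags [S], seq 3000
IP 211.123.56.1.4 > 198.51.100.7.40002: Flags [S.], seq 4000, ack 3001
IP 198.51.100.7.40003 > 211.123.56.1.125: Flags [S], seq 5000
IP 211.123.56.1.125 > 198.51.100.7.40003: Flags [S.], seq 6000, ack 5001
"""

# tcpdump prints "a.b.c.d.port > a.b.c.d.port: Flags [..]"; a leading timestamp
# is tolerated because we search rather than match from the line start.
LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\]"
)


def find_port_rewrites(capture: str) -> list:
    """Pair each client SYN with the SYN-ACK addressed back to the same client
    socket and report cases where the server-side port changed in flight."""
    pending = {}   # (client_ip, client_port) -> (server_ip, server_port) from the SYN
    rewrites = []
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        f = m.groupdict()
        if f["flags"] == "S":
            pending[(f["src"], int(f["sport"]))] = (f["dst"], int(f["dport"]))
        elif f["flags"] == "S.":
            key = (f["dst"], int(f["dport"]))       # the client socket being answered
            expected = pending.pop(key, None)
            if expected is None:
                continue                            # SYN-ACK without a seen SYN
            actual = (f["src"], int(f["sport"]))
            if actual != expected:
                rewrites.append({
                    "client": f"{key[0]}:{key[1]}",
                    "requested": f"{expected[0]}:{expected[1]}",
                    "replied_from": f"{actual[0]}:{actual[1]}",
                })
    return rewrites


if __name__ == "__main__":
    for r in find_port_rewrites(CAPTURE):
        print(f"{r['client']} contacted {r['requested']} but the reply came from {r['replied_from']}")
```

Run the same function over a real capture taken on the remote side of the router; any entry it reports is a translation that rewrote the server port, exactly the asymmetry the packet analyzer showed here.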

  2. PES

    PES Guest

    I would try a "clear ip nat trans *" after making the change. Or reboot the
    router just to work out any other weirdness. I see nothing wrong with the
    config.

    PES, Jul 17, 2004
    #2

  3. Chris

    Chris Guest

    Hi,

    I agree that it sounds like NAT.

    I wouldn't be surprised if this has something to do with CBAC. Also
    post your IOS version and platform. I've seen this before with CBAC and
    an IOS upgrade fixes it, many times.
    Chris, Jul 17, 2004
    #3