Cisco Policy Routing to Forward SMTP to Different Server

Discussion in 'Cisco' started by EG, Feb 16, 2005.

  1. EG

    EG Guest

    Hi all. We have installed a virus gateway and want to forward smtp packets
    coming in from our WAN sites to a different smtp server without changing the
    mail settings on the client machines (PC's). IE. we would like to forward
    any tcp destined for server111.222.333.8 port 25 to server 111.222.333.244
    port 25.
    Sites are coming in via serial ports on cisco router (IOS 12.2.8).
    111.222.333.244 is hung off of ethernet 0/0 on same router. I tried the
    following on one of the serial ports and I cannot see anything coming

    interface Serial0/ point-to-point
    bandwidth 128
    ip address
    ip load-sharing per-packet
    ip policy route-map SMTPMAP
    no cdp enable
    frame-relay interface-dlci xxx

    ip access-list extended SMTPCATCH
    remark ACL Catch Filter to Forward SMTP from Server1 to Server2
    permit tcp any host 111.222.333.8 eq smtp log

    route-map SMTPMAP permit 20
    match ip address SMTPCATCH
    set ip next-hop 111.222.333.244

    Anyone see any problems with the above config? Thanks in advance for any
    Ed G.
    EG, Feb 16, 2005
    1. Advertisements

  2. :we would like to forward
    :any tcp destined for server111.222.333.8 port 25 to server 111.222.333.244
    :port 25.
    :Sites are coming in via serial ports on cisco router (IOS 12.2.8).
    :111.222.333.244 is hung off of ethernet 0/0 on same router.

    When you say that 111.222.333.244 is hung off of ethernet 0/0,
    do you mean that ethernet 0/0 is in the same subnet as 111.222.333.244,
    or do you mean that 111.222.333.244 can be reached by way of a
    connection that goes through ethernet 0/0 ? If the latter case,
    then you have the difficulty that setting the next hop IP does not
    change the IP header and so when the device reaches the next
    router in line, the setting of the next-hop will essentially
    be erased.

    :I tried the
    :following on one of the serial ports and I cannot see anything coming

    One difficulty with the setup you used is that the system
    111.222.333.244 is going to have to listen for the IP address
    111.222.333.8 or else it will not know to process the smtp
    packets. But if 111.222.333.8 still exists, you are going to have
    a bit of a conflict...

    Seeing as 111.222.333.8 and 111.222.333.244 are likely on the same
    subnet, and so the routing would normally head out the same interface
    anyhow, there is another approach you may wish to take that will likely
    serve you better. What I would suggest is that you use static PAT (port
    address translation), with the serial interface being the "outside"
    interface and the ethernet interface being the "inside" interface. You
    would have the match be against the destination address 111.222.333.8
    port 25, and you would map that case to 111.222.333.244 port 25.

    :IOS 12.2.8

    I am only familiar with configuring PAT under IOS from reading
    a bit about it; if memory serves me, there is a complication for
    static PAT (but I'm not sure). When you configure a single destination
    IP for the translation, IOS normally reads that as you wanting
    to do dynamic PAT rather than static PAT. My all-too-falable
    memory is prompting me that it is IOS version 12.3(4)T that
    introduces the possibility of true static PAT such as you would
    Walter Roberson, Feb 17, 2005
    1. Advertisements

  3. EG

    EG Guest

    111.222.333.244 and 111.222.333.8 are on the same subnet on a switch hung
    directly off of Eth0/0. The clients in question accessing them are on
    separate subnets via WAN routers directly off of serial ports.

    I see what you are getting at with your suggestion on PAT. We are currently
    running NAT with PAT (overload) for inside to outside translation of
    internal to external ip's. Nat is running "inside" on Eth0/0 and on the WAN
    serial interfaces to supply translation for Internet-bound services. It is
    running "outside" on our serial interface to the Internet. The question
    here is can I run the PAT for this problem without affecting the NAT that is
    already deployed?

    Current NAT config:

    ip nat pool nat-pool2 333.222.111.53 333.222.111.62 netmask
    ip nat inside source list 2 pool nat-pool2 overload

    interface Serial0/2:0.213 point-to-point
    description FR line to WAN site
    bandwidth 128
    ip address 10.1.x.x
    ip load-sharing per-packet
    ip nat inside
    no cdp enable
    frame-relay interface-dlci xxx

    interface Serial0/3:0
    description Internet Access Port
    ip address
    ip nat outside

    interface FastEthernet0/0
    ip address 111.222.333.201
    ip nat inside

    EG, Feb 17, 2005
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.