Firewall Wizards mailing list archives
Cisco configuration question
From: Michael Bitow <mbitow () harborbank net>
Date: Mon, 7 Feb 2000 14:56:57 -0800
Hi,
I am currently working out a small problem that I can't seem to get past.
I'm trying to get our mail server, an Exchange box, out of the DMZ, and
behind a Cisco 3640. Right now, it looks like this:
[ASCII network diagram, garbled in the archive. Labels: DSL; Exchange (1.2.3.5 and 10.1.1.2); 3640 w/NAT (1.2.3.4 and 10.1.1.1); hub to network 10.1.1.x; to other networks 10.1.3.x etc.]
One interface on the Exchange and one on the 3640 have public addresses, the
rest of the network is private. The problem I am having is mail connections
were getting rejected. I had the router doing NAT, allowing all
connections. I figured I would tighten it up once I got it working. The DSL
is a bridge only, no routing.
Is there a way to have the mail server behind the router when doing NAT?
I believe there is, but have been unable to get it to work. Currently, I
only have basic knowledge in router configuration. The configuration I
tried was:

interface FastEthernet0/0
 description connected LAN
 ip address 10.1.1.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside

interface FastEthernet2/0
 description connected to Internet
 ip address 1.2.3.4 255.255.255.0
 no ip directed-broadcast
 ip nat outside

ip nat inside source list 1 interface FastEthernet2/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet2/0
ip route 10.1.1.0 255.255.255.0 10.1.1.1
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 101 permit tcp any 1.2.3.0 0.0.0.255 established
access-list 101 permit tcp any host 10.1.1.2 eq smtp

I thought it should work, it didn't.
Ultimately, I would like to use one outside address, have all the traffic
go through the router, with the Exchange box behind the router.
Any ideas on how I was mucking it up?
Thanks
Michael Bitow
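
An added example, not part of the original post: a small Python check run over the NAT and ACL lines of the configuration above. It reports access lists that nothing references and permit rules aimed at an inside-local host for which no static NAT entry exists. The function name `audit` is hypothetical, and the regular expressions cover only the command forms that appear in the post.

```python
import ipaddress
import re

# NAT and ACL lines of the configuration from the post (descriptions and routes omitted).
CONFIG = """\
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
interface FastEthernet2/0
 ip address 1.2.3.4 255.255.255.0
 ip nat outside
ip nat inside source list 1 interface FastEthernet2/0 overload
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 101 permit tcp any 1.2.3.0 0.0.0.255 established
access-list 101 permit tcp any host 10.1.1.2 eq smtp
"""

def audit(config):
    """Return findings for unreferenced ACLs and inside hosts lacking a static NAT entry."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings, inside_nets, addr = [], [], None
    for l in lines:
        if m := re.match(r"ip address (\S+) (\S+)$", l):
            addr = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif l == "ip nat inside" and addr:
            inside_nets.append(addr)  # network behind a NAT-inside interface
        elif l.startswith("interface "):
            addr = None
    # An ACL does nothing until an interface (ip access-group) or a NAT rule (list N) references it.
    defined = {m[1] for l in lines if (m := re.match(r"access-list (\d+) ", l))}
    used = {m[1] for l in lines
            if (m := re.match(r"ip access-group (\d+)", l) or re.match(r"ip nat .*\blist (\d+)", l))}
    for acl in sorted(defined - used, key=int):
        findings.append(f"access-list {acl} is defined but never referenced")
    # Overload (PAT) builds translations only for flows that start inside, so a permit
    # aimed at an inside-local host cannot be reached from outside without a static entry.
    statics = [l for l in lines if l.startswith("ip nat inside source static")]
    for l in lines:
        m = re.match(r"access-list \d+ permit tcp any host (\S+) eq (\S+)", l)
        if not m:
            continue
        host = ipaddress.ip_address(m[1])
        if any(host in n for n in inside_nets) and not any(m[1] in s.split() for s in statics):
            findings.append(f"{m[1]} port {m[2]}: inside-local target, no static NAT entry")
    return findings

if __name__ == "__main__":
    for finding in audit(CONFIG):
        print(finding)
```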
