Cisco Config w/NAT .. not doing its thing

chuck_v
Hi guys,

For some reason, a webmail script, when being processed, cannot find
the email server, which is on the same device as the script. E.g., the
web host server consists of MS Windows 2003 / IIS / a 3rd-party email
server.

Now, I am sure you guys will ask if my email server works, and yes, it
does. Note the following below:

1) You can send an email to any hosted domain I have and I WILL
receive it.
2) I can send an email to anyone on the internet via my hosted email
accounts with no issues.

Issue:
I have a webmail script (URL http://www.aais.com.au/cdosys.asp). This
just sends a test email to ad...@aais.com.au, which resides on
mail.aais.com.au (and yes, this email account works, as per above).
HOWEVER, this script cannot find the email server, which is on the same
box.

So, to add more detail: if I use a machine (other than the server) to
telnet into the SMTP server (mail.aais.com.au), I will get a response.
If I telnet from the SERVER itself and do the same thing, telnet
mail.aais.com.au, I get "cannot find server".

The questions below have been asked before (from locations other
than EE) and I have answered them. See below:

(3) When you type in http://www.aais.com.au on your internal network
you hit your router HTTP page instead of your server.
Correct, unless I modify my hosts file. THIS has now been rectified, as
my Cisco config script has been changed to suit this.

(2) Your DNS server points xxx.aais.com.au at your external IP.
Correct. All DNS entries are external IPs.

(1) You have your own DNS/web/email server sitting on the internal
network at 192.168.0.11.
Correct, all services residing on the same box, hence all my
forwards to the one box.

I am certain this is NOT a server issue. This is (from opinions) a
Cisco config routing issue. I have included said config below for your
review and comments where available.

--- CISCO 1700 CONFIG SCRIPT ---
interface ATM0/0
description +++ CONNECTION TO ISP +++
no ip address
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
hold-queue 224 in
!
interface ATM0/0.1 point-to-point
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0/0
description +++ LAN +++$ETH-LAN$$FW_INSIDE$
ip address 192.168.0.2 255.255.255.0
ip broadcast-address 192.168.0.255
ip access-group 100 in
ip nat inside
speed auto
full-duplex
no cdp enable
!
interface Dialer1
description +++ Virtual Connection to ATM0/0 +++$FW_OUTSIDE$
ip address negotiated
ip access-group filter-inbound in
ip mtu 1492
ip nat outside
encapsulation ppp
dialer pool 1
ppp authentication chap callin
ppp chap hostname XXXXXXXXXXXX
ppp chap password XXXXXXXXXXXX
!
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source route-map FWD2WEBSITE interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.0.11 80 interface Dialer1 80
ip nat inside source static tcp 192.168.0.11 25 interface Dialer1 25
ip nat inside source static tcp 192.168.0.11 20 interface Dialer1 20
ip nat inside source static tcp 192.168.0.11 21 interface Dialer1 21
ip nat inside source static tcp 192.168.0.11 443 interface Dialer1 443
ip nat inside source static tcp 192.168.0.11 3200 interface Dialer1 3200
ip nat inside source static tcp 192.168.0.11 53 interface Dialer1 53
ip nat inside source static tcp 192.168.0.11 110 interface Dialer1 110
ip nat inside source static tcp 192.168.0.11 6080 interface Dialer1 6080
ip nat inside source static tcp 192.168.0.11 3389 interface Dialer1 3389
ip nat inside source static udp 192.168.0.11 53 interface Dialer1 53
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!
ip access-list extended filter-inbound
permit tcp any any eq 3389
permit tcp any any eq ftp-data
permit tcp any any eq ftp
permit tcp any any eq 3200
permit tcp any any eq pop3
permit tcp any any eq smtp
permit tcp any any eq 6080
permit tcp any any eq 443
permit tcp any any eq www
permit udp any any eq domain
permit tcp any any eq domain
permit tcp any any established
permit udp host 192.231.203.2 eq domain any
permit udp host 192.231.203.3 eq domain any
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 255.255.255.255 any
deny ip host 0.0.0.0 any
deny udp any any
!
access-list 23 remark ********************
access-list 23 remark *** Local Access ONLY to Config
access-list 23 remark ********************
access-list 23 permit 192.168.0.0 0.0.0.255
access-list 100 remark ********************
access-list 100 remark *** FE0/0 LAN
access-list 100 remark ********************
access-list 100 permit ip any any
access-list 102 remark ********************
access-list 102 remark *** Traffic NAT'ed
access-list 102 remark ********************
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 103 remark ********************
access-list 103 remark *** FWD2WEBSITE
access-list 103 remark ********************
access-list 103 permit ip 192.168.0.0 0.0.0.255 host 150.101.163.87
dialer-list 1 protocol ip permit
no cdp run
route-map FWD2WEBSITE permit 23
match ip address 103
set ip next-hop 192.168.0.11
--- END CONFIG ---

And if I telnet from the server to mail.aais.com.au 25, it finds the address, just can't get into the port.


Any help/assistance in rectifying this would be great.
cheers
chuck
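An added example, not code from the original post or the poster's router: a small Python audit of the kind of `ip nat inside source static` and extended-ACL lines shown in the config above. It embeds a constructed copy of the Dialer1 stanza, the static forwards and the filter-inbound ACL (wrapped lines rejoined, stanzas indented as IOS prints them), lists which public ports on Dialer1 are forwarded to 192.168.0.11, checks that the inbound ACL actually permits each one, reports ACL permits that no forward uses, and flags the forwards a reviewer would usually question on an Internet-facing interface. The function names, the `FLAGGED` table and the sample text are my assumptions, not anything from the page.

```python
"""Audit the Internet exposure declared by a Cisco IOS NAT/ACL config.
Added example, not the poster's tooling: it parses "ip nat inside source
static" and extended-ACL lines like those in the question."""
import re

# Service names IOS accepts in place of numbers in "eq <port>" clauses.
IOS_PORT_NAMES = {"www": 80, "smtp": 25, "pop3": 110, "domain": 53,
                  "ftp": 21, "ftp-data": 20, "telnet": 23, "https": 443}
# Forwards a reviewer questions on an Internet-facing interface (assumption):
# remote administration and clear-text credential protocols.
FLAGGED = {3389: "RDP open to any", 21: "FTP control, clear-text logins",
           20: "FTP data", 110: "POP3, clear-text logins"}

IFACE_RE = re.compile(r"^interface (\S+)$")
APPLY_RE = re.compile(r"^\s*ip access-group (\S+) in$")
ACL_RE = re.compile(r"^ip access-list extended (\S+)$")
PERMIT_RE = re.compile(r"^\s*permit (tcp|udp) any any eq (\S+)$")
STATIC_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) "
                       r"interface (\S+) (\d+)$")


def port_number(token):
    """Turn an IOS port token such as "www" or "3389" into an integer."""
    return IOS_PORT_NAMES.get(token) or int(token)


def parse_config(text):
    """Return {"forwards": {(proto, public port): (inside ip, inside port,
    outside iface)}, "acls": {name: {(proto, port)}}, "inbound": {iface: acl}}."""
    cfg = {"forwards": {}, "acls": {}, "inbound": {}}
    iface = acl = None
    for line in text.splitlines():
        if line.strip() in ("", "!"):            # "!" closes a stanza
            iface = acl = None
        elif m := IFACE_RE.match(line):
            iface, acl = m.group(1), None
        elif m := ACL_RE.match(line):
            acl, iface = m.group(1), None
        elif (m := APPLY_RE.match(line)) and iface:
            cfg["inbound"][iface] = m.group(1)
        elif (m := PERMIT_RE.match(line)) and acl:
            cfg["acls"].setdefault(acl, set()).add((m.group(1), port_number(m.group(2))))
        elif m := STATIC_RE.match(line):
            proto, ip, iport, oif, oport = m.groups()
            cfg["forwards"][(proto, int(oport))] = (ip, int(iport), oif)
    return cfg


def audit(cfg, outside_if):
    """One row per static forward on outside_if, checked against its inbound ACL."""
    acl = cfg["acls"].get(cfg["inbound"].get(outside_if), set())
    rows = []
    for (proto, port), (ip, iport, oif) in sorted(cfg["forwards"].items()):
        if oif == outside_if:
            rows.append({"proto": proto, "port": port, "to": f"{ip}:{iport}",
                         "acl_permits": (proto, port) in acl,
                         "flag": FLAGGED.get(port)})
    return rows


def permits_without_forward(cfg, outside_if):
    """ACL entries open from any that no static forward on this router uses."""
    acl = cfg["acls"].get(cfg["inbound"].get(outside_if), set())
    return sorted(e for e in acl if e not in cfg["forwards"])


# Constructed sample: the Dialer1 stanza, static forwards and inbound ACL from
# the question, wrapped lines rejoined; the LAN stanza is omitted.
SAMPLE_CONFIG = """\
interface Dialer1
 ip address negotiated
 ip access-group filter-inbound in
 ip nat outside
!
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 192.168.0.11 80 interface Dialer1 80
ip nat inside source static tcp 192.168.0.11 25 interface Dialer1 25
ip nat inside source static tcp 192.168.0.11 20 interface Dialer1 20
ip nat inside source static tcp 192.168.0.11 21 interface Dialer1 21
ip nat inside source static tcp 192.168.0.11 443 interface Dialer1 443
ip nat inside source static tcp 192.168.0.11 3200 interface Dialer1 3200
ip nat inside source static tcp 192.168.0.11 53 interface Dialer1 53
ip nat inside source static tcp 192.168.0.11 110 interface Dialer1 110
ip nat inside source static tcp 192.168.0.11 6080 interface Dialer1 6080
ip nat inside source static tcp 192.168.0.11 3389 interface Dialer1 3389
ip nat inside source static udp 192.168.0.11 53 interface Dialer1 53
!
ip access-list extended filter-inbound
 permit tcp any any eq 3389
 permit tcp any any eq ftp-data
 permit tcp any any eq ftp
 permit tcp any any eq 3200
 permit tcp any any eq pop3
 permit tcp any any eq smtp
 permit tcp any any eq 6080
 permit tcp any any eq 443
 permit tcp any any eq www
 permit udp any any eq domain
 permit tcp any any eq domain
 permit tcp any any established
"""

if __name__ == "__main__":
    for row in audit(parse_config(SAMPLE_CONFIG), "Dialer1"):
        print(row)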
  • +
    0 Votes
    chuck_v

    if i have access-list 101 in the config. i wotn be able to get on the internet. seems somehow 101 is blocking me from going out, though its being told its IN and not out. dont know if that helps any

    cheers

  • +
    0 Votes
    chuck_v

    if i have access-list 101 in the config. i wotn be able to get on the internet. seems somehow 101 is blocking me from going out, though its being told its IN and not out. dont know if that helps any

    cheers