
nat port forwarding does not work for mail server


  • nat port forwarding does not work for mail server

    I have attempted to move my email server behind a firewall (a Cisco router, in fact a 2801). I have deleted the public mail address from the server and added the following Cisco commands:

    ip nat inside source static tcp 192.168.100.119 25 62.100.68.164 25
    ip nat inside source static tcp 192.168.100.119 7 62.100.68.164 7

    The first is the private address and the second is the public address of the mail server.


    That does not work. However, for SSH, port forwarding works well:

    ip nat inside source static tcp 192.168.0.112 22 200.100.68.166 19561 extendable

    My mail server can send mail to the outside world, but it is not receiving outside mail.

    I have run ping and tracert, and it seems that it does pass through the router:
    2 <1 ms <1 ms <1 ms 216.98.153.73
    3 <1 ms <1 ms <1 ms 65.77.90.41

    20 178 ms 177 ms 177 ms 62.100.200.65
    21 175 ms 175 ms 174 ms 62.100.68.164

    There is:

    myrouter#sh ip nat trans

    Pro Inside global Inside local Outside local Outside global
    ..
    tcp 62.100.68.164 7 192.168.100.119 7 --- ---
    tcp 62.100.68.164:25 192.168.100.119:25 212.227.126.188:52133 212.227.126.188:52133
    tcp 62.100.68.164:25 192.168.100.119:25 212.227.126.188:52388 212.227.126.188:52388

    From here I can see that there are at least two child NATs established for the SMTP NAT rule.


  • #2
    Re: nat port forwarding does not work for mail server

    From the outside (http://www.dnsright.com) I have run a port scan and I have got:

    62.100.68.164:21 --> Open
    62.100.68.164:23 --> Closed
    62.100.68.164:25 --> Closed
    62.100.68.164:53 --> Closed
    62.100.68.164:79 --> Closed
    62.100.68.164:80 --> Closed
    62.100.68.164:110 --> Closed
    62.100.68.164:135 --> Closed
    62.100.68.164:139 --> Closed
    62.100.68.164:143 --> Closed


    On my mail server:

    C:\Documents and Settings\adminco>netstat -an

    Active Connections

    Proto Local Address Foreign Address State
    TCP 0.0.0.0:25 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:110 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:111 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:143 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:366 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:587 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:1000 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:1044 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:3172 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:6389 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:7937 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:7938 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:8510 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:9004 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:9321 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:12345 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:23333 0.0.0.0:0 LISTENING
    TCP 192.168.200.19:110 192.168.0.129:2146 TIME_WAIT
    TCP 192.168.200.19:110 192.168.0.165:1727 TIME_WAIT
    TCP 192.168.200.19:110 192.168.0.182:3197 TIME_WAIT
    TCP 192.168.200.19:110 192.168.0.182:3199 TIME_WAIT
    TCP 192.168.200.19:110 192.168.0.184:4076 TIME_WAIT
    TCP 192.168.200.19:139 0.0.0.0:0 LISTENING
    TCP 192.168.200.19:1560 192.168.200.10:9905 ESTABLISHED
    TCP 192.168.200.19:3389 192.168.0.163:2030 ESTABLISHED
    TCP 192.168.200.19:3515 192.168.200.10:8738 ESTABLISHED
    TCP 192.168.200.19:6389 192.168.200.40:4663 TIME_WAIT
    TCP 192.168.200.19:6389 192.168.200.40:4703 TIME_WAIT
    TCP 192.168.200.19:6389 192.168.200.41:3339 TIME_WAIT
    TCP 192.168.200.19:6389 192.168.200.41:3378 TIME_WAIT
    TCP 192.168.200.19:9004 192.168.200.10:3656 ESTABLISHED
    UDP 0.0.0.0:111 *:*
    ...

    OK, when I get rid of the NAT rules, the port scan shows what I expect:

    62.100.68.164:21 --> Open
    62.100.68.164:23 --> Closed
    62.100.68.164:25 --> Open
    62.100.68.164:53 --> Closed
    62.100.68.164:79 --> Closed
    62.100.68.164:80 --> Closed
    62.100.68.164:110 --> Open
    62.100.68.164:135 --> Closed
    62.100.68.164:139 --> Closed
    62.100.68.164:143 --> Open
    62.100.68.164:161 --> Closed
    62.100.68.164:162 --> Closed
    62.100.68.164:389 --> Closed
    62.100.68.164:443 --> Closed
    62.100.68.164:445 --> Open
    62.100.68.164:548 --> Closed
    62.100.68.164:1433 --> Closed
    62.100.68.164:1723 --> Closed
    62.100.68.164:2000 --> Closed
    62.100.68.164:3389 --> Open
    62.100.68.164:5631 --> Closed
    62.100.68.164:5632 --> Closed
    62.100.68.164:5900 --> Closed
    62.100.68.164:8080 --> Closed


    I do not know what I have to do or how to debug the above problem. I have checked the routes from and to the mail server. It seems to me that they are the same.
    Last edited by pereubu; 9th March 2009, 13:37. Reason: wrong ip

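The translation table in post #1 and the netstat and port-scan output in post #2 can be cross-checked mechanically. The script below is an added example, not code from the thread, from Cisco or from the forum: it parses the three outputs (the sample inputs are constructed, reusing the thread's addresses) and, for each static template entry in `show ip nat translations` (a line with no outside addresses), reports whether the inside host actually listens on the mapped port, how many fully qualified child translations the router has built from that template, and what the external scan saw. The combination in the thread, child translations present but the scanner reporting closed, means inbound SYNs reach the router and are translated, so the place to look is the return path from the mail server, router ACLs, or the host firewall.

```python
"""Cross-check Cisco static NAT port forwards against the inside host and an
external scan.  Added example, not code from the thread or from Cisco.  Input
formats follow 'show ip nat translations', Windows 'netstat -an' and the
'ip:port --> Open/Closed' scan lines quoted in the thread; all data below is
constructed."""
import re
from collections import defaultdict

# Constructed sample of 'show ip nat translations' (addresses from the thread).
NAT_TRANSLATIONS = """\
Pro Inside global      Inside local       Outside local          Outside global
tcp 62.100.68.164:7    192.168.100.119:7  ---                    ---
tcp 62.100.68.164:25   192.168.100.119:25 ---                    ---
tcp 62.100.68.164:25   192.168.100.119:25 212.227.126.188:52133  212.227.126.188:52133
tcp 62.100.68.164:25   192.168.100.119:25 212.227.126.188:52388  212.227.126.188:52388
"""

# Constructed, abridged sample of the mail server's 'netstat -an'.
NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:110            0.0.0.0:0              LISTENING
  TCP    192.168.100.119:3389   192.168.0.163:2030     ESTABLISHED
"""

# Constructed sample of the external scan result.
PORTSCAN = """\
62.100.68.164:7 --> Closed
62.100.68.164:25 --> Closed
62.100.68.164:110 --> Closed
"""

SOCKET_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")


def _split_socket(token):
    """'1.2.3.4:25' -> ('1.2.3.4', 25); '---' or anything else -> None."""
    m = SOCKET_RE.match(token)
    return (m.group(1), int(m.group(2))) if m else None


def parse_nat_translations(text):
    """Return (proto, inside_global, inside_local, outside_local, outside_global) tuples."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0].lower() not in ("tcp", "udp"):
            continue  # header, blank or unrecognised line
        entries.append((parts[0].lower(),) + tuple(_split_socket(p) for p in parts[1:]))
    return entries


def parse_netstat_listeners(text):
    """Return the set of (proto, port) the host listens on, on any local address."""
    listeners = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0].upper() == "TCP" and parts[3] == "LISTENING":
            sock = _split_socket(parts[1])
            if sock:
                listeners.add(("tcp", sock[1]))
        elif len(parts) >= 3 and parts[0].upper() == "UDP":
            sock = _split_socket(parts[1])
            if sock:
                listeners.add(("udp", sock[1]))
    return listeners


def parse_portscan(text):
    """Return {port: 'open' | 'closed'} from 'ip:port --> Open/Closed' lines."""
    result = {}
    for line in text.splitlines():
        m = re.match(r"^\S+:(\d+)\s*-->\s*(\w+)", line.strip())
        if m:
            result[int(m.group(1))] = m.group(2).lower()
    return result


def check_forwarding(nat_text, netstat_text, scan_text):
    """For each static template entry, say where the forward appears to break."""
    listeners = parse_netstat_listeners(netstat_text)
    scan = parse_portscan(scan_text)
    templates = {}            # (proto, global port) -> (inside ip, inside port)
    children = defaultdict(int)  # (proto, global port) -> number of child translations
    for proto, ig, il, ol, og in parse_nat_translations(nat_text):
        if ig is None or il is None:
            continue
        if ol is None and og is None:
            templates[(proto, ig[1])] = il
        else:
            children[(proto, ig[1])] += 1
    findings = {}
    for (proto, gport), (iip, iport) in sorted(templates.items()):
        listening = (proto, iport) in listeners
        if not listening:
            verdict = "inside host is not listening on the mapped port"
        elif scan.get(gport) == "open":
            verdict = "forward works end to end"
        elif children[(proto, gport)]:
            verdict = ("router builds child translations but the scanner sees closed: "
                       "inbound reaches the router; check the return path, ACLs and host firewall")
        else:
            verdict = "no child translations: inbound traffic never matches the template"
        findings[(proto, gport)] = {"inside": f"{iip}:{iport}", "listening": listening,
                                    "children": children[(proto, gport)],
                                    "scan": scan.get(gport), "verdict": verdict}
    return findings


if __name__ == "__main__":
    for (proto, port), f in check_forwarding(NAT_TRANSLATIONS, NETSTAT, PORTSCAN).items():
        print(f"{proto}/{port} -> {f['inside']}: {f['verdict']}")
```

Feed it the real outputs by replacing the three constants with the text captured from the router and the host; the verdict for a port with child translations but a closed scan points at the asymmetric path that post #5 eventually describes, rather than at the NAT statements themselves.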


    • #3
      Re: nat port forwarding does not work for mail server

      What is your email gateway? Are you able to see whether mails are reaching your email gateway or not?

      Are you using WEBSENSE in your organisation? If yes, then check with them; also check with the SYSTEM ADMIN who takes care of EXCHANGE in your organisation.


      If WEBSENSE and the SYSTEM ADMIN find no issue, then consult the company who provides your mail exchange.

      Cheers
      DT



      • #4
        Re: nat port forwarding does not work for mail server

        As far as I know there is no Websense in my company. I do not have much contact with my ISP.

        No, I do not have Exchange but MDaemon, an older version, 8.13. Yes, it has some security and antivirus. I have checked everything I believe might be the cause of the problem.



        • #5
          Re: nat port forwarding does not work for mail server

          I have succeeded in making it work, but only partially (I had to fix a problem relating to different input and output paths).

          Now it works fine when I send mail from the outside, and locally, but when I try to send mail to the outside world I am not able to send it. The reason might be as stated on the Cisco site:

          "Once that is working, they might also want to define static mappings for a particular host using each provider's address space. The software does not allow two static translations with the same local address, though, because it is ambiguous from the inside. The router will accept these static translations and resolve the ambiguity by creating full translations (all addresses and ports) if the static translations are marked as "extendable". For a new outside-to-inside flow, the appropriate static entry will act as a template for a full translation. For a new inside-to-outside flow, the dynamic route-map rules will be used to create a full translation "

          The problem is that I have a problem sending SMTP out from inside to outside; consequently I do not know which dynamic route-map rules it is referring to. Do I have to create a sort of NAT pool? Does that mean that I have to add some route map?

          Like this one: ip nat inside source route-map MAP-118 pool pool-118

          from (taken as an example)

          http://www.cisco.com/en/US/tech/tk64...80093fca.shtml
          Last edited by pereubu; 17th March 2009, 10:06. Reason: my typo

