eddysamson1 (Anon, @comcastbusiness.net)
[Config] SMTP Between 2 routers

Hi all, I am relatively new to IOS and could use some help. We have 2 routers, 1 internal, 1 DMZ/external. Internal is a 1921, DMZ is a 891. We have an interesting setup right now where each router has its own public IP and separate connection to the modem. The 1921 handles all normal internet traffic and has our VPN server for remote access to our internals. The 891 handles our Lync Edge server and will soon have an Exchange Edge server. I am trying to configure the 891 to forward traffic from the DMZ subnet to the internal subnet and exchange server.

I have done everything that I *think* needs to be done to get this to work. My boss believes I should be able to telnet from a DMZ machine to our internal exchange server over port 25 and vice versa. However, this does not work.

The 891's fastethernet8 interface is connected directly to the 1921's gigabitethernet0/0 interface.

My config is as follows:

1921(INSIDE)-

*took out anything that doesn't pertain to SMTP traffic and these 2 routers

interface GigabitEthernet0/0
description TO-DMZ
ip address 10.10.1.2 255.255.255.0
ip access-group sdm_gigabitethernet0/0_in in
ip nat outside
ip virtual-reassembly in
ip verify unicast reverse-path
ip policy route-map smtprule
duplex auto
speed auto
no cdp enable

ip nat inside source static tcp 192.168.1.186 25 interface GigabitEthernet0/0 25
ip nat inside source route-map smtprule interface GigabitEthernet0/0 overload

ip route 10.10.10.0 255.255.255.0 GigabitEthernet0/0

ip access-list extended sdm_gigabitethernet0/0_in
permit tcp any host 10.10.1.2 eq smtp
permit tcp any host 10.10.1.2 eq 50636
permit tcp any host 192.168.1.186 eq smtp
permit tcp any host 192.168.1.186 eq 50636
permit tcp any any eq 1723
permit gre any any
permit ip 192.168.1.0 0.0.0.255 any
permit ip host 10.10.1.2 any
permit icmp any host 10.10.1.2 administratively-prohibited
permit icmp any host 10.10.1.2 time-exceeded
permit icmp any host 10.10.1.2 unreachable
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 255.255.255.255 any
deny ip host 0.0.0.0 any
deny ip any any log

access-list 151 permit tcp host 192.168.1.186 eq smtp any
access-list 151 permit tcp host 192.168.1.186 any eq smtp
access-list 151 permit ip host 192.168.1.186 any

route-map smtprule permit 5
match ip address 151
set interface GigabitEthernet0/0

891(DMZ)-

interface FastEthernet8
description TO-LAN
ip address 10.10.1.10 255.255.255.0
ip nat outside
ip policy route-map smtprule
duplex auto
speed auto

interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$
ip address 10.10.10.1 255.255.255.0
ip access-group 102 in
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452

ip nat inside source route-map smtprule interface FastEthernet8 overload

ip route 192.168.1.0 255.255.255.0 FastEthernet8

access-list 151 permit tcp host 10.10.10.3 eq smtp any
access-list 151 permit tcp host 10.10.10.3 any eq smtp
access-list 151 permit ip host 10.10.10.3 any

route-map smtprule permit 5
match ip address 151
set interface FastEthernet8

A few things to note:
*10.10.10.3 is the exchange edge server
*192.168.1.186 is the exchange server
*in the 1921's ACL I tried both the IP of the fastethernet8 (DMZ) interface and what you see currently, which is the gigabitethernet0/0 (inside) interface
*the route-map is just a test, I am really not sure if it was even necessary. Things are looking exactly the same since I put it in.

My boss is convinced SMTP won't flow between the two routers until I can telnet on port 25 to each respective machine, is this true? From each router I can ping machine IPs off the other router, but machines themselves cannot ping machines on the other router (or the router itself). So for instance while on the 891 I can ping 192.168.1.186 and while on the 1921 I can ping 10.10.10.3, but I cannot ping 192.168.1.186 from 10.10.10.3 or vice versa.

What am I missing? I was originally under the impression that static routes were the only thing I needed. After I added them it opened up the pinging I was talking about, but still cannot telnet on 25.

Please help!
eddysamson (Member, join: 2012-01-26, Burlington, VT)

This is a real headache for me atm, can anyone help?
eddysamson (Member)

I believe I need to set up EIGRP or OSPF for this to work. Still having troubles even while using either protocol.

I have tried:

1921-

router ospf 1
network 10.10.10.0 0.0.0.255 area 0
network 10.10.1.0 0.0.0.255 area 0
neighbor 10.10.10.1

891-

router ospf 1
network 10.10.1.0 0.0.0.255 area 0
network 192.168.1.0 0.0.0.255 area 0
neighbor 192.168.1.1

OR

1921-

router eigrp 100
network 10.10.10.0 0.0.0.255
network 10.10.1.0 0.0.0.255

891-

router eigrp 100
network 10.10.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255

Both with no luck.

This is holding my projects back big time, PLEASE HELP!
Bink (Member, join: 2006-05-14, Colorado) to eddysamson1

This appears to be an overly complex / "broken-by-design" architecture. Please post the entire configuration and provide a diagram.

eddysamson2 (Anon, @comcastbusiness.net)

I don't have time to go through my two configs and omit our private information right now, but I can tell you this:

What I am trying to do is route smtp traffic from Exchange Edge on DMZ(891) to our Exchange Hub off our 1921 on port 25.

So an email comes in through the 891's outside interface, goes to our edge server @ 10.10.10.3, and then heads back out through the interface connecting my two routers, enters the internal router, and goes to the Exchange Hub @ 192.168.1.186.

It seems like a relatively simple thing. I can't be the only one trying to do a 2 router DMZ. The dual internet connections are unrelated and work fine, as our Lync Edge server works perfectly; it just has two NICs so it doesn't need to traverse the 891->1921 connection.

I have:

DMZ Subnet 10.10.10.0
^
|
891 fastethernet8- ip address 10.10.1.10 connected directly to ->
1921 gigabitethernet0/0- ip address 10.10.1.2
|
v
Internal Subnet 192.168.1.0
aryoba (MVM, join: 2002-08-22)

said by eddysamson2 :

I don't have time to go through my two configs

Since you are a new member and are probably unaware of it, may I suggest that in the future you not use these words, which could be misunderstood by a lot of people here (just a friendly suggestion).
said by eddysamson2 :

and omit our private information right now

Posting network topology and configuration should not be a security concern. If you prefer, you can just scrub out passwords and SNMP community strings. Further, you can replace any public IP addresses with fake ones such as 1.1.1.1 and 2.2.2.2.
said by eddysamson2 :

but I can tell you this:

What I am trying to do is route smtp traffic from Exchange Edge on DMZ(891) to our Exchange Hub off our 1921 on port 25.

So an email comes in through the 891's outside interface, goes to our edge server @ 10.10.10.3, and then heads back out through the interface connecting my two routers, enters the internal router, and goes to the Exchange Hub @ 192.168.1.186.

It seems like a relatively simple thing. I can't be the only one trying to do a 2 router DMZ. The dual internet connections are unrelated and work fine, as our Lync Edge server works perfectly; it just has two NICs so it doesn't need to traverse the 891->1921 connection.

I have:

DMZ Subnet 10.10.10.0
^
|
891 fastethernet8- ip address 10.10.1.10 connected directly to ->
1921 gigabitethernet0/0- ip address 10.10.1.2
|
v
Internal Subnet 192.168.1.0

Try not to NAT between the DMZ on the 1921 and the 891 unless you have a compelling reason. Also there should be no need to implement a routing protocol such as EIGRP or OSPF, since your network should not really need them yet.
eddysamson (Member, join: 2012-01-26, Burlington, VT)

Thanks for the reply! Should I just use RIP or is even that unnecessary? I am pretty sure I have tried this without NAT and I still have been unable to telnet on 25 across the two devices.
eddysamson (Member) to eddysamson1
Problem solved!

Removed NAT statements and 'ip nat outside' off my interfaces and it works!
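A sketch of the arrangement the thread ends on, written here as an added example and not either poster's actual config: the inter-router link is plain routed with no NAT on either side, the static routes point at the neighbour's link address, and the 1921's inbound ACL admits only the Edge server to the Hub on TCP/25 plus return traffic for the Hub-initiated SMTP and 50636 (EdgeSync) sessions. The ACL name DMZ-TO-INSIDE is my choice, and it assumes the 891's Vlan1 ACL 102 (not shown in the thread) already permits the Edge server out towards 192.168.1.0/24.

```cisco
! ===== 1921 (INSIDE) =====
! Link to the DMZ router carries routed traffic only. With the earlier
! "ip nat inside source static tcp 192.168.1.186 25 ..." the Hub's replies
! leaving this interface were rewritten to 10.10.1.2:25, so the Edge saw
! SYN-ACKs from an address it never connected to and the session never opened.
interface GigabitEthernet0/0
 description TO-DMZ
 ip address 10.10.1.2 255.255.255.0
 ip access-group DMZ-TO-INSIDE in
 ip verify unicast reverse-path
 no ip nat outside
!
! Next-hop form rather than interface-only; an interface-only static route on
! Ethernet depends on proxy ARP on the far side.
ip route 10.10.10.0 255.255.255.0 10.10.1.10
!
! Only the Edge server may open SMTP to the Hub. The two "established" lines
! admit replies for sessions the Hub opens to the Edge (SMTP and EdgeSync).
! Ping between the two subnets is kept for troubleshooting; all else is logged
! and dropped.
ip access-list extended DMZ-TO-INSIDE
 permit tcp host 10.10.10.3 host 192.168.1.186 eq smtp
 permit tcp host 10.10.10.3 eq smtp host 192.168.1.186 established
 permit tcp host 10.10.10.3 eq 50636 host 192.168.1.186 established
 permit icmp 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255 echo
 permit icmp 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255 echo-reply
 permit icmp 10.10.1.0 0.0.0.255 host 10.10.1.2 echo
 deny ip any any log
!
! ===== 891 (DMZ) =====
! Same idea from the other side: no overload NAT on the link, so the Edge's
! packets reach the Hub with their real 10.10.10.3 source address.
interface FastEthernet8
 description TO-LAN
 ip address 10.10.1.10 255.255.255.0
 no ip nat outside
!
ip route 192.168.1.0 255.255.255.0 10.10.1.2
```

After applying it, "telnet 192.168.1.186 25" from the Edge should return the Hub's 220 banner, and a session the Hub opens to the Edge on 25 or 50636 should complete as well; any remaining drops show up as log lines from the final deny entry.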