
balag

join:2012-04-03
Raymond, IA

[HELP] CISCO 2911 Router configuration

Cisco 2911 router configuration support required.

I have Exchange Server 2010 configured and working without any errors.
The problem is in the Cisco router configuration: when the Exchange server sends emails out, the receiver sees the WAN IP, not the public IP.
I have configured rDNS lookups with our MX record IP addresses that match the FQDN, but all our emails are rejected because it does not match the public IP.
Receiving mail is not a problem; all mail is coming through.
I am sure I am missing something in the router configuration that does not send the public IP. Can anyone help me solve this issue?

Note: I got 1 WAN IP and 8 public IPs from the ISP.


RyanG1
Premium
join:2002-02-10
San Antonio, TX
kudos:1
You will need to do a static 1-to-1 mapping for the IP. Can you post a sanitized running config so we know what we are looking at/working with?

Ryan

balag

join:2012-04-03
Raymond, IA
reply to balag
Here is my configuration for review; please help me find the solution.

Current configuration : 2734 bytes
!
! Last configuration change at 06:32:13 UTC Tue Apr 3 2012
! NVRAM config last updated at 06:32:14 UTC Tue Apr 3 2012
! NVRAM config last updated at 06:32:14 UTC Tue Apr 3 2012
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname BSBG-LL
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $x$xHrxxxxx5ox0
enable password 7 xx23xx5FxxE1xx044
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
ip flow-cache timeout active 1
ip domain name yourdomain.com
ip name-server 213.42.20.20
ip name-server 195.229.241.222
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO2911/K9
!
!
username bsbg
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 192.168.0.9 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly in
duplex auto
speed 100
no cdp enable
!
interface GigabitEthernet0/1
ip address 213.42.xx.x2 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 120 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.168.0.4 25 94.56.89.100 25 extendable
ip nat inside source static tcp 192.168.0.4 53 94.56.89.100 53 extendable
ip nat inside source static udp 192.168.0.4 53 94.56.89.100 53 extendable
ip nat inside source static tcp 192.168.0.4 110 94.56.89.100 110 extendable
ip nat inside source static tcp 192.168.0.4 443 94.56.89.100 443 extendable
ip nat inside source static tcp 192.168.0.4 587 94.56.89.100 587 extendable
ip nat inside source static tcp 192.168.0.4 995 94.56.89.100 995 extendable
ip nat inside source static tcp 192.168.0.4 3389 94.56.89.100 3389 extendable
ip nat inside source static tcp 192.168.0.4 443 94.56.89.101 443 extendable
ip nat inside source static tcp 192.168.0.12 80 94.56.89.102 80 extendable
ip nat inside source static tcp 192.168.0.12 443 94.56.89.102 443 extendable
ip nat inside source static tcp 192.168.0.12 3389 94.56.89.102 3389 extendable
ip route 0.0.0.0 0.0.0.0 213.42.69.41
!
access-list 120 permit ip 192.168.0.0 0.0.0.255 any
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 5 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password 7 xx64xxD530D26086Dxx
login
transport input all
!
scheduler allocate 20000 1000
end


RyanG1
Premium
join:2002-02-10
San Antonio, TX
kudos:1
reply to balag
This will create a one-to-one static NAT:

ip nat inside source static 192.168.0.4 94.56.89.100
 

You may need to remove the static NAT port mappings first, though.

Ryan

--
Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so. -Douglas Adams
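The reason the one-to-one entry fixes the outbound SMTP source address: the posted `ip nat inside source static tcp ... extendable` lines only translate packets whose inside port matches (25, 53, 443, ...). A connection the Exchange server opens to a remote port 25 uses an ephemeral source port, so it never matches those entries, falls through to `ip nat inside source list 120 ... overload`, and leaves as the GigabitEthernet0/1 address. A plain static entry translates every packet from 192.168.0.4, whatever the port, so outbound mail now comes from 94.56.89.100 and matches the MX and PTR records. The flip side is that every port on 94.56.89.100 now reaches 192.168.0.4 too, so the per-port exposure the old entries gave you has to be recreated with an inbound ACL. The following is an added example of the full change, not Ryan's or the original poster's configuration; 203.0.113.10 is an assumed management address (RFC 5737 documentation range), and the ACL name OUTSIDE-IN is the author's choice:

```cisco
! --- Replace the per-port entries for 94.56.89.100 with a one-to-one static NAT ---
! IOS will not remove a static entry that still has active translations, so clear
! them first (brief interruption to existing sessions).
clear ip nat translation *
no ip nat inside source static tcp 192.168.0.4 25 94.56.89.100 25 extendable
no ip nat inside source static tcp 192.168.0.4 53 94.56.89.100 53 extendable
no ip nat inside source static udp 192.168.0.4 53 94.56.89.100 53 extendable
no ip nat inside source static tcp 192.168.0.4 110 94.56.89.100 110 extendable
no ip nat inside source static tcp 192.168.0.4 443 94.56.89.100 443 extendable
no ip nat inside source static tcp 192.168.0.4 587 94.56.89.100 587 extendable
no ip nat inside source static tcp 192.168.0.4 995 94.56.89.100 995 extendable
no ip nat inside source static tcp 192.168.0.4 3389 94.56.89.100 3389 extendable
!
! Every packet from 192.168.0.4, whatever its source port, is now translated to
! 94.56.89.100 (and every port on 94.56.89.100 now reaches 192.168.0.4).
ip nat inside source static 192.168.0.4 94.56.89.100
!
! Keep the statically mapped host out of the overload rule. Static entries already
! take precedence over dynamic ones; the deny just makes the intent explicit.
! Sequence 5 lands before the existing "permit ip 192.168.0.0 0.0.0.255 any".
ip access-list extended 120
 5 deny ip host 192.168.0.4 any
!
! --- Inbound filter on the outside interface ---
! An inbound ACL on the outside interface is evaluated before NAT, so it matches
! the public addresses. Only the ports the old port-forwards exposed are opened.
! 203.0.113.10 is an assumed management address (placeholder, not from the thread).
ip access-list extended OUTSIDE-IN
 remark Exchange/DNS host: 94.56.89.100 -> 192.168.0.4
 permit tcp any host 94.56.89.100 eq smtp
 permit tcp any host 94.56.89.100 eq domain
 permit udp any host 94.56.89.100 eq domain
 permit tcp any host 94.56.89.100 eq pop3
 permit tcp any host 94.56.89.100 eq 443
 permit tcp any host 94.56.89.100 eq 587
 permit tcp any host 94.56.89.100 eq 995
 remark other port-forwards from the posted config
 permit tcp any host 94.56.89.101 eq 443
 permit tcp any host 94.56.89.102 eq www
 permit tcp any host 94.56.89.102 eq 443
 remark RDP only from the assumed management address, never from "any"
 permit tcp host 203.0.113.10 host 94.56.89.100 eq 3389
 permit tcp host 203.0.113.10 host 94.56.89.102 eq 3389
 remark return traffic for sessions opened from inside (stateless; see note)
 permit tcp any any established
 permit udp any eq domain any
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny ip any any log
!
interface GigabitEthernet0/1
 ip access-group OUTSIDE-IN in
```

Check the result with `show ip nat translations` (one line `--- 94.56.89.100 192.168.0.4 --- ---` for the static entry) and by sending a test mail to an external mailbox and reading the `Received:` header. The return-traffic lines (`established`, source port 53, ICMP) are a stateless approximation: `established` only checks TCP flags and the UDP line trusts anything that claims source port 53, so on a router with the security feature set CBAC (`ip inspect`) or the zone-based firewall is the better tool for opening return paths. The old config exposed RDP (3389) on two public addresses to the whole Internet; restricting it to a known management source, or putting it behind a VPN, is the single biggest reduction in attack surface in this change.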

balag

join:2012-04-03
Raymond, IA
Thanks Ryan.
It is working, thank you so much.


RyanG1
Premium
join:2002-02-10
San Antonio, TX
kudos:1
reply to balag
No problem, glad it's working for you.


TomS_
Git-r-done
Premium,MVM
join:2002-07-19
London, UK
kudos:5
reply to balag
/me wonders why people still configure "enable password". It's so insecure, I'm surprised it still exists as a configurable option!


Da Geek Kid

join:2003-10-11
::1
kudos:1
/you wonders why most corp/isp use enable pass everywhere, too?


TomS_
Git-r-done
Premium,MVM
join:2002-07-19
London, UK
kudos:5
I started working for ISPs in 2004, and haven't seen it in use since at least then.

Even before that when I was studying CCNA, it was mentioned in my study material, but discouraged due to it being reversible. "enable secret" is preferred as it is not reversible.

Cisco also discourages "enable password": »www.cisco.com/en/US/tech/tk59/te···a7.shtml

You can make your passwords as strong as you want, but as soon as you stick it in your config as a type 7 password, it's a sitting duck. There are plenty of free tools available to decrypt them at the click of a button. A type 5 password like "enable secret" could only be brute forced at best.

Basically, I would only use type 7 passwords where they must be used, such as for PPP passwords. Otherwise, type 5 all the way.
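For the poster's own config above, the type 5/type 7 distinction matters on three lines: `enable password 7 ...`, the `password 7 ...` on `line vty 0 4`, and the fact that those VTYs accept telnet (`transport input all`), so the type 7 string also crosses the LAN in clear text every login. The following is an added example of the corresponding hardening, not TomS_'s or the original poster's configuration. It assumes an IOS image with crypto support (needed for SSH), reuses the hostname, domain name and `bsbg` username already present in the posted config, and uses the LAN 192.168.0.0/24 as the only permitted management source; the secrets in angle brackets are placeholders to be replaced:

```cisco
! --- enable secret instead of enable password ---
! "enable password" is stored as type 7, which any free decoder reverses instantly;
! "enable secret" is stored as a salted hash (type 5, MD5-crypt, on IOS 15.1).
no enable password
enable secret <new-enable-secret>
!
! Local accounts: "secret" hashes the credential; "password" would store type 7.
username bsbg privilege 15 secret <new-user-secret>
!
! --- SSH instead of telnet on the VTYs ---
! hostname and ip domain name are already set in the posted config; both are
! required before the RSA key can be generated.
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Management sources allowed to reach the VTYs (assumed: the LAN only).
access-list 10 permit 192.168.0.0 0.0.0.255
!
line vty 0 4
 no password
 login local
 access-class 10 in
 exec-timeout 5 0
 transport input ssh
!
! The aux line in the posted config has no login at all; shut it off.
line aux 0
 no exec
 transport input none
```

Verify with `show run | include enable` (only the `enable secret 5` line should remain), `show ip ssh` (version 2 enabled) and an SSH login before closing the console session; a telnet attempt should now be refused. Two caveats a practitioner should keep in mind: type 5 is MD5-crypt, so it resists being read back from the config but can still be cracked offline from a leaked config if the secret is weak, and IOS 15.3(3)M and later offer `enable algorithm-type scrypt secret ...` (type 9) for the same line; and any `password 7` string that has ever appeared in a saved or pasted config, sanitized or not, should be treated as disclosed and rotated, because the encoding is reversible with no key.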


battleop

join:2005-09-28
00000
"the first public release of such a program of which Cisco is aware was in early 1995."

Cisco cares more about money than security. If they cared about security every image that they put out in the last 10 years should have had SSH and the option to create an enable password would not exist among other things.
--
I do not, have not, and will not work for AT&T/Comcast/Verizon/Charter or similar sized company.


TomS_
Git-r-done
Premium,MVM
join:2002-07-19
London, UK
kudos:5
Sometimes it's fun to cast big corporations as only concerned about the bottom line, but I don't think that it's necessarily Cisco's fault on the SSH part.

SSH is an encryption feature, and certain countries prohibit the import of encryption software. That's why there are also two JunOS images for any given release: worldwide and domestic. Only domestic includes SSH (IPsec et al), IIRC.

As for enable password, no idea why that still exists, except perhaps for the same reason as above, maybe...

So there's a good enough reason why telnet still exists and SSH is not the default for most network devices: oppressive governments. Let's bash them instead.

aryoba
Premium,MVM
join:2002-08-22
kudos:4
Telnet is still used as a standard in many large corporations. From my observation, an organizational policy of using SSH instead of Telnet, or enable secret instead of enable password, depends on how the organization's lawyers interpret the laws and regulations. Telnet and enable password could still be considered secure assuming no physical breach of the equipment, the telnet client and server reside within the same security zone, communication between the telnet client and server always stays within the same security zone, all users are authenticated in order to read the router's configuration; among other things.

Of course there are always companies that have no idea of how network security and protection should be put in place practically. These kinds of companies tend to go above and beyond without practical sense. For example, there is a company that put security locks on the bathroom doors. Every time you need to use the bathroom, you need to scan your badge ID to enter. When the auditors see that your badge is being used "too often" to enter the bathroom (i.e. 20 times a day), your manager gets a call from the auditors to find out what happened.

HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to TomS_
said by TomS_:

As for enable password, no idea why that still exists, except perhaps for the same reason as above maybe...

Same reason 3.5" floppies, BIOS, single-threaded apps, and a whole slew of "legacy" stuff still hang around, likely.
Face it: IT may claim to be cutting edge, but it's often notoriously conservative.

Regards


Da Geek Kid

join:2003-10-11
::1
kudos:1
I still got some working 5.25" disks...

cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:9
I have a box of 8" floppies (~10 lbs of 'em, in fact).

Yes, encryption is the reason SSH is not in every IOS image. "enable password" still exists because people use it. It's only really a problem where there's ZERO security all around. Telnet... well, telnet is so dirt simple it's hard to argue against it -- anything that can bind a tcp socket can talk "telnet" (you don't have to actually do *any* of the actual protocol... open a socket and start typing); ssh is a great deal of work for both the client and server. (and I've seen TOO MANY custom ssh implementations that simply do not work well with others.)