
Cisco 836 Outbound NAT



EdpCal
18-04-05, 14:35
Good morning everyone,

Below is the configuration of an 836 with Firewall, VPN and NAT.
The IP addresses from the provider are 16: 17.1.1.208 - 17.1.1.223
On the internal network there are 2 web servers (one with SSL) (17.1.1.216, 17.1.1.219) and one Exchange server (17.1.1.217).
There is also NAT for ports 14662 (eMule) and 19354 (BitTorrent client).
There is reverse DNS (from the provider) for 17.1.1.216, 17.1.1.217 and 17.1.1.219.
Everything works great except for one small problem ....
When Exchange sends mail it uses 17.1.1.222 as its address, which is the address of the Dialer interface.
Because some mail servers require a reverse lookup in order to accept mail, I would like the SMTP address to be 17.1.1.217, for which a reverse lookup exists.
Is there a way to do something like this?
I have already made attempts like:

ip nat outside source static tcp 17.1.1.217 25 192.168.1.17 25
but it doesn't work that way ... Any other ideas?
Thanks.

836 config:


!
!----------------------------------------------------------------------------
!version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname dsl-eth0
!
boot-start-marker
boot-end-marker
!
memory-size iomem 5
logging buffered 16384 informational
enable secret 5 *****************************
!
username admin privilege 15 secret 5 ******************************
username ahead privilege 0 secret 5 *******************************
username vpn-admin privilege 15 secret 5 *********************************
username ahead-patra privilege 15 secret 5 ********************************
clock timezone Athens 2
clock summer-time Athens date Mar 30 2003 3:00 Oct 26 2003 4:00
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa session-id common
ip subnet-zero
!
!
!
!
ip domain name domain.com
ip name-server 194.30.220.117
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name sdm_ins_in_100 cuseeme
ip inspect name sdm_ins_in_100 ftp
ip inspect name sdm_ins_in_100 h323
ip inspect name sdm_ins_in_100 icmp
ip inspect name sdm_ins_in_100 netshow
ip inspect name sdm_ins_in_100 rcmd
ip inspect name sdm_ins_in_100 realaudio
ip inspect name sdm_ins_in_100 rtsp
ip inspect name sdm_ins_in_100 esmtp
ip inspect name sdm_ins_in_100 sqlnet
ip inspect name sdm_ins_in_100 streamworks
ip inspect name sdm_ins_in_100 tftp
ip inspect name sdm_ins_in_100 tcp
ip inspect name sdm_ins_in_100 udp
ip inspect name sdm_ins_in_100 vdolive
ip ips sdf location flash://sdmips.sdf
ip ips notify SDEE
no ip ips notify log
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 3
encr 3des
group 2
!
crypto isakmp client configuration group ADMIN
key 99workatahead
dns 192.168.1.1
wins 192.168.1.1
domain aheadrm.local
pool SDM_POOL_2
acl 102
!
crypto isakmp client configuration group PATRA
key 99workatpatra
dns 192.168.1.1
wins 192.168.1.1
domain aheadrm.local
pool SDM_POOL_1
acl 101
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_2
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface Ethernet0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-Ethernet 10/100$$FW_INSIDE$
ip address 192.168.1.99 255.255.255.0
ip access-group 103 in
ip verify unicast reverse-path
ip nat inside
ip virtual-reassembly
!
interface Ethernet2
no ip address
shutdown
!
interface BRI0
no ip address
shutdown
!
interface ATM0
bandwidth 288
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
interface Dialer0
description $FW_OUTSIDE$
bandwidth 1024
ip address negotiated
ip access-group 104 in
ip nat outside
ip inspect sdm_ins_in_100 in
ip inspect DEFAULT100 out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname ********
ppp chap password 7 ******************
ppp pap sent-username ********** password 7 **************
crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 192.168.1.251 192.168.1.254
ip local pool SDM_POOL_2 192.168.1.70 192.168.1.80
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
ip nat inside source static udp 192.168.1.106 19354 interface Dialer0 19354
ip nat inside source static tcp 192.168.1.106 19354 interface Dialer0 19354
ip nat inside source static tcp 192.168.1.106 14662 interface Dialer0 14662
ip nat inside source static udp 192.168.1.106 14662 interface Dialer0 14662
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.16 20 17.1.1.216 20 extendable
ip nat inside source static tcp 192.168.1.16 21 17.1.1.216 21 extendable
ip nat inside source static tcp 192.168.1.16 80 17.1.1.216 80 extendable
ip nat inside source static tcp 192.168.1.17 25 17.1.1.217 25 extendable
ip nat inside source static tcp 192.168.1.17 80 17.1.1.217 80 extendable
ip nat inside source static tcp 192.168.1.17 110 17.1.1.217 110 extendable
ip nat inside source static tcp 192.168.1.17 443 17.1.1.217 443 extendable
ip nat inside source static tcp 192.168.1.19 25 17.1.1.219 25 extendable
ip nat inside source static udp 192.168.1.19 53 17.1.1.219 53 extendable
ip nat inside source static tcp 192.168.1.19 80 17.1.1.219 80 extendable
ip nat inside source static tcp 192.168.1.19 443 17.1.1.219 443 extendable
ip nat inside source static udp 192.168.1.16 53 17.1.1.220 53 extendable
!
!
ip access-list extended IPS_INBOUND
remark SDM_ACL Category=1
permit ip any host 17.1.1.219
permit ip any host 17.1.1.216
permit ip any host 17.1.1.217
ip access-list extended IPS_RULES
remark SDM_ACL Category=1
permit ip any 192.168.1.0 0.0.0.255
access-list 1 remark INSIDE_IF=Ethernet0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark SDM_ACL Category=2
access-list 100 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.251
access-list 100 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.252
access-list 100 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.253
access-list 100 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.254
access-list 100 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.70
access-list 100 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.71
access-list 100 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.72
access-list 100 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.73
access-list 100 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.74
access-list 100 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.75
access-list 100 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.76
access-list 100 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.77
access-list 100 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.78
access-list 100 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.79
access-list 100 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.80
access-list 100 deny ip any host 192.168.1.251
access-list 100 deny ip any host 192.168.1.252
access-list 100 deny ip any host 192.168.1.253
access-list 100 deny ip any host 192.168.1.254
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 remark Auto generated by SDM for NTP (123) 216.27.190.202
access-list 103 permit udp host 216.27.190.202 eq ntp host 192.168.1.99 eq ntp
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 permit gre any host 17.1.1.222
access-list 104 remark Auto generated by SDM for NTP (123) time.berkeley.netdot.net
access-list 104 permit udp host 216.27.190.202 eq ntp any eq ntp
access-list 104 permit tcp any host 17.1.1.222 eq 5050
access-list 104 permit tcp any host 17.1.1.222 eq 1863
access-list 104 permit tcp any host 17.1.1.222 eq 19354
access-list 104 permit udp any host 17.1.1.222 eq 19354
access-list 104 permit udp any host 17.1.1.222 eq 14662
access-list 104 permit tcp any host 17.1.1.222 eq 14662
access-list 104 permit tcp any host 17.1.1.219 eq 443
access-list 104 permit tcp any host 17.1.1.219 eq www
access-list 104 permit tcp any host 17.1.1.219 eq smtp
access-list 104 permit tcp any host 17.1.1.217 eq 443
access-list 104 permit tcp any host 17.1.1.217 eq pop3
access-list 104 permit tcp any host 17.1.1.217 eq www
access-list 104 permit tcp any host 17.1.1.217 eq smtp
access-list 104 permit tcp any host 17.1.1.219 eq ftp-data
access-list 104 permit tcp any host 17.1.1.219 eq ftp
access-list 104 permit tcp any host 17.1.1.216 eq ftp
access-list 104 permit tcp any host 17.1.1.216 eq ftp-data
access-list 104 permit tcp any host 17.1.1.216 eq www
access-list 104 permit udp any host 17.1.1.220 eq domain
access-list 104 permit udp any host 17.1.1.219 eq domain
access-list 104 permit udp host 194.30.220.117 eq domain any
access-list 104 permit ahp any any
access-list 104 permit esp any any
access-list 104 permit udp any any eq isakmp
access-list 104 permit udp any any eq non500-isakmp
access-list 104 permit ip host 192.168.1.80 192.168.1.0 0.0.0.255
access-list 104 permit ip host 192.168.1.79 192.168.1.0 0.0.0.255
access-list 104 permit ip host 192.168.1.78 192.168.1.0 0.0.0.255
access-list 104 permit ip host 192.168.1.77 192.168.1.0 0.0.0.255
access-list 104 permit ip host 192.168.1.76 192.168.1.0 0.0.0.255
access-list 104 permit ip host 192.168.1.75 192.168.1.0 0.0.0.255
access-list 104 permit ip host 192.168.1.74 192.168.1.0 0.0.0.255
access-list 104 permit ip host 192.168.1.73 192.168.1.0 0.0.0.255
access-list 104 permit ip host 192.168.1.72 192.168.1.0 0.0.0.255
access-list 104 permit ip host 192.168.1.71 192.168.1.0 0.0.0.255
access-list 104 permit ip host 192.168.1.70 192.168.1.0 0.0.0.255
access-list 104 permit ip host 192.168.1.254 192.168.1.0 0.0.0.255
access-list 104 permit ip host 192.168.1.253 192.168.1.0 0.0.0.255
access-list 104 permit ip host 192.168.1.252 192.168.1.0 0.0.0.255
access-list 104 permit ip host 192.168.1.251 192.168.1.0 0.0.0.255
access-list 104 deny ip 192.168.1.0 0.0.0.255 any
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any unreachable
access-list 104 deny ip 10.0.0.0 0.255.255.255 any
access-list 104 deny ip 172.16.0.0 0.15.255.255 any
access-list 104 deny ip 192.168.0.0 0.0.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip host 0.0.0.0 any
access-list 104 deny ip any any log
dialer-list 1 protocol ip permit
snmp-server community public RO
!
route-map SDM_RMAP_1 permit 1
match ip address 100
!
!
control-plane
!
!
line con 0
no modem enable
transport preferred all
transport output all
line aux 0
transport preferred all
transport output all
line vty 0 4
transport preferred all
transport input telnet ssh
transport output all
!
scheduler max-task-time 5000
ntp clock-period 17179900
ntp server 216.27.190.202 prefer
!
end

chatasos
19-04-05, 15:06
Try replacing


ip nat inside source static tcp 192.168.1.17 25 17.1.1.217 25 extendable
ip nat inside source static tcp 192.168.1.17 80 17.1.1.217 80 extendable
ip nat inside source static tcp 192.168.1.17 110 17.1.1.217 110 extendable
ip nat inside source static tcp 192.168.1.17 443 17.1.1.217 443 extendable

with


ip nat inside source static 192.168.1.17 17.1.1.217

EdpCal
19-04-05, 17:13
Thanks chatasos, I'll try it tonight ....

EdpCal
20-04-05, 14:35
You were absolutely right chatasos, it worked, thanks ....

chatasos
20-04-05, 15:15
In any case there is another solution as well, if you want to keep the 4 lines you have already written (for more security?): use a NAT pool with only 1 address (the server's) and an access list of the packets you want to "process".
If you're interested, let me know...

EdpCal
20-04-05, 15:47
To tell you the truth chatasos, I would like to see it if it's not too much trouble .... It's fine this way too, though ... in any case, for inbound traffic the firewall blocks everything else.

chatasos
20-04-05, 17:09
Try the following:



!
ip nat pool exchange-server 17.1.1.217 17.1.1.217 netmask 255.255.255.240
!
ip nat inside source list 105 pool exchange-server
!
access-list 105 permit tcp host 192.168.1.17 any eq 25
!

With the above list, the Exchange server will go out with the IP in the NAT pool (17.1.1.217) only when it wants to send mail (dest = tcp 25).

PS: Of course you have to remove the line I mentioned earlier and add back your 4 (old) lines (to cover the inbound traffic).
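Added example (not the thread's own code): a small Python model of the three NAT layouts discussed in this thread, the original four static PAT lines, the one-to-one static, and the pool plus access-list 105, showing which outside address an outbound SMTP connection from the Exchange server gets under each. The destination addresses and source ports are constructed, and the precedence between rule types (static before the ACL-selected pool, pool before the interface overload) is an assumption of the model that the thread relies on but does not verify.

```python
# Added model (not from the thread) of how the router picks the outside source
# address for an inside-to-outside flow under the three NAT layouts discussed.
# Assumed precedence: static entries, then the ACL-selected pool, then overload.
DIALER0_IP = "17.1.1.222"      # negotiated Dialer0 address quoted in the thread
EXCHANGE = "192.168.1.17"
EXCHANGE_PUBLIC = "17.1.1.217"

# The four static PAT lines of the original config: (proto, local ip, local port, global ip, global port).
FOUR_PORT_STATICS = [
    ("tcp", EXCHANGE, p, EXCHANGE_PUBLIC, p) for p in (25, 80, 110, 443)
]

def acl_105(proto, src, dst, dport):
    """access-list 105 permit tcp host 192.168.1.17 any eq 25"""
    return proto == "tcp" and src == EXCHANGE and dport == 25

def translate(flow, static_port=(), static_host=(), acl_pool=None):
    """Return (outside source ip, outside source port) for an outbound flow."""
    proto, src, sport, dst, dport = flow
    # Static PAT matches only when the packet's *source* port equals the configured
    # local port; an outbound SMTP client uses an ephemeral port, so it never matches.
    for p, lip, lport, gip, gport in static_port:
        if p == proto and src == lip and sport == lport:
            return gip, gport
    # Static one-to-one covers every port of the host.
    for lip, gip in static_host:
        if src == lip:
            return gip, sport
    # Policy NAT: flows permitted by the ACL are translated to the pool address.
    if acl_pool is not None:
        acl, pool_ip = acl_pool
        if acl(proto, src, dst, dport):
            return pool_ip, sport
    # Everything else is overloaded onto the Dialer0 address.
    return DIALER0_IP, sport

# Constructed flows: Exchange sending mail, and Exchange fetching a web page.
SMTP_OUT = ("tcp", EXCHANGE, 40123, "198.51.100.10", 25)
HTTP_OUT = ("tcp", EXCHANGE, 40124, "198.51.100.20", 80)

def original_layout(flow):      # four static PAT lines + interface overload
    return translate(flow, static_port=FOUR_PORT_STATICS)

def one_to_one_layout(flow):    # the first suggestion: one static 1:1 entry
    return translate(flow, static_host=[(EXCHANGE, EXCHANGE_PUBLIC)])

def policy_layout(flow):        # four static PAT lines + pool selected by list 105
    return translate(flow, static_port=FOUR_PORT_STATICS,
                     acl_pool=(acl_105, EXCHANGE_PUBLIC))
```

Under the original layout the SMTP flow falls through to 17.1.1.222, which is exactly the symptom in the first post; the policy layout moves only destination-port-25 traffic to 17.1.1.217 and leaves the server's other outbound traffic on the Dialer0 address.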

EdpCal
20-04-05, 17:14
Very good, thank you chatasos for your time and effort ....

© ADSLgr.com All rights reserved.