Michael, I think that part of your problem might be that if you are using an Exchange Client (like Outlook) it is going to be trying to use UDP to connect to the server. At least it is going to be trying to interrogate the server using UDP before connecting. There is a small app called RPCping32 which Microsoft supplies on the Exchange Server CDs which you can use to test connectivity. Put this onto the server and run the client from the local network. If it works, then the problem is with the router, which is what I suspect that you will find.

Having UDP allowed -- especially in the port range that you will have to allow to make this work (unless you can use an adaptive filtering strategy), is not such a great idea, but you have to decide how important this is to you.

Just my opinion

Drew

-----Original Message-----
From: owner-firewall-wizardsat_private [mailto:owner-firewall-wizardsat_private] On Behalf Of Michael Bitow
Sent: Monday, February 07, 2000 5:57 PM
To: 'firewall-wizardsat_private'
Subject: Cisco configuration question

Hi,

I am currently working out a small problem that I can't seem to get past. I'm trying to get our mail server, an Exchange box, out of the DMZ and behind a Cisco 3640. Right now, it looks like this:

              1.2.3.5
            |----------|     |----------|     |----------------------|
   ---------|   DSL    |-----| Exchange |-----|                      |
            |----------|     |----------|     |   10.1.1.x           |
                 |            10.1.1.2        |   hub to network     |-----
                 |                            |                      |
                 |           |-----------|    |                      |
                 |-----------|   3640    |----|----------------------|
              1.2.3.4        |   w/NAT   | 10.1.1.1     |
                             |-----------|              | 10.1.3.x etc
                                                        To other networks

One interface on the Exchange and one on the 3640 have public addresses; the rest of the network is private. The problem I am having is that mail connections were getting rejected. I had the router doing NAT, allowing all connections. I figured I would tighten it up once I got it working. The DSL is a bridge only, no routing.

Is there a way to have the mail server behind the router when doing NAT? I believe there is, but have been unable to get it to work. Currently, I only have basic knowledge in router configuration. The configuration I tried was:

interface FastEthernet0/0
 description connected LAN
 ip address 10.1.1.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside
!
interface FastEthernet2/0
 description connected to Internet
 ip address 1.2.3.4 255.255.255.0
 no ip directed-broadcast
 ip nat outside
!
ip nat inside source list 1 interface FastEthernet2/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet2/0
ip route 10.1.1.0 255.255.255.0 10.1.1.1
!
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 101 permit tcp any 1.2.3.0 0.0.0.255 established
access-list 101 permit tcp any host 10.1.1.2 eq smtp

I thought it should work; it didn't. Ultimately, I would like to use one outside address, have all the traffic go through the router, with the Exchange box behind the router. Any ideas on how I was mucking it up?

Thanks

Michael Bitow
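An added example, not part of either message, of how the router side of this could be written in IOS if the single public address 1.2.3.4 is to front the Exchange box for SMTP only: the interface names and addresses come from Michael's posted config, while the static port translation, the placement of access-list 101 on the outside interface and the pre-translation addressing in that list are assumptions about what he is trying to reach (this covers inbound SMTP only, not the RPC/UDP client traffic Drew describes).

```cisco
! Inside interface: LAN side, NAT inside
interface FastEthernet0/0
 description connected LAN
 ip address 10.1.1.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside
!
! Outside interface: Internet side, NAT outside.
! The posted config never applied list 101 anywhere; it is applied inbound here.
interface FastEthernet2/0
 description connected to Internet
 ip address 1.2.3.4 255.255.255.0
 no ip directed-broadcast
 ip nat outside
 ip access-group 101 in
!
! Outbound LAN traffic hides behind the interface address, as in the original
ip nat inside source list 1 interface FastEthernet2/0 overload
!
! Inbound TCP/25 to the router's public address is handed to the Exchange box.
! Only that one port is translated; nothing else reaches 10.1.1.2 from outside.
ip nat inside source static tcp 10.1.1.2 25 interface FastEthernet2/0 25
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet2/0
!
access-list 1 permit 10.1.1.0 0.0.0.255
!
! An inbound ACL on the outside interface is checked BEFORE the outside-to-inside
! translation, so it must name the public address 1.2.3.4, not 10.1.1.2.
! The original "permit tcp any host 10.1.1.2 eq smtp" can never match there.
access-list 101 permit tcp any host 1.2.3.4 eq smtp
access-list 101 permit tcp any 1.2.3.0 0.0.0.255 established
! Explicit final deny with logging so rejected connection attempts are visible
access-list 101 deny ip any any log
```

The static route for 10.1.1.0/24 is omitted because that network is directly connected on FastEthernet0/0; `show ip nat translations` and the log entries from the final deny are the quickest way to see whether inbound SMTP is being translated or filtered.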
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:03:11 PDT