Firewall Wizards mailing list archives

RE: Cisco configuration question


From: "Andrew J. Luca" <andrewluca () mediaone net>
Date: Fri, 11 Feb 2000 10:13:59 -0500

Michael,

        I think that part of your problem might be that if you are using an
Exchange Client (like Outlook) it is going to be trying to use UDP to
connect to the server.  At least it is going to be trying to interrogate the
server using UDP before connecting.  There is a small app called RPCping32
which Microsoft supplies on the Exchange Server CDs which you can use to
test connectivity.  Put this onto the server and run the client from the
local network.  If it works, then the problem is with the router which is
what I suspect that you will find.

        Having UDP allowed -- especially in the port range that you will have to
allow to make this work (unless you can use an adaptive filtering strategy) --
is not such a great idea, but you have to decide how important this is to
you.

Just my opinion
Drew

-----Original Message-----
From: owner-firewall-wizards () lists nfr net
[mailto:owner-firewall-wizards () lists nfr net]On Behalf Of Michael Bitow
Sent: Monday, February 07, 2000 5:57 PM
To: 'firewall-wizards () nfr net'
Subject: Cisco configuration question


Hi,

  I am currently working out a small problem that I can't seem to get past.
I'm trying to get our mail server, an Exchange box, out of the DMZ, and
behind a Cisco 3640.  Right now, it looks like this:


                          1.2.3.5
   |----------|     |----------|                 |-----------------------|
---|   DSL    |--+--| Exchange |-----------------|                       |
   |----------|  |  |----------| 10.1.1.2        |  10.1.1.x             |
                 |                               |  hub to network       |
                 |                               |                       |
                 |  |----------| 10.1.1.1        |                       |
                 +--|   3640   |-----------------|                       |
                    |  w/NAT   |                 |-----------------------|
           1.2.3.4  |----|-----|
                         |
                         | 10.1.3.x etc
                   To other networks


 One interface on the Exchange and one on the 3640 have public addresses; the
rest of the network is private.  The problem I am having is that mail
connections were getting rejected.  I had the router doing NAT, allowing all
connections.  I figured I would tighten it up once I got it working.  The DSL
is a bridge only, no routing.

  Is there a way to have the mail server behind the router when doing NAT?
I believe there is, but have been unable to get it to work.  Currently, I
only have basic knowledge in router configuration.  The configuration I
tried was:

interface FastEthernet0/0
 description connected LAN
 ip address 10.1.1.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside

interface FastEthernet2/0
 description connected to Internet
 ip address 1.2.3.4 255.255.255.0
 no ip directed-broadcast
 ip nat outside

ip nat inside source list 1 interface FastEthernet2/0 overload
ip classless

ip route 0.0.0.0 0.0.0.0 FastEthernet2/0
ip route 10.1.1.0 255.255.255.0 10.1.1.1

access-list 1 permit 10.1.1.0 0.0.0.255
access-list 101 permit tcp any 1.2.3.0 0.0.0.255 established
access-list 101 permit tcp any host 10.1.1.2 eq smtp

 I thought it should work; it didn't.

  Ultimately, I would like to use one outside address, have all the traffic
go through the router, with the Exchange box behind the router.

 Any ideas on how I was mucking it up?



Thanks

Michael Bitow
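
A configuration along the lines Michael is asking about, added here as an illustration and not taken from either message. It reuses his addresses and interface names, forwards only TCP/25 on the single outside address 1.2.3.4 to 10.1.1.2, and supplies the two pieces his fragment lacked: a static mapping for the mail server and the access-list actually bound to the outside interface.

```cisco
! Added example (not from the thread): the poster's NAT/ACL fragment with
! the missing pieces, keeping his addresses (1.2.3.4 outside, 10.1.1.2
! Exchange) and his goal of a single public address.
interface FastEthernet0/0
 description connected LAN
 ip address 10.1.1.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside

interface FastEthernet2/0
 description connected to Internet
 ip address 1.2.3.4 255.255.255.0
 no ip directed-broadcast
 ip nat outside
 ! The original defined access-list 101 but never applied it; the filter
 ! only takes effect once it is bound to an interface.
 ip access-group 101 in

! Dynamic PAT for outbound traffic from the LAN (as in the original).
ip nat inside source list 1 interface FastEthernet2/0 overload
! Static port mapping: only TCP/25 arriving on the outside address is
! handed to the Exchange box; nothing else on 10.1.1.2 is reachable.
ip nat inside source static tcp 10.1.1.2 25 interface FastEthernet2/0 25

! 10.1.1.0/24 is directly connected, so the original's static route for it
! is unnecessary; the default route is all that is needed.
ip route 0.0.0.0 0.0.0.0 FastEthernet2/0

access-list 1 permit 10.1.1.0 0.0.0.255
! An inbound ACL on the outside interface is evaluated before NAT rewrites
! the destination, so it must name the public address, not 10.1.1.2.
access-list 101 permit tcp any host 1.2.3.4 eq smtp
access-list 101 permit tcp any 1.2.3.0 0.0.0.255 established
! Replies to the LAN's own DNS lookups are UDP and are not matched by
! "established"; permit only those rather than a broad UDP range.
access-list 101 permit udp any eq domain host 1.2.3.4 gt 1023
access-list 101 deny ip any any log
```

With the mapping keyed to the interface rather than a second address, the Exchange box can give up its 1.2.3.5 interface entirely, which is the end state the original post describes.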
