NAT for Postini on Cisco IOS

So I'm not finding a whole lot of help on setting up NAT on my Cisco 2811 to allow Postini access to our Exchange 2007 server. Anyone know where I can find some info on this, (maybe even a howto, if one exists).

I'm guessing that I need to allow access from the Postini IP block, (64.18.0.0/20) to the mail server. Of course, I was always terrible with NAT, so that could be part of the issue.

Seriously, though, if anyone has any insights into this, has done it before, or can point me somewhere useful, I'd really appreciate.

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

Bl8ckr0uter

Slowhand wrote: »

So I'm not finding a whole lot of help on setting up NAT on my Cisco 2811 to allow Postini access to our Exchange 2007 server. Anyone know where I can find some info on this, (maybe even a howto, if one exists).

I'm guessing that I need to allow access from the Postini IP block, (64.18.0.0/20) to the mail server. Of course, I was always terrible with NAT, so that could be part of the issue.

Seriously, though, if anyone has any insights into this, has done it before, or can point me somewhere useful, I'd really appreciate.

I have used this for basic nat configuration
Configuring Network Address Translation: Getting Started - Cisco Systems

Sorry if this is to basic or if it does not help at all. I just thought I would throw this out there.

Slowhand

knwminus wrote: »

I have used this for basic nat configuration
Configuring Network Address Translation: Getting Started - Cisco Systems

Sorry if this is to basic or if it does not help at all. I just thought I would throw this out there.

Oh, I've seen that old page plenty of times, but this is a bit more specific to Postini and what's required for getting our mail flowing. Seems like a lot of people ask this question, but there's rarely a reasonable answer. According to the answers in that thread, it was a matter of adding a static route from 64.18.0.0/20, but everything I did seemed to leave me borked. So, I figured I'd start from scratch and see if anyone's had to configure Postini access on a Cisco router before.

Slowhand

I'm thinking that I might have the answer, but I won't know for sure until later tonight when I can mess around with the network and no users are around. (Again, keep in mind that I'm stupid when it comes to NAT, for some reason, and this is my own meandering based on the discussion on Experts-Exchange).

ip nat inside source static tcp 192.168.80.31 25 interface FastEthernet0/0 25

Where 192.168.80.31 is the mail server and FastEthernet0/0 is the outside interface, I believe that this will pass any traffic that hits fa0/0 on port 25 to the mail server. Can anyone confirm this?

Gee, I love hitting brick-walls on my hot-button topics, like NAT. They make my gray hairs come in faster.

dynamik

Doesn't Postini just accept email for your domain and then forward it to your mail server?

Is there anything else unique that has to be taken into account when setting this up?

rsutton

dynamik wrote: »

Doesn't Postini just accept email for your domain and then forward it to your mail server?

Is there anything else unique that has to be taken into account when setting this up?

It's best to configure your firewall to only accept incoming mail traffic from the Postini block. Even though your MX records will point to Postini, it's still possible to send spam directly to your mail server unless you block it.

dynamik

rsutton wrote: »

It's best to configure your firewall to only accept incoming mail traffic from the Postini block. Even though your MX records will point to Postini, it's still possible to send spam directly to your mail server unless you block it.

Yea, but isn't that straight-forward? Maybe I'm just giving Slowhand more credit than he deserves

rsutton

dynamik wrote: »

Yea, but isn't that straight-forward? Maybe I'm just giving Slowhand more credit than he deserves

I have not found many things to be straight forward in IT.

Slowhand

I'm basically just concerned with the NAT setup right now. I can block out all traffic not from Postini with ZBF, but I need to know that the traffic to my mail server is crossing the router to begin with.

Slowhand

dynamik wrote: »

Doesn't Postini just accept email for your domain and then forward it to your mail server?

Is there anything else unique that has to be taken into account when setting this up?

Oh, I'm sure it's straightforward. It's just that I'm "special" when it comes to NAT, it's one of those topics that just keeps driving me crazy. I'm thinking that the command I put up earlier is the right one, but I won't know until Mike or one of the other Cisco Uber-Gurus gives me some feedback and I can stop feeling like I should have my mittens pinned to my sweater. I need an adult!

mikej412

Sounds like you need an acl on your outside interface that allows inbound SMTP traffic only from a specific source (or block of addresses).

And something like the opposite of an ip nat inside source static command -- an ip nat outside source static tcp.... command -- that could map an outside global ip addess/port to an inside private ip address/port.....

Slowhand

mikej412 wrote: »

Sounds like you need an acl on your outside interface that allows inbound SMTP traffic only from a specific source (or block of addresses).

And something like the opposite of an ip nat inside source static command -- an ip nat outside source static tcp.... command -- that could map an outside global ip addess/port to an inside private ip address/port.....

Heh, looks like I've got some tinkering to do when I get back to the office. . . and maybe it'll actually work this time. Thanks, Mike!

AllenFalcon

Slowhand wrote: »

So I'm not finding a whole lot of help on setting up NAT on my Cisco 2811 to allow Postini access to our Exchange 2007 server. Anyone know where I can find some info on this, (maybe even a howto, if one exists).

I'm guessing that I need to allow access from the Postini IP block, (64.18.0.0/20) to the mail server. Of course, I was always terrible with NAT, so that could be part of the issue.

Seriously, though, if anyone has any insights into this, has done it before, or can point me somewhere useful, I'd really appreciate.

Slowhand,

Don't confuse NAT with the security policy you need in place. To get Postini working inbound in a way that does NOT allow spammers to bypass the filters, you need the following:

1) You need to NAT (network address translate) the internal IP address of your email server to a single, public IP.
2) Configure Postini to forward email to this public IP as your email server
3) Configure your DNS MX records to have all email routed to Postini, and NOT your email server by name or by public IP
4) Setup a security rule on your firewall to only allow inbound SMTP (port 25) traffic from the Postini address range.

In all of the replies so far, the advice is not separating out these four steps.

Regards,
Allen
www.horizoninfoservices.com
A Google Enterprise Partner
Google Postini Services Authorized Reseller

Slowhand

AllenFalcon wrote: »

Slowhand,

Don't confuse NAT with the security policy you need in place. To get Postini working inbound in a way that does NOT allow spammers to bypass the filters, you need the following:

1) You need to NAT (network address translate) the internal IP address of your email server to a single, public IP.
2) Configure Postini to forward email to this public IP as your email server
3) Configure your DNS MX records to have all email routed to Postini, and NOT your email server by name or by public IP
4) Setup a security rule on your firewall to only allow inbound SMTP (port 25) traffic from the Postini address range.

In all of the replies so far, the advice is not separating out these four steps.

Regards,
Allen
www.horizoninfoservices.com
A Google Enterprise Partner
Google Postini Services Authorized Reseller

I appreciate the feedback. Steps 2 and 3 are already completed, (we have an old SonicWall just itching to be retired that already forwards Postini traffic, set up by someone else). I'm mainly concerned with the proper syntax for step one, I mentioned what you said in step 4 as an either-or for allowing all traffic on port 25 or just traffic from Postini through NAT.

AllenFalcon

Slowhand wrote: »

I appreciate the feedback. Steps 2 and 3 are already completed, (we have an old SonicWall just itching to be retired that already forwards Postini traffic, set up by someone else). I'm mainly concerned with the proper syntax for step one, I mentioned what you said in step 4 as an either-or for allowing all traffic on port 25 or just traffic from Postini through NAT.

The following two commands will set up a single IP address NAT, mapping a public IP address from your ISP to a specific IP address inside your network.

First you need to establish that you want to NAT from the inside interface (assuming you have named that Ethernet port "inside")

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Then you can setup a static NAT as follows:

static (inside,outside) <public ip address> <internal ip address> netmask 255.255.255.255 0 0

Slowhand

AllenFalcon wrote: »

The following two commands will set up a single IP address NAT, mapping a public IP address from your ISP to a specific IP address inside your network.

First you need to establish that you want to NAT from the inside interface (assuming you have named that Ethernet port "inside")

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Then you can setup a static NAT as follows:

static (inside,outside) <public ip address> <internal ip address> netmask 255.255.255.255 0 0

Again, thanks for the response. I'm going to be doing the graveyard-shift tonight, banging my head against the router-deployment project again. (While reading up on NAT, in general, until then.) Between your answers and the one from Mike, above, I shouldn't cause too much damage.

Slowhand

dynamik wrote: »

Maybe I'm just giving Slowhand more credit than he deserves

Way too much credit.

For some odd reason, NAT just seems to be one of those subjects for me that doesn't sink in easily, (I have the same problem with trigonometry, which is kind of bad now that I'm studying calculus,) so it's time to hit the books again once I'm done getting this router-deployment off my plate. That's right: I figured out how to work with ZBF, I got SSL VPN working properly, but NAT escapes me. I'm just going to go over here and cry. . .

On a more serious note, this is one of those cases where I had to bite the bullet and start asking questions. Sure, I passed the CCNA with flying colors and I had NAT down in theory way back then, but you know how those reality-checks go: sometimes you don't know as much as you think when it's time to play ball. I can't be too proud to ask some noob-questions every once in a while when I'm stuck, or I won't learn a damn thing, (despite any teasing from dynamik

dynamik

If it's any consolation, I'm better at calc than trig as well

Slowhand

Yarg! If it's not one damn thing, it's another. So, I stopped being a dumbass and finally got my head on straight with my NAT for mail-delivery. I stopped trying to draw a straight line between Postini and my mail server, realizing I just needed to pass port 25 traffic from the outside interface (FastEthernet 0/0) to the inside mail server (192.168.80.31 in this case). So mail flows just fine, as does every other type of traffic. . . except on ports 80 and 443. Grrrr. (Looks like NAT issues are my new pet peeve.)

So, here's what I've got on my 2811 router:

Current NAT statements (with the public IP scrubbed for this demonstration):

ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.80.31 25 1.2.3.4 25 extendable
ip nat inside source static tcp 192.168.80.13 80 1.2.3.4 80 extendable
ip nat inside source static tcp 192.168.80.13 443 1.2.3.4 443 extendable

ACL 1 looks like this:

access-list 1 permit 192.168.80.0 0.0.0.255

Things to note here are that I've tried hitting multiple machines running web servers, neither port 80 or 443 will translate properly. I've tried turning off the router's internal HTTP server - no ip http server and no ip http secure-server - in order to make sure it's not the router answering the web-requests, and still nothing. (When the router's web server is active, it answers on and asks for username/password; when the router doesn't have a web server active, I just get an error that the address is unreachable.) Mail traffic flows just fine, other ports seem to be working just fine when I do things like experiment with RDP or SSH access to various machines from the outside, and all machines on the inside of the network can reach the outside. All ACLs and the ZBF firewall are disabled so traffic can flow freely. It's just ports 80 and 443 that won't translate through NAT, and I've done everything I could think of to make sure that there wasn't something else interfering with those translations. Anyone have any thoughts, anything I'm not thinking of?

If I need to post the whole running-config, I can do that. Right now, however, I'm too worn out from dealing with this stuff all night, (from 11pm until 6am,) to go back in the server room to hook the router back up so I can remote in and print the config.

Slowhand

Alright, so I'm not as lazy as we thought.

Here's the running-config (sanitized to protect the, err. . . "innocent"):

Giygas(config)#do show run
Building configuration...

Current configuration : 7341 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Giygas
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ADUSERS group radius
aaa authorization exec default local 
!
!
aaa session-id common
!         
dot11 syslog
ip source-route
!
!
ip cef
!
!
ip domain list domain.priv
ip domain list domain.com
ip domain list domain2.com
ip domain name domain.priv
ip name-server 192.168.80.16
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-2915001151
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2915001151
 revocation-check none
 rsakeypair TP-self-signed-2915001151
!         
!
crypto pki certificate chain TP-self-signed-2915001151
 certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 32393135 30303131 3531301E 170D3039 30373233 31323032 
  33355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 39313530 
  30313135 3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 
  8100D27F 44702970 242892DA 35B58DDA FBC70744 9A4B1939 6B3E299D 4723AAFD 
  63D50977 A8F51F26 B17531A9 FF8F02CA CDD99EC3 AE54CBC9 32392881 8A37DA27 
  A580CB14 22FD0AEF 2F64742C 71885AE6 B9CD9915 7546BCF3 9224DE53 6955D537 
  9E4E6503 C98295C8 87221230 B79F23BD 3B53F342 EEFB6BB9 0EADAF9C 554FE841 
  C0EB0203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603 
  551D1104 1B301982 17476979 6761732E 6D696E64 636F6E74 726F6C2E 70726976 
  301F0603 551D2304 18301680 148E9F14 4CF5F65C 6B83EFB8 9401ADD8 C70508A9 
  09301D06 03551D0E 04160414 8E9F144C F5F65C6B 83EFB894 01ADD8C7 0508A909 
  300D0609 2A864886 F70D0101 04050003 8181005D 2B42FB1C CA2D4F94 5CBB282A 
  6A8E2353 42F9A2BE 6AB7579E 32664CCD 01C8FDE3 35E64294 58F6B3BD 29976D28 
  A6AEE3F0 76667C67 D4DC4ACC EDDCA9E2 FF78B0AF 20190B63 DB96935B 804F73C9 
  0C96F2D4 45B1A2F8 7FA1C8DC CF42C4E2 030B7C10 A5B31A5B 02D42AEC 6CF8D1E4 
  7EE13662 94797C80 79EA728E 803AA098 378DF1
        quit
!
!
username admin privilege 15 secret 5 $1$7DcD$e/zVT2BB9tsgAcmBmqA2K/
archive
 log config
  hidekeys
! 
!
!
!
!
!
class-map type inspect match-any WAN-to-LAN
 match access-group 101
class-map type inspect match-any WAN-to-DMZ
 match access-group 102
class-map type inspect match-any ALL_TRAFFIC
 match access-group 100
!
!
policy-map type inspect WAN-to-LAN
 class type inspect WAN-to-LAN
  inspect 
 class class-default
  drop
policy-map type inspect WAN-to-DMZ
 class type inspect WAN-to-DMZ
  inspect 
 class class-default
  drop
policy-map type inspect ALL_TRAFFIC
 class type inspect ALL_TRAFFIC
  inspect 
 class class-default
  drop
!
zone security LAN
zone security WAN
zone security DMZ
zone-pair security LAN-to-WAN source LAN destination WAN
 service-policy type inspect ALL_TRAFFIC
zone-pair security LAN-to-DMZ source LAN destination DMZ
 service-policy type inspect ALL_TRAFFIC
zone-pair security WAN-to-LAN source WAN destination LAN
 service-policy type inspect WAN-to-LAN
zone-pair security WAN-to-DMZ source WAN destination DMZ
 service-policy type inspect WAN-to-DMZ
zone-pair security DMZ-to-WAN source DMZ destination WAN
 service-policy type inspect ALL_TRAFFIC
!
!
!
interface Loopback0
 description VPN Addresses
 ip address 192.168.100.1 255.255.255.0
 ip virtual-reassembly
!
interface FastEthernet0/0
 description WAN
 ip address 1.2.3.5 255.255.255.240 secondary
 ip address 1.2.3.4 255.255.255.240
 ip nat outside
 ip virtual-reassembly
 duplex full
 speed 10
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.1
 description LAN
 encapsulation dot1Q 80
 ip address 192.168.80.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/1.2
 description DMZ
 encapsulation dot1Q 90
 ip address 1.2.3.4.6 255.255.255.240
 ip virtual-reassembly
!
interface Dot11Radio0/0/0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio0/0/1
 no ip address
 shutdown
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
!
ip local pool VPN_USERS 192.168.100.2 192.168.100.254
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 1.2.3.3
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.80.31 25 1.2.3.4 25 extendable
ip nat inside source static tcp 192.168.80.13 80 1.2.3.4 80 extendable
ip nat inside source static tcp 192.168.80.13 443 1.2.3.4 443 extendable
!
ip radius source-interface FastEthernet0/1.1 
access-list 1 permit 192.168.80.0 0.0.0.255
access-list 100 permit ip any any
access-list 101 remark This access-list is used for WAN-to-LAN traffic
access-list 101 permit tcp any host 192.168.80.130 eq 22
access-list 101 permit tcp any eq 8235 host 192.168.80.130 eq 5900
access-list 101 permit tcp any eq 4569 host 192.168.80.6 eq 3889
access-list 101 permit tcp any eq 4570 host 192.168.80.11 eq 3889
access-list 101 permit tcp any host 192.168.80.13 eq www
access-list 101 permit tcp any host 192.168.80.13 eq 990
access-list 101 permit tcp any host 192.168.80.13 eq 999
access-list 101 permit tcp any host 192.168.80.13 eq 5721
access-list 101 permit tcp any host 192.168.80.13 eq 5679
access-list 101 permit tcp any host 192.168.80.13 eq 26675
access-list 101 permit tcp any host 192.168.80.31 eq smtp
access-list 101 permit tcp any host 192.168.80.13 eq 6001
access-list 101 permit udp any host 192.168.80.13 eq 6001
access-list 101 deny   ip any any
access-list 102 remark This access-list is used for WAN-to-DMZ traffic
!
!
!
!
radius-server host 192.168.80.22 auth-port 1645 acct-port 1646 key 

#############################################################
!         
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
webvpn gateway MCS_SSL
 ip address 1.2.3.5 port 443  
 http-redirect port 80
 ssl trustpoint TP-self-signed-2915001151
 inservice
 !
webvpn install svc flash:/webvpn/anyconnect-win-2.3.2016-k9.pkg sequence 1
 !
webvpn install svc flash:/webvpn/anyconnect-macosx-i386-2.3.2016-k9.pkg sequence 2
 !
webvpn context ALLSTAFF
 secondary-color white
 title-color #CCCC66
 text-color black
 ssl authenticate verify all
 !
 !
 policy group MCS_VPN
   functions svc-enabled
   svc address-pool "VPN_USERS"
   svc default-domain "domain.priv"
   svc keep-client-installed
   svc split dns "domain.priv"
   svc split include 192.168.80.0 255.255.255.0
   svc split include 192.168.100.0 255.255.255.0
   svc split include 192.168.70.0 255.255.255.0
   svc dns-server primary 192.168.80.16
   svc dns-server secondary 192.168.80.10
 default-group-policy MCS_VPN
 aaa authentication list ADUSERS
 gateway MCS_SSL
 inservice
!
end

And a show version for good measure:

Giygas(config)#do show version
Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version 12.4(24)T1, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Fri 19-Jun-09 15:13 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

Giygas uptime is 2 hours, 59 minutes
System returned to ROM by reload at 10:33:57 UTC Thu Aug 27 2009
System image file is "flash:c2800nm-advsecurityk9-mz.124-24.T1.bin"

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 2811 (revision 53.51) with 247808K/14336K bytes of memory.
Processor board ID ##########
2 FastEthernet interfaces
1 Virtual Private Network (VPN) Module
2 802.11 Radios
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102

I can configure ZBF, I got SSL VPN with AnyConnect working, and I even managed to get AAA to authenticate VPN users through RADIUS by talking to a Windows 2008 RAS server. . . but I can't get these NAT issues resolved. Yup, still crying.

Slowhand

Looks like it's going to be time for me to break down my config and go through it, step by step, from the beginning, to see where it is NAT on port 80 and 443 breaks. It's going to be a fun weekend.

Slowhand

Just a little update: with NAT finally having been resolved and the configuration of a VPN tunnel, my router-deployment project is finally finished!

As soon as I've completed some post-deployment tasks and I'm back in the land of the living, (I've been working the graveyard shift ever since this project started,) I'm going to post a tutorial (or three) on some of the things I've learned about during my battles with the router. I'd like to post on how to configure SSL VPN, how to make ZBF play nice with other technologies, and pitfalls to watch out for when setting up an IPSec VPN tunnel between a Cisco router and another vendor's device, (in this case, a Juniper firewall).

If this project has taught me anything, it's that you're never too advanced to learn some newbie-things. One piece of advice I can give anyone out there, expert or novice, is this: swallow your pride and ask questions when your'e stuck, regardless of how simple it may seem. You won't get anywhere on pride if you can't figure it out on your own, and you certainly won't learn anything new if you can't get out of the hole you're in. So take your lumps and ask those questions, open up tickets with TAC, as long as the job gets done and you learn from your mistakes it's all worth it.