NAT for Postini on Cisco IOS

SlowhandSlowhand Mod Posts: 5,161 Mod
So I'm not finding a whole lot of help on setting up NAT on my Cisco 2811 to allow Postini access to our Exchange 2007 server. Anyone know where I can find some info on this, (maybe even a howto, if one exists).

I'm guessing that I need to allow access from the Postini IP block, (64.18.0.0/20) to the mail server. Of course, I was always terrible with NAT, so that could be part of the issue. icon_lol.gif

Seriously, though, if anyone has any insights into this, has done it before, or can point me somewhere useful, I'd really appreciate it.

Free Microsoft Training: Microsoft Learn
Free PowerShell Resources: Top PowerShell Blogs
Free DevOps/Azure Resources: Visual Studio Dev Essentials

Let it never be said that I didn't do the very least I could do.

Comments

  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    Slowhand wrote: »
    So I'm not finding a whole lot of help on setting up NAT on my Cisco 2811 to allow Postini access to our Exchange 2007 server. Anyone know where I can find some info on this, (maybe even a howto, if one exists).

    I'm guessing that I need to allow access from the Postini IP block, (64.18.0.0/20) to the mail server. Of course, I was always terrible with NAT, so that could be part of the issue. icon_lol.gif

    Seriously, though, if anyone has any insights into this, has done it before, or can point me somewhere useful, I'd really appreciate it.


    I have used this for basic nat configuration
    Configuring Network Address Translation: Getting Started - Cisco Systems

    Sorry if this is too basic or if it does not help at all. I just thought I would throw this out there.
  • SlowhandSlowhand Mod Posts: 5,161 Mod
    knwminus wrote: »
    I have used this for basic nat configuration
    Configuring Network Address Translation: Getting Started - Cisco Systems

    Sorry if this is too basic or if it does not help at all. I just thought I would throw this out there.

    Oh, I've seen that old page plenty of times, but this is a bit more specific to Postini and what's required for getting our mail flowing. Seems like a lot of people ask this question, but there's rarely a reasonable answer. According to the answers in that thread, it was a matter of adding a static route from 64.18.0.0/20, but everything I did seemed to leave me borked. So, I figured I'd start from scratch and see if anyone's had to configure Postini access on a Cisco router before.
  • SlowhandSlowhand Mod Posts: 5,161 Mod
    I'm thinking that I might have the answer, but I won't know for sure until later tonight when I can mess around with the network and no users are around. (Again, keep in mind that I'm stupid when it comes to NAT, for some reason, and this is my own meandering based on the discussion on Experts-Exchange).

    ip nat inside source static tcp 192.168.80.31 25 interface FastEthernet0/0 25

    Where 192.168.80.31 is the mail server and FastEthernet0/0 is the outside interface, I believe that this will pass any traffic that hits fa0/0 on port 25 to the mail server. Can anyone confirm this?

    Gee, I love hitting brick-walls on my hot-button topics, like NAT. They make my gray hairs come in faster. icon_lol.gif
  • dynamikdynamik Banned Posts: 12,312 ■■■■■■■■■□
    Doesn't Postini just accept email for your domain and then forward it to your mail server?

    Is there anything else unique that has to be taken into account when setting this up?
  • rsuttonrsutton Member Posts: 1,029 ■■■■■□□□□□
    dynamik wrote: »
    Doesn't Postini just accept email for your domain and then forward it to your mail server?

    Is there anything else unique that has to be taken into account when setting this up?

    It's best to configure your firewall to only accept incoming mail traffic from the Postini block. Even though your MX records will point to Postini, it's still possible to send spam directly to your mail server unless you block it.
  • dynamikdynamik Banned Posts: 12,312 ■■■■■■■■■□
    rsutton wrote: »
    It's best to configure your firewall to only accept incoming mail traffic from the Postini block. Even though your MX records will point to Postini, it's still possible to send spam directly to your mail server unless you block it.

    Yea, but isn't that straight-forward? Maybe I'm just giving Slowhand more credit than he deserves icon_lol.gif
  • rsuttonrsutton Member Posts: 1,029 ■■■■■□□□□□
    dynamik wrote: »
    Yea, but isn't that straight-forward? Maybe I'm just giving Slowhand more credit than he deserves icon_lol.gif

    I have not found many things to be straight forward in IT.
  • SlowhandSlowhand Mod Posts: 5,161 Mod
    I'm basically just concerned with the NAT setup right now. I can block out all traffic not from Postini with ZBF, but I need to know that the traffic to my mail server is crossing the router to begin with.
  • SlowhandSlowhand Mod Posts: 5,161 Mod
    dynamik wrote: »
    Doesn't Postini just accept email for your domain and then forward it to your mail server?

    Is there anything else unique that has to be taken into account when setting this up?

    Oh, I'm sure it's straightforward. It's just that I'm "special" when it comes to NAT, it's one of those topics that just keeps driving me crazy. I'm thinking that the command I put up earlier is the right one, but I won't know until Mike or one of the other Cisco Uber-Gurus gives me some feedback and I can stop feeling like I should have my mittens pinned to my sweater. I need an adult!
  • mikej412mikej412 Member Posts: 10,086 ■■■■■■■■■■
    Sounds like you need an acl on your outside interface that allows inbound SMTP traffic only from a specific source (or block of addresses).

    And something like the opposite of an ip nat inside source static command -- an ip nat outside source static tcp.... command -- that could map an outside global ip address/port to an inside private ip address/port.....
    :mike: Cisco Certifications -- Collect the Entire Set!
  • SlowhandSlowhand Mod Posts: 5,161 Mod
    mikej412 wrote: »
    Sounds like you need an acl on your outside interface that allows inbound SMTP traffic only from a specific source (or block of addresses).

    And something like the opposite of an ip nat inside source static command -- an ip nat outside source static tcp.... command -- that could map an outside global ip address/port to an inside private ip address/port.....

    Heh, looks like I've got some tinkering to do when I get back to the office. . . and maybe it'll actually work this time. Thanks, Mike! :D
  • AllenFalconAllenFalcon Member Posts: 2 ■□□□□□□□□□
    Slowhand wrote: »
    So I'm not finding a whole lot of help on setting up NAT on my Cisco 2811 to allow Postini access to our Exchange 2007 server. Anyone know where I can find some info on this, (maybe even a howto, if one exists).

    I'm guessing that I need to allow access from the Postini IP block, (64.18.0.0/20) to the mail server. Of course, I was always terrible with NAT, so that could be part of the issue. icon_lol.gif

    Seriously, though, if anyone has any insights into this, has done it before, or can point me somewhere useful, I'd really appreciate it.


    Slowhand,

    Don't confuse NAT with the security policy you need in place. To get Postini working inbound in a way that does NOT allow spammers to bypass the filters, you need the following:

    1) You need to NAT (network address translate) the internal IP address of your email server to a single, public IP.
    2) Configure Postini to forward email to this public IP as your email server
    3) Configure your DNS MX records to have all email routed to Postini, and NOT your email server by name or by public IP
    4) Setup a security rule on your firewall to only allow inbound SMTP (port 25) traffic from the Postini address range.

    In all of the replies so far, the advice is not separating out these four steps.

    Regards,
    Allen
    www.horizoninfoservices.com
    A Google Enterprise Partner
    Google Postini Services Authorized Reseller
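    As an added example (not Allen's, Mike's or Slowhand's configuration, and not taken from the Cisco getting-started page linked above), here is how steps 1 and 4 look in IOS syntax on a router like the 2811 in this thread. It reuses the thread's own values: 192.168.80.31 for the mail server, 1.2.3.4 as the scrubbed public address, FastEthernet0/0 as the outside interface, the zone and class-map names from the running-config posted later in the thread, and the Postini block 64.18.0.0/20 (wildcard 0.0.15.255). The weak ACL line beside its restricted replacement shows what step 4 changes; the `log` keywords, the `no access-list 101` reset and the assumption that the zone-based firewall ACL sees the inside (post-NAT) destination address are mine.

```cisco
! --- Step 1: static PAT for SMTP only, not the whole host ---
! inside local 192.168.80.31:25 <-> inside global 1.2.3.4:25
! "extendable" lets several static entries share 1.2.3.4 on different ports.
ip nat inside source static tcp 192.168.80.31 25 1.2.3.4 25 extendable
!
interface FastEthernet0/0
 description WAN
 ip nat outside
!
interface FastEthernet0/1.1
 description LAN
 ip nat inside
!
! --- Step 4: admit SMTP only from the Postini block (64.18.0.0/20) ---
! Weak (as in the posted config): any Internet host can deliver straight to
! the server, bypassing the Postini filters:
!   access-list 101 permit tcp any host 192.168.80.31 eq smtp
!
! Restricted: /20 == wildcard 0.0.15.255. The destination is written as the
! inside (post-NAT) address because the thread's ZBF class-map ACL 101 is
! already written that way (assumption: an ACL applied directly inbound on
! FastEthernet0/0 sees the public address and would name 1.2.3.4 instead).
no access-list 101
access-list 101 remark WAN-to-LAN: SMTP from Postini only
access-list 101 permit tcp 64.18.0.0 0.0.15.255 host 192.168.80.31 eq smtp
access-list 101 deny   tcp any host 192.168.80.31 eq smtp
access-list 101 deny   ip any any
!
class-map type inspect match-any WAN-to-LAN
 match access-group 101
policy-map type inspect WAN-to-LAN
 class type inspect WAN-to-LAN
  inspect
 class class-default
  drop log
zone-pair security WAN-to-LAN source WAN destination LAN
 service-policy type inspect WAN-to-LAN
!
! --- Verify ---
! show ip nat translations        (the static entry is listed even when idle)
! show ip access-lists 101        (hit counters on the permit and the deny)
! show policy-map type inspect zone-pair WAN-to-LAN sessions
```

    A direct delivery attempt from an address outside 64.18.0.0/20 now falls through to `class-default` and is dropped and logged, which is also the quickest way to confirm that the MX records are really routing mail through Postini rather than to the public address.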
  • SlowhandSlowhand Mod Posts: 5,161 Mod
    Slowhand,

    Don't confuse NAT with the security policy you need in place. To get Postini working inbound in a way that does NOT allow spammers to bypass the filters, you need the following:

    1) You need to NAT (network address translate) the internal IP address of your email server to a single, public IP.
    2) Configure Postini to forward email to this public IP as your email server
    3) Configure your DNS MX records to have all email routed to Postini, and NOT your email server by name or by public IP
    4) Setup a security rule on your firewall to only allow inbound SMTP (port 25) traffic from the Postini address range.

    In all of the replies so far, the advice is not separating out these four steps.

    Regards,
    Allen
    www.horizoninfoservices.com
    A Google Enterprise Partner
    Google Postini Services Authorized Reseller
    I appreciate the feedback. Steps 2 and 3 are already completed, (we have an old SonicWall just itching to be retired that already forwards Postini traffic, set up by someone else). I'm mainly concerned with the proper syntax for step one, I mentioned what you said in step 4 as an either-or for allowing all traffic on port 25 or just traffic from Postini through NAT.
  • AllenFalconAllenFalcon Member Posts: 2 ■□□□□□□□□□
    Slowhand wrote: »
    I appreciate the feedback. Steps 2 and 3 are already completed, (we have an old SonicWall just itching to be retired that already forwards Postini traffic, set up by someone else). I'm mainly concerned with the proper syntax for step one, I mentioned what you said in step 4 as an either-or for allowing all traffic on port 25 or just traffic from Postini through NAT.
    The following two commands will set up a single IP address NAT, mapping a public IP address from your ISP to a specific IP address inside your network.

    First you need to establish that you want to NAT from the inside interface (assuming you have named that Ethernet port "inside")

    nat (inside) 1 0.0.0.0 0.0.0.0 0 0

    Then you can setup a static NAT as follows:

    static (inside,outside) <public ip address> <internal ip address> netmask 255.255.255.255 0 0
  • SlowhandSlowhand Mod Posts: 5,161 Mod
    The following two commands will set up a single IP address NAT, mapping a public IP address from your ISP to a specific IP address inside your network.

    First you need to establish that you want to NAT from the inside interface (assuming you have named that Ethernet port "inside")

    nat (inside) 1 0.0.0.0 0.0.0.0 0 0

    Then you can setup a static NAT as follows:

    static (inside,outside) <public ip address> <internal ip address> netmask 255.255.255.255 0 0

    Again, thanks for the response. I'm going to be doing the graveyard-shift tonight, banging my head against the router-deployment project again. (While reading up on NAT, in general, until then.) Between your answers and the one from Mike, above, I shouldn't cause too much damage.
  • SlowhandSlowhand Mod Posts: 5,161 Mod
    dynamik wrote: »
    Maybe I'm just giving Slowhand more credit than he deserves icon_lol.gif
    Way too much credit. icon_lol.gif

    For some odd reason, NAT just seems to be one of those subjects for me that doesn't sink in easily, (I have the same problem with trigonometry, which is kind of bad now that I'm studying calculus,) so it's time to hit the books again once I'm done getting this router-deployment off my plate. That's right: I figured out how to work with ZBF, I got SSL VPN working properly, but NAT escapes me. I'm just going to go over here and cry. . .

    On a more serious note, this is one of those cases where I had to bite the bullet and start asking questions. Sure, I passed the CCNA with flying colors and I had NAT down in theory way back then, but you know how those reality-checks go: sometimes you don't know as much as you think when it's time to play ball. I can't be too proud to ask some noob-questions every once in a while when I'm stuck, or I won't learn a damn thing, (despite any teasing from dynamik icon_lol.gif).
  • dynamikdynamik Banned Posts: 12,312 ■■■■■■■■■□
    If it's any consolation, I'm better at calc than trig as well icon_lol.gif
  • SlowhandSlowhand Mod Posts: 5,161 Mod
    Yarg! If it's not one damn thing, it's another. So, I stopped being a dumbass and finally got my head on straight with my NAT for mail-delivery. I stopped trying to draw a straight line between Postini and my mail server, realizing I just needed to pass port 25 traffic from the outside interface (FastEthernet 0/0) to the inside mail server (192.168.80.31 in this case). So mail flows just fine, as does every other type of traffic. . . except on ports 80 and 443. Grrrr. (Looks like NAT issues are my new pet peeve.)

    So, here's what I've got on my 2811 router:

    Current NAT statements (with the public IP scrubbed for this demonstration):
    ip nat inside source list 1 interface FastEthernet0/0 overload
    ip nat inside source static tcp 192.168.80.31 25 1.2.3.4 25 extendable
    ip nat inside source static tcp 192.168.80.13 80 1.2.3.4 80 extendable
    ip nat inside source static tcp 192.168.80.13 443 1.2.3.4 443 extendable
    
    ACL 1 looks like this:
    access-list 1 permit 192.168.80.0 0.0.0.255
    

    Things to note here are that I've tried hitting multiple machines running web servers; neither port 80 nor 443 will translate properly. I've tried turning off the router's internal HTTP server - no ip http server and no ip http secure-server - in order to make sure it's not the router answering the web-requests, and still nothing. (When the router's web server is active, it answers and asks for username/password; when the router doesn't have a web server active, I just get an error that the address is unreachable.) Mail traffic flows just fine, other ports seem to be working just fine when I do things like experiment with RDP or SSH access to various machines from the outside, and all machines on the inside of the network can reach the outside. All ACLs and the ZBF firewall are disabled so traffic can flow freely. It's just ports 80 and 443 that won't translate through NAT, and I've done everything I could think of to make sure that there wasn't something else interfering with those translations. Anyone have any thoughts, anything I'm not thinking of?

    If I need to post the whole running-config, I can do that. Right now, however, I'm too worn out from dealing with this stuff all night, (from 11pm until 6am,) to go back in the server room to hook the router back up so I can remote in and print the config.
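    As an added set of diagnostic steps (mine, not part of Slowhand's post) for isolating whether a static translation such as the 80/443 entries above is actually being hit, using the addresses from the posted statements: 192.168.80.13 for the web server, 1.2.3.4 for the public address, FastEthernet0/1.1 as the LAN interface and the WAN-to-LAN zone-pair name. ACL 150 is a constructed debug filter, chosen only to keep `debug ip nat` from logging every translation on a production link.

```cisco
! 1. Confirm the static entries exist and whether any session has used them.
!    Static entries are listed even when idle; per-session (extended) entries
!    appear only after a translated packet has actually passed.
show ip nat translations verbose
show ip nat statistics
!
! 2. Confirm the server answers from the inside before blaming the translation
!    (privileged EXEC on the router; Ctrl-Shift-6 x to abort if it hangs).
telnet 192.168.80.13 80 /source-interface FastEthernet0/1.1
!
! 3. Watch translations live while one outside client connects to 1.2.3.4:80.
!    The ACL limits the debug to the web-server traffic in both directions.
access-list 150 permit tcp any host 1.2.3.4 eq www
access-list 150 permit tcp any host 1.2.3.4 eq 443
access-list 150 permit tcp host 192.168.80.13 eq www any
access-list 150 permit tcp host 192.168.80.13 eq 443 any
terminal monitor
debug ip nat 150 detailed
! ... make the test connection, then stop the debug:
undebug all
no access-list 150
!
! 4. A translation that is created but gets no reply points past NAT: check
!    the inspect session table and the class-map ACL hit counters.
show policy-map type inspect zone-pair WAN-to-LAN sessions
show ip access-lists 101
!
! 5. Rule out another listener on the same public address and ports. A webvpn
!    gateway bound to a WAN address with http-redirect claims 80 and 443 on
!    that address, so the NAT public IP and the gateway IP must differ
!    (in the posted config the gateway sits on the secondary address 1.2.3.5).
show webvpn gateway
```

    The order matters: step 1 and step 3 tell you whether the router ever builds the 80/443 translation at all, step 2 tells you whether the server would have answered, and only if both succeed is it worth spending time on the firewall or on port conflicts in steps 4 and 5.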
  • SlowhandSlowhand Mod Posts: 5,161 Mod
    Alright, so I'm not as lazy as we thought. icon_lol.gif

    Here's the running-config (sanitized to protect the, err. . . "innocent"):
    Giygas(config)#do show run
    Building configuration...
    
    Current configuration : 7341 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Giygas
    !
    boot-start-marker
    boot-end-marker
    !
    logging message-counter syslog
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication login ADUSERS group radius
    aaa authorization exec default local 
    !
    !
    aaa session-id common
    !         
    dot11 syslog
    ip source-route
    !
    !
    ip cef
    !
    !
    ip domain list domain.priv
    ip domain list domain.com
    ip domain list domain2.com
    ip domain name domain.priv
    ip name-server 192.168.80.16
    !
    multilink bundle-name authenticated
    !
    !
    !
    crypto pki trustpoint TP-self-signed-2915001151
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-2915001151
     revocation-check none
     rsakeypair TP-self-signed-2915001151
    !         
    !
    crypto pki certificate chain TP-self-signed-2915001151
     certificate self-signed 01
      3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
      31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 
      69666963 6174652D 32393135 30303131 3531301E 170D3039 30373233 31323032 
      33355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 
      4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 39313530 
      30313135 3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 
      8100D27F 44702970 242892DA 35B58DDA FBC70744 9A4B1939 6B3E299D 4723AAFD 
      63D50977 A8F51F26 B17531A9 FF8F02CA CDD99EC3 AE54CBC9 32392881 8A37DA27 
      A580CB14 22FD0AEF 2F64742C 71885AE6 B9CD9915 7546BCF3 9224DE53 6955D537 
      9E4E6503 C98295C8 87221230 B79F23BD 3B53F342 EEFB6BB9 0EADAF9C 554FE841 
      C0EB0203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603 
      551D1104 1B301982 17476979 6761732E 6D696E64 636F6E74 726F6C2E 70726976 
      301F0603 551D2304 18301680 148E9F14 4CF5F65C 6B83EFB8 9401ADD8 C70508A9 
      09301D06 03551D0E 04160414 8E9F144C F5F65C6B 83EFB894 01ADD8C7 0508A909 
      300D0609 2A864886 F70D0101 04050003 8181005D 2B42FB1C CA2D4F94 5CBB282A 
      6A8E2353 42F9A2BE 6AB7579E 32664CCD 01C8FDE3 35E64294 58F6B3BD 29976D28 
      A6AEE3F0 76667C67 D4DC4ACC EDDCA9E2 FF78B0AF 20190B63 DB96935B 804F73C9 
      0C96F2D4 45B1A2F8 7FA1C8DC CF42C4E2 030B7C10 A5B31A5B 02D42AEC 6CF8D1E4 
      7EE13662 94797C80 79EA728E 803AA098 378DF1
            quit
    !
    !
    username admin privilege 15 secret 5 $1$7DcD$e/zVT2BB9tsgAcmBmqA2K/
    archive
     log config
      hidekeys
    ! 
    !
    !
    !
    !
    !
    class-map type inspect match-any WAN-to-LAN
     match access-group 101
    class-map type inspect match-any WAN-to-DMZ
     match access-group 102
    class-map type inspect match-any ALL_TRAFFIC
     match access-group 100
    !
    !
    policy-map type inspect WAN-to-LAN
     class type inspect WAN-to-LAN
      inspect 
     class class-default
      drop
    policy-map type inspect WAN-to-DMZ
     class type inspect WAN-to-DMZ
      inspect 
     class class-default
      drop
    policy-map type inspect ALL_TRAFFIC
     class type inspect ALL_TRAFFIC
      inspect 
     class class-default
      drop
    !
    zone security LAN
    zone security WAN
    zone security DMZ
    zone-pair security LAN-to-WAN source LAN destination WAN
     service-policy type inspect ALL_TRAFFIC
    zone-pair security LAN-to-DMZ source LAN destination DMZ
     service-policy type inspect ALL_TRAFFIC
    zone-pair security WAN-to-LAN source WAN destination LAN
     service-policy type inspect WAN-to-LAN
    zone-pair security WAN-to-DMZ source WAN destination DMZ
     service-policy type inspect WAN-to-DMZ
    zone-pair security DMZ-to-WAN source DMZ destination WAN
     service-policy type inspect ALL_TRAFFIC
    !
    !
    !
    interface Loopback0
     description VPN Addresses
     ip address 192.168.100.1 255.255.255.0
     ip virtual-reassembly
    !
    interface FastEthernet0/0
     description WAN
     ip address 1.2.3.5 255.255.255.240 secondary
     ip address 1.2.3.4 255.255.255.240
     ip nat outside
     ip virtual-reassembly
     duplex full
     speed 10
    !
    interface FastEthernet0/1
     no ip address
     duplex auto
     speed auto
    !
    interface FastEthernet0/1.1
     description LAN
     encapsulation dot1Q 80
     ip address 192.168.80.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
    !
    interface FastEthernet0/1.2
     description DMZ
     encapsulation dot1Q 90
     ip address 1.2.3.4.6 255.255.255.240
     ip virtual-reassembly
    !
    interface Dot11Radio0/0/0
     no ip address
     shutdown
     speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
     station-role root
    !
    interface Dot11Radio0/0/1
     no ip address
     shutdown
     speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
     station-role root
    !
    ip local pool VPN_USERS 192.168.100.2 192.168.100.254
    no ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 1.2.3.3
    no ip http server
    no ip http secure-server
    !
    !
    ip nat inside source list 1 interface FastEthernet0/0 overload
    ip nat inside source static tcp 192.168.80.31 25 1.2.3.4 25 extendable
    ip nat inside source static tcp 192.168.80.13 80 1.2.3.4 80 extendable
    ip nat inside source static tcp 192.168.80.13 443 1.2.3.4 443 extendable
    !
    ip radius source-interface FastEthernet0/1.1 
    access-list 1 permit 192.168.80.0 0.0.0.255
    access-list 100 permit ip any any
    access-list 101 remark This access-list is used for WAN-to-LAN traffic
    access-list 101 permit tcp any host 192.168.80.130 eq 22
    access-list 101 permit tcp any eq 8235 host 192.168.80.130 eq 5900
    access-list 101 permit tcp any eq 4569 host 192.168.80.6 eq 3889
    access-list 101 permit tcp any eq 4570 host 192.168.80.11 eq 3889
    access-list 101 permit tcp any host 192.168.80.13 eq www
    access-list 101 permit tcp any host 192.168.80.13 eq 990
    access-list 101 permit tcp any host 192.168.80.13 eq 999
    access-list 101 permit tcp any host 192.168.80.13 eq 5721
    access-list 101 permit tcp any host 192.168.80.13 eq 5679
    access-list 101 permit tcp any host 192.168.80.13 eq 26675
    access-list 101 permit tcp any host 192.168.80.31 eq smtp
    access-list 101 permit tcp any host 192.168.80.13 eq 6001
    access-list 101 permit udp any host 192.168.80.13 eq 6001
    access-list 101 deny   ip any any
    access-list 102 remark This access-list is used for WAN-to-DMZ traffic
    !
    !
    !
    !
    radius-server host 192.168.80.22 auth-port 1645 acct-port 1646 key #############################################################
    !         
    control-plane
    !
    !
    line con 0
    line aux 0
    line vty 0 4
     transport input telnet ssh
    !
    scheduler allocate 20000 1000
    !
    webvpn gateway MCS_SSL
     ip address 1.2.3.5 port 443  
     http-redirect port 80
     ssl trustpoint TP-self-signed-2915001151
     inservice
     !
    webvpn install svc flash:/webvpn/anyconnect-win-2.3.2016-k9.pkg sequence 1
     !
    webvpn install svc flash:/webvpn/anyconnect-macosx-i386-2.3.2016-k9.pkg sequence 2
     !
    webvpn context ALLSTAFF
     secondary-color white
     title-color #CCCC66
     text-color black
     ssl authenticate verify all
     !
     !
     policy group MCS_VPN
       functions svc-enabled
       svc address-pool "VPN_USERS"
       svc default-domain "domain.priv"
       svc keep-client-installed
       svc split dns "domain.priv"
       svc split include 192.168.80.0 255.255.255.0
       svc split include 192.168.100.0 255.255.255.0
       svc split include 192.168.70.0 255.255.255.0
       svc dns-server primary 192.168.80.16
       svc dns-server secondary 192.168.80.10
     default-group-policy MCS_VPN
     aaa authentication list ADUSERS
     gateway MCS_SSL
     inservice
    !
    end
    

    And a show version for good measure:
    Giygas(config)#do show version
    Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version 12.4(24)T1, RELEASE SOFTWARE (fc3)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2009 by Cisco Systems, Inc.
    Compiled Fri 19-Jun-09 15:13 by prod_rel_team
    
    ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
    
    Giygas uptime is 2 hours, 59 minutes
    System returned to ROM by reload at 10:33:57 UTC Thu Aug 27 2009
    System image file is "flash:c2800nm-advsecurityk9-mz.124-24.T1.bin"
    
    
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    
    If you require further assistance please contact us by sending email to
    export@cisco.com.
    
    Cisco 2811 (revision 53.51) with 247808K/14336K bytes of memory.
    Processor board ID ##########
    2 FastEthernet interfaces
    1 Virtual Private Network (VPN) Module
    2 802.11 Radios
    DRAM configuration is 64 bits wide with parity enabled.
    239K bytes of non-volatile configuration memory.
    62720K bytes of ATA CompactFlash (Read/Write)
    
    Configuration register is 0x2102
    

    I can configure ZBF, I got SSL VPN with AnyConnect working, and I even managed to get AAA to authenticate VPN users through RADIUS by talking to a Windows 2008 RAS server. . . but I can't get these NAT issues resolved. Yup, still crying.
  • SlowhandSlowhand Mod Posts: 5,161 Mod
    Looks like it's going to be time for me to break down my config and go through it, step by step, from the beginning, to see where it is that NAT on ports 80 and 443 breaks. It's going to be a fun weekend. icon_cry.gif
  • SlowhandSlowhand Mod Posts: 5,161 Mod
    Just a little update: with NAT finally having been resolved and the configuration of a VPN tunnel, my router-deployment project is finally finished! icon_cheers.gif

    As soon as I've completed some post-deployment tasks and I'm back in the land of the living, (I've been working the graveyard shift ever since this project started,) I'm going to post a tutorial (or three) on some of the things I've learned about during my battles with the router. I'd like to post on how to configure SSL VPN, how to make ZBF play nice with other technologies, and pitfalls to watch out for when setting up an IPSec VPN tunnel between a Cisco router and another vendor's device, (in this case, a Juniper firewall).

    If this project has taught me anything, it's that you're never too advanced to learn some newbie-things. One piece of advice I can give anyone out there, expert or novice, is this: swallow your pride and ask questions when you're stuck, regardless of how simple it may seem. You won't get anywhere on pride if you can't figure it out on your own, and you certainly won't learn anything new if you can't get out of the hole you're in. So take your lumps and ask those questions, open up tickets with TAC, as long as the job gets done and you learn from your mistakes it's all worth it. icon_blackeye.gif