NATed mail server does not work


pereubu
admin, Pancevo


NATed mail server does not work, 09.03.2009 at 10:52
I tried to move the mail server from the firewall, or really the router (2801), and I entered two commands:

ip nat inside source static tcp 192.168.100.119 25 62.100.68.164 25
ip nat inside source static tcp 192.168.100.119 7 62.100.68.164 7


So the first address is the private address of the mail server and the second is the public one.

There is another similar command on the router for SSH port forwarding, which works.

ip nat inside source static tcp 192.168.0.112 22 200.100.68.166 19561 extendable

My mail server does not work; true, it can send mail out, but it cannot receive it.

Ping and tracert reach the public address of the mail server, and that looks fine.

2 <1 ms <1 ms <1 ms 216.98.153.73
3 <1 ms <1 ms <1 ms 65.77.90.41

20 178 ms 177 ms 177 ms 62.100.200.65
21 175 ms 175 ms 174 ms 62.100.68.164

Then I also checked whether NAT works, and it does:

myrouter#sh ip nat trans

Pro Inside global Inside local Outside local Outside global
..
tcp 62.100.68.164 7 192.168.100.119 7 --- ---
tcp 62.100.68.164:25 192.168.100.119:25 212.227.126.188:52133 212.227.126.188:52133
tcp 62.100.68.164:25 192.168.100.119:25 212.227.126.188:52388 212.227.126.188:52388

That is, I can see that someone has connected to the NAT. I mean, someone wants to send me mail.

Then I tested with the http://www.dnsright.com port scan:

62.100.68.164:21 --> Open
62.100.68.164:23 --> Closed
62.100.68.164:25 --> Closed
62.100.68.164:53 --> Closed
62.100.68.164:79 --> Closed
62.100.68.164:80 --> Closed
62.100.68.164:110 --> Closed
62.100.68.164:135 --> Closed
62.100.68.164:139 --> Closed
62.100.68.164:143 --> Closed


On my mail server I tested:

C:\Documents and Settings\adminco>netstat -an

Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:25 0.0.0.0:0 LISTENING
TCP 0.0.0.0:110 0.0.0.0:0 LISTENING
TCP 0.0.0.0:111 0.0.0.0:0 LISTENING
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:143 0.0.0.0:0 LISTENING
TCP 0.0.0.0:366 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:587 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1000 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1044 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3172 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING
TCP 0.0.0.0:6389 0.0.0.0:0 LISTENING
TCP 0.0.0.0:7937 0.0.0.0:0 LISTENING
TCP 0.0.0.0:7938 0.0.0.0:0 LISTENING
TCP 0.0.0.0:8510 0.0.0.0:0 LISTENING
TCP 0.0.0.0:9004 0.0.0.0:0 LISTENING


When I remove those NAT instructions I get the following:


62.100.68.164:21 --> Open
62.100.68.164:23 --> Closed
62.100.68.164:25 --> Open
62.100.68.164:53 --> Closed
62.100.68.164:79 --> Closed
62.100.68.164:80 --> Closed
62.100.68.164:110 --> Open
62.100.68.164:135 --> Closed
62.100.68.164:139 --> Closed
62.100.68.164:143 --> Open
62.100.68.164:161 --> Closed
62.100.68.164:162 --> Closed
62.100.68.164:389 --> Closed
62.100.68.164:443 --> Closed
62.100.68.164:445 --> Open
62.100.68.164:548 --> Closed
62.100.68.164:1433 --> Closed

I see that the inbound and outbound paths of the mail server are the same. I don't know where the error is. What should I do?

[This message was edited by pereubu on 09.03.2009 at 13:03 GMT+1]
 
misk0
.: Lugano :. _.: CH :.

Re: NATed mail server does not work, 09.03.2009 at 11:09
If you entered the correct IP above, port 25 is not open on it at all
Code:
[root@phone ~]# telnet 62.100.68.164 25
Trying 62.100.68.164...

:: Don't argue with a fool, people often won't notice the difference ::
 
pereubu
admin, Pancevo

Re: NATed mail server does not work, 09.03.2009 at 12:17
Look, I posted a fictitious address. And that is exactly my question. When I put the server behind the router and add those NAT commands, the server cannot be reached by telnet on, say, 25, because port 25 is closed. On the server, yes, it has it open, as can be seen with netstat -an, but if I run a port scan from some external site, I don't have it open.

However, in show ip nat trans I see that the port is open and even that someone has connected to send me SMTP messages. So it is as if NAT is not talking to the mail server.
 
optix
CH

Re: NATed mail server does not work, 09.03.2009 at 14:15
Do you have any access lists (which might be blocking port 25)?


"99% of your thought process is protecting your self-conceptions,
and 98% of that is wrong."
 
pereubu
admin, Pancevo

Re: NATed mail server does not work, 09.03.2009 at 14:29
I have no access lists. What I am afraid of is that I have the MDaemon mail server. Looking at the configuration I don't see that happening, but who knows?
 
optix
CH

Re: NATed mail server does not work, 09.03.2009 at 14:31
You don't see what happening?
"99% of your thought process is protecting your self-conceptions,
and 98% of that is wrong."
 
pereubu
admin, Pancevo

Re: NATed mail server does not work, 09.03.2009 at 16:38
Let's put it this way,

locally mail works, both sending and receiving. Only when I need to receive from the outside world. Now I have in:

show ip nat translation also some child NAT translations, i.e. someone from outside wants to connect. I have no access lists. Now this MDaemon mail server says it has an address to listen on for port 25,

"This is the Primary Domain's IP address.
Bind listening sockets to this IP only
Selecting this switch causes MDaemon to bind its listening network sockets using the specific IP address
found in the Domain IP text box. Ordinarily, this control will only need to be used in certain circumstances
when hosting multiple domains."

I set that IP to the private address of the MDaemon mail server.
It seems to me that the NAT setup is OK, the return and inbound paths are the same, and yet the port scan on that site cannot see port 25 open. So maybe something in the mail server does not let the NATed address open that port? Locally I can reach it with telnet myprivateaddress 25.

Isn't this enough:

Pro Inside global Inside local Outside local Outside global
..
tcp 62.100.68.164 7 192.168.100.119 7 --- ---
tcp 62.100.68.164:25 192.168.100.119:25 212.227.126.188:52133 212.227.126.188:52133

namely the second row, which says that when you address telnet 62.100.68.164 25 you should come out at address 192.168.100.119 and port 25 locally. Does that mean the problem may be in some security function on the mail server itself?

And then again, on the other hand, for me all ports are closed when I do that port scan, except FTP (21)? So it is not only about port 25.
 
optix
CH

Re: NATed mail server does not work, 09.03.2009 at 19:59
NAT looks fine. Unless you got the public IP address wrong, or something like that... :)

It is possible that MDaemon refuses all connections except those from the local network, or that there is a firewall on that machine doing the same.

As for the router, if you want, post the whole configuration and we will tell you for sure.


"99% of your thought process is protecting your self-conceptions,
and 98% of that is wrong."
 
pereubu
admin, Pancevo

Re: NATed mail server does not work, 10.03.2009 at 14:37
myrut#sh run
Building configuration...

Current configuration : 8897 bytes
!
! Last configuration change at 09:47:35 SER Mon Mar 9 2009 by mary
! NVRAM config last updated at 12:21:24 SER Tue Feb 24 2009 by mary
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Myrut
!
boot-start-marker
boot-end-marker
!
logging buffered 65535 warnings
!
username clip
username clip
username clip
clock timezone SER 1
clock summer-time Letnje-Vreme recurring last Sun Mar 2:00 last Sun Oct 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login admins local
aaa authorization console
aaa authorization exec admins local if-authenticated
aaa session-id common
ip subnet-zero
no ip source-route
ip icmp rate-limit unreachable 2000
ip cef
!
!
!
!
ip ips po max-events 100
no ftp-server write-enable
!
!
! !
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
crypto iskamp clip
crypto isakmp clip
crypto isakmp clip
crypto isakmp clip
crypto isakmp clip
!
!
crypto ipsec transform-set MOBTEL esp-3des esp-md5-hmac
crypto ipsec transform-set TELCOM esp-3des esp-sha-hmac
!
crypto map CRYPTO 10 ipsec-isakmp
set peer clip
set transform-set MOBTEL
match address 101
crypto map CRYPTO 20 ipsec-isakmp
set peer clip
set transform-set TELCOM
set pfs group2
match address 102
crypto map CRYPTO 30 ipsec-isakmp
set peer clip
set transform-set TELCOM
match address 103
!
!
!
!
interface Tunnel0
description GRE ka Dcompany
ip address 172.19.50.4 255.255.255.248 secondary
ip address 172.19.50.2 255.255.255.248
ip nat outside
ip virtual-reassembly
tunnel source clip
tunnel destination clip
!
interface Loopback1
no ip address
!
interface Loopback10201
ip address 10.201.150.17 255.255.255.255
ip virtual-reassembly
!
interface FastEthernet0/0
description Unutrasnja mreza
ip address 172.19.49.1 255.255.255.0 secondary
ip address 192.168.4.1 255.255.255.0 secondary
ip address 192.168.200.1 255.255.255.0 secondary
ip address 192.168.0.10 255.255.255.0
ip nat inside
ip virtual-reassembly
ip route-cache same-interface
no ip route-cache cef
duplex auto
speed auto

interface FastEthernet0/1
description Javne IP adrese
ip address 62.100.68.170 255.255.255.224
ip nat outside
ip virtual-reassembly
no ip mroute-cache
duplex auto
speed auto
crypto map CRYPTO
!
interface BRI0/1/0
no ip address
shutdown
!
interface Serial0/3/0
description Link prema Telekomu FR-Bridge-Eth
no ip address
ip nbar protocol-discovery
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1 name Internet_Telekom
ip route 10.15.4.112 255.255.255.255 212.200.68.161 name MOBTEL
ip route 10.15.4.144 255.255.255.255 212.200.68.161 name MOBTEL
ip route 10.100.100.0 255.255.255.0 212.200.68.161
ip route 93.86.88.0 255.255.255.0 212.200.68.161
ip route 172.17.80.0 255.255.255.0 212.200.68.161 name MOBTEL
ip route 172.19.50.0 255.255.255.248 Tunnel0 name DCOM
ip route 172.27.26.0 255.255.254.0 212.200.68.161 name MOBTEL
ip route 172.30.113.64 255.255.255.224 212.200.68.161 name MOBTEL
ip route 172.30.118.0 255.255.254.0 212.200.68.161 name MOBTEL
ip route 192.168.0.0 255.255.0.0 192.168.4.230 name Internal
ip route 192.168.1.0 255.255.255.0 192.168.0.1 name Gr1344
ip route 192.168.3.0 255.255.255.0 192.168.0.1 name Krnj1232
ip route 192.168.4.0 255.255.255.0 192.168.4.230 name zaVLAN
ip route 192.168.5.0 255.255.255.0 192.168.4.230 name zaVLAN
ip route 192.168.6.0 255.255.255.0 192.168.4.230 name zaVLAN
ip route 192.168.7.0 255.255.255.0 192.168.4.230 name zaVLAN
ip route 192.168.8.0 255.255.255.0 192.168.4.230 name zaVLAN
ip route 192.168.9.0 255.255.255.0 192.168.4.230 name zaVLAN
ip route 192.168.10.0 255.255.255.0 192.168.4.230 name zaVLAN
ip route 192.168.11.0 255.255.255.0 192.168.4.230 name zaVLAN
ip route 192.168.12.0 255.255.255.0 192.168.4.230 name zaVLAN
ip route 192.168.13.0 255.255.255.0 192.168.4.230 name zaVLAN
ip route 192.168.14.0 255.255.255.0 192.168.4.230 name zaVLAN
ip route 192.168.15.0 255.255.255.0 192.168.4.230 name zaVLAN
ip route 192.168.16.0 255.255.255.0 192.168.4.230 name zaVLAN
ip route 192.168.17.0 255.255.255.0 192.168.4.230 name zaVLAN
ip route 192.168.18.0 255.255.255.0 192.168.4.230 name zaVLAN
ip route 192.168.19.0 255.255.255.0 192.168.4.230 name zaVLAN
ip route 192.168.20.0 255.255.255.0 192.168.4.230 name zaVLAN
ip route 192.168.21.0 255.255.255.0 192.168.4.230 name zaVLAN
ip route 192.168.50.0 255.255.255.0 192.168.4.230 name zaVLAN
ip route 192.168.60.0 255.255.255.0 192.168.4.230 name zaVLAN
ip route 192.168.65.0 255.255.255.0 192.168.4.230 name zaVLAN
ip route 192.168.70.0 255.255.255.0 192.168.4.230 name zaVLAN
ip route 192.168.85.0 255.255.255.0 192.168.4.230 name zaVLAN
ip route 192.168.100.0 255.255.255.0 192.168.4.230 name zaVLAN
ip route 192.168.101.0 255.255.255.0 192.168.0.1 name Kr22
ip route 192.168.102.0 255.255.255.0 192.168.0.1 name N123
ip route 192.168.103.0 255.255.255.0 192.168.0.1 name Z123
ip route 192.168.104.0 255.255.255.0 192.168.0.1 name S123
ip route 192.168.105.0 255.255.255.0 192.168.0.1 name N23
ip route 192.168.106.0 255.255.255.0 192.168.0.1 name Kr123
ip route 192.168.107.0 255.255.255.0 192.168.0.1 name Kr123
ip route 192.168.108.0 255.255.255.0 192.168.0.1 name Pozega
ip route 192.168.109.0 255.255.255.0 192.168.0.1 name P12
ip route 192.168.110.0 255.255.255.0 192.168.0.1 name S12
ip route 192.168.111.0 255.255.255.0 192.168.0.1 name N12
ip route 192.168.112.0 255.255.255.0 192.168.0.1 name Z123
ip route 192.168.200.0 255.255.255.0 192.168.4.230 name zaVLAN
ip route clip name TELCOM
ip route clip name TELCOM
ip route clip name MTc
ip route clip
clip
!
ip http server
ip http authentication local
no ip http secure-server
ip nat inside source static 192.168.200.110 172.19.50.4
ip nat inside source static tcp 192.168.0.12 22 62.100.68.166 19561 extendable
!
ip access-list extended permit-all
permit ip 172.30.118.0 0.0.1.255 any
permit ip any any
!
access-list 101 permit tcp host 172.19.49.10 host 172.17.80.100 eq 3700
access-list 101 permit tcp host 172.19.49.10 host 10.15.4.112 eq www
access-list 101 permit tcp host 172.19.49.10 host 10.15.4.112 eq 443
access-list 101 permit ip host 172.19.49.10 host 10.15.4.144
access-list 101 permit ip host 172.19.49.10 172.30.118.0 0.0.1.255
access-list 101 permit tcp host 172.19.49.11 host 172.17.80.100 eq 3700
access-list 101 permit tcp host 172.19.49.11 host 10.15.4.112 eq www
access-list 101 permit tcp host 172.19.49.11 host 10.15.4.112 eq 443
access-list 101 permit ip host 172.19.49.11 host 10.15.4.144
access-list 101 permit ip host 172.19.49.11 172.30.118.0 0.0.1.255
access-list 101 permit ip host 172.19.49.11 172.27.26.0 0.0.1.255
access-list 101 permit ip host 172.19.49.10 172.27.26.0 0.0.1.255
access-list 102 permit ip host 62.100.68.171 194.48.129.192 0.0.0.63
access-list 103 permit ip 192.168.200.0 0.0.0.255 10.100.100.0 0.0.0.255
snmp-server community fyu4 RO
snmp-server enable traps tty
snmp-server enable traps tty
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
alias exec c configure terminal
alias exec s show ip interface brief
alias exec sr show run
privilege exec level 0 show startup-config
privilege exec level 0 show
!
line con 0
exec-timeout 0 0
clip
line aux 0
line vty 0 4
exec-timeout 15 0
clip
line vty 5 15
exec-timeout 15 0
clip
!
ntp clock-period 17180134
ntp server 193.67.79.202
ntp server 195.13.23.5
end





[This message was edited by pereubu on 11.03.2009 at 08:00 GMT+1]
 
IceThunder
Vladimir Vesic
Bell Labs

Re: NATed mail server does not work, 10.03.2009 at 18:49
Which firewall is it? Try resetting it....
Show me how anyone
can have faith without action.
I will show you my faith by my action
 
pereubu
admin, Pancevo

Re: NATed mail server does not work, 11.03.2009 at 08:37
It is not a firewall, it is a Cisco 2801 router. It has some firewall functions, such as NAT and ip virtual-reassembly, which is in the conf file for interfaces FastEthernet 0/0 and FastEthernet 0/1, where enabling NAT automatically turns on ip virtual-reassembly. Yes, I did a reload on the router itself, and that did not resolve it to give me what I expect.

Of course I suspect the router, I just don't know what.
 
igor.vitorac

Re: NATed mail server does not work, 11.03.2009 at 08:58
I haven't had time to look at the configuration more closely... but what I saw is that the NAT in question is not mentioned anywhere in it. :-)
 
pereubu
admin, Pancevo

Re: NATed mail server does not work, 11.03.2009 at 09:34
The configuration as given works, but when I put in this:

no ip nat inside source static tcp 192.168.100.19 25 62.100.68.164 25

no ip nat inside source static tcp 192.168.100.19 7 62.100.68.164 7

then the mail server does not work. There is also a NAT for SSH there, which works for another local computer. But the mail server behind NAT, when I put it in after conf term, does not work.
 
optix
CH

Re: NATed mail server does not work, 11.03.2009 at 12:53
The range the mail server is in, 192.168.100.0 /24, you route via 192.168.4.230. What and where is 192.168.4.230?


"99% of your thought process is protecting your self-conceptions,
and 98% of that is wrong."
 
pereubu
admin, Pancevo

Re: NATed mail server does not work, 11.03.2009 at 14:38
I got the subnet wrong, it is 200.

ip nat inside source static tcp 192.168.200.19 (instead of 192.168.100.19) 25 62.100.68.164 25

ip nat inside source static tcp 192.168.200.19 (instead of 192.168.100.19) 7 62.100.68.164 7

192.168.4.230 is actually a Catalyst, 192.168.4.230, and it is not really part of my NAT setup itself.
 
igor.vitorac

Re: NATed mail server does not work, 11.03.2009 at 22:41
How about you attach a picture so we can see what you want to do... After all this explanation and some fictitious and wrong IP addresses... it is not really clear to me what you want to achieve.

If I look at the conf. a bit more closely, I can see that your default route is 192.168.0.1, while you also have the same subnet on the inside interface (192.168.0.10/24) !?!

What comes to mind after all this is that you have a problem with the default gateway (wrong value) on the mail server itself: mail can go out because it goes via another def. gateway, but when someone reaches you from outside on the "new" IP address, the packets return via the wrong gateway.
But again... to make it clearer what you want, draw the current situation and the situation you want to have.
 
optix
CH

Re: NATed mail server does not work, 11.03.2009 at 23:58
Everything Igor says, plus what additionally confuses me is that there is no ip nat inside source *** overload, nat-pool, or similar command... ?
You say NAT works for all clients?
"99% of your thought process is protecting your self-conceptions,
and 98% of that is wrong."
 
someone_bl
Bojan VUJIC
Head of IT Department
Banjaluka

Re: NATed mail server does not work, 12.03.2009 at 14:19
Try it like this and it should work

ip nat inside source static tcp 192.168.100.19 25 62.100.68.164 25 extendable

ip nat inside source static tcp 192.168.100.19 7 62.100.68.164 7 extendable


Bojan
 
pereubu
admin, Pancevo

Re: NATed mail server does not work, 17.03.2009 at 09:42
Yes, I tried that and it works, but as you said I had to fix some problems, namely to clear up some ambiguities with the default gateway and to make some changes. Everything looks more or less fine. What I set is the following:

ip nat inside source static tcp 192.168.100.19 25 62.100.68.164 25 extendable
...

The system works partially. It can send and receive locally. It can also receive mail from outside. But it cannot send out from the internal network. Now the question is why?

As one of the experiments I set:

ip nat inside source static 192.168.100.19 62.100.68.164

Now the system works, it sends and receives mail from the outside world, but if I go back to the first command, because I don't want that second command, rather I want to let through only one port, 25, and not all of them.
What caught my attention was the extendable keyword, which was generated automatically. Now I think the problem is there. I don't know what I should do about it?
I searched the net and got the following definition of extendable.

"Once that is working, they might also want to define static mappings for a particular host using each provider's address space. The software does not allow two static translations with the same local address, though, because it is ambiguous from the inside. The router will accept these static translations and resolve the ambiguity by creating full translations (all addresses and ports) if the static translations are marked as "extendable". For a new outside-to-inside flow, the appropriate static entry will act as a template for a full translation. For a new inside-to-outside flow, the dynamic route-map rules will be used to create a full translation "

Optix asked me:

"Everything Igor says, plus what additionally confuses me is that there is no ip nat inside source *** overload, nat-pool, or similar command... ?
You say NAT works for all clients?"

My understanding is that with those commands I change the source addresses, i.e. I put public ones in place of private ones.

My configuration is a bit odd, because it runs on MPLS and I have public and private addresses mixed in a way. Now the NATing of private addresses is done on the provider's routers (I also have one located at my site), but I have no insight into that. I mean I don't know what they do, but I can communicate with them.

Now, from the definition of extendable the following caught my attention: "For a new inside-to-outside flow, the dynamic route-map rules will be used to create a full translation "

Or it means one thing:

ip nat inside source static tcp 192.168.100.19 25 62.100.68.164 25 extendable

works for the SMTP-in cases, but for SMTP-out I have to use something like:

"ip nat pool pool... prefix-length 24

...
ip nat inside source route-map MAP-108 pool pool-108:

Is that what it means by "dynamic route-map rules "?
 
optix
CH

Re: NATed mail server does not work, 17.03.2009 at 23:45
Quote:
pereubu: ... But it cannot send out from the internal network. Now the question is why?

As one of the experiments I set:

ip nat inside source static 192.168.100.19 62.100.68.164

Now the system works, it sends and receives mail from the outside world, but if I go back to the first command, because I don't want that second command, rather I want to let through only one port, 25, and not all of them.



It is clear that your router is doing NAT, and that it is missing the global rule I mentioned to you. You can define a 1:1 static translation (as you tried), you can define a NAT pool, or the plainest PAT - ip nat inside source list 1 interface FastEthernet0/0 overload. Provided you have sorted out all the routing irregularities :)


"99% of your thought process is protecting your self-conceptions,
and 98% of that is wrong."
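
The situation in the last two posts, as an added example that is not part of the thread: a small Python check of which flow directions each NAT variant covers for the mail server. The sample configs are constructed from the commands quoted above; the function names, the `access-list 1` line and the handling of only `permit` lines in standard ACLs are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample configs built from the NAT lines quoted in the thread.
PORT_ONLY = "ip nat inside source static tcp 192.168.100.19 25 62.100.68.164 25 extendable"
ONE_TO_ONE = "ip nat inside source static 192.168.100.19 62.100.68.164"
# access-list 1 is an assumption (the thread never shows it). The interface name
# is as written in the reply; on a real router it must be the "ip nat outside" one.
PORT_PLUS_PAT = """
ip nat inside source static tcp 192.168.100.19 25 62.100.68.164 25 extendable
access-list 1 permit 192.168.100.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet0/0 overload
"""

STATIC_PORT = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)(?: extendable)?$")
STATIC_HOST = re.compile(r"^ip nat inside source static (\d\S*) (\d\S*)(?: extendable)?$")
DYNAMIC = re.compile(
    r"^ip nat inside source list (\S+) (?:pool \S+|interface \S+)(?: overload)?$")
STD_ACL = re.compile(r"^access-list (\d+) permit (\S+)(?: (\S+))?$")


def acl_network(addr, wildcard):
    """Turn a standard-ACL source (address plus optional wildcard) into a network."""
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if addr == "host":
        return ipaddress.ip_network(wildcard + "/32")
    if wildcard in (None, "0.0.0.0"):
        return ipaddress.ip_network(addr + "/32")
    return ipaddress.ip_network(f"{addr}/{wildcard}")  # contiguous wildcards only


def nat_coverage(config, host, port, proto="tcp"):
    """Report which flow directions get a translation for the service at host:port."""
    host_ip = ipaddress.ip_address(host)
    acls, dynamic_lists = {}, []
    inbound = outbound = False
    for line in (raw.strip() for raw in config.splitlines()):
        if m := STATIC_PORT.match(line):
            # Matches only packets to or from the inside host's own port:
            # connections opened from outside, plus the replies to them.
            if m.group(1) == proto and m.group(2) == host and int(m.group(3)) == port:
                inbound = True
        elif m := STATIC_HOST.match(line):
            if m.group(1) == host:  # 1:1 entry covers every port, both ways
                inbound = outbound = True
        elif m := DYNAMIC.match(line):
            dynamic_lists.append(m.group(1))
        elif m := STD_ACL.match(line):
            acls.setdefault(m.group(1), []).append(acl_network(m.group(2), m.group(3)))
    # A connection opened by the host leaves from an ephemeral source port, so it
    # needs a dynamic rule (pool or overload) whose ACL permits the host.
    for name in dynamic_lists:
        if any(host_ip in net for net in acls.get(name, [])):
            outbound = True
    return {"inbound": inbound, "outbound": outbound}


if __name__ == "__main__":
    for label, cfg in [("port 25 only", PORT_ONLY), ("1:1 static", ONE_TO_ONE),
                       ("port 25 + PAT", PORT_PLUS_PAT)]:
        print(label, nat_coverage(cfg, "192.168.100.19", 25))
```

The 1:1 entry restores outbound mail only by exposing every port of the server on the public address; the port entry combined with a dynamic rule keeps inbound exposure limited to port 25.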
 