SMTP on an additional IP

Secure your network!

Moderator: Federico.Lagni

Chick75
n00b
Posts: 21
Joined: Thu 25 Jan 2007, 5:32 pm

Hi everyone,
on my Cisco 1841 I have NATed the company mail server to the external IP address xxx.xx.xx.227 and everything works fine: it receives and sends email.
Let me say up front that I have 16 IP addresses available.
The problem is that outbound mail traffic (so port 25) reaches the recipient with the IP address of the gateway (the Cisco 1841), which is xxx.xx.xx.225. How can I make it use the .227 address instead of the .225 for the mail flow?

Thanks everyone
francesco_savona
Cisco enlightened user
Posts: 129
Joined: Wed 01 Apr 2009, 9:58 am

Which mail server are you using???
Usually the communication port for both in and out is always 25, so you should already have the problem solved.
It is as if your mail server sent the mail like a plain mail client to its own SMTP server.

If it uses a different port, logically, to go out it takes the IP from the NAT pool, which probably coincides with .225.
-------------------------------------------------------
SAVONA FRANCESCO
CCNA
-------------------------------------------------------
Chick75
n00b
Posts: 21
Joined: Thu 25 Jan 2007, 5:32 pm

I use Exchange 2007 (its local IP address is 192.168.69.15).
Maybe I didn't say that the block of 16 IPs, which includes .225 and .227, is public.

To recap:
Gateway (Cisco 1841) is 151.13.xxx.225
Mail server LAN address 192.168.69.15, which receives mail at the public IP address 151.13.xxx.227 but sends it from 151.13.xxx.225

I really need it to go out from .227 (the public IP).

:wink:
Last edited by Chick75 on Fri 29 May 2009, 9:55 am, edited 2 times in total.
francesco_savona
Cisco enlightened user
Posts: 129
Joined: Wed 01 Apr 2009, 9:58 am

Are you using a SmartHost or direct delivery?
-------------------------------------------------------
SAVONA FRANCESCO
CCNA
-------------------------------------------------------
Chick75
n00b
Posts: 21
Joined: Thu 25 Jan 2007, 5:32 pm

direct delivery
francesco_savona
Cisco enlightened user
Posts: 129
Joined: Wed 01 Apr 2009, 9:58 am

Can you post the router config?
-------------------------------------------------------
SAVONA FRANCESCO
CCNA
-------------------------------------------------------
Chick75
n00b
Posts: 21
Joined: Thu 25 Jan 2007, 5:32 pm

Here it is


Building configuration...

Current configuration : 7585 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname 1841
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$lXp6$lN3XIK2P9scGSHiun4gN2.
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
no ip source-route
ip cef
!
!
ip tcp synwait-time 10
!
!
no ip bootp server
ip name-server 192.106.1.1
ip name-server 192.106.1.9
!
isdn switch-type basic-net3
isdn tei-negotiation first-call
!
!
username XXXXXX privilege 15 secret 5 $1$ARbo$36XRhAw/i9hhpLCQLRQ1x/
username windbasic privilege 15 password 7 120A0A1B131905177B7A71
username ZZZZZZ secret 5 $1$1c3d$0g8.huSCYrhopN7pROSQm/
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpn
key vpn
pool SDM_POOL_1
netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface FastEthernet0/0
description Connessione LAN LAN$ETH-LAN$
ip address 192.168.69.250 255.255.255.0 secondary
ip address 151.13.XXX.225 255.255.255.240
ip access-group 101 in
ip accounting output-packets
ip nat inside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
no ip mroute-cache
load-interval 30
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
shutdown
duplex auto
speed auto
no mop enabled
!
interface Serial0/0/0
description CVP HDSL 742023/78
no ip address
encapsulation frame-relay IETF
no ip route-cache cef
no ip route-cache
no ip mroute-cache
load-interval 30
no fair-queue
frame-relay traffic-shaping
!
interface Serial0/0/0.1 point-to-point
description "Accesso Internet"
backup delay 1 30
backup interface Dialer1
ip address 151.5.XXX.XXX 255.255.255.192
ip access-group 110 in
ip nat outside
ip virtual-reassembly
no ip route-cache
no ip mroute-cache
no cdp enable
frame-relay class 512
frame-relay interface-dlci 140
crypto map SDM_CMAP_1
!
interface Serial0/0/0.2 point-to-point
description "PVC di Management"
ip address 192.106.XXX.XXX 255.255.255.0
no ip route-cache
no ip mroute-cache
no cdp enable
frame-relay interface-dlci 500
!
interface BRI0/1/0
description linea ISDN di Back Up <N.ISDN DEDICATA>
no ip address
encapsulation ppp
ip route-cache flow
load-interval 30
dialer pool-member 1
isdn switch-type basic-net3
isdn point-to-point-setup
isdn send-alerting
no cdp enable
!
interface Dialer1
ip unnumbered Serial0/0/0.1
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip route-cache cef
no ip route-cache
no ip mroute-cache
dialer pool 1
dialer string 800990218
dialer-group 1
no cdp enable
ppp pap sent-username XXXXXXX@XXXXXXXXX password 7 00084101095205000033414F1D100616
!
router rip
version 2
passive-interface FastEthernet0/0
passive-interface Serial0/0/0.1
network 151.8.0.0
no auto-summary
!
ip local pool SDM_POOL_1 192.168.10.1 192.168.10.10
ip route 0.0.0.0 0.0.0.0 Serial0/0/0.1
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 161.27.15.0 255.255.255.0 Serial0/0/0.2
!
ip http server
no ip http secure-server
ip nat inside source route-map sdm_rmap_1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.69.191 21 151.13.XXX.225 21 extendable
ip nat inside source static udp 192.168.6.100 500 151.13.XXX.225 500 extendable
ip nat inside source static udp 192.168.69.100 1701 151.13.XXX.225 1701 extendable
ip nat inside source static tcp 192.168.69.180 5500 151.13.XXX.225 5500 extendable
ip nat inside source static tcp 192.168.69.10 21 151.13.XXX.226 21 extendable
ip nat inside source static tcp 192.168.69.10 80 151.13.XXX.226 80 extendable
ip nat inside source static tcp 192.168.69.10 443 151.13.XXX.226 443 extendable
ip nat inside source static tcp 192.168.69.10 8088 151.13.XXX.226 8088 extendable
ip nat inside source static tcp 192.168.69.10 9090 151.13.XXX.226 9090 extendable
ip nat inside source static tcp 192.168.69.15 25 151.13.XXX.227 25 extendable
ip nat inside source static tcp 192.168.69.15 80 151.13.XXX.227 80 extendable
ip nat inside source static tcp 192.168.69.15 443 151.13.XXX.227 443 extendable
ip nat inside source static tcp 192.168.69.21 1723 151.13.XXX.229 1723 extendable
!
!
map-class frame-relay 512
frame-relay cir 1984000
frame-relay bc 62000
frame-relay be 0
frame-relay mincir 512000
frame-relay adaptive-shaping becn
logging trap notifications
access-list 4 permit 192.168.69.0 0.0.0.255
access-list 4 permit 161.27.XXX.0 0.0.0.255
access-list 4 permit 151.13.XXX.224 0.0.0.15
access-list 4 deny any log
access-list 90 permit 192.106.XXX.XXX
access-list 90 permit 161.XX.XX.0 0.0.0.255
access-list 90 permit 193.70.XXX.240 0.0.0.15
access-list 90 permit 151.17.XXX.128 0.0.0.63
access-list 90 deny any log
access-list 100 deny icmp any any
access-list 100 permit ip any any
access-list 101 remark SDM_ACL Category=17
access-list 101 permit tcp host 192.168.69.254 any eq www
access-list 101 permit tcp host 192.168.69.254 any eq 443
access-list 101 deny tcp any any eq www
access-list 101 deny tcp any any eq 443
access-list 101 permit ip any any
access-list 103 deny tcp any host 69.63.184.143 eq www
access-list 103 permit ip any any
access-list 110 deny ip host 151.13.XXX.228 any
access-list 110 permit ip any any
access-list 110 permit tcp any any eq 1723
access-list 110 permit gre any any
dialer-list 1 protocol ip permit
snmp-server engineID local 00000009020000B0C2880073
snmp-server community cominfo RO 90
snmp-server community netcontrol RW 90
snmp-server trap-source Serial0/0/0.2
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server host 161.27.15.34 cominfo
no cdp run
route-map sdm_rmap_1 permit 1
match ip address 110
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
!
control-plane
!
banner motd ^C

***********************************
@@ ACCESS DENIED TO THE PERSONAL @@
@@@@@ NOT AUTHORIZED @@@@@
***********************************
Vietato l'accesso alle persone non autorizzate


^C
!
line con 0
transport output telnet
line aux 0
transport output telnet
line vty 0 4
access-class 4 in
exec-timeout 60 0
logging synchronous
transport input telnet
line vty 5 15
transport input telnet
!
scheduler allocate 4000 1000
end
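The NAT behaviour behind the symptom can be reproduced from the config above. The script below is an added example, not code from the thread or from Cisco: it takes the four NAT statements that concern the mail server, applies a simplified model of the order IOS evaluates them in (static port entries, then 1:1 static entries, then the interface overload rule), and shows why a reply to an inbound connection leaves from .227 while a new outbound delivery, which uses an ephemeral source port, falls through to the overload rule and takes the primary address of FastEthernet0/0, .225. The `FIXED_CONFIG` variant, a single 1:1 entry `ip nat inside source static 192.168.69.15 151.13.XXX.227` in place of the three port-specific entries, is my suggestion rather than something the thread confirms; the evaluation order and the ephemeral port 49152 are assumptions.

```python
"""Model of the order in which IOS picks a NAT entry for an outbound packet.

Added example (not code from the thread or from Cisco). The evaluation order
is an assumption that matches documented IOS behaviour: static entries win
over the dynamic/overload rule, and a static *port* entry only matches when
the inside port matches too.
"""
import re

# NAT lines copied from the router config posted in the thread; the overload
# rule takes the primary address of FastEthernet0/0, which is 151.13.XXX.225.
POSTED_CONFIG = """
ip nat inside source route-map sdm_rmap_1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.69.15 25 151.13.XXX.227 25 extendable
ip nat inside source static tcp 192.168.69.15 80 151.13.XXX.227 80 extendable
ip nat inside source static tcp 192.168.69.15 443 151.13.XXX.227 443 extendable
"""

# Suggested replacement (assumption, not from the thread): one 1:1 static entry
# for the mail server instead of the three port-specific entries.
FIXED_CONFIG = """
ip nat inside source route-map sdm_rmap_1 interface FastEthernet0/0 overload
ip nat inside source static 192.168.69.15 151.13.XXX.227
"""

INTERFACE_PRIMARY = {"FastEthernet0/0": "151.13.XXX.225"}
MAIL_SERVER = "192.168.69.15"

STATIC_PORT = re.compile(
    r"ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
STATIC_1TO1 = re.compile(r"ip nat inside source static (\S+) (\S+)$")
OVERLOAD = re.compile(
    r"ip nat inside source (?:route-map|list) \S+ interface (\S+) overload")


def parse(cfg):
    """Turn the NAT lines into tuples; anything else is ignored."""
    rules = []
    for line in cfg.strip().splitlines():
        line = line.strip()
        if m := STATIC_PORT.match(line):
            rules.append(("static-port", m[1], m[2], int(m[3]), m[4], int(m[5])))
        elif m := STATIC_1TO1.match(line):
            rules.append(("static", m[1], m[2]))
        elif m := OVERLOAD.match(line):
            rules.append(("overload", INTERFACE_PRIMARY[m[1]]))
    return rules


def translate(rules, src_ip, src_port, proto="tcp"):
    """Pick (global_ip, global_port) for a new outbound flow from an inside host.

    1. static port entry: inside address, protocol *and* port must match
    2. static 1:1 entry: inside address only, port preserved
    3. overload: interface primary address, port preserved (simplified; IOS
       only rewrites the port on a collision)
    """
    for r in rules:
        if r[0] == "static-port" and (r[1], r[2], r[3]) == (proto, src_ip, src_port):
            return r[4], r[5]
    for r in rules:
        if r[0] == "static" and r[1] == src_ip:
            return r[2], src_port
    for r in rules:
        if r[0] == "overload":
            return r[1], src_port
    return None


def mail_flows(cfg, ephemeral_port=49152):
    """Source address the remote side sees for the two SMTP directions.

    A reply to an inbound connection leaves from the server's port 25; a new
    outbound delivery uses an ephemeral source port (49152 is an assumption).
    """
    rules = parse(cfg)
    return {
        "reply_to_inbound_smtp": translate(rules, MAIL_SERVER, 25)[0],
        "new_outbound_smtp": translate(rules, MAIL_SERVER, ephemeral_port)[0],
    }


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, mail_flows(cfg))
```

Two checks before applying the 1:1 entry on a real box. First, a full static translation exposes every listening port of the mail server at .227, whereas the port-specific entries only exposed 25, 80 and 443; ACL 110 on Serial0/0/0.1 currently ends in `permit ip any any`, so restrict it to those ports for host .227 before removing the port entries. Second, the `unknown` in the Received: header quoted further down the thread means the receiving MTA found no PTR record for the source address; once mail leaves from .227, that address needs a PTR matching the name the server uses in HELO, otherwise the change only moves the problem.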
francesco_savona
Cisco enlightened user
Posts: 129
Joined: Wed 01 Apr 2009, 9:58 am

Try removing the ACL on the Ethernet first and then on the serial, and run a test.
-------------------------------------------------------
SAVONA FRANCESCO
CCNA
-------------------------------------------------------
Chick75
n00b
Posts: 21
Joined: Thu 25 Jan 2007, 5:32 pm

francesco_savona wrote: Try removing the ACL on the Ethernet first and then on the serial, and run a test.
Sorry, I didn't understand..
francesco_savona
Cisco enlightened user
Posts: 129
Joined: Wed 01 Apr 2009, 9:58 am

Connect via telnet:

interface FastEthernet0/0
no ip access-group 101 in

interface Serial0/0/0.1 point-to-point
no ip access-group 110 in
-------------------------------------------------------
SAVONA FRANCESCO
CCNA
-------------------------------------------------------
Chick75
n00b
Posts: 21
Joined: Thu 25 Jan 2007, 5:32 pm

francesco_savona wrote: Connect via telnet:

interface FastEthernet0/0
no ip access-group 101 in

interface Serial0/0/0.1 point-to-point
no ip access-group 110 in
Ah ok, I'll try....
Chick75
n00b
Posts: 21
Joined: Thu 25 Jan 2007, 5:32 pm

Nothing, unfortunately.... in the email header I still get the router's IP:

Received: from exch2007.mydom.local (unknown [151.13.xxx.225])
francesco_savona
Cisco enlightened user
Posts: 129
Joined: Wed 01 Apr 2009, 9:58 am

Run a sh ip nat tra while the server sends a mail and check which TCP port it uses.
Check whether it is always the same.
-------------------------------------------------------
SAVONA FRANCESCO
CCNA
-------------------------------------------------------
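The `show ip nat translations` check suggested above is easy to automate. The script below is an added example, not from the thread: it parses a capture of that command and reports, for the mail server, the inside-global address and port IOS assigned to each connection towards a remote port 25. The capture is constructed in the column layout IOS prints, with remote hosts from the documentation range 203.0.113.0/24 and invented local ports, and it reflects the posted config: the reply on port 25 and the static entry show .227, while the two fresh outbound deliveries show .225.

```python
"""Read a `show ip nat translations` capture and report which inside-global
address each of the mail server's outbound SMTP connections was given.

Added example, not from the thread. The capture below is constructed in the
column layout IOS prints; remote hosts use the documentation range
203.0.113.0/24 and the local ports are invented.
"""
from collections import Counter, namedtuple

Xlate = namedtuple("Xlate", "proto inside_global inside_local outside_local outside_global")

SAMPLE_SHOW_OUTPUT = """\
Pro Inside global           Inside local            Outside local           Outside global
tcp 151.13.XXX.227:25       192.168.69.15:25        203.0.113.10:51234      203.0.113.10:51234
tcp 151.13.XXX.225:49153    192.168.69.15:49153     203.0.113.25:25         203.0.113.25:25
tcp 151.13.XXX.225:49154    192.168.69.15:49154     203.0.113.26:25         203.0.113.26:25
tcp 151.13.XXX.225:49155    192.168.69.10:49155     203.0.113.30:443        203.0.113.30:443
tcp 151.13.XXX.227:25       192.168.69.15:25        ---                     ---
"""


def split_endpoint(field):
    """'a.b.c.d:port' -> (ip, port); '---' (static entry placeholder) -> (None, None)."""
    if field == "---":
        return None, None
    ip, port = field.rsplit(":", 1)
    return ip, int(port)


def parse_translations(text):
    """One Xlate per data row; the header row and anything malformed is skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        rows.append(Xlate(parts[0], *map(split_endpoint, parts[1:])))
    return rows


def outbound_smtp_sources(text, inside_host):
    """(inside-global ip, port) for each live TCP connection opened by
    inside_host towards a remote port 25; static entries (no outside
    columns) are not connections and are skipped."""
    hits = []
    for x in parse_translations(text):
        if x.proto != "tcp" or x.outside_global[0] is None:
            continue
        if x.inside_local[0] == inside_host and x.outside_global[1] == 25:
            hits.append(x.inside_global)
    return hits


def source_address_counts(text, inside_host):
    """How many outbound SMTP connections left from each public address."""
    return Counter(ip for ip, _ in outbound_smtp_sources(text, inside_host))


def unexpected_sources(text, inside_host, expected_global):
    """Connections where the mail server left from an address other than expected."""
    return [ep for ep in outbound_smtp_sources(text, inside_host)
            if ep[0] != expected_global]


if __name__ == "__main__":
    print(source_address_counts(SAMPLE_SHOW_OUTPUT, "192.168.69.15"))
    print(unexpected_sources(SAMPLE_SHOW_OUTPUT, "192.168.69.15", "151.13.XXX.227"))
```

Run it against a capture taken while a test message is being delivered; `unexpected_sources` is the list to watch, and it should be empty once the translation is fixed. The source ports it lists answer the "is it always the same port" question in the post above: they are ephemeral, which is exactly why the port-specific static entries never match them.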