Hi all, I am relatively new to IOS and could use some help. We have 2 routers, 1 internal, 1 DMZ/external. Internal is a 1921, DMZ is an 891. We have an interesting setup right now where each router has its own public IP and separate connection to the modem. The 1921 handles all normal internet traffic and has our VPN server for remote access to our internals. The 891 handles our Lync Edge server and will soon have an Exchange Edge server. I am trying to configure the 891 to forward traffic from the DMZ subnet to the internal subnet and Exchange server.
I have done everything that I *think* needs to be done to get this to work. My boss believes I should be able to telnet from a DMZ machine to our internal Exchange server over port 25 and vice versa. However, this does not work.
The 891's fastethernet8 interface is connected directly to the 1921's gigabitethernet0/0 interface.
My config is as follows:
1921(INSIDE)-
*took out anything that doesn't pertain to SMTP traffic and these 2 routers
interface GigabitEthernet0/0
 description TO-DMZ
 ip address 10.10.1.2 255.255.255.0
 ip access-group sdm_gigabitethernet0/0_in in
 ip nat outside
 ip virtual-reassembly in
 ip verify unicast reverse-path
 ip policy route-map smtprule
 duplex auto
 speed auto
 no cdp enable
ip nat inside source static tcp 192.168.1.186 25 interface GigabitEthernet0/0 25
ip nat inside source route-map smtprule interface GigabitEthernet0/0 overload
ip route 10.10.10.0 255.255.255.0 GigabitEthernet0/0
!
ip access-list extended sdm_gigabitethernet0/0_in
 permit tcp any host 10.10.1.2 eq smtp
 permit tcp any host 10.10.1.2 eq 50636
 permit tcp any host 192.168.1.186 eq smtp
 permit tcp any host 192.168.1.186 eq 50636
 permit tcp any any eq 1723
 permit gre any any
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip host 10.10.1.2 any
 permit icmp any host 10.10.1.2 administratively-prohibited
 permit icmp any host 10.10.1.2 time-exceeded
 permit icmp any host 10.10.1.2 unreachable
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip host 255.255.255.255 any
 deny ip host 0.0.0.0 any
 deny ip any any log
access-list 151 permit tcp host 192.168.1.186 eq smtp any
access-list 151 permit tcp host 192.168.1.186 any eq smtp
access-list 151 permit ip host 192.168.1.186 any
!
route-map smtprule permit 5
 match ip address 151
 set interface GigabitEthernet0/0
!
891(DMZ)-
interface FastEthernet8
 ip address 10.10.1.10 255.255.255.0
 ip nat outside
 ip policy route-map smtprule
 duplex auto
 speed auto
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$
 ip address 10.10.10.1 255.255.255.0
 ip access-group 102 in
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
ip nat inside source route-map smtprule interface FastEthernet8 overload
ip route 192.168.1.0 255.255.255.0 FastEthernet8
access-list 151 permit tcp host 10.10.10.3 eq smtp any
access-list 151 permit tcp host 10.10.10.3 any eq smtp
access-list 151 permit ip host 10.10.10.3 any
route-map smtprule permit 5
 match ip address 151
 set interface FastEthernet8
A few things to note:
*10.10.10.3 is the Exchange Edge server
*192.168.1.186 is the Exchange server
*in the 1921's ACL I tried both the IP of the FastEthernet8 (DMZ) interface and what you see currently, which is the GigabitEthernet0/0 (inside) interface
*the route-map is just a test, I am really not sure if it was even necessary. Things are looking exactly the same since I put it in.
My boss is convinced SMTP won't flow between the two routers until I can telnet on port 25 to each respective machine, is this true? From each router I can ping machine IPs off the other router, but machines themselves cannot ping machines on the other router (or the router itself). So for instance while on the 891 I can ping 192.168.1.186 and while on the 1921 I can ping 10.10.10.3, but I cannot ping 192.168.1.186 from 10.10.10.3 or vice versa.
What am I missing? I was originally under the impression that static routes were the only thing I needed. After I added them it opened up the pinging I was talking about, but still cannot telnet on 25.
Please help!
SMTP Between 2 routers
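An added reasoning aid, not code from the poster or from Cisco: a small Python evaluator that walks the 1921's sdm_gigabitethernet0/0_in ACL exactly as posted with IOS semantics (top to bottom, first match wins, implicit deny at the end), so you can see which entry a given packet hits. The two sample packets at the bottom, SMTP and an echo request from 10.10.10.3 to 192.168.1.186, are constructed.

```python
import ipaddress

# Added example, not router code: walks an IOS extended ACL the way the router
# does (top to bottom, first match wins, implicit 'deny ip any any' at the end).
NAMED_PORTS = {"smtp": 25}
def parse_addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(tokens[1])))  # wildcard -> mask
    return ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]
def parse_port(tokens):
    """Consume an optional 'eq <port>'; return (port or None, remaining tokens)."""
    if tokens and tokens[0] == "eq":
        return (int(tokens[1]) if tokens[1].isdigit() else NAMED_PORTS[tokens[1]]), tokens[2:]
    return None, tokens
def parse_entry(line):
    """Parse one ACE, e.g. 'permit tcp any host 10.10.1.2 eq smtp', into its fields."""
    action, proto, *rest = line.split()
    src, rest = parse_addr(rest)
    sport, rest = parse_port(rest)
    dst, rest = parse_addr(rest)
    dport, rest = parse_port(rest)
    icmp_type = next((t for t in rest if t != "log"), None)  # e.g. 'unreachable'
    return action, proto, src, sport, dst, dport, icmp_type
def evaluate(acl, proto, src, dst, sport=None, dport=None, icmp_type=None):
    """Return (action, matching entry) for one packet described by its header fields."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl:
        action, p, rsrc, rsport, rdst, rdport, rtype = parse_entry(line)
        if (p in ("ip", proto) and s in rsrc and d in rdst and rsport in (None, sport)
                and rdport in (None, dport) and rtype in (None, icmp_type)):
            return action, line
    return "deny", "<implicit deny ip any any>"
ACL_1921_IN = [  # the 1921's sdm_gigabitethernet0/0_in ACL as posted, one entry per string
    "permit tcp any host 10.10.1.2 eq smtp", "permit tcp any host 10.10.1.2 eq 50636",
    "permit tcp any host 192.168.1.186 eq smtp", "permit tcp any host 192.168.1.186 eq 50636",
    "permit tcp any any eq 1723", "permit gre any any", "permit ip 192.168.1.0 0.0.0.255 any",
    "permit ip host 10.10.1.2 any", "permit icmp any host 10.10.1.2 administratively-prohibited",
    "permit icmp any host 10.10.1.2 time-exceeded", "permit icmp any host 10.10.1.2 unreachable",
    "deny ip 10.0.0.0 0.255.255.255 any", "deny ip 172.16.0.0 0.15.255.255 any",
    "deny ip 192.168.0.0 0.0.255.255 any", "deny ip 127.0.0.0 0.255.255.255 any",
    "deny ip host 255.255.255.255 any", "deny ip host 0.0.0.0 any", "deny ip any any log",
]
if __name__ == "__main__":  # constructed packets: SMTP and a ping from 10.10.10.3 to Exchange
    print(evaluate(ACL_1921_IN, "tcp", "10.10.10.3", "192.168.1.186", sport=50000, dport=25))
    print(evaluate(ACL_1921_IN, "icmp", "10.10.10.3", "192.168.1.186", icmp_type="echo"))
```

Note that the evaluator only models the ACL; NAT, policy routing and uRPF on the same interface are applied separately by the router and are not simulated here.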