NAT question

jimmycat
Level 1

I have a mail server internal to my network. The config below allows mail from the outside world to reach my mail server on 21, but when my server sends mail the destination mail server receives the mail from 20. The packets seem to be NATed by the rule that NATs the network and not the static NAT rule on the outbound traffic. Is there a way to have the outbound traffic from my mail server to be NATed to 21?

ip nat pool ovrld x.x.x.20 x.x.x.20 prefix-length x

ip nat inside source route-map SDM_RMAP_2 interface FastEthernet0/1 overload

ip nat inside source static tcp 10.0.0.10 25 x.x.x.21 25 route-map SDM_RMAP_8 extendable

access-list 102 permit ip 10.0.0.0 0.0.0.255 any

access-list 109 permit ip host 10.0.0.10 any

route-map SDM_RMAP_2 permit 1

match ip address 102

!

route-map SDM_RMAP_8 permit 1

match ip address 108


12 Replies

Jon Marshall
Hall of Fame

Jimmy

Is this a typo?

access-list 109 permit ip host 10.0.0.10 any

route-map SDM_RMAP_8 permit 1

match ip address 108

ie. access-list 109 but match ip address 108 ?

Jon

Yes, that is a typo, sorry.

Can you post the output of

"sh ip nat translations"

Jon

Pro Inside global Inside local Outside local Outside global

tcp x.x.x.21:25 10.0.0.10:25 --- ---

tcp x.x.x.21:443 10.0.0.10:443 --- ---

I also have this line in there:

Pro Inside global Inside local Outside local Outside global

tcp x.x.x.20:25 10.0.0.10:25 82.34.117.82:3167 82.34.117.82:3167

Jimmy

Just spent about 1/2 hour playing around with this and no matter what I did couldn't get it working with route-maps. However, looking at your config I'm not sure you need route-maps.

This is the config I got working:

ip nat inside source list 101 interface FastEthernet0/1 overload

ip nat inside source static 10.100.1.6 192.168.32.1

!

access-list 101 permit ip 10.100.1.0 0.0.0.255 any

access-list 102 permit ip host 10.100.1.6 any

No route-maps but it works.

Will this work for you, or are your requirements more complex than your example?

Jon

So this will NAT 10.100.1.6 outbound to 192.168.32.1 and the rest of 10.100.1.x to whatever the natpool is?

I also just want port 25 to be NATed to this address. I have some other ports coming in for a different server.

If this is correct, then yes that will work.

Thanks for your help

Jimmy

No problem, but please test carefully in production as I was working in a lab.

Also because we have translated 10.100.1.6 to 192.168.32.1 for all ports and not just 25 you need to be careful with access. You could try using ports as you did in your example.

I'll try it out in lab tomorrow if i get the time.

Jon

Well, that did work, but now I have another problem.

I have users using VPN and when they ping 10.0.0.10 they get the external address of x.x.x.21. Using the route map to disallow the VPN pool fixes the problem but then I'm back to the mail server sending out on .20 again.

Kevin Dorrell
Level 10

Couldn't you just exclude the mail server from the network NAT like this:

access-list 102 deny ip host 10.0.0.10 any

access-list 102 permit ip 10.0.0.0 0.0.0.255 any

Kevin Dorrell

Luxembourg

I did try that and then I was unable to send out at all from the mail server.

At least it has excluded it from the general network NAT. Now we can concentrate on why the static NAT does not work.

The problem may be with the static NAT entry. The problem may be that you have specified the port. As it is a source NAT, it is expecting the source port to be 25. I'm not 100% sure, but I think SMTP connections may be from a dynamic port, to port 25.

I suggest you try removing the port 25 part of the static NAT. That at least will tell you if the static NAT can be made to work. Then put the port 25 as the destination in the NAT filter ... access-list 109.

While you are about it, you could modify your exclusion clause so that only traffic destined for port 25 is excluded. That way your mail server could use the general network NAT for non-SMTP traffic.

So, let's see, that makes something like:

ip nat pool ovrld x.x.x.20 x.x.x.20 prefix-length x

ip nat inside source route-map SDM_RMAP_2 interface FastEthernet0/1 overload

ip nat inside source static 10.0.0.10 x.x.x.21 route-map SDM_RMAP_8 extendable

access-list 102 deny tcp host 10.0.0.10 any eq 25

access-list 102 deny tcp host 10.0.0.10 eq 25 any

access-list 102 permit ip 10.0.0.0 0.0.0.255 any

access-list 108 permit tcp host 10.0.0.10 any eq 25

access-list 108 permit tcp host 10.0.0.10 eq 25 any

route-map SDM_RMAP_2 permit 1

match ip address 102

!

route-map SDM_RMAP_8 permit 1

match ip address 108

Kevin Dorrell

Luxembourg
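The reasoning in Kevin's accepted answer (and the dead end Jimmy hit when the mail server was simply denied in access-list 102) can be walked through with a small rule-evaluation model. The following is an added example written for this page, not configuration or code from the thread or from Cisco. It assumes the usual IOS behaviour that static inside-source entries are consulted before the dynamic overload rule, that a port-level static entry (`ip nat inside source static tcp <host> <port> ...`) only matches traffic whose inside source port is the pinned port, and that an ACL is evaluated first-match with an implicit deny. The inside-global labels `x.x.x.20` and `x.x.x.21` are the thread's own placeholders; the remote address `203.0.113.5` and the ephemeral ports are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed model (not IOS code) of how a router chooses which inside-source NAT
# rule translates an outbound packet: static entries are checked before the dynamic
# overload rule, and each entry is gated by the ACL its route-map references.


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Ace:
    """One access-list entry. Ports model the 'eq' keyword on the source or destination side."""
    action: str                      # "permit" or "deny"
    src: str                         # CIDR; 'host A' is written as A/32
    dst: str = "0.0.0.0/0"           # 'any'
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src_ip) in ip_network(self.src)
                and ip_address(p.dst_ip) in ip_network(self.dst)
                and (self.src_port is None or p.src_port == self.src_port)
                and (self.dst_port is None or p.dst_port == self.dst_port))


def acl_permits(acl: Tuple[Ace, ...], p: Packet) -> bool:
    """First matching entry wins; an ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action == "permit"
    return False


@dataclass(frozen=True)
class NatRule:
    kind: str                            # "static" or "overload"
    inside_global: str                   # label of the public address handed out
    inside_local: Optional[str] = None   # static entries name one inside host
    local_port: Optional[int] = None     # 'static tcp <host> <port>' pins the inside SOURCE port
    acl: Tuple[Ace, ...] = ()            # ACL behind 'route-map ... match ip address'

    def applies(self, p: Packet) -> bool:
        if self.kind == "static":
            if p.src_ip != self.inside_local:
                return False
            # The crux of the thread: a port-level static entry only matches traffic whose
            # source port is the pinned port. Outbound SMTP leaves from an ephemeral port,
            # so it never hits this entry and falls through to whatever comes next.
            if self.local_port is not None and p.src_port != self.local_port:
                return False
        return acl_permits(self.acl, p)


def translate(rules: List[NatRule], p: Packet) -> Optional[str]:
    """Return the inside-global address chosen for p, or None if no rule translates it."""
    ordered = [r for r in rules if r.kind == "static"] + [r for r in rules if r.kind == "overload"]
    for rule in ordered:
        if rule.applies(p):
            return rule.inside_global
    return None


MAIL = "10.0.0.10"

# The original poster's configuration (ACL 109 as intended; the 108/109 typo is ignored here).
ORIGINAL = [
    NatRule("static", "x.x.x.21", MAIL, local_port=25,
            acl=(Ace("permit", "10.0.0.10/32"),)),                       # access-list 109
    NatRule("overload", "x.x.x.20",
            acl=(Ace("permit", "10.0.0.0/24"),)),                         # access-list 102
]

# Kevin's first suggestion: the mail server denied outright in the overload ACL.
EXCLUDED = [
    ORIGINAL[0],
    NatRule("overload", "x.x.x.20",
            acl=(Ace("deny", "10.0.0.10/32"), Ace("permit", "10.0.0.0/24"))),
]

# Kevin's accepted solution: static NAT without a port, gated by ACL 108 on port 25 in either
# direction, and ACL 102 denying that same SMTP traffic so it cannot fall through to .20.
FIXED = [
    NatRule("static", "x.x.x.21", MAIL,
            acl=(Ace("permit", "10.0.0.10/32", dst_port=25),
                 Ace("permit", "10.0.0.10/32", src_port=25))),           # access-list 108
    NatRule("overload", "x.x.x.20",
            acl=(Ace("deny", "10.0.0.10/32", dst_port=25),
                 Ace("deny", "10.0.0.10/32", src_port=25),
                 Ace("permit", "10.0.0.0/24"))),                          # access-list 102
]

# Constructed sample flows; 203.0.113.5 is a documentation-range placeholder for a remote MTA.
OUTBOUND_SMTP = Packet(MAIL, 3167, "203.0.113.5", 25)        # mail server delivering mail
MAIL_HTTPS = Packet(MAIL, 50000, "203.0.113.5", 443)         # mail server doing non-SMTP work
OTHER_HOST = Packet("10.0.0.50", 40000, "203.0.113.5", 80)   # an ordinary LAN client

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("excluded", EXCLUDED), ("fixed", FIXED)):
        for label, pkt in (("smtp", OUTBOUND_SMTP), ("https", MAIL_HTTPS), ("other", OTHER_HOST)):
            print(f"{name:8} {label:6} -> {translate(rules, pkt)}")
```

Running it reproduces the three states of the thread: under the original config outbound SMTP misses the port-pinned static entry and is translated by the overload rule to `x.x.x.20`; with the mail server denied in access-list 102 it matches nothing and cannot leave at all; with the accepted configuration SMTP goes out as `x.x.x.21` while the server's other traffic and the rest of the LAN still use `x.x.x.20`. The check worth keeping from this, when reviewing a NAT change, is to trace one real outbound flow (ephemeral source port, well-known destination port) through every rule in order rather than assuming the static entry will claim it.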

Thanks Kevin and Jon for your help. This did work.
