04-02-2008 10:52 AM - edited 03-05-2019 10:08 PM
I have a mail server internal to my network. The config below allows mail from the outside world to reach my mail server on 21, but when my server sends mail the destination mail server receives the mail from 20. The packets seem to be NATed by the rule that NATs the network and not the static NAT rule on the outbound traffic. Is there a way to have the outbound traffic from my mail server to be NATed to 21?
ip nat pool ovrld x.x.x.20 x.x.x.20 prefix-length x
ip nat inside source route-map SDM_RMAP_2 interface FastEthernet0/1 overload
ip nat inside source static tcp 10.0.0.10 25 x.x.x.21 25 route-map SDM_RMAP_8 extendable
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
access-list 109 permit ip host 10.0.0.10 any
route-map SDM_RMAP_2 permit 1
match ip address 102
!
route-map SDM_RMAP_8 permit 1
match ip address 108
04-02-2008 10:58 AM
Jimmy
Is this a typo?
access-list 109 permit ip host 10.0.0.10 any
route-map SDM_RMAP_8 permit 1
match ip address 108
ie. access-list 109 but match ip address 108 ?
Jon
04-02-2008 11:14 AM
Yes, that is a typo, sorry.
04-02-2008 11:35 AM
Can you post the output of
"sh ip nat translations"
Jon
04-02-2008 12:38 PM
Pro Inside global Inside local Outside local Outside global
tcp x.x.x.21:25 10.0.0.10:25 --- ---
tcp x.x.x..21:443 10.0.0.10:443 --- ---
I also have this line in there :
Pro Inside global Inside local Outside local Outside global
tcp x.x.x.20:25 10.0.0.10:25 82.34.117.82:3167 82.34.117.82:3167
04-02-2008 01:57 PM
Jimmy
Just spent about 1/2 hour playing around with this and no matter what I did couldn't get it working with route-maps. However, looking at your config I'm not sure you need route-maps.
This is the config I got working:
ip nat inside source list 101 interface FastEthernet0/1 overload
ip nat inside source static 10.100.1.6 192.168.32.1
!
access-list 101 permit ip 10.100.1.0 0.0.0.255 any
access-list 102 permit ip host 10.100.1.6 any
No route-maps but it works.
Will this work for you, or are your requirements more complex than your example?
Jon
04-02-2008 02:01 PM
So this will NAT 10.100.1.6 outbound to 192.168.32.1 and the rest of 10.100.1.x to whatever the natpool is?
I also just want port 25 to be NATed to this address. I have some other ports coming in for a different server.
If this is correct, then yes that will work.
Thanks for your help
04-02-2008 02:04 PM
Jimmy
No problem, but please test carefully in production as I was working in a lab.
Also, because we have translated 10.100.1.6 to 192.168.32.1 for all ports and not just 25, you need to be careful with access. You could try using ports as you did in your example.
I'll try it out in the lab tomorrow if I get the time.
Jon
04-02-2008 03:43 PM
Well, that did work, but now I have another problem.
I have users using VPN and when they ping 10.0.0.10 they get the external address of x.x.x.21. Using the route map to disallow the VPN pool fixes the problem but then I'm back to the mail server sending out on .20 again.
04-02-2008 12:00 PM
Couldn't you just exclude the mail server from the network NAT like this:
access-list 102 deny ip host 10.0.0.10 any
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
Kevin Dorrell
Luxembourg
04-02-2008 12:37 PM
I did try that and then I was unable to send out at all from the mail server.
04-02-2008 10:51 PM
At least it has excluded it from the general network NAT. Now we can concentrate on why the static NAT does not work.
The problem may be because of the static NAT entry. The problem may be that you have specified the port. As it is a source NAT, it is expecting the source port to be 25. I'm not 100% sure, but I think SMTP connections may be from a dynamic port, to port 25.
I suggest you try removing the port 25 part of the static NAT. That at least will tell you if the static NAT can be made to work. Then put the port 25 as the destination in the NAT filter ... access-list 109.
While you are about it, you could modify your exclusion clause so that only traffic destined for port 25 is excluded. That way your mail server could use the general network NAT for non-SMTP traffic.
So, let's see, that makes something like:
ip nat pool ovrld x.x.x.20 x.x.x.20 prefix-length x
ip nat inside source route-map SDM_RMAP_2 interface FastEthernet0/1 overload
ip nat inside source static 10.0.0.10 x.x.x.21 route-map SDM_RMAP_8 extendable
access-list 102 deny tcp host 10.0.0.10 any eq 25
access-list 102 deny tcp host 10.0.0.10 eq 25 any
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
access-list 108 permit tcp host 10.0.0.10 any eq 25
access-list 108 permit tcp host 10.0.0.10 eq 25 any
route-map SDM_RMAP_2 permit 1
match ip address 102
!
route-map SDM_RMAP_8 permit 1
match ip address 108
Kevin Dorrell
Luxembourg
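The following Python model is an added illustration, not code from this thread or from Cisco. It replays the four configurations discussed here (the original post, Kevin's first "exclude the mail server" suggestion, Jon's unconditional static mapped onto the thread's addresses, and Kevin's final answer) against two constructed outbound flows from the mail server, and shows which source address the outside world sees. The evaluation order (static entry first if its address, source port and route-map ACL match, then the overload rule) is a simplification assumed by the model; 203.0.113.20/.21 stand in for x.x.x.20/.21, 198.51.100.5 is a constructed remote host, and the original post's 109/108 typo is taken as corrected, as confirmed in the thread.

```python
"""Simplified model of Cisco IOS 'ip nat inside source' selection (assumption, not IOS internals):
a static entry wins when the inside-local address, the source port (for a port-specific
static) and its route-map ACL match; otherwise the dynamic overload rule applies if its ACL permits.
Addresses 203.0.113.20/.21 stand in for the thread's x.x.x.20/.21 (constructed placeholders)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class AclEntry:
    action: str
    proto: str          # "ip" matches any protocol
    src: object         # ip_network
    sport: Optional[int]
    dst: object
    dport: Optional[int]

    def matches(self, f: Flow) -> bool:
        return ((self.proto == "ip" or self.proto == f.proto)
                and ip_address(f.src) in self.src and ip_address(f.dst) in self.dst
                and (self.sport is None or self.sport == f.sport)
                and (self.dport is None or self.dport == f.dport))


def parse_acls(lines):
    """Parse numbered 'access-list N permit|deny proto src [eq p] dst [eq p]' lines."""
    acls = {}
    for line in lines:
        toks = line.split()
        number, action, proto, rest = toks[1], toks[2], toks[3], toks[4:]

        def addr():
            if rest[0] == "any":
                del rest[0]; return ip_network("0.0.0.0/0")
            if rest[0] == "host":
                net = ip_network(rest[1] + "/32"); del rest[:2]; return net
            mask = 0xFFFFFFFF ^ int(ip_address(rest[1]))      # wildcard -> netmask
            net = ip_network((rest[0], str(ip_address(mask))), strict=False)
            del rest[:2]; return net

        def port():
            if rest[:1] == ["eq"]:
                p = int(rest[1]); del rest[:2]; return p
            return None

        src, sport, dst, dport = addr(), port(), addr(), port()
        acls.setdefault(number, []).append(AclEntry(action, proto, src, sport, dst, dport))
    return acls


def acl_permits(entries, f: Flow) -> bool:
    for e in entries:
        if e.matches(f):
            return e.action == "permit"
    return False                      # implicit deny at the end of every IOS ACL


@dataclass
class StaticNat:
    inside_local: str
    inside_global: str
    port: Optional[int] = None        # set for the 'static tcp L 25 G 25' form
    acl: Optional[str] = None         # route-map's match ACL; None = unconditional


@dataclass
class Overload:
    acl: str
    inside_global: str


def outbound_source(f: Flow, statics, overload, acls) -> str:
    """Source address the outside sees for an inside->outside flow."""
    for s in statics:
        if f.src != s.inside_local:
            continue
        if s.port is not None and (f.proto != "tcp" or f.sport != s.port):
            continue                  # port-specific static needs the *source* port to match
        if s.acl is not None and not acl_permits(acls[s.acl], f):
            continue
        return s.inside_global
    if acl_permits(acls[overload.acl], f):
        return overload.inside_global
    return f.src                      # untranslated: the private address leaks out


G20, G21, MAIL = "203.0.113.20", "203.0.113.21", "10.0.0.10"
OVERLOAD = Overload("102", G20)       # 'ip nat inside source route-map SDM_RMAP_2 ... overload'

CONFIGS = {
    "original":     ([StaticNat(MAIL, G21, port=25, acl="108")],
                     ["access-list 102 permit ip 10.0.0.0 0.0.0.255 any",
                      "access-list 108 permit ip host 10.0.0.10 any"]),
    "exclude-only": ([StaticNat(MAIL, G21, port=25, acl="108")],
                     ["access-list 102 deny ip host 10.0.0.10 any",
                      "access-list 102 permit ip 10.0.0.0 0.0.0.255 any",
                      "access-list 108 permit ip host 10.0.0.10 any"]),
    "jon":          ([StaticNat(MAIL, G21)],          # Jon's lab config, re-addressed
                     ["access-list 102 permit ip 10.0.0.0 0.0.0.255 any"]),
    "kevin":        ([StaticNat(MAIL, G21, acl="108")],
                     ["access-list 102 deny tcp host 10.0.0.10 any eq 25",
                      "access-list 102 deny tcp host 10.0.0.10 eq 25 any",
                      "access-list 102 permit ip 10.0.0.0 0.0.0.255 any",
                      "access-list 108 permit tcp host 10.0.0.10 any eq 25",
                      "access-list 108 permit tcp host 10.0.0.10 eq 25 any"]),
}

# Constructed flows: outbound SMTP from an ephemeral port, and outbound HTTPS from the mail server
SMTP_OUT = Flow("tcp", MAIL, 40123, "198.51.100.5", 25)
HTTPS_OUT = Flow("tcp", MAIL, 40124, "198.51.100.5", 443)


def seen_as(config_name: str, flow: Flow) -> str:
    statics, acl_lines = CONFIGS[config_name]
    return outbound_source(flow, statics, OVERLOAD, parse_acls(acl_lines))


if __name__ == "__main__":
    for name in CONFIGS:
        print(f"{name:13s} smtp->{seen_as(name, SMTP_OUT)}  https->{seen_as(name, HTTPS_OUT)}")
```

Under this model the original config sends SMTP out from .20 because the static entry requires source port 25 and an outbound SMTP session uses an ephemeral port; the exclude-only variant leaves the mail server untranslated, which matches the "unable to send out at all" report; Jon's unconditional static puts every port of the mail server behind .21; Kevin's final answer sends only SMTP from .21 and lets everything else use the shared .20.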
04-03-2008 09:51 AM
Thanks Kevin and Jon for your help. This did work.