static and route-map + vpn won't work



When using a more specific route-map static which includes ports tcp 25, I am not able to NAT; no more traffic flows. When using static without TCP restrictions in the static command it works, but I only want to static NAT some special ports.

My config is attached, please see the commented static parts.

Big Thx!

smahbub Thu, 06/05/2008 - 14:22

To enable Network Address Translation (NAT) of the inside source address, use the "ip nat inside source" command in global configuration mode. To remove the static translation or remove the dynamic association to a pool, use the no form of this command.

Paolo Bevilacqua Mon, 06/09/2008 - 10:12

This happens constantly with "contributions" from said individual and others from the same firm.

Some people realize the deception and rate consequently.

Unfortunately, that doesn't appear to stop the flow of misinformation.

Giuseppe Larosa Tue, 06/10/2008 - 05:49

Hello Peter,

If all you want is to map TCP/25 over a public address xxx TCP/25, you shouldn't need to specify a route-map in the command; it is just enough to specify all the parameters for the mappings.

So I will try the command without making any reference to the route-map because it is meaningless in your case.

Actually, if you look at the following link:

the command syntax for port static NAT does not provide the route-map option:

ip nat inside source static {tcp | udp} local-ip local-port global-ip global-port [extendable] [no-alias] [no-payload]

So I would suggest:

ip nat inside source static tcp 10.10.10.2 25 XXX.XXX.XXX.XXX 25

hope to help


Giuseppe Larosa Wed, 06/11/2008 - 02:33

Hello Peter,

I had given a quick look at the route-map and I hadn't seen the whole picture.

However, as I have shown in the link in my previous post, when you specify a TCP port you cannot then provide a reference to a route-map in the same statement.

And your router is in release 12.3 as my link.

So I'm afraid you need to sacrifice a whole public IP address to your server to get the desired selective NAT behaviour.

best regards


Hi Giu,

Thx for your reply. It's bad that the Cisco box will accept the command with the TCP restriction and a route-map but won't handle it correctly; it should give an error while executing it....

That's bad, so if I have for example a mailserver and a webserver but only 1 pub IP, I am running into problems, due to lack of pub IP amount. I still can't believe that I am not able to do a static port translation with only 1 pub IP to different services on different services and make it available too in a VPN environment with the use of route-maps.

The next problem is when natting the whole pub IP: it seems to work all great (except the fact everything inbound will be forwarded to the mailserver and the access-list 183 seems to be ignored). When accessing via VPN it's correctly not natted, but I get strange (non SMTP RFC) responses; seems like there is an SMTP inspection or stuff like that running. Why are the helo/ehlo messages different when accessing via VPN than via pub IP?

Thx for your help Giu, I appreciate that!!

