ACE 4710 A3 outbound static NAT with Port redirection

Feb 12th, 2009


I have asked this question before, but as I have not got far with it I am going to try to be more specific this time.

I have a server that needs to do an outbound connection to a mail server. The connection has to be initiated to port 26, that then will be NATed to the external IP and port 26 redirected to port 25 for the SMTP connection.

When I try to configure this:

ACE-2/TEST(config-pmap-c)# nat static x.x.x.x netmask tcp eq 23 vlan 99

I get the error: Error: Invalid real port configured for NAT static

Any ideas what it means anyone?

Correct Answer by Gilles Dufour about 7 years 8 months ago

What you want to do is not possible.


VictorAKur Fri, 02/13/2009 - 04:01

Right. Forget about the previous question. I have an update.

I get this output on show nat policies at the moment:

NAT object ID:39 mapped_if:19 policy_id:50 type:STATIC static_xlate_id:64
ID:64 Static port translation
Real addr: Real port:26 Real interface:18
Mapped addr:x.x.x.x Mapped port:25 Mapped interface:19


where x.x.x.x - is the Public, external IP address on the ACE.

I need the traffic FROM the server going anywhere TO port 26 to be remapped to x.x.x.x port 25. At the moment it does not do it. The service policy on the inside doesn't even get a hit when I am telnetting from the server on port 26 to the outside world. It does get hits when I telnet to x.x.x.x external IP address from outside.

Something is telling me I am looking at it from a wrong direction altogether.

This is the config I have at the moment:

access-list 130 line 20 extended permit ip any any
access-list Source_NAT line 10 extended permit tcp host eq 26 any

class-map match-any Class_Port26
  2 match access-list Source_NAT

policy-map multi-match Policy_Port26_Static
  class Class_Port26
    nat static x.x.x.x netmask tcp eq smtp vlan 99

interface vlan 107
  ip address
  peer ip address
  access-group input 130
  service-policy input Policy_Port26_Static
  no shutdown

No server farms, no load balancing. Just that.

Any ideas?

VictorAKur Tue, 02/17/2009 - 01:57

:) haha Thank you very much.

Could you explain why it is not possible?

Gilles Dufour Tue, 02/17/2009 - 04:14

As you said, the command you're trying to use works the other way around.

The idea is to associate a server with a global ip so it can be reached directly from external users and if necessary perform destination port translation.

You can't modify the destination port of an unknown ip address (I mean unknown at the time of configuration).

If you know the destination, you could configure a static entry for each one of them.
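
A simplified model of the static port translation from the show nat policies output earlier in this thread, added here as an illustration; it was not posted by any participant and is not ACE code. The addresses are constructed documentation values, and the matching rules are an assumption based on the explanation above: the entry is keyed on the server's real address and port, so it can rewrite the destination of inbound traffic to the mapped address but never the destination of the server's outbound traffic.

```python
from dataclasses import dataclass, replace
from typing import NamedTuple

class Endpoint(NamedTuple):
    addr: str
    port: int

@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint

@dataclass(frozen=True)
class StaticPortXlate:
    """One static port translation: real (inside) endpoint <-> mapped (global) endpoint."""
    real: Endpoint
    mapped: Endpoint

    def inbound(self, pkt: Packet) -> Packet:
        # Outside -> inside: only traffic addressed to the mapped endpoint is rewritten.
        if pkt.dst == self.mapped:
            return replace(pkt, dst=self.real)
        return pkt

    def outbound(self, pkt: Packet) -> Packet:
        # Inside -> outside: only the source is a candidate, and only when it is
        # exactly the real endpoint. The destination is never inspected or changed.
        if pkt.src == self.real:
            return replace(pkt, src=self.mapped)
        return pkt

# Constructed sample addresses (documentation ranges), standing in for the elided ones.
SERVER, GLOBAL_IP, MAIL, CLIENT = "10.0.107.10", "203.0.113.10", "198.51.100.25", "192.0.2.50"
XLATE = StaticPortXlate(real=Endpoint(SERVER, 26), mapped=Endpoint(GLOBAL_IP, 25))

def inbound_to_global() -> Packet:
    # An external host connects to the global IP on port 25.
    return XLATE.inbound(Packet(Endpoint(CLIENT, 40000), Endpoint(GLOBAL_IP, 25)))

def outbound_to_port_26() -> Packet:
    # The server connects out to a mail server on port 26 from an ephemeral source port.
    return XLATE.outbound(Packet(Endpoint(SERVER, 51000), Endpoint(MAIL, 26)))

def reply_from_server_port_26() -> Packet:
    # Return traffic of an inbound session: the source is the server's real port 26.
    return XLATE.outbound(Packet(Endpoint(SERVER, 26), Endpoint(CLIENT, 40000)))

if __name__ == "__main__":
    for fn in (inbound_to_global, outbound_to_port_26, reply_from_server_port_26):
        print(fn.__name__, fn())
```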


VictorAKur Wed, 02/18/2009 - 01:54

Thank you again. I will have to settle for a static IP translation without port change. Shame, as it would be a rather neat solution otherwise.

