No exactly. I have 3 VPN connections with 3 clients (site-to-site). That is working. Now for the new client who wants to access the server located on the inside network (private addresses) I have to include nat statement:

ip nat inside static 192.168.100.9 82.200.68.164

Ok, now I want to limit access to a particular network (I do not want that everyone use ssh to access my server 192.168.100.9:

let say: 87.89.23.12 255.255.255.0.

I do not have any access input list from the outside, and the question is whether I have to include or not in my access list the following command :

access-list xxx deny ip any any.

I do not know whether that might have impact on my VPN communication, because It comes after IPsec with input access list (that access list is not the same with the above list which I am going to instantiate in the output interface set up like:

router(config-if)#ip access-group xxx in)

My IPsec access list are included in

crypto map CRYPTO 30 ipsec-isakmp

...

match address yyy

I have attempted another way, instead of puttting simple nat static command for the case of smtp (port 25) and include input access list, I have tried with (this time for port 25 - SMTP):

ip nat inside source static tcp 192.168.100.9 25 82.200.68.165 25 extendable

That works fine when I send mail from the outside, and in local, but when I try to send mail to outside world I am not capable to send it. The reason might be as it is stated on cisco site:

"Once that is working, they might also want to define static mappings for a particular host using each provider's address space. The software does not allow two static translations with the same local address, though, because it is ambiguous from the inside. The router will accept these static translations and resolve the ambiguity by creating full translations (all addresses and ports) if the static translations are marked as "extendable". For a new outside-to-inside flow, the appropriate static entry will act as a template for a full translation. For a new inside-to-outside flow, the dynamic route-map rules will be used to create a full translation "

The problem is that I have problem from inside-to-outside to send SMTP-out, consequently I do not know about which dynamic route-map rules it is reffereing to?

Hi

What do you mean by

"try to send mail to outside world I am not capable to send it"

Are you getting an SMTP error or something else.

Most Service providers will bounce connections from Mail servers without a valid reverse lookup via a PTR record.

http://aplawrence.com/Blog/B961.html

http://aplawrence.com/Blog/B961.html

I have included:

ip nat inside static 192.168.100.9 82.200.68.164

I could send and receive mail from yahoo.com etc.

Then I tried to limit access to the server, and I have included port 25 for smtp:

ip nat inside static 192.168.100.9 25 82.200.68.164 25

As a result I could receive mail from yahoo.com, but I could not send mail to let say my yahoo mail account.

I wish to stress that I do not have commands in my router running config file such as:

Ip nat inside route-map rmnameit pool nameit

Is that problem ?

“Wed 2009-03-11 19:08:42: Session 1877; child 2

Wed 2009-03-11 19:06:15: [1877:2] Parsing Message <>

Wed 2009-03-11 19:06:15: [1877:2] From: al.c@futurt.rs

Wed 2009-03-11 19:06:15: [1877:2] To: alex.c@yahoo.com

Wed 2009-03-11 19:06:15: [1877:2] Subject: test ako je uspeh

Wed 2009-03-11 19:06:15: [1877:2] Message-ID: <009901c9a273$f7bf06c0$a300a8c0@fplus.local>

Wed 2009-03-11 19:06:15: [1877:2] MX-record resolution of [yahoo.com] in progress (DNS Server: 192.168.0.2)...

Wed 2009-03-11 19:06:15: [1877:2] * P=001 D=yahoo.com TTL=(108) MX=[g.mx.mail.yahoo.com] {209.191.118.103}

Wed 2009-03-11 19:06:15: [1877:2] * P=001 D=yahoo.com TTL=(108) MX=[f.mx.mail.yahoo.com] {209.191.88.247}

Wed 2009-03-11 19:06:15: [1877:2] * P=001 D=yahoo.com TTL=(108) MX=[e.mx.mail.yahoo.com] {216.39.53.1}

Wed 2009-03-11 19:06:15: [1877:2] * P=001 D=yahoo.com TTL=(108) MX=[d.mx.mail.yahoo.com] {66.196.82.7}

Wed 2009-03-11 19:06:15: [1877:2] * P=001 D=yahoo.com TTL=(108) MX=[c.mx.mail.yahoo.com]

Wed 2009-03-11 19:06:15: [1877:2] * P=001 D=yahoo.com TTL=(108) MX=[b.mx.mail.yahoo.com] {66.196.97.250}

Wed 2009-03-11 19:06:15: [1877:2] * P=001 D=yahoo.com TTL=(108) MX=[a.mx.mail.yahoo.com] {67.195.168.31}

Wed 2009-03-11 19:06:15: [1877:2] Attempting MX: P=001 D=yahoo.com TTL=(108) MX=[a.mx.mail.yahoo.com] {67.195.168.31}

Wed 2009-03-11 19:06:15: [1877:2] Attempting SMTP connection to [67.195.168.31 : 25]

Wed 2009-03-11 19:06:15: [1877:2] Waiting for socket connection...

Wed 2009-03-11 19:06:36: [1877:2] Winsock Error 10060 The connection timed out.

Wed 2009-03-11 19:06:36: [1877:2] Attempting MX: P=001 D=yahoo.com TTL=(108) MX=[b.mx.mail.yahoo.com] {66.196.97.250}

Wed 2009-03-11 19:06:36: [1877:2] Attempting SMTP connection to [66.196.97.250 : 25]

Wed 2009-03-11 19:06:36: [1877:2] Waiting for socket connection...

Wed 2009-03-11 19:06:57: [1877:2] Winsock Error 10060 The connection timed out.

Wed 2009-03-11 19:06:57: [1877:2] Attempting MX: P=001 D=yahoo.com TTL=(108) MX=[c.mx.mail.yahoo.com]

MX=[c.mx.mail.yahoo.com]

Wed 2009-03-11 19:06:57: [1877:2] Attempting SMTP connection to [c.mx.mail.yahoo.com : 25]

Wed 2009-03-11 19:06:57: [1877:2] A-record resolution of [c.mx.mail.yahoo.com] in progress (DNS Server: 192.168.0.2)...

Wed 2009-03-11 19:06:57: [1877:2] D=c.mx.mail.yahoo.com TTL=(17) A=[216.39.53.2]

Wed 2009-03-11 19:06:57: [1877:2] Attempting SMTP connection to [216.39.53.2 : 25]

Wed 2009-03-11 19:06:57: [1877:2] Waiting for socket connection...

Wed 2009-03-11 19:07:18: [1877:2] Winsock Error 10060 The connection timed out.

Wed 2009-03-11 19:07:18: [1877:2] Attempting MX: P=001 D=yahoo.com TTL=(108) MX=[d.mx.mail.yahoo.com] {66.196.82.7}

Wed 2009-03-11 19:07:18: [1877:2] Attempting SMTP connection to [66.196.82.7 : 25]

Wed 2009-03-11 19:07:18: [1877:2] Waiting for socket connection...

Wed 2009-03-11 19:07:39: [1877:2] Winsock Error 10060 The connection timed out.

Wed 2009-03-11 19:07:39: [1877:2] Attempting MX: P=001 D=yahoo.com TTL=(108) MX=[e.mx.mail.yahoo.com] {216.39.53.1}

...

Waiting for socket connection...

Wed 2009-03-11 19:08:42: [1877:2] Winsock Error 10060 The connection timed out.

Wed 2009-03-11 19:08:42: [1877:2] This message is 2 minutes old; it has 118 minutes left in this queue

Wed 2009-03-11 19:08:42: [1877:2] SMTP session terminated (Bytes in/out: 0/0)

Wed 2009-03-11 19:08:42: ----------""

Well I could not figure out what was the reason, the mail server rejected my connection.

I have tested with several accounts, and it failed as yahoo one.

Then I have decided to take first approach:

ip nat inside static 192.168.100.9 82.200.68.164

with designing acl on that output interface to limit only smtp port opened:

access-list 123 permit tcp any host 82.200.68.164 eq 25

access-list 123 deny ip any any

I am still not 100% on what you need so will make more assumptions.

The "new" client is not connecting to the public address 82.200.68.164 via an IPSec tunnel.

If this is the case, and you want to restrict access to this server, then you have a few options.

1. Amend the ACL attached inbound to the outside interface to restrict access to the host address 82.200.68.164 on TCP port 22.

If you want everyone to have access to this server "expect" certain customers, then add explicit deny's to the top of your ACL, then below the last deny, add a permit any to the host on TCP port 22 as ACL's are processed top down, this will be more efficient.

( Your post says 'let say: 87.89.23.12 255.255.255.0.', I am not sure if you mean the host 87.89.23.12 or network 87.89.23.0/24 so I have included both in the example below )

access-list xxx deny tcp host 87.89.23.12 host 82.200.68.164 eq 22

access-list xxx deny tcp 87.89.23.0 0.0.0.255 host 82.200.68.164 eq 22

access-list 111 permit tcp any host 82.200.68.164 eq 22

If you want no access to this address except certain customers, then remove any generic access to this host address that may be in the ACL and add individual permits to the host on port TCP leaving the explicit deny at the end to catch all other connections.

access-list xxx permit tcp 87.89.23.0 0.0.0.255 host 82.200.68.164 eq 22

access-list xxx permit tcp any host 82.200.68.164 eq 22

2. If you can move the NAT to an ASA/PX, you can control the static NAT with an ACL

static (inside,outside) 82.200.68.164 access-list host-nat

access-list eres-nat extended permit tcp host 192.168.100.9

3. Leave access open on TCP port 22 on your router to the host address 82.200.68.164 and control the access from the server itself. If your server is a *NIX based OS, normally you can control access from there via the hosts.allolw file for instance on FreeBSD. AS you have locked down TCP access

"The "new" client is not connecting to the public address 82.200.68.164 via an IPSec tunnel"

No, it is not. VPN connections (3 of them) are only on the same interface. They do not have anything to do with nat, but I have concern that access list from crypto map have to be included in my acl which limits access to my mail server behind my router-firewall.

In fact, can I completely ignore acls (consisting of only private addresses) from crypto-map when I write acl on the output interface to limit access to the server behind router-firewall (Cisco 2801)?