Problems with NAT return

Unanswered Question
Oct 27th, 2009

Hi folks,

I'm having a problem when I'm doing NAT on dual-homed systems. I'll give an example: when I try to connect to TCP/25 at some places from behind the router, for some locations it works (like Gmail, etc.), but there are some other SMTP servers that don't work. When I telnet from the router to that same place that doesn't work from behind the router, it works. I did a tcpdump on one of the servers that doesn't work, and the packet arrives and is returned by the server, but doesn't arrive at the machine behind the router. I don't know what I'm missing in the router configuration. The IP address that I'm trying to reach from inside to outside is Here goes the running config.

In show ip nat translations, the dynamic NAT entry that it builds appears.

Sorry for my poor English :).

thotsaphon Tue, 10/27/2009 - 13:09


After reading your configuration, please correct me if I'm wrong.

- I'm not sure why PBR is applied on the outside interface. You're tracking the IP address of the Internet. I don't see any reason to apply it on the outside interface.

- Your mail server is

- Packets from are supposed to be NATed with when being sent out of the FastEthernet1 interface.

- What PBR has to do is to forward those packets out of the FastEthernet1 interface. Yes, it's doing it this way.

- NAT statements are read line by line as you may know.

- As far as I can see, it's falling into ip nat inside source route-map NAT-BRT-201 interface FastEthernet1 overload. In turn, mail packets are sent with the source IP address of the FastEthernet1 interface. It shouldn't be like that. Am I correct?

- Time to modify things as follows:


ip access-list extended NAT
deny ip host any
permit ip any
permit ip any
permit ip any


- Not sure what your design is, though. In case FastEthernet1 goes down, packets from have to be dropped by the ISP because of being sent with the public IP address of the other ISP. Ahh, you're using 2 ISPs. Right? (grin)

Hope I helped you some.


chuckzim420 Tue, 10/27/2009 - 13:18

That ACL is there just to make sure that the packets won't leave the router via the other ISP, for testing purposes. It's not permanent.

thotsaphon Tue, 10/27/2009 - 13:26


Did you try it? There are 2 parts of your configuration that I'm concerned about regarding your problem. The first part is PBR. The second part is NAT. PBR seems to work correctly by sending mail packets to the correct interface. You have to pay special attention to the NAT statements. It's very likely using the dynamic NAT on the FastEthernet1 interface for mail packets. What you can do is to deny it, to let it go out with the static NAT.

P.S. Your English is better than mine. (grin)
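The change thotsaphon proposes in both of his replies above (exclude the mail server host from the dynamic overload ACL so only the static translation applies to it), written out as an added example with constructed RFC 5737 documentation addresses; this is not the original poster's configuration, and the interface names, subnets and route-map sequence number are assumed.

```cisco
! Constructed example, not the poster's running config.
! Assumed: inside LAN 192.0.2.0/24 on FastEthernet0, mail server 192.0.2.25,
! FastEthernet1 = one ISP uplink, static public address 203.0.113.25 for the mail server.
interface FastEthernet0
 description inside LAN
 ip address 192.0.2.1 255.255.255.0
 ip nat inside
!
interface FastEthernet1
 description ISP uplink
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
!
! Static one-to-one entry for the mail server: it covers both directions, so
! SMTP replies to 203.0.113.25 are translated back to 192.0.2.25 without
! depending on a dynamic (overload) entry that was built inside->out only.
ip nat inside source static 192.0.2.25 203.0.113.25
!
! BEFORE (the situation described in the thread): the mail server also matches
! the dynamic overload ACL, so its outbound SMTP leaves with the FastEthernet1
! interface address instead of 203.0.113.25.
!   ip access-list extended NAT
!    permit ip 192.0.2.0 0.0.0.255 any
!
! AFTER: deny the mail server host first. ACL entries are evaluated top-down,
! so the deny must sit above the permit that covers the rest of the LAN.
ip access-list extended NAT
 deny   ip host 192.0.2.25 any
 permit ip 192.0.2.0 0.0.0.255 any
!
route-map NAT-BRT-201 permit 10
 match ip address NAT
 match interface FastEthernet1
!
ip nat inside source route-map NAT-BRT-201 interface FastEthernet1 overload
!
! Check: the mail server's entry should now show 203.0.113.25 as the global
! address, not the FastEthernet1 interface address.
! show ip nat translations | include 192.0.2.25
```

If the mail server's outbound SMTP should only ever use that one ISP, the same deny can be repeated in any overload ACL bound to the other uplink, so a failover does not silently re-source the traffic from the other provider's address (the concern raised in the first reply).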



chuckzim420 Wed, 10/28/2009 - 04:12

I tried both ways and it didn't work either way... I'm starting to get confused about why it builds the NAT inside->out but doesn't build out->in.

thotsaphon Wed, 10/28/2009 - 04:35


Please post the latest configuration you modified.


