Problems with NAT return

chuckzim420
Level 1

Hi folks,

I'm having a problem when I'm doing NAT on dual-homed systems. I'll give an example: when I try to connect to TCP/25 at some places from behind the router, for some locations it works (like Gmail, etc.), but there are some other SMTP servers that don't work. When I telnet from the router to that same place that doesn't work from behind the router, it works. I did a tcpdump on one of the servers that doesn't work, and the packet arrives and is returned by the server, but doesn't arrive at the machine behind the router. I don't know where I'm going wrong in the router configuration. The IP address that I'm trying to reach from inside to outside is 192.168.0.1. Here is the running config.

In show ip nat translations, the dynamic NAT that it builds appears.

Sorry for my poor English :).

5 Replies

Chuck,

After reading your configuration, please correct me if I'm wrong.

- I'm not sure why PBR is applied on the outside interface. You're tracking the IP address of the Internet. I don't see any reason to apply it on the outside interface.

- Your mail server is 192.168.0.1.

- Packets from 192.168.0.1 are supposed to be NATed with 201.66.235.2 when being sent out of the FastEthernet1 interface.

- What PBR has to do is to forward those packets out of the FastEthernet1 interface. Yes, it's doing it this way.

- NAT statements are read line by line as you may know.

- As far as I can see, it's falling into ip nat inside source route-map NAT-BRT-201 interface FastEthernet1 overload. In turn, mail packets are sent with the source IP address of the FastEthernet1 interface. It shouldn't be like that. Am I correct?

- Time to modify things as follows:

!
ip access-list extended NAT
 deny ip host 192.168.0.1 any
 permit ip 172.27.1.0 0.0.0.255 any
 permit ip 192.168.0.0 0.0.0.255 any
 permit ip 192.168.2.0 0.0.0.255 any
!

- Not sure what your design is, though. In case FastEthernet1 goes down, packets from 192.168.0.1 would have to be dropped by the ISP because of being sent with the public IP address of the other ISP. Ahh, you're using 2 ISPs. Right? (grin)

Hope I helped you some.

Toshi

That ACL is there just to make sure that the packets won't leave the router by the other ISP, for testing purposes. It's not permanent.

Chuck,

Did you try it? There are 2 parts of your configuration that I'm concerned about regarding your problem. The first part is PBR. The second part is NAT. PBR seems to work correctly by sending mail packets to the correct interface. You have to pay special attention to the NAT statements. It's very likely using the dynamic NAT on the FastEthernet1 interface for mail packets. What you can do is to deny it, to let it go out with the static NAT.

P.S. Your English is better than mine. (grin)

HTH,

Toshi
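Toshi's two replies (the line-by-line NAT evaluation and the deny entry that keeps the mail server out of the overload pool) collected into one IOS fragment, as an added illustration that is not part of the thread; the poster's running config is not reproduced on this page, so the inside interface name, the second ISP interface, the route-map body and the static mapping line are assumptions, while 192.168.0.1, 201.66.235.2, FastEthernet1, ACL NAT and route-map NAT-BRT-201 come from the replies above:

```cisco
! Assumed topology (not from the thread): LAN on FastEthernet0, ISP-A on
! FastEthernet1 (public 201.66.235.x), ISP-B on FastEthernet2.
interface FastEthernet0
 ip nat inside
interface FastEthernet1
 ip nat outside
interface FastEthernet2
 ip nat outside
!
! One-to-one mapping for the mail server. Assumed form: no route-map, so the
! translation applies whichever outside interface the packet leaves on and the
! return packet for 201.66.235.2 is un-NATed to 192.168.0.1 on either ISP link.
ip nat inside source static 192.168.0.1 201.66.235.2
!
! Dynamic PAT for every other inside host behind ISP-A. The deny line is the
! change Toshi proposed: without it, 192.168.0.1 also matches the permit for
! 192.168.0.0/24 and is overloaded onto the FastEthernet1 interface address,
! so the remote SMTP server replies to an address that maps to nothing inside.
ip access-list extended NAT
 deny   ip host 192.168.0.1 any
 permit ip 172.27.1.0 0.0.0.255 any
 permit ip 192.168.0.0 0.0.0.255 any
 permit ip 192.168.2.0 0.0.0.255 any
!
! Assumed route-map body: NAT only traffic that leaves via ISP-A.
route-map NAT-BRT-201 permit 10
 match ip address NAT
 match interface FastEthernet1
!
ip nat inside source route-map NAT-BRT-201 interface FastEthernet1 overload
!
! Checks after the change (exec mode):
!   show ip nat translations | include 192.168.0.1
!     the mail server should show 201.66.235.2 as its inside global, never
!     the FastEthernet1 address with a high port
!   debug ip nat detailed
!     shows both the outbound s=192.168.0.1->201.66.235.2 translation and the
!     inbound d=201.66.235.2->192.168.0.1 reverse translation for a test session
```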

I tried both ways and it didn't work either way... I'm starting to get confused why it builds the NAT inside->out but doesn't build out->in.

Chuck,

Please post the latest configuration you modified.

Toshi
