02-12-2009 08:56 AM
Hi
I have asked this question before, but as I have not got far with it I am going to try to be more specific this time.
I have a server that needs to do an outbound connection to a mail server. The connection has to be initiated to port 26, that then will be NATed to the external IP and port 26 redirected to port 25 for the SMTP connection.
When I try to configure this:
ACE-2/TEST(config-pmap-c)# nat static x.x.x.x netmask 255.255.255.255 tcp eq 23 vlan 99
I get the error: Error: Invalid real port configured for NAT static
Any ideas what it means anyone?
02-13-2009 04:01 AM
Right. Forget about the previous question. I have an update.
I get this output on show nat policies at the moment:
NAT object ID:39 mapped_if:19 policy_id:50 type:STATIC static_xlate_id:64
ID:64 Static port translation
Real addr:172.21.7.11 Real port:26 Real interface:18
Mapped addr:x.x.x.x Mapped port:25 Mapped interface:19
Netmask:255.255.255.255
where x.x.x.x - is the Public, external IP address on the ACE.
I need the traffic FROM the 172.21.7.11 server going anywhere TO port 26 to be remapped to x.x.x.x port 25. At the moment it does not do it. The service policy on the inside doesn't even get a hit when I am telnetting from the 172.21.7.11 server on port 26 to the outside world. It does get hits when I telnet to x.x.x.x external IP address from outside.
Something is telling me I am looking at it from a wrong direction altogether.
This is the config I have at the moment:
access-list 130 line 20 extended permit ip any any
access-list Source_NAT line 10 extended permit tcp host 172.21.7.11 eq 26 any
class-map match-any Class_Port26
  2 match access-list Source_NAT
policy-map multi-match Policy_Port26_Static
  class Class_Port26
    nat static x.x.x.x netmask 255.255.255.255 tcp eq smtp vlan 99
interface vlan 107
  ip address 172.21.7.2 255.255.255.240
  peer ip address 172.21.7.1 255.255.255.240
  access-group input 130
  service-policy input Policy_Port26_Static
  no shutdown
No server farms, no load balancing. Just that.
Any ideas?
02-13-2009 08:40 AM
What you want to do is not possible.
Gilles.
02-17-2009 01:57 AM
:) haha Thank you very much.
Could you explain why it is not possible?
02-17-2009 04:14 AM
As you said, the command you're trying to use works the other way around.
The idea is to associate a server with a global ip so it can be reached directly from external users and if necessary perform destination port translation.
You can't modify the destination port of an unknown ip address (I mean unknown at the time of configuration).
If you know the destination, you could configure a static entry for each one of them.
Gilles.
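A simplified model of the static port translation entry from the `show nat policies` output in this thread, added here as an illustration and not code from any poster or from Cisco. It assumes real-to-mapped traffic is matched on source address and port, as the posted Source_NAT access list does; 203.0.113.10 stands in for x.x.x.x and 198.51.100.25 is a constructed mail server address.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class StaticPortXlate:
    """One static entry: real addr/port <-> mapped addr/port (model only)."""
    real_addr: str
    real_port: int
    mapped_addr: str
    mapped_port: int

    def outbound(self, p: Packet) -> Optional[Packet]:
        # Real -> mapped: only the SOURCE side is matched and rewritten.
        if (p.src, p.sport) == (self.real_addr, self.real_port):
            return replace(p, src=self.mapped_addr, sport=self.mapped_port)
        return None  # entry does not apply; destination port is never touched

    def inbound(self, p: Packet) -> Optional[Packet]:
        # Mapped -> real: only the DESTINATION side is matched and rewritten.
        if (p.dst, p.dport) == (self.mapped_addr, self.mapped_port):
            return replace(p, dst=self.real_addr, dport=self.real_port)
        return None


# Real addr/port from the thread; MAPPED and MAIL are constructed values.
REAL, MAPPED, MAIL = "172.21.7.11", "203.0.113.10", "198.51.100.25"
XLATE = StaticPortXlate(REAL, 26, MAPPED, 25)


def demo():
    # The server connects out to port 26 from an ephemeral source port.
    wanted = XLATE.outbound(Packet(REAL, 49152, MAIL, 26))
    # An outside host connects to the mapped address on port 25.
    from_outside = XLATE.inbound(Packet(MAIL, 40000, MAPPED, 25))
    # The entry applies outbound only when the server's SOURCE port is 26.
    sourced_26 = XLATE.outbound(Packet(REAL, 26, MAIL, 25))
    return wanted, from_outside, sourced_26


if __name__ == "__main__":
    for label, pkt in zip(("wanted", "from_outside", "sourced_26"), demo()):
        print(f"{label:13} -> {pkt}")
```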
02-18-2009 01:54 AM
Thank you again. I will have to settle for a static IP translation without port change. Shame, as it would be a rather neat solution otherwise.