New Member

NAT question

I have a mail server internal to my network. The config below allows mail from the outside world to reach my mail server on 21, but when my server sends mail the destination mail server receives the mail from 20. The packets seem to be NATed by the rule that NATs the network and not the static NAT rule on the outbound traffic. Is there a way to have the outbound traffic from my mail server to be NATed to 21?

ip nat pool ovrld x.x.x.20 x.x.x.20 prefix-length x
ip nat inside source route-map SDM_RMAP_2 interface FastEthernet0/1 overload
ip nat inside source static tcp 10.0.0.10 25 x.x.x.21 25 route-map SDM_RMAP_8 extendable
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
access-list 109 permit ip host 10.0.0.10 any
route-map SDM_RMAP_2 permit 1
 match ip address 102
!
route-map SDM_RMAP_8 permit 1
 match ip address 108

1 ACCEPTED SOLUTION

Accepted Solutions

Re: NAT question

At least it has excluded it from the general network NAT. Now we can concentrate on why the static NAT does not work.

The problem may be because of the static NAT entry. The problem may be that you have specified the port. As it is a source NAT, it is expecting the source port to be 25. I'm not 100% sure, but I think SMTP connections may be from a dynamic port, to port 25.

I suggest you try removing the port 25 part of the static NAT. That at least will tell you if the static NAT can be made to work. Then put the port 25 as the destination in the NAT filter ... access-list 109.

While you are about it, you could modify your exclusion clause so that only traffic destined for port 25 is excluded. That way your mail server could use the general network NAT for non-SMTP traffic.

So, let's see, that makes something like:

ip nat pool ovrld x.x.x.20 x.x.x.20 prefix-length x
ip nat inside source route-map SDM_RMAP_2 interface FastEthernet0/1 overload
ip nat inside source static 10.0.0.10 x.x.x.21 route-map SDM_RMAP_8 extendable
access-list 102 deny tcp host 10.0.0.10 any eq 25
access-list 102 deny tcp host 10.0.0.10 eq 25 any
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
access-list 108 permit tcp host 10.0.0.10 any eq 25
access-list 108 permit tcp host 10.0.0.10 eq 25 any
route-map SDM_RMAP_2 permit 1
 match ip address 102
!
route-map SDM_RMAP_8 permit 1
 match ip address 108

Kevin Dorrell

Luxembourg
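To make the reasoning in the accepted answer concrete, here is an added Python model (not anything from the thread or from Cisco) of how the two NAT rules pick an inside-global address. It assumes the static entry is consulted before the overload rule and that each rule applies only if its route-map ACL permits the flow; the destination 198.51.100.5 and the source port 49152 are constructed values.

```python
import ipaddress

# Constructed model of the thread's NAT selection, not IOS code. Assumption:
# static entry first, then the overload rule, each gated by its route-map ACL.
ANY = "0.0.0.0/0"

def ace(action, proto, src, dst, src_eq=None, dst_eq=None):
    """One access-list entry; src/dst are CIDR strings ('host a.b.c.d' -> a.b.c.d/32)."""
    return (action, proto, ipaddress.ip_network(src), src_eq,
            ipaddress.ip_network(dst), dst_eq)

def acl_permits(acl, proto, src, sport, dst, dport):
    """First matching entry wins; no match at all is the IOS implicit deny."""
    for action, p, snet, seq, dnet, deq in acl:
        if p not in ("ip", proto):
            continue
        if ipaddress.ip_address(src) not in snet or ipaddress.ip_address(dst) not in dnet:
            continue
        if (seq is not None and seq != sport) or (deq is not None and deq != dport):
            continue
        return action == "permit"
    return False

def nat_inside_global(static, overload, proto, src, sport, dst, dport):
    """static = (inside_local, local_port or None, inside_global, acl);
    overload = (pool_address, acl). Returns the inside-global address the flow leaves with."""
    local_ip, local_port, global_ip, acl = static
    # A port-specific static entry only matches when the SOURCE port equals that port.
    if (src == local_ip and (local_port is None or local_port == sport)
            and acl_permits(acl, proto, src, sport, dst, dport)):
        return global_ip
    pool_ip, acl = overload
    if acl_permits(acl, proto, src, sport, dst, dport):
        return pool_ip
    return None  # no rule applies: the packet leaves untranslated

# The original config: static entry keyed on source port 25, whole-host ACL.
STATIC_ORIG = ("10.0.0.10", 25, "x.x.x.21", [ace("permit", "ip", "10.0.0.10/32", ANY)])
OVERLOAD_ORIG = ("x.x.x.20", [ace("permit", "ip", "10.0.0.0/24", ANY)])

# The corrected config: no port on the static entry, port 25 moved into the ACLs.
STATIC_FIXED = ("10.0.0.10", None, "x.x.x.21", [
    ace("permit", "tcp", "10.0.0.10/32", ANY, dst_eq=25),
    ace("permit", "tcp", "10.0.0.10/32", ANY, src_eq=25)])
OVERLOAD_FIXED = ("x.x.x.20", [
    ace("deny", "tcp", "10.0.0.10/32", ANY, dst_eq=25),
    ace("deny", "tcp", "10.0.0.10/32", ANY, src_eq=25),
    ace("permit", "ip", "10.0.0.0/24", ANY)])
```

Outbound SMTP from an ephemeral source port falls through to the .20 pool under the original rules and lands on .21 under the corrected ones, while the mail server's non-SMTP traffic still uses the general NAT.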

12 REPLIES
Hall of Fame Super Blue

Re: NAT question

Jimmy

Is this a typo

access-list 109 permit ip host 10.0.0.10 any
route-map SDM_RMAP_8 permit 1
 match ip address 108

ie. access-list 109 but match ip address 108 ?

Jon

New Member

Re: NAT question

yes, that is a typo, sorry

Hall of Fame Super Blue

Re: NAT question

Can you post the output of

"sh ip nat translations"

Jon

New Member

Re: NAT question

Pro Inside global     Inside local     Outside local       Outside global
tcp x.x.x.21:25       10.0.0.10:25     ---                 ---
tcp x.x.x.21:443      10.0.0.10:443    ---                 ---

I also have this line in there:

Pro Inside global     Inside local     Outside local       Outside global
tcp x.x.x.20:25       10.0.0.10:25     82.34.117.82:3167   82.34.117.82:3167

Hall of Fame Super Blue

Re: NAT question

Jimmy

Just spent about 1/2 hour playing around with this and no matter what I did couldn't get it working with route-maps. However, looking at your config I'm not sure you need route-maps.

This is the config I got working:

ip nat inside source list 101 interface FastEthernet0/1 overload
ip nat inside source static 10.100.1.6 192.168.32.1
!
access-list 101 permit ip 10.100.1.0 0.0.0.255 any
access-list 102 permit ip host 10.100.1.6 any

No route-maps but it works.

Will this work for you or are your requirements more complex than your example ?

Jon

New Member

Re: NAT question

So this will NAT 10.100.1.6 outbound to 192.168.32.1 and the rest of 10.100.1.x to whatever the natpool is?

I also just want port 25 to be NATed to this address. I have some other ports coming in for a different server.

If this is correct, then yes that will work.

Thanks for your help

Hall of Fame Super Blue

Re: NAT question

Jimmy

No problem, but please test carefully in production as I was working in a lab.

Also because we have translated 10.100.1.6 to 192.168.32.1 for all ports and not just 25 you need to be careful with access. You could try using ports as you did in your example.

I'll try it out in lab tomorrow if i get the time.

Jon

New Member

Re: NAT question

Well, that did work, but now I have another problem.

I have users using VPN and when they ping 10.0.0.10 they get the external address of x.x.x.21. Using the route map to disallow the VPN pool fixes the problem but then I'm back to the mail server sending out on .20 again.

Re: NAT question

Couldn't you just exclude the mail server from the network NAT like this:

access-list 102 deny ip host 10.0.0.10 any
access-list 102 permit ip 10.0.0.0 0.0.0.255 any

Kevin Dorrell

Luxembourg

New Member

Re: NAT question

I did try that and then I was unable to send out at all from the mail server.

New Member

Re: NAT question

Thanks Kevin and Jon for your help. This did work.
