Cisco Support Community

NAT with simultaneous pool and static with same IP

I've seen a router with the following NAT configuration (this is from "show start"):

! Single-address pool: both the start and end address are 63.x.x.34 (/27 block)
ip nat pool SMTP-NAT-pool 63.x.x.34 63.x.x.34 netmask 255.255.255.224
!
! Dynamic PAT: hosts matching SMTP-NAT-out leave via the pool address,
! everything else matching any-NAT-out leaves via the Fa0/0 interface address
ip nat inside source list SMTP-NAT-out pool SMTP-NAT-pool overload
ip nat inside source list any-NAT-out interface FastEthernet0/0 overload
!
! Static port forwards on 63.x.x.34: tcp/25 to the SMTP server, tcp/80 and tcp/443 to the webmail server
ip nat inside source static tcp 192.168.129.19 25 63.x.x.34 25 extendable
ip nat inside source static tcp 192.168.129.14 80 63.x.x.34 80 extendable
ip nat inside source static tcp 192.168.129.14 443 63.x.x.34 443 extendable
!
! Hosts that must appear on the Internet as 63.x.x.34
ip access-list extended SMTP-NAT-out
 permit ip host 192.168.129.34 any
 permit ip host 192.168.129.31 any
 permit ip host 192.168.129.19 any
 permit ip host 192.168.129.14 any
 permit ip host 192.168.129.131 any
 permit ip host 192.168.129.149 any
!
! Same hosts excluded here so they are not also matched by the interface overload rule
ip access-list extended any-NAT-out
 deny ip host 192.168.129.34 any
 deny ip host 192.168.129.31 any
 deny ip host 192.168.129.19 any
 deny ip host 192.168.129.14 any
 deny ip host 192.168.129.131 any
 deny ip host 192.168.129.149 any
 permit ip any any

There are a couple of issues here. First, the "ip nat inside source static tcp 192.168.129.19 25 63.x.x.34 25 extendable" command will simply disappear from the running config anywhere from immediately to a few hours after being entered. Any ideas as to why this would be happening?

Second, I'm seeing some strange entries in the translation table such as:

Pro Inside global    Inside local     Outside local         Outside global
tcp 63.x.x.40:156    63.x.x.34:26     216.64.173.2:46835    216.64.173.2:46835
tcp 63.x.x.40:95     63.x.x.34:26     216.64.173.2:53577    216.64.173.2:53577

63.x.x.40 is the IP address of the Fa0/0 interface. So, it seems to me that the router is double-translating traffic, i.e., 192.168.129.34 gets translated to 63.x.x.34, which then gets translated to 63.x.x.40. Is this possible? I thought that once a packet had been permitted or denied through the NAT process, it was then forwarded out the interface.

The goal here is to send port 80 and 443 to a Web mail server but send port 25 to the SMTP server. Outbound traffic from the hosts in the SMTP-NAT-out ACL needs to show up on the Internet as 63.x.x.34.

I've been looking at NAT features such as extendable, NAT virtual interfaces, and route maps but I have yet to find an article on CCO or NPC that really explains when and why these features would be used and what problems they solve.

If anybody has any ideas as to why we're seeing the disappearing command or any suggestions as to other possible approaches to the goals, they would be much appreciated!

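As an added example (not from the original post, and not a Cisco tool), here is a small Python checker for `show ip nat translations` output that flags the two things the post is trying to verify: entries whose inside-local address is one of the router's own public addresses (the pattern in the table above, where an already-translated address shows up as inside local), and hosts from the SMTP-NAT-out ACL whose inside-global address is not the pool address. The sample output is constructed: 203.0.113.32/27 stands in for the masked 63.x.x.0/27 block and 198.51.100.0/24 for the remote peers. The function names, the host list and the reading of "inside local inside the public block" as evidence of a re-translated packet are this example's assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample of "show ip nat translations" output. Documentation
# addresses replace the masked public block and peers from the post.
SAMPLE = """\
Pro Inside global      Inside local        Outside local       Outside global
tcp 203.0.113.40:156   203.0.113.34:26     198.51.100.2:46835  198.51.100.2:46835
tcp 203.0.113.40:95    203.0.113.34:26     198.51.100.2:53577  198.51.100.2:53577
tcp 203.0.113.34:25    192.168.129.19:25   198.51.100.9:40122  198.51.100.9:40122
tcp 203.0.113.40:2048  192.168.129.31:2048 198.51.100.7:80     198.51.100.7:80
tcp 203.0.113.40:1025  192.168.129.77:1025 198.51.100.7:443    198.51.100.7:443
tcp 203.0.113.34:25    192.168.129.19:25   ---                 ---
"""

# Hosts listed in the SMTP-NAT-out ACL in the post (assumed to be complete).
SMTP_HOSTS = [
    "192.168.129.34", "192.168.129.31", "192.168.129.19",
    "192.168.129.14", "192.168.129.131", "192.168.129.149",
]


@dataclass
class Translation:
    proto: str
    inside_global: str    # "ip:port" exactly as printed
    inside_local: str
    outside_local: str
    outside_global: str


def _split_addr(field):
    """'203.0.113.40:156' -> (IPv4Address, 156); '10.0.0.1' -> (ip, None); '---' -> (None, None)."""
    if field == "---":
        return None, None
    if ":" not in field:
        return ipaddress.ip_address(field), None
    host, _, port = field.rpartition(":")
    return ipaddress.ip_address(host), int(port)


def parse_translations(text):
    """Parse the five-column table; skip the header and anything malformed."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        entries.append(Translation(*parts))
    return entries


def double_translated(entries, public_block):
    """Entries whose inside-local address lies in the router's own public block.

    An inside-local address is supposed to be a private host; seeing one of
    the router's public addresses there means a packet that had already been
    translated was matched again by another NAT rule (assumption of this check).
    """
    net = ipaddress.ip_network(public_block)
    hits = []
    for e in entries:
        ip, _ = _split_addr(e.inside_local)
        if ip is not None and ip in net:
            hits.append(e)
    return hits


def wrong_global(entries, hosts, expected_global):
    """Hosts that must leave via the pool address but were given a different inside-global address."""
    want = ipaddress.ip_address(expected_global)
    hostset = {ipaddress.ip_address(h) for h in hosts}
    bad = []
    for e in entries:
        local_ip, _ = _split_addr(e.inside_local)
        global_ip, _ = _split_addr(e.inside_global)
        if local_ip in hostset and global_ip != want:
            bad.append(e)
    return bad


if __name__ == "__main__":
    entries = parse_translations(SAMPLE)
    for e in double_translated(entries, "203.0.113.32/27"):
        print("re-translated public address as inside local:", e)
    for e in wrong_global(entries, SMTP_HOSTS, "203.0.113.34"):
        print("SMTP-NAT-out host not using pool address:", e)
```

On a real box, feed it the output of `show ip nat translations` (or `show ip nat translations verbose`, which adds timing columns you would need to strip) with your actual public block and pool address; the entries from the post's table would be reported by the first check.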