
Different NAT translations on incoming and outgoing direction

ivohristov
Level 1

Hello Dears,

I have the following situation on a router. I have a mail relay agent (10.0.0.5) and I have to translate port 25 of my global address x.x.x.x:25 to it. The mail relay agent sends the received mail to the mail server, which has the address 10.0.0.6. Then the mail server sends messages directly to the internet and I have to translate its address to the global x.x.x.x:25. It looks like this:

Message arrives at x.x.x.x:25 translates to -> 10.0.0.5:25. Then 10.0.0.5 sends mails to 10.0.0.6 (mail server).

When 10.0.0.6 (mail server) sends mail to the internet translates to -> x.x.x.x:25

Basically I have to translate the public x.x.x.x:25 to 10.0.0.5 when it enters the outside interface and translate 10.0.0.6 to x.x.x.x:25 when it goes out the interface.

I will be very grateful if somebody can help with that configuration issue.
Regards,

Ivaylo

5 Replies

Hi,

Is this an ASA?

If so you can do the following...

static (inside,outside) tcp x.x.x.x 25 10.0.0.5 25

nat (inside) 1 10.0.0.6 255.255.255.255

global (outside) 1 x.x.x.x netmask 255.255.255.255

The static NAT above will translate the inbound traffic to the Mail Relay Server when reaching the x.x.x.x address on TCP port 25 and redirect it to 10.0.0.5 on port 25.

The nat/global commands will translate the packets from 10.0.0.6 to the Internet to x.x.x.x for outbound traffic.

Hope it helps.


Federico.

Hi Federico,
Thank you for the response, but the problem is that it is not an ASA. It is a router. I cannot figure out how to do the NAT on a router.

If someone can give a hint it'll be great.
Thanks,
Ivaylo

If it's a router the configuration will be something like this:

ip nat inside source static tcp 10.0.0.5 25 x.x.x.x 25

ip access-list extended NAT
  permit ip host 10.0.0.6 any

ip nat pool mypool x.x.x.x x.x.x.x

ip nat inside source list NAT pool mypool

In this way, inbound connections to x.x.x.x on port 25 will be redirected to 10.0.0.5 on port 25.

Outbound connections from 10.0.0.6 will get translated to the NAT pool (which is composed of x.x.x.x).

Federico.

That is a correct configuration, but when you have an outbound connection, the server's address 10.0.0.6 will get translated with a random port, not port 25, since it is statically reserved from the statement ip nat inside source tcp 10.0.0.5 25 x.x.x.x 25. I need to keep port 25 as well.
Ivaylo

Let's see...

If you have a mail server that you want to access from the outside on port 25 you then have:

ip nat inside source static tcp PRIVATE_IP 25 PUBLIC_IP 25

The traffic that is sent to PUBLIC_IP on port 25 will be redirected to PRIVATE_IP on port 25.

Even with the above configuration, when PRIVATE_IP initiates outbound traffic it will take a random port as its source port to create the connection.

Please clarify...

You don't need host 10.0.0.6 to use source port 25 when initiating outbound connections, correct?

You need host 10.0.0.6 to use port 25 when responding to requests from the outside?

If you send a request to host 10.0.0.6 on port 25, the response will come from source port 25.

Federico.
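
A simplified model of the translation table this thread is about, added here as an example and not posted by any participant: it shows the static port 25 entry for the relay coexisting with dynamic entries for the mail server on the same public address. The names `NatTable` and `demo`, the address 203.0.113.10 standing in for x.x.x.x, and the port-selection rule (keep the source port if it is free, otherwise take the next free one) are assumptions and not the router's exact allocator.

```python
import itertools

PUBLIC_IP = "203.0.113.10"  # constructed stand-in for the thread's x.x.x.x


class NatTable:
    """Simplified inside-source NAT: static port forwards plus PAT entries."""

    def __init__(self, public_ip, first_fallback_port=1024):
        self.public_ip = public_ip
        self.static = {}   # public_port -> (inside_ip, inside_port)
        self.dynamic = {}  # public_port -> (inside_ip, inside_port)
        self._fallback = itertools.count(first_fallback_port)

    def add_static(self, inside_ip, inside_port, public_port):
        self.static[public_port] = (inside_ip, inside_port)

    def outbound(self, src_ip, src_port):
        """Translate an inside-initiated TCP flow to (public_ip, public_port)."""
        flow = (src_ip, src_port)
        for table in (self.static, self.dynamic):
            for public_port, inside in table.items():
                if inside == flow:
                    return self.public_ip, public_port
        # Keep the original source port if it is free, else take another one.
        port = src_port
        while port in self.static or port in self.dynamic:
            port = next(self._fallback)
        self.dynamic[port] = flow
        return self.public_ip, port

    def inbound(self, dst_port):
        """Inside (ip, port) that a packet to public_ip:dst_port reaches."""
        return self.static.get(dst_port) or self.dynamic.get(dst_port)


def demo():
    nat = NatTable(PUBLIC_IP)
    nat.add_static("10.0.0.5", 25, 25)          # relay published on :25
    return {
        "inbound_smtp": nat.inbound(25),
        "server_ephemeral": nat.outbound("10.0.0.6", 49152),
        "server_forced_25": nat.outbound("10.0.0.6", 25),
        "reply_to_server": nat.inbound(49152),
        "unsolicited": nat.inbound(4444),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

In this model the mail server's outbound flow is identified by its own source port, while the port 25 it connects to is the remote server's destination port, which the translation does not touch.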
