Cisco Support Community

New Member

How Do Static NAT exemption

I have a branch office VPN configured:

Site A 192.168.0.0/24

Site B 192.168.2.0/24

Site A also hosts my mail server, so I have this static NAT rule.

ip nat inside source static tcp 192.168.1.99 25 interface GigabitEthernet0/0 25

This all works fine for the outside world.

However, I think this NAT rule is stopping devices at 192.168.2.0/24 from being able to connect to the SMTP service.

Can I convert this to a route map that denies the NAT for connections from 192.168.2.0/24 but allows it for a source of "any"?

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: How Do Static NAT exemption

Hello,

I am slightly confused by the fact that your SiteA uses 192.168.0.0/24 while the static PAT is configured for 192.168.1.99 - is there perhaps a typo?

Anyway, is the GigabitEthernet0/0 using a static IP address? If yes, you can use its IP address in the ip nat inside source command which will allow you to refer to a route-map afterwards.

ip access-list extended NAT

  deny ip any 192.168.2.0 0.0.0.255

  permit ip any any

!

route-map NAT permit 10

  match ip address NAT

!

ip nat inside source static tcp 192.168.1.99 25 X.X.X.X 25 route-map NAT

Here, replace X.X.X.X with the IP address of the GigabitEthernet0/0 interface.

This configuration makes sure that when responses from your SMTP server are received by your NAT box, it will first check whether they are addressed to SiteB 192.168.2.0/24. If they are, the NAT won't be performed.

Best regards,

Peter

EDIT: Added a missing tcp keyword to the ip nat inside command.
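The route-map exemption in the accepted answer, modelled in Python as an added example (this is not code from the thread or from Cisco). It reproduces IOS wildcard-mask ACL matching, the route-map decision for the static PAT entry, and the inside-to-outside order in which IOS applies NAT before the crypto map. That order is why the exemption matters for the VPN: once the server's reply to a Site B client is rewritten to the public address, it no longer matches the tunnel's crypto ACL and is sent in the clear toward the Internet instead of into the tunnel. Assumed for the model and not stated in the thread: Site A's LAN is 192.168.1.0/24 (the server is 192.168.1.99), X.X.X.X is 203.0.113.10, and the site-to-site crypto ACL permits 192.168.1.0/24 to 192.168.2.0/24. Only the inside-to-outside direction is modelled; the sample flows are constructed.

```python
"""Model of the NAT decision discussed in the accepted answer.

Added example, not from the original thread or from Cisco. Assumptions
(not in the thread): Site A LAN 192.168.1.0/24, public address X.X.X.X is
203.0.113.10, crypto ACL permits 192.168.1.0/24 <-> 192.168.2.0/24.
Only inside-to-outside processing is modelled.
"""
import ipaddress
from dataclasses import dataclass

MAIL_SERVER = "192.168.1.99"
PUBLIC_IP = "203.0.113.10"      # assumed stand-in for X.X.X.X


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'don't care', so 0.0.0.255 covers a /24
    and 255.255.255.255 means 'any'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    return (a & care) == (n & care)


# ip access-list extended NAT   (action, src, src-wildcard, dst, dst-wildcard)
#   deny   ip any 192.168.2.0 0.0.0.255
#   permit ip any any
ACL_NAT = [
    ("deny",   "0.0.0.0", "255.255.255.255", "192.168.2.0", "0.0.0.255"),
    ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0",     "255.255.255.255"),
]


def acl_permits(acl, flow: Flow) -> bool:
    """First matching entry wins; the implicit 'deny any' applies when nothing matches."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(flow.src, s_net, s_wc) and wildcard_match(flow.dst, d_net, d_wc):
            return action == "permit"
    return False


def nat_inside_to_outside(flow: Flow, route_map_acl=None) -> Flow:
    """'ip nat inside source static tcp 192.168.1.99 25 <PUBLIC_IP> 25 [route-map NAT]'
    applied to a packet leaving through the outside interface. Only packets sourced
    from the server's port 25 are candidates; with the route-map, the packet must also
    be permitted by the ACL before it is translated."""
    if flow.src != MAIL_SERVER or flow.sport != 25:
        return flow
    if route_map_acl is not None and not acl_permits(route_map_acl, flow):
        return flow                       # exempted: keeps its inside address
    return Flow(PUBLIC_IP, 25, flow.dst, flow.dport)


def matches_crypto_acl(flow: Flow) -> bool:
    """Assumed tunnel ACL: permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255"""
    return (wildcard_match(flow.src, "192.168.1.0", "0.0.0.255")
            and wildcard_match(flow.dst, "192.168.2.0", "0.0.0.255"))


def goes_into_tunnel(flow: Flow, route_map_acl=None) -> bool:
    """Inside-to-outside on IOS, NAT runs before the crypto check, so the crypto
    map is compared against the post-translation addresses."""
    return matches_crypto_acl(nat_inside_to_outside(flow, route_map_acl))


if __name__ == "__main__":
    # Constructed sample flows: a reply to a Site B client and a reply to an Internet client.
    reply_to_site_b = Flow(MAIL_SERVER, 25, "192.168.2.50", 40123)
    reply_to_internet = Flow(MAIL_SERVER, 25, "198.51.100.7", 51888)
    for label, acl in (("without route-map", None), ("with route-map NAT", ACL_NAT)):
        for f in (reply_to_site_b, reply_to_internet):
            out = nat_inside_to_outside(f, acl)
            print(f"{label:19} {f.src}:{f.sport} -> {f.dst}  leaves as "
                  f"{out.src}:{out.sport}  tunnel={goes_into_tunnel(f, acl)}")
```

Running it shows the reply to 192.168.2.50 leaving as 203.0.113.10:25 without the route-map (and therefore missing the crypto ACL), while with the route-map it keeps 192.168.1.99 and is tunnel-eligible; replies to Internet clients are translated in both cases. On the router itself the same two facts can be checked with `show ip nat translations` and `show crypto ipsec sa`.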

3 REPLIES

New Member

How Do Static NAT exemption

Thank you very much for the reply. Sorry for the confusing typo.

That helped me out greatly.

One little correction: I had to add tcp to enable me to specify port 25.

ip nat inside source static tcp 192.168.1.99 25 X.X.X.X 25 route-map NAT

Have implemented and tested and it works a treat.

Thanks again

Cisco Employee

How Do Static NAT exemption

Hello,

Oh, yes, thank you! You're completely right. Sorry for the typo - adding it to my answer now.

Best regards,

Peter
