07-30-2013 03:12 AM - edited 03-04-2019 08:36 PM
I have a branch office VPN configured:
Site A 192.168.0.0/24
Site B 192.168.2.0/24
Site A also hosts my mail server, so I have this static NAT rule.
ip nat inside source static tcp 192.168.1.99 25 interface GigabitEthernet0/0 25
This all works fine for the outside world.
However, I think this NAT rule is stopping devices at 192.168.2.0/24 from being able to connect to the SMTP service.
Can I convert this to a route map that denies the NAT for connections from 192.168.2.0/24 but allows it for a source of "any"?
07-30-2013 04:46 AM
Hello,
I am slightly confused by the fact that your SiteA uses 192.168.0.0/24 while the static PAT is configured for 192.168.1.99 - is there perhaps a typo?
Anyway, is the GigabitEthernet0/0 using a static IP address? If yes, you can use its IP address in the ip nat inside source command which will allow you to refer to a route-map afterwards.
ip access-list extended NAT
deny ip any 192.168.2.0 0.0.0.255
permit ip any any
!
route-map NAT permit 10
match ip address NAT
!
ip nat inside source static tcp 192.168.1.99 25 X.X.X.X 25 route-map NAT
Here, replace X.X.X.X with the IP address of the GigabitEthernet0/0 interface.
This configuration makes sure that when responses from your SMTP server are received by your NAT box, it will first check whether they are addressed to SiteB 192.168.2.0/24. If they are, the NAT won't be performed.
Best regards,
Peter
EDIT: Added a missing tcp keyword to the ip nat inside command.
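As an added illustration (not part of the thread, and not IOS itself), the following Python models the decision Peter's configuration makes on the inside-to-outside pass of the static PAT: the route-map consults ACL NAT, and a packet from the SMTP server towards 192.168.2.0/24 is left untranslated while anything else is mapped to the Gi0/0 address. The outside address 203.0.113.1 is a constructed placeholder for X.X.X.X.

```python
import ipaddress

# Constructed placeholder for the router's Gi0/0 address (the X.X.X.X in the answer).
OUTSIDE_IP = "203.0.113.1"
INSIDE_HOST = "192.168.1.99"


def ios_wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a bit set to 1 in the wildcard is 'don't care'."""
    a = int(ipaddress.ip_address(addr))
    b = int(ipaddress.ip_address(base))
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


# ip access-list extended NAT, as (action, src, src-wildcard, dst, dst-wildcard);
# 'any' is written as 0.0.0.0 255.255.255.255.
ACL_NAT = [
    ("deny",   "0.0.0.0", "255.255.255.255", "192.168.2.0", "0.0.0.255"),
    ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0",     "255.255.255.255"),
]


def acl_permits(acl, src: str, dst: str) -> bool:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, sb, sw, db, dw in acl:
        if ios_wildcard_match(src, sb, sw) and ios_wildcard_match(dst, db, dw):
            return action == "permit"
    return False


def translate_inside_to_outside(src: str, sport: int, dst: str, use_route_map: bool = True):
    """Inside->outside pass of 'ip nat inside source static tcp 192.168.1.99 25 X.X.X.X 25'.

    Returns the (source address, source port) the far end sees. With use_route_map=False
    it models the original rule, which translated Site B traffic as well.
    """
    if (src, sport) != (INSIDE_HOST, 25):
        return src, sport                      # not covered by this static entry
    if use_route_map and not acl_permits(ACL_NAT, src, dst):
        return src, sport                      # route-map NAT: deny -> no translation
    return OUTSIDE_IP, 25                      # translated to the Gi0/0 address
```

The test below checks that Internet-bound replies are translated, that replies towards Site B keep the real server address, and that without the route-map Site B would have seen the public address, which is the behaviour the question describes.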
07-30-2013 05:01 AM
Thank you very much for the reply. Sorry for the confusing typo.
That helped me out greatly.
One little correction: I had to add tcp to enable me to specify port 25.
ip nat inside source static tcp 192.168.1.99 25 X.X.X.X 25 route-map NAT
Have implemented and tested and it works a treat.
Thanks again
07-30-2013 05:16 AM
Hello,
Oh, yes, thank you! You're completely right. Sorry for the typo - adding it to my answer now.
Best regards,
Peter