I'm having a problem when I'm doing NAT on a dual-homed system. I'll give an example: when I try to connect to TCP/25 at some places from behind the router, it works for some locations (like Gmail, etc.), but there are some other SMTP servers that don't work. When I telnet from the router to that same place that doesn't work from behind the router, it works. I did a tcpdump on one of the servers that doesn't work, and the packet arrives and is returned by the server, but doesn't arrive at the machine behind the router. I don't know what I'm missing in the router configuration. The IP address that I'm trying to reach from inside to outside is 192.168.0.1. Here is the running config.
In show ip nat translations, it shows the dynamic NAT that it builds.
After reading your configuration, please correct me if I'm wrong.
- I'm not sure why PBR is applied on the outside interface. You're tracking the IP address of the Internet. I don't see any reason to apply it on the outside interface.
- Your mail server is 192.168.0.1.
- Packets from 192.168.0.1 are supposed to be NATed with 188.8.131.52 when being sent out of the FastEthernet1 interface.
- What PBR has to do is to forward those packets out of the FastEthernet1 interface. Yes, it's doing it this way.
- NAT statements are read line by line as you may know.
- As far as I can see, it's falling into ip nat inside source route-map NAT-BRT-201 interface FastEthernet1 overload. In turn, mail packets are sent with the source IP address of the FastEthernet1 interface. It shouldn't be like that. Am I correct?
- Time to modify things as follows:
ip access-list extended NAT
 deny ip host 192.168.0.1 any
 permit ip 172.27.1.0 0.0.0.255 any
 permit ip 192.168.0.0 0.0.0.255 any
 permit ip 192.168.2.0 0.0.0.255 any
- Not sure what your design is, though. In case FastEthernet1 went down, packets from 192.168.0.1 have to be dropped by the ISP because they're being sent with the public IP address of the other ISP. Ahh, you're using 2 ISPs. Right? (grin)
Did you try it? There are 2 parts of your configuration that I'm concerned about regarding your problem. The first part is PBR. The second part is NAT. PBR seems to work correctly by sending mail packets to the correct interface. You have to pay special attention to the NAT statements. It's very likely using the dynamic NAT on the FastEthernet1 interface for mail packets. What you can do is to deny it, to let it go out with the static NAT.
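The reply's reasoning rests on two ordering rules: an ACL is matched top-down with first match winning (and an implicit deny at the end), and the NAT statements are consulted in order, so a host permitted by the dynamic overload's ACL is PATed to the interface address before any static entry gets a chance. The following Python model, added here and not part of the thread or of Cisco IOS, makes that visible: it parses the ACL text from the reply, evaluates it first-match, and walks a list of NAT statements in the order the reply describes (dynamic overload first, then the static entry). The pre-fix ACL is reconstructed by leaving out the deny line, the FastEthernet1 address 198.51.100.2 is a constructed placeholder, and the static mapping 192.168.0.1 to 188.8.131.52 is taken from the reply. It is a model of the evaluation the reply describes, not a claim about how IOS is implemented internally.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Union


@dataclass
class AclEntry:
    action: str          # "permit" or "deny"
    source: IPv4Network  # source prefix this entry matches


def wildcard_to_network(addr: str, wildcard: str) -> IPv4Network:
    """Convert an IOS address/wildcard pair (e.g. 172.27.1.0 0.0.0.255) to a prefix."""
    bits = int(ip_address(wildcard))
    if bits != (1 << bits.bit_length()) - 1:
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return ip_network(f"{addr}/{32 - bits.bit_length()}", strict=False)


def parse_acl(text: str) -> List[AclEntry]:
    """Parse the source part of 'permit/deny ip <src> any' lines, keeping their order."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] not in ("permit", "deny"):
            continue  # skip the 'ip access-list extended NAT' header line
        if tok[2] == "host":
            src = ip_network(f"{tok[3]}/32")
        elif tok[2] == "any":
            src = ip_network("0.0.0.0/0")
        else:
            src = wildcard_to_network(tok[2], tok[3])
        entries.append(AclEntry(tok[0], src))
    return entries


def acl_permits(acl: List[AclEntry], src: str) -> bool:
    """First matching entry decides; an IOS ACL ends with an implicit deny."""
    addr = ip_address(src)
    for entry in acl:
        if addr in entry.source:
            return entry.action == "permit"
    return False


@dataclass
class DynamicOverload:
    """Models 'ip nat inside source route-map ... interface FastEthernet1 overload'."""
    acl: List[AclEntry]  # hosts selected by the route-map's ACL
    interface_ip: str    # address they are PATed to


@dataclass
class StaticNat:
    """Models 'ip nat inside source static <inside_local> <inside_global>'."""
    inside_local: str
    inside_global: str


NatRule = Union[DynamicOverload, StaticNat]


def translate(rules: List[NatRule], src: str) -> str:
    """Walk the NAT statements in order; the first whose condition holds translates the packet."""
    for rule in rules:
        if isinstance(rule, DynamicOverload):
            if acl_permits(rule.acl, src):
                return rule.interface_ip
        elif rule.inside_local == src:
            return rule.inside_global
    return src  # nothing matched: the packet leaves untranslated


# Reconstructed pre-fix ACL (assumption: same as the reply's, minus the deny line).
ORIGINAL_ACL = parse_acl("""
ip access-list extended NAT
 permit ip 172.27.1.0 0.0.0.255 any
 permit ip 192.168.0.0 0.0.0.255 any
 permit ip 192.168.2.0 0.0.0.255 any
""")

# ACL exactly as the reply proposes it.
FIXED_ACL = parse_acl("""
ip access-list extended NAT
 deny ip host 192.168.0.1 any
 permit ip 172.27.1.0 0.0.0.255 any
 permit ip 192.168.0.0 0.0.0.255 any
 permit ip 192.168.2.0 0.0.0.255 any
""")

FE1_IP = "198.51.100.2"  # constructed placeholder for FastEthernet1's own address
MAIL_STATIC = StaticNat("192.168.0.1", "188.8.131.52")  # mapping named in the reply


def build_rules(acl: List[AclEntry]) -> List[NatRule]:
    """Statement order the reply describes: dynamic overload is hit before the static entry."""
    return [DynamicOverload(acl, FE1_IP), MAIL_STATIC]


if __name__ == "__main__":
    for label, acl in (("original ACL", ORIGINAL_ACL), ("fixed ACL", FIXED_ACL)):
        rules = build_rules(acl)
        for host in ("192.168.0.1", "192.168.0.50", "172.27.1.10"):
            print(f"{label:12s} {host:14s} -> {translate(rules, host)}")
```

With the original ACL the mail host is permitted by the overload's ACL and leaves as 198.51.100.2, which is why the static mapping never applies; with the deny line in front it falls through to the static entry and leaves as 188.8.131.52, while the rest of 192.168.0.0/24 is still PATed as before. Verifying on the box itself is the same check the reply suggests: look at show ip nat translations and confirm the mail host's entry shows the static inside global address rather than the interface address.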