New Member

static and route-map + vpn wont work

Hi,

When using a more specific route-map static which includes port TCP 25, I am not able to NAT and no more traffic flows. When using a static without TCP restrictions in the static command it works, but I only want to static NAT some special ports.

My config is attached; please see the commented static parts.

Big Thx!

9 REPLIES
Silver

Re: static and route-map + vpn wont work

To enable Network Address Translation (NAT) of the inside source address, use the "ip nat inside source" command in global configuration mode. To remove the static translation or remove the dynamic association to a pool, use the no form of this command.

New Member

Re: static and route-map + vpn wont work

????? I am using ip nat inside source

New Member

Re: static and route-map + vpn wont work

Going through smahbub's previous postings, it appears he just likes to cut-and-paste marginally relevant things from Cisco web pages.

This last cut-and-paste was from:

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ftnatrt.html

Hall of Fame Super Gold

Re: static and route-map + vpn wont work

This happens constantly with "contributions" from said individual and others from the same firm.

Some people realize the deception and rate consequently.

Unfortunately, that doesn't appear to stop the flow of misinformation.

New Member

Re: static and route-map + vpn wont work

Thx dude,

I still don't know why it won't work.

Why is it working with:

ip nat inside source static 10.10.10.2 XXX.XXX.XXX.XXX route-map RMAP_MX

but not with

ip nat inside source static tcp 10.10.10.2 25 XXX.XXX.XXX.XXX 25 route-map RMAP_MX

?

I am very confused and need a solution :( :(

Thx for your effort so far

Hall of Fame Super Silver

Re: static and route-map + vpn wont work

Hello Peter,

If all you want is to map 10.10.10.2 TCP/25 to a public address xxx TCP/25, you shouldn't need to specify a route-map in the command; it is enough to specify all the parameters for the mapping.

So I would try the command without making any reference to the route-map, because it is meaningless in your case.

Actually, if you look at the following link:

http://www.cisco.com/en/US/docs/ios/12_3/ipaddr/command/reference/ip1_i2g.html#wp1078863

the command syntax for port static NAT does not provide the route-map option:

ip nat inside source static {tcp | udp} local-ip local-port global-ip global-port [extendable] [no-alias] [no-payload]

So I would suggest:

ip nat inside source static tcp 10.10.10.2 25 XXX.XXX.XXX.XXX 25

hope to help

Giuseppe

New Member

Re: static and route-map + vpn wont work

Hi Giuseppe,

I need the route-map because I have to exempt VPN traffic; with only a static, VPN traffic will be natted too. For example, a user of 172.XXXXXXXX will get a response with the public IP, which is wrong.

see this: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml

Hall of Fame Super Silver

Re: static and route-map + vpn wont work

Hello Peter,

I had given a quick look at the route-map and I hadn't seen the whole picture.

However, as I have shown in the link in my previous post, when you specify a TCP port you cannot then provide a reference to a route-map in the same statement.

And your router is on release 12.3, as is my link.

So I'm afraid you need to sacrifice a whole public IP address to your server to get the desired selective NAT behaviour.

best regards

Giuseppe
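A small audit script for the situation discussed in this thread, added here as an example and not written by any of the posters: it scans a saved running-config for port-specific static NAT entries that also carry a route-map, the combination the posts above report the 12.3 router accepts without translating traffic. The sample config is constructed; 192.0.2.10 stands in for the masked public address and 10.10.10.3 is a hypothetical second server.

```python
import re

# Constructed sample config (not the poster's attachment). 192.0.2.10 stands in
# for the masked public address; 10.10.10.3 is a hypothetical second server.
SAMPLE_CONFIG = """\
ip nat inside source static 10.10.10.2 192.0.2.10 route-map RMAP_MX
ip nat inside source static tcp 10.10.10.2 25 192.0.2.10 25 route-map RMAP_MX
ip nat inside source static tcp 10.10.10.3 80 192.0.2.10 80 extendable
"""

# Either the port form (tcp|udp local-ip local-port global-ip global-port)
# or the one-to-one form (local-ip global-ip), followed by trailing options.
STATIC_NAT = re.compile(
    r"^\s*ip nat inside source static\s+"
    r"(?:(?P<proto>tcp|udp)\s+(?P<lip>\S+)\s+(?P<lport>\d+)\s+\S+\s+\d+"
    r"|(?P<lip2>\S+)\s+\S+)"
    r"(?P<opts>.*)$"
)


def audit_static_nat(config_text):
    """Return one record per static NAT line; flag port entries with a route-map."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = STATIC_NAT.match(line)
        if not m:
            continue
        rmap = re.search(r"\broute-map\s+(\S+)", m.group("opts"))
        findings.append({
            "line": lineno,
            "proto": m.group("proto"),
            "local": m.group("lip") or m.group("lip2"),
            "port": int(m.group("lport")) if m.group("lport") else None,
            "route_map": rmap.group(1) if rmap else None,
            # Combination the thread reports as accepted but not working on 12.3.
            "flag": bool(m.group("proto") and rmap),
        })
    return findings


if __name__ == "__main__":
    for f in audit_static_nat(SAMPLE_CONFIG):
        status = "CHECK" if f["flag"] else "ok"
        print(f"{status:5} line {f['line']}: {f['local']} "
              f"proto={f['proto']} port={f['port']} route-map={f['route_map']}")
```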

New Member

Re: static and route-map + vpn wont work

Hi Giu,

Thx for your reply. It's bad that the Cisco box will accept the command with the TCP restriction and a route-map but won't handle it correctly; it should give an error while executing it....

That's bad, so if I have, for example, a mail server and a web server but only 1 public IP, I am running into problems due to the lack of public IPs. I still can't believe that I am not able to do a static port translation with only 1 public IP to different services on different services and make it available too in a VPN environment with the use of route-maps.

The next problem is when natting the whole public IP: it seems to work all great (except the fact that everything inbound will be forwarded to the mail server and the access-list 183 seems to be ignored). When accessing via VPN it's correctly not natted, but I get strange (non-SMTP-RFC) responses; it seems like there is an SMTP inspection or stuff like that running. Why are the HELO/EHLO messages different when accessing via VPN than via the public IP?

Thx for your help Giu, I appreciate that!!
