Solved: Dynamic NAT ???

sulan1234 · ‎11-29-2004

Hi

Our mailserver is using different IP addresses upon transferring emails to other domains.

It is supposed to be statically mapped in the router.

How do I configure the router to force the mailserver only to use 1 IP address.

Now it seems like it uses any free IP adress from our public pool of IP numbers.

In other words, I want to create a static route using only 1 public IP through the router.

Thanks

sachinraja · ‎11-29-2004

hello sulan,

why do you want to configure static PAT in this case.. the problem is, if the destination port is anything apart from 25,21,80 etc, it will go out with a PAT IP , as defined on the pool.. for example, if this server queries a DNS server outside, it will go out with the PAT IP and can use 115 or 116... You can better configure a static NAT instead of static PAT...

ip nat inside source static 192.168.100.101 xxx.xx.41.113

you can control the traffic inside the router using access-lists on the serial interface connecting to internet...

change this and let me know if the email server still uses any other dynamic IP..

all the best...

View solution in original post

sachinraja · ‎11-29-2004

Hi sulan

use the following command. In this example I have taken the inside IP of the mail server as 192.168.1.10 and the outside ip as 202.1.1.1

ip nat inside source static 192.168.1.10 202.1.1.1

make sure you apply the ip nat inside/outside on correct interfaces..

All the best.. rate replies if found useful..

sulan1234 · ‎11-29-2004

Here is a sample of the configuration.

ip nat pool sam xxx.xx.41.115 xxx.xx.41.126 netmask 255.255.255.240

ip nat inside source list 1 pool sam overload

ip nat inside source static tcp 192.168.100.101 1352 xxx.xx.41.113 1352 extendab

le

ip nat inside source static tcp 192.168.100.101 25 xxx.xx.41.113 25 extendable

ip nat inside source static tcp 192.168.100.101 21 xxx.xx.41.113 21 extendable

ip nat inside source static tcp 192.168.100.101 80 xxx.xx.41.113 80 extendable

ip nat inside source static tcp 192.168.100.103 1723 xxx.xx.41.114 1723 extendab

le

ip classless

ip route 0.0.0.0 0.0.0.0 Serial0

ip route 0.0.0.0 0.0.0.0 xxx.xx.36.137

no ip http server

the emailserver is having IP 113 but sometimes it uses 115 and 116 and also 118.

sachinraja · ‎11-29-2004

hello sulan,

why do you want to configure static PAT in this case.. the problem is, if the destination port is anything apart from 25,21,80 etc, it will go out with a PAT IP , as defined on the pool.. for example, if this server queries a DNS server outside, it will go out with the PAT IP and can use 115 or 116... You can better configure a static NAT instead of static PAT...

ip nat inside source static 192.168.100.101 xxx.xx.41.113

you can control the traffic inside the router using access-lists on the serial interface connecting to internet...

change this and let me know if the email server still uses any other dynamic IP..

all the best...

sulan1234 · ‎11-29-2004

Hi Sachin

Should I not use the "Extendable" argument ?

Will that force the server to use only the defined IP for in and out traffic and not use any other from the NAT pool.?

Thanks in advance for all your help.

sachinraja · ‎11-29-2004

extendable argument is not required in your case.. just do a one to one static and allow the ports through access-lists.. this will force the server to use only one IP and not from the NAT pool..

this document has all about NAT configurations:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a0080091cb9.shtml

All the best.. rate replies if found useful..

sulan1234 · ‎11-30-2004

Hi again.

As you could see in the NAT list there is a VPN server mapped also.

ip nat inside source static tcp 192.168.100.103 1723 xxx.xxx.124.114 1723 extendab

le

I need to allow following in the extended access control list.

1. Any outside host to access 192.168.100.103 over port 1723

2. Any inside host to reach any outside host over port 1723

Any help greatly appreciated\

Thanks

sachinraja · ‎11-30-2004

Hi Sulan,

i think you have a PPTP VPN server inside the network (behind PIX) to which the users will dial in from internet.. In this case, you need open port 1723 from outside to inside. i hope you have an access-list on the outside.. just add this statement in that ACL..

access-list outside permit tcp any host xxx.xxx.124.114 (nated IP) eq 1723

note: you need to give access to the NATed IP and not the private IP..

do the inside users connect to any other VPN server on outside ? if so, in case you have an access-list on the inside, enter this command,

access-list inside permit tcp 192.168.100.0 255.255.255.0 host x.x.x.x (VPN server IP) eq 1723

hope this helps.. let me know if you need anything else...

sulan1234 · ‎12-14-2004

Hi

This is my current access list and it doesn`t allow Microsoft vpn over port 1723

Please note that it works if I remove 104

access-list 104 permit tcp any xxx.xxx.xxx.112 0.0.0.15 established

access-list 104 permit tcp any 192.168.100.0 0.0.0.255 established

access-list 104 permit tcp any host xxx.xxx.xxx.113 eq smtp

access-list 104 permit tcp any host xxx.xxx.xxx.113 eq 8080

access-list 104 permit tcp any host xxx.xxx.xxx.113 eq www

access-list 104 permit tcp any host xxx.xxx.xxx.113 eq 443

access-list 104 permit tcp any host xxx.xxx.xxx.113 eq ftp

access-list 104 permit tcp any host xxx.xxx.xxx.113 eq ftp-data

access-list 104 permit udp any host xxx.xxx.xxx.113 eq domain

access-list 104 permit tcp any host xxx.xxx.xxx.113 eq domain

access-list 104 permit udp any eq 500 xxx.xxx.xxx.112 0.0.0.15

access-list 104 permit udp any eq 10000 xxx.xxx.xxx.112 0.0.0.15

access-list 104 permit tcp any eq smtp xxx.xxx.xxx.112 0.0.0.15

access-list 104 permit tcp any eq 8080 xxx.xxx.xxx.112 0.0.0.15

access-list 104 permit tcp any eq www xxx.xxx.xxx.112 0.0.0.15

access-list 104 permit tcp any eq 443 xxx.xxx.xxx.112 0.0.0.15

access-list 104 permit udp any eq domain xxx.xxx.xxx.112 0.0.0.15

access-list 104 permit tcp any eq domain xxx.xxx.xxx.112 0.0.0.15

access-list 104 permit tcp any eq 1352 xxx.xxx.xxx.112 0.0.0.15

access-list 104 deny ip 127.0.0.0 0.255.255.255 any log

access-list 104 deny ip 255.0.0.0 0.255.255.255 any log

access-list 104 deny ip 224.0.0.0 0.255.255.255 any log

access-list 104 deny ip host 0.0.0.0 any log

access-list 104 deny udp any any eq snmp

access-list 104 deny ip xxx.xxx.xxx.112 0.0.0.15 any log

access-list 104 deny ip 192.168.100.0 0.0.0.255 any log

access-list 104 deny ip any host 213.42.41.213

access-list 104 deny icmp any any

access-list 104 deny tcp any host xxx.xxx.xxx.138 eq telnet log

access-list 104 deny tcp any host 192.168.100.100 eq telnet log

access-list 104 deny ip any xxx.xxx.xxx.112 0.0.0.15

access-list 105 permit ip host 192.168.100.101 any

access-list 105 permit ip host 192.168.100.107 any

access-list 105 permit ip host 192.168.100.108 any

access-list 105 permit ip host 192.168.100.110 any

access-list 105 permit ip host 192.168.100.132 any

access-list 105 permit ip host 192.168.100.133 any

access-list 105 permit ip host 192.168.100.181 any

access-list 105 permit tcp 192.168.100.0 0.0.0.255 any eq 8080

access-list 105 permit tcp 192.168.100.0 0.0.0.255 any eq www

access-list 105 permit tcp 192.168.100.0 0.0.0.255 any eq 443

access-list 105 permit tcp 192.168.100.0 0.0.0.255 any eq domain

access-list 105 permit udp 192.168.100.0 0.0.0.255 any eq domain

access-list 105 permit tcp 192.168.100.0 0.0.0.255 any eq 1723

access-list 105 deny icmp any any

sulan1234 · ‎11-30-2004

Hi Sachin

Yes I removed all port related arguments and now it is working fine.

Spot on.

Thanks and best regards