11-29-2004 05:27 AM - edited 03-02-2019 08:15 PM
Hi
Our mailserver is using different IP addresses upon transferring emails to other domains.
It is supposed to be statically mapped in the router.
How do I configure the router to force the mailserver only to use 1 IP address.
Now it seems like it uses any free IP adress from our public pool of IP numbers.
In other words, I want to create a static route using only 1 public IP through the router.
Thanks
11-29-2004 10:26 PM
hello sulan,
why do you want to configure static PAT in this case.. the problem is, if the destination port is anything apart from 25,21,80 etc, it will go out with a PAT IP , as defined on the pool.. for example, if this server queries a DNS server outside, it will go out with the PAT IP and can use 115 or 116... You can better configure a static NAT instead of static PAT...
ip nat inside source static 192.168.100.101 xxx.xx.41.113
you can control the traffic inside the router using access-lists on the serial interface connecting to internet...
change this and let me know if the email server still uses any other dynamic IP..
all the best...
11-29-2004 05:33 AM
Hi sulan
use the following command. In this example I have taken the inside IP of the mail server as 192.168.1.10 and the outside ip as 202.1.1.1
ip nat inside source static 192.168.1.10 202.1.1.1
make sure you apply the ip nat inside/outside on correct interfaces..
All the best.. rate replies if found useful..
11-29-2004 10:01 PM
Here is a sample of the configuration.
ip nat pool sam xxx.xx.41.115 xxx.xx.41.126 netmask 255.255.255.240
ip nat inside source list 1 pool sam overload
ip nat inside source static tcp 192.168.100.101 1352 xxx.xx.41.113 1352 extendable
ip nat inside source static tcp 192.168.100.101 25 xxx.xx.41.113 25 extendable
ip nat inside source static tcp 192.168.100.101 21 xxx.xx.41.113 21 extendable
ip nat inside source static tcp 192.168.100.101 80 xxx.xx.41.113 80 extendable
ip nat inside source static tcp 192.168.100.103 1723 xxx.xx.41.114 1723 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
ip route 0.0.0.0 0.0.0.0 xxx.xx.36.137
no ip http server
the emailserver is having IP 113 but sometimes it uses 115 and 116 and also 118.
11-29-2004 11:07 PM
Hi Sachin
Should I not use the "Extendable" argument ?
Will that force the server to use only the defined IP for in and out traffic and not use any other from the NAT pool.?
Thanks in advance for all your help.
11-29-2004 11:34 PM
extendable argument is not required in your case.. just do a one to one static and allow the ports through access-lists.. this will force the server to use only one IP and not from the NAT pool..
this document has all about NAT configurations:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a0080091cb9.shtml
All the best.. rate replies if found useful..
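An added model, not code from the thread, of which outside address the router picks for a new outbound connection from the mail server under the posted per-port static PAT layout versus the one-to-one static NAT recommended in the replies above. It treats a static PAT entry as matching on the inside host's own port (how `ip nat inside source static tcp` is applied), uses 203.0.113.x placeholders for the masked xxx.xx.41.x addresses, and simplifies pool allocation to the first pool entry; the Flow, outside_address, layout_a and layout_b names are my own.

```python
from typing import NamedTuple

class Flow(NamedTuple):
    inside_ip: str
    proto: str
    src_port: int   # the inside host's own port (ephemeral for a connection it initiates)
    dst_port: int

# Layout A, as posted: per-port static PAT entries for the mail server plus "pool sam" overload.
STATIC_PAT = {("192.168.100.101", "tcp", p): "203.0.113.113" for p in (1352, 25, 21, 80)}
POOL = ["203.0.113.115", "203.0.113.116", "203.0.113.117", "203.0.113.118"]  # placeholder pool
# Layout B, as recommended: one-to-one static NAT for the mail server.
STATIC_NAT = {"192.168.100.101": "203.0.113.113"}

def outside_address(flow, static_pat, static_nat, pool):
    """Return (rule_type, global_ip) used for a new outbound flow.

    A static PAT entry matches only when the inside address, protocol AND the
    inside host's own port match, so a connection the server opens from an
    ephemeral port never hits it. A static NAT entry matches on the inside
    address alone. Everything else falls through to the overloaded pool; the
    real allocator may hand out any pool address, simplified here to the first.
    """
    key = (flow.inside_ip, flow.proto, flow.src_port)
    if key in static_pat:
        return ("static-pat", static_pat[key])
    if flow.inside_ip in static_nat:
        return ("static-nat", static_nat[flow.inside_ip])
    return ("pool", pool[0])

def layout_a(flow):
    return outside_address(flow, STATIC_PAT, {}, POOL)

def layout_b(flow):
    return outside_address(flow, {}, STATIC_NAT, POOL)

if __name__ == "__main__":
    # Constructed flows: the server delivering mail to another MTA and resolving a name.
    for name, f in (("smtp out", Flow("192.168.100.101", "tcp", 40001, 25)),
                    ("dns out", Flow("192.168.100.101", "udp", 40002, 53))):
        print(f"{name}: layout A -> {layout_a(f)}  layout B -> {layout_b(f)}")
```

Under layout A both outbound flows leave with a pool address, which is the symptom in the original post; under layout B they leave as 203.0.113.113, and inbound reachability is then governed by the access-list rather than by per-port NAT entries.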
11-30-2004 10:40 PM
Hi again.
As you could see in the NAT list there is a VPN server mapped also.
ip nat inside source static tcp 192.168.100.103 1723 xxx.xxx.124.114 1723 extendable
I need to allow following in the extended access control list.
1. Any outside host to access 192.168.100.103 over port 1723
2. Any inside host to reach any outside host over port 1723
Any help greatly appreciated.
Thanks
11-30-2004 11:20 PM
Hi Sulan,
I think you have a PPTP VPN server inside the network (behind PIX) to which the users will dial in from internet.. In this case, you need to open port 1723 from outside to inside. I hope you have an access-list on the outside.. just add this statement in that ACL..
access-list outside permit tcp any host xxx.xxx.124.114 (nated IP) eq 1723
note: you need to give access to the NATed IP and not the private IP..
do the inside users connect to any other VPN server on outside ? if so, in case you have an access-list on the inside, enter this command,
access-list inside permit tcp 192.168.100.0 255.255.255.0 host x.x.x.x (VPN server IP) eq 1723
hope this helps.. let me know if you need anything else...
12-14-2004 04:49 AM
Hi
This is my current access list and it doesn't allow Microsoft VPN over port 1723
Please note that it works if I remove 104
access-list 104 permit tcp any xxx.xxx.xxx.112 0.0.0.15 established
access-list 104 permit tcp any 192.168.100.0 0.0.0.255 established
access-list 104 permit tcp any host xxx.xxx.xxx.113 eq smtp
access-list 104 permit tcp any host xxx.xxx.xxx.113 eq 8080
access-list 104 permit tcp any host xxx.xxx.xxx.113 eq www
access-list 104 permit tcp any host xxx.xxx.xxx.113 eq 443
access-list 104 permit tcp any host xxx.xxx.xxx.113 eq ftp
access-list 104 permit tcp any host xxx.xxx.xxx.113 eq ftp-data
access-list 104 permit udp any host xxx.xxx.xxx.113 eq domain
access-list 104 permit tcp any host xxx.xxx.xxx.113 eq domain
access-list 104 permit udp any eq 500 xxx.xxx.xxx.112 0.0.0.15
access-list 104 permit udp any eq 10000 xxx.xxx.xxx.112 0.0.0.15
access-list 104 permit tcp any eq smtp xxx.xxx.xxx.112 0.0.0.15
access-list 104 permit tcp any eq 8080 xxx.xxx.xxx.112 0.0.0.15
access-list 104 permit tcp any eq www xxx.xxx.xxx.112 0.0.0.15
access-list 104 permit tcp any eq 443 xxx.xxx.xxx.112 0.0.0.15
access-list 104 permit udp any eq domain xxx.xxx.xxx.112 0.0.0.15
access-list 104 permit tcp any eq domain xxx.xxx.xxx.112 0.0.0.15
access-list 104 permit tcp any eq 1352 xxx.xxx.xxx.112 0.0.0.15
access-list 104 deny ip 127.0.0.0 0.255.255.255 any log
access-list 104 deny ip 255.0.0.0 0.255.255.255 any log
access-list 104 deny ip 224.0.0.0 0.255.255.255 any log
access-list 104 deny ip host 0.0.0.0 any log
access-list 104 deny udp any any eq snmp
access-list 104 deny ip xxx.xxx.xxx.112 0.0.0.15 any log
access-list 104 deny ip 192.168.100.0 0.0.0.255 any log
access-list 104 deny ip any host 213.42.41.213
access-list 104 deny icmp any any
access-list 104 deny tcp any host xxx.xxx.xxx.138 eq telnet log
access-list 104 deny tcp any host 192.168.100.100 eq telnet log
access-list 104 deny ip any xxx.xxx.xxx.112 0.0.0.15
access-list 105 permit ip host 192.168.100.101 any
access-list 105 permit ip host 192.168.100.107 any
access-list 105 permit ip host 192.168.100.108 any
access-list 105 permit ip host 192.168.100.110 any
access-list 105 permit ip host 192.168.100.132 any
access-list 105 permit ip host 192.168.100.133 any
access-list 105 permit ip host 192.168.100.181 any
access-list 105 permit tcp 192.168.100.0 0.0.0.255 any eq 8080
access-list 105 permit tcp 192.168.100.0 0.0.0.255 any eq www
access-list 105 permit tcp 192.168.100.0 0.0.0.255 any eq 443
access-list 105 permit tcp 192.168.100.0 0.0.0.255 any eq domain
access-list 105 permit udp 192.168.100.0 0.0.0.255 any eq domain
access-list 105 permit tcp 192.168.100.0 0.0.0.255 any eq 1723
access-list 105 deny icmp any any
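Added here as an example and not code from the thread: a first-match evaluator for the subset of IOS extended-ACL syntax that access-list 104 uses, run against constructed packets to show why an inbound PPTP dial-in fails with the posted list and what changes once the permit line suggested in the reply is present. 203.0.113.112/28 and 198.51.100.7 are placeholder addresses standing in for the masked values, only contiguous wildcard masks are handled, and the Pkt, wild_net, parse_ace, matches and evaluate names are my own.

```python
import ipaddress
from collections import namedtuple

PORTS = {"smtp": 25, "www": 80, "ftp": 21, "ftp-data": 20, "domain": 53, "telnet": 23, "snmp": 161}
Pkt = namedtuple("Pkt", "proto src sport dst dport ack", defaults=(False,))  # ack: mid-stream TCP

def wild_net(addr, wild):
    """Turn an IOS 'address wildcard' pair into a network (contiguous wildcards only)."""
    w = int(ipaddress.ip_address(wild))
    assert (w + 1) & w == 0, "non-contiguous wildcard mask not supported"
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [established] [log]'."""
    tok = line.split()
    if len(tok) < 5 or tok[0] != "access-list":
        raise ValueError(f"unsupported entry: {line}")
    action, proto, i, ends = tok[2], tok[3], 4, []
    for _ in range(2):  # source spec, then destination spec
        if tok[i] == "any":
            net, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
        elif tok[i] == "host":
            net, i = ipaddress.ip_network(tok[i + 1]), i + 2
        else:
            net, i = wild_net(tok[i], tok[i + 1]), i + 2
        port = None
        if i < len(tok) and tok[i] == "eq":
            port, i = int(PORTS.get(tok[i + 1], tok[i + 1])), i + 2
        ends.append((net, port))
    return action, proto, ends[0], ends[1], "established" in tok[i:]

def matches(ace, pkt):
    _, proto, (snet, sport), (dnet, dport), estab = ace
    return (proto in ("ip", pkt.proto) and (pkt.ack or not estab)
            and ipaddress.ip_address(pkt.src) in snet and ipaddress.ip_address(pkt.dst) in dnet
            and sport in (None, pkt.sport) and dport in (None, pkt.dport))

def evaluate(acl_lines, pkt):
    """First matching entry decides; a packet matching nothing hits the implicit deny."""
    return next((ace[0] for ace in map(parse_ace, acl_lines) if matches(ace, pkt)), "deny")

# Trimmed copy of the posted access-list 104, masked block replaced by 203.0.113.112/28.
ACL_104 = """\
access-list 104 permit tcp any 203.0.113.112 0.0.0.15 established
access-list 104 permit tcp any host 203.0.113.113 eq smtp
access-list 104 permit udp any eq 500 203.0.113.112 0.0.0.15
access-list 104 deny icmp any any
access-list 104 deny ip any 203.0.113.112 0.0.0.15""".splitlines()
PPTP_FIX = ["access-list 104 permit tcp any host 203.0.113.114 eq 1723"]  # line suggested in the reply
PPTP_SYN = Pkt("tcp", "198.51.100.7", 51000, "203.0.113.114", 1723)       # constructed inbound dial-in
```

Because entries added to a numbered ACL are appended, the suggested permit only helps if the list is rebuilt with it above the closing `deny ip any ... 0.0.0.15`; `evaluate(ACL_104 + PPTP_FIX, PPTP_SYN)` still returns "deny" while `evaluate(PPTP_FIX + ACL_104, PPTP_SYN)` returns "permit". PPTP also carries its tunnel data in GRE (IP protocol 47), which this list never permits, so the TCP 1723 line alone does not make a dial-in work.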
11-30-2004 12:37 AM
Hi Sachin
Yes I removed all port related arguments and now it is working fine.
Spot on.
Thanks and best regards