10-17-2018 02:29 AM - edited 03-10-2019 01:06 AM
Hi,
I have the following problem on an ISR 2911:
I have a dynamic NAT for all the inside users:
ip nat inside source route-map My_Lans interface GigabitEthernet0/0 overload
Where My_Lans deny all traffic to my VPN connected sites and permit everything else.
Of course, this works fine.
Now I want to add another nat for an outgoing email server (it will only forward to the outside and never receive).
I want this server to use a different IP that I already have.
If I add:
ip nat inside source static 192.168.2.25 A.B.C.D extendable
Then the server is seen with the right address, but anyone can connect to the server from the outside.
How can I easily block all the incoming traffic?
Thanks,
10-17-2018 03:06 AM
Hi, you can apply an ACL to your outside interface.
Regards.
10-17-2018 03:07 AM
10-17-2018 04:11 AM
This doesn't work.
It effectively blocks all incoming traffic, but it also blocks all answers to my server.
So I can initiate a connection (I can see it with sh ip nat translation), but the server doesn't get its answer.
10-17-2018 04:48 AM
10-17-2018 04:53 AM
The configuration is already very complex with lots of ACL.
Actually, I already have an ACL on my outside interface.
I thought about a route-map on the NAT, but I can't figure out how to make it work.
I also tried to use a dynamic NAT with a pool of one address, but IOS requires a minimum of 4 to define a pool.
That's why I'm asking for help.
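The following is an added example, not configuration posted in this thread. It takes the outside-interface ACL suggested in the first reply and fixes the failure reported afterwards (replies to the mail server being dropped) by admitting only return traffic to the server's public address. The static NAT line and the addresses 192.168.2.25 and A.B.C.D are the thread's own; the ACL name OUTSIDE_IN, the inspect name MAIL_OUT and the inside interface number are placeholders.

```cisco
! Added example - static NAT for the outgoing mail server plus an inbound
! filter on the outside interface. Addresses are from the thread; names are
! placeholders.
ip nat inside source static 192.168.2.25 A.B.C.D extendable
!
ip access-list extended OUTSIDE_IN
 ! Replies to TCP sessions the server opened itself (SMTP to other MTAs).
 ! "established" is a stateless check on the ACK/RST bits, TCP only.
 permit tcp any host A.B.C.D established
 ! No unsolicited traffic may reach the server's public address.
 deny   ip any host A.B.C.D
 ! Merge these two entries into the existing outside ACL, ahead of any
 ! broader permit, because IOS ACLs are evaluated top to bottom.
!
! Optional stateful alternative (CBAC): inspecting outbound sessions on the
! outside interface punches temporary holes in OUTSIDE_IN for their replies,
! including UDP (for example the server's DNS lookups), which "established"
! cannot cover. Newer IOS releases prefer zone-based firewall for this.
ip inspect name MAIL_OUT tcp
ip inspect name MAIL_OUT udp
!
interface GigabitEthernet0/0
 ip nat outside
 ip access-group OUTSIDE_IN in
 ip inspect MAIL_OUT out
!
interface GigabitEthernet0/1
 ip nat inside
```

To check it, open an SMTP session from the server and watch `show ip nat translations` for the A.B.C.D entry and `show access-lists OUTSIDE_IN` for hit counts on the permit line; a connection attempt from outside to A.B.C.D should only increment the deny line.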