Forcing Mail to use a static mapping on 2621 Router with IP Plus

insightexpress
Level 1

Right now we're configured to use both Overloaded NAT (PAT pool) and a few extendable static mappings. My question concerns the static mapping where we have mail servers which can send on various ports which are not statically mapped. What's the best way to force the mail server to use the static mapping instead of defaulting to the PAT pool when it sends on the available application ports? I don't want to expose any other ports from the outside in other than 25 and 110, but by mapping the IP alone, it opens everything. Should I configure access lists at this point? Is there a way to set this up to act like a PIX mapping with conduits to specified ports?

Thanks for your input -


steve.barlow
Level 7

Use a static map with an access-list to filter access. Access-lists are processed before NAT (http://www.cisco.com/warp/public/556/5.html).

eg.

! static one-to-one mapping of the mail server to its public address (x.x.x.x = public IP)
ip nat inside source static 10.10.10.1 x.x.x.x
! only SMTP and POP3 to the public address are permitted; everything else is dropped and logged
access-list 101 permit tcp any host x.x.x.x eq 25
access-list 101 permit tcp any host x.x.x.x eq 110
access-list 101 deny ip any any log
! applied inbound on the outside (WAN) interface
int s0
 ip nat outside
 ip access-group 101 in

Hope that helps

Steve

Steve, thanks for getting back to me. I'm sure this would work if we had a simple configuration on the 2621. We're using a few ACLs with route-maps for IPSec and load balancing which are cancelled out by the ACL above. I was wondering if you had any suggestions about where I could place the ACL on this config to allow IPSec and balancing to continue as well as protect these certain (mail server) IPs. I think this should be sufficient (there are more mappings, a PAT pool, and IPsec info). I've already tried adding it to both the beginning and end of the ACL list and all traffic halts. Let me know if you can help.

ip nat inside source static 10.0.x.x 65.219.x.x
ip prefix-list 1 seq 5 permit 65.219.x.0/24
ip prefix-list 1 seq 10 deny 0.0.0.0/0 le 32
!
ip prefix-list 2 seq 5 permit 65.219.x.0/25
ip prefix-list 2 seq 10 deny 0.0.0.0/0 le 32
!
ip prefix-list 3 seq 5 permit 65.219.x.x/25
ip prefix-list 3 seq 10 deny 0.0.0.0/0 le 32
!
access-list 1 permit 10.0.10.0 0.0.0.255
access-list 101 permit ip 10.0.10.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit ip 10.0.50.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 102 permit ip 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255
access-list 103 permit ip 10.0.10.0 0.0.0.255 10.0.30.0 0.0.0.255
access-list 120 permit ip 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255
access-list 120 permit ip 10.0.10.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 120 permit ip 10.0.10.0 0.0.0.255 10.0.30.0 0.0.0.255
access-list 130 deny ip 10.0.10.0 0.0.0.255 10.0.30.0 0.0.0.255
access-list 130 deny ip 10.0.10.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 130 deny ip 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255
access-list 130 permit ip 10.0.10.0 0.0.0.255 any
access-list 130 permit ip 10.0.50.0 0.0.0.255 any
!
route-map to-wcomw0h31720 permit 10
 match ip address prefix-list 1
 set metric 10
!
route-map to-wcomw0h31720 permit 20
 match ip address prefix-list 2
 set community no-export
!
route-map to-wcomw0h31720 deny 30
!
route-map to-wcomw0h31724 permit 10
 match ip address prefix-list 1
 set metric 10
!
route-map to-wcomw0h31724 permit 20
 match ip address prefix-list 3
 set community no-export
!
route-map to-wcomw0h31724 deny 30
!
route-map NONAT permit 10
 match ip address 130
!
route-map NONAT1 permit 10
 match ip address 130
!
route-map ipsec permit 10
 match ip address 120
 set ip next-hop 1.2.1.2

Okay, you have the static NAT and the access-list to prevent the mail servers from being NATed/IPSECed to the public. So, I would try to place the ACL to restrict access to the mail servers outbound on the LAN-facing interface. As per http://www.cisco.com/warp/public/556/5.html, an outbound ACL is processed after NAT and IPSec.

eg.

! after NAT the destination is already the private mail server address (10.0.x.x)
access-list 101 permit tcp any host 10.0.x.x eq 25
access-list 101 permit tcp any host 10.0.x.x eq 110
! optional, if you want your VPN peers to access your mail servers fully
access-list 101 permit ip 10.0.30.0 0.0.0.255 host 10.0.x.x
access-list 101 deny ip any host 10.0.x.x log
! everything not aimed at the mail server (PAT users, IPSec, balancing) continues as before
access-list 101 permit ip any any
! applied outbound on the LAN-facing interface
int e0/0
 ip access-group 101 out

Hope it helps

Steve
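As an added example that is not part of the thread above, the following Python script parses the LAN-side outbound ACL from the reply and evaluates sample packets against it, so you can confirm before deployment which ports an outside host could still reach on the mail server once NAT has already translated the destination to the private address. The mail server address 10.0.10.25 and the outside source 203.0.113.5 are constructed stand-ins for the redacted 10.0.x.x and an Internet host.

```python
import ipaddress
from collections import namedtuple
Rule = namedtuple("Rule", "action proto src dst dport")  # src/dst: (addr_int, wildcard_int)

def _parse_addr(tokens):
    """Consume one IOS address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    return (int(ipaddress.IPv4Address(tokens[0])),
            int(ipaddress.IPv4Address(tokens[1]))), tokens[2:]

def parse_acl(config, number):
    """Collect the lines of one numbered extended ACL, in order, from an IOS config fragment."""
    rules = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[1] != str(number):
            continue                  # '!' comments and unrelated lines are skipped
        src, rest = _parse_addr(t[4:])
        dst, rest = _parse_addr(rest)
        dport = int(rest[1]) if rest[:1] == ["eq"] else None   # trailing 'log' is ignored
        rules.append(Rule(t[2], t[3], src, dst, dport))
    return rules

def _match_addr(spec, addr):
    base, wild = spec                 # a set wildcard bit means "don't care"
    return (int(ipaddress.IPv4Address(addr)) | wild) == (base | wild)

def evaluate(rules, src, dst, proto="tcp", dport=None):
    """First matching line wins; IOS ends every ACL with an implicit deny."""
    for r in rules:
        if (r.proto in ("ip", proto) and _match_addr(r.src, src)
                and _match_addr(r.dst, dst) and (r.dport is None or r.dport == dport)):
            return r.action
    return "deny"

# Constructed sample after the reply above: 10.0.10.25 stands in for the redacted 10.0.x.x; 10.0.30.0/24 is the VPN peer LAN.
MAIL_ACL = """\
access-list 101 permit tcp any host 10.0.10.25 eq 25
access-list 101 permit tcp any host 10.0.10.25 eq 110
access-list 101 permit ip 10.0.30.0 0.0.0.255 host 10.0.10.25
access-list 101 deny ip any host 10.0.10.25 log
access-list 101 permit ip any any
"""
RULES = parse_acl(MAIL_ACL, 101)
def exposed_ports(rules, host, probe=(25, 110, 143, 443, 3389), src="203.0.113.5"):
    """TCP ports on `host` that the constructed Internet source could reach through the ACL."""
    return {p for p in probe if evaluate(rules, src, host, "tcp", p) == "permit"}
```

Run `exposed_ports(RULES, "10.0.10.25")` against your own ACL text to check that only 25 and 110 remain reachable while other hosts behind the PAT pool are unaffected.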