05-04-2012 08:50 AM - edited 03-04-2019 04:15 PM
Hello,
I have two IPs on my WAN interface: x.x.x.89 and y.y.y.98. I have 2 SMTP servers in my LAN, one on 192.168.2.130, the other on 192.168.2.136. I want the .130 SMTP server to use .89 and .136 to use .98.
Here is what I think is relevant in my config:
interface Dialer0
ip address y.y.y.98 255.255.255.252 secondary
ip address x.x.x.89 255.255.255.252
ip access-group 120 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip flow ingress
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip policy route-map VPN-Client
dialer pool 1
dialer-group 1
no cdp enable
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.10.0 255.255.255.0 192.168.2.150
ip route 192.168.11.0 255.255.255.0 192.168.2.3
ip nat inside source list 101 interface Dialer0 overload
ip nat inside source static tcp 192.168.2.136 25 y.y.y.98 25 route-map smtp-136 extendable
!
logging trap debugging
access-list 101 deny ip 192.168.20.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 deny ip host 192.168.2.136 any
access-list 101 permit ip any any
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
access-list 103 permit tcp host 192.168.2.136 any eq smtp
access-list 103 deny ip any any
access-list 113 remark ... VTY access restriction ...
access-list 113 remark SDM_ACL Category=17
access-list 113 permit ip 192.168.1.0 0.0.0.255 any
access-list 113 permit ip 192.168.2.0 0.0.0.255 any
access-list 113 permit ip 192.168.5.0 0.0.0.255 any
access-list 113 permit ip 192.168.3.0 0.0.0.255 any
access-list 113 permit ip 192.168.20.0 0.0.0.255 any
access-list 113 deny ip any any
access-list 113 remark ... VTY access restriction ...
access-list 113 remark SDM_ACL Category=17
access-list 120 permit tcp host z.z.z.z any eq 8022
access-list 120 deny tcp any any eq 8022
access-list 120 permit tcp host z.z.z.z any eq 1433
access-list 120 deny tcp any any eq 1433
access-list 120 permit ip any any
access-list 121 deny tcp 192.168.21.0 0.0.0.255 host z.z.z.z eq 3389
access-list 121 deny tcp 192.168.200.0 0.0.0.255 host z.z.z.z eq 3389
access-list 121 permit ip any any
access-list 144 permit ip 192.168.20.0 0.0.0.255 any
access-list 144 permit ip 192.168.200.0 0.0.0.255 any
access-list 144 permit ip 192.168.21.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
!
!
!
route-map smtp-136 permit 10
match ip address 103
!
route-map nonatvpn permit 10
match ip address 102
!
route-map VPN-Client permit 10
match ip address 144
set interface Loopback0
With this config, my first SMTP server works perfectly. My second (.136) is reachable from outside, but cannot send mail.
My tests:
1) If I remove "access-list 101 deny ip host 192.168.2.136 any", .136 works but sends mail through the wrong IP (.89).
2) Initially, I had "ip nat inside source static tcp 192.168.2.136 25 y.y.y.98 25 route-map nonatvpn extendable" in place of "ip nat inside source static tcp 192.168.2.136 25 y.y.y.98 25 route-map smtp-136 extendable". It doesn't work either, except if I add "ip nat inside source static 192.168.2.136 y.y.y.98 extendable" => everything works, but all my ports are open...
Any help would be greatly appreciated.
Regards.
05-04-2012 09:08 AM
Hi,
You can try using static PAT :
ip nat inside source static tcp 192.168.2.136 25 x.x.x.98 25 extendable
This maps only one port to the outside IP.
Dan
05-04-2012 01:38 PM
Thanks for your help. I also tried this, with no luck. With this rule, SMTP packets can come in from outside, but I can't connect to the outside.
05-04-2012 01:42 PM
You also have an issue with the input ACL on Dialer0:
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
Add:
access-list 102 permit tcp any host x.x.x.98 eq 25
You deny everything on Dialer0 in.
Dan
05-05-2012 02:46 PM
Thanks for your answer, but I don't think that is the problem. I can reach port 25 from outside, and I can exit from the same interface, but with the other IP. Maybe you confused ACL 102 and ACL 120.
Regards.
05-12-2012 03:02 PM
Hello,
Problem is solved. What I had to do:
ip nat pool deuxiemeip y.y.y.98 y.y.y.98 netmask 255.255.255.252
ip access-list extended 104
 10 permit ip host 192.168.2.136 any
ip nat inside source list 104 pool deuxiemeip overload
Thanks for taking time.
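The thread's three configurations (the original static-TCP entry plus the ACL 101 overload rule, the OP's "test 1" with the deny line removed, and the final pool-based fix) all hinge on how IOS picks a translation for a given packet. The following is an added example, not from the thread or from Cisco: a small Python model of that selection logic, with the thread's rules transcribed into it, so the reported symptoms can be reproduced offline. It keeps the x.x.x.89 / y.y.y.98 placeholders as opaque strings; 203.0.113.5 is a constructed remote mail host, and the ephemeral port 51000 is likewise made up. The model is an approximation for reasoning (it ignores the translation table, route-map matching and timeouts), not IOS itself.

```python
"""Toy model of IOS NAT rule selection for the configs in this thread.

Added example, not from the thread or from Cisco.  It approximates the three
rules the posts rely on:
  1. Static entries are consulted before dynamic ("ip nat inside source list") ones.
  2. A static *tcp* entry matches only that one inside port, so a server's own
     outbound connections (ephemeral source port) fall through to the dynamic rules.
  3. A dynamic rule fires only if its access-list permits the inside source/dest.
Outside addresses keep the thread's x.x.x.89 / y.y.y.98 placeholders as strings.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class StaticNat:
    inside: str
    outside: str
    port: Optional[int] = None   # None models "ip nat inside source static A B": every port


@dataclass(frozen=True)
class DynamicNat:
    acl: tuple      # ((action, src_cidr, dst_cidr), ...), implicit deny at the end
    outside: str    # pool address, or the interface's primary address for "interface ... overload"


def acl_permits(acl, src, dst):
    """First-match evaluation with IOS's implicit deny at the end of the list."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ip_network(src_net) and d in ip_network(dst_net):
            return action == "permit"
    return False


def outbound_source(flow, statics, dynamics):
    """Outside address an inside->outside packet leaves with, or None if untranslated."""
    for st in statics:
        if st.inside == flow.src and (st.port is None or st.port == flow.sport):
            return st.outside
    for dyn in dynamics:
        if acl_permits(dyn.acl, flow.src, flow.dst):
            return dyn.outside
    return None


def inbound_target(flow, statics):
    """Inside (host, port) an unsolicited outside->inside packet reaches, or None."""
    for st in statics:
        if st.outside == flow.dst and (st.port is None or st.port == flow.dport):
            return (st.inside, flow.dport)
    return None


# --- the thread's rules, transcribed (wildcard masks written as CIDR) ---
ACL_101 = (("deny", "192.168.20.0/24", "192.168.2.0/24"),
           ("deny", "192.168.2.0/24", "192.168.20.0/24"),
           ("deny", "192.168.2.136/32", ANY),
           ("permit", ANY, ANY))
ACL_101_NO_DENY = tuple(e for e in ACL_101 if e != ("deny", "192.168.2.136/32", ANY))  # OP's test 1
ACL_104 = (("permit", "192.168.2.136/32", ANY),)                                         # the final fix

STATIC_PAT_25 = [StaticNat("192.168.2.136", "y.y.y.98", port=25)]  # static tcp ... 25 y.y.y.98 25
FULL_STATIC = [StaticNat("192.168.2.136", "y.y.y.98")]             # static 192.168.2.136 y.y.y.98

ORIGINAL_DYNAMIC = [DynamicNat(ACL_101, "x.x.x.89")]               # list 101 interface Dialer0 overload
TEST1_DYNAMIC = [DynamicNat(ACL_101_NO_DENY, "x.x.x.89")]
FIXED_DYNAMIC = [DynamicNat(ACL_104, "y.y.y.98"),                  # list 104 pool deuxiemeip overload
                 DynamicNat(ACL_101, "x.x.x.89")]

if __name__ == "__main__":
    out_130 = Flow("192.168.2.130", 51000, "203.0.113.5", 25)   # constructed flows; 51000 is an
    out_136 = Flow("192.168.2.136", 51000, "203.0.113.5", 25)   # ephemeral port, not 25
    in_smtp = Flow("203.0.113.5", 40000, "y.y.y.98", 25)
    in_rdp = Flow("203.0.113.5", 40000, "y.y.y.98", 3389)
    print("original: .130 ->", outbound_source(out_130, STATIC_PAT_25, ORIGINAL_DYNAMIC))
    print("original: .136 ->", outbound_source(out_136, STATIC_PAT_25, ORIGINAL_DYNAMIC))
    print("test 1:   .136 ->", outbound_source(out_136, STATIC_PAT_25, TEST1_DYNAMIC))
    print("fixed:    .136 ->", outbound_source(out_136, STATIC_PAT_25, FIXED_DYNAMIC))
    print("inbound 25, static PAT:   ", inbound_target(in_smtp, STATIC_PAT_25))
    print("inbound 3389, static PAT: ", inbound_target(in_rdp, STATIC_PAT_25))
    print("inbound 3389, full static:", inbound_target(in_rdp, FULL_STATIC))
```

Running it reproduces the thread: under the original rules .130 leaves as x.x.x.89 while .136's outbound connection matches nothing (the static entry wants source port 25, ACL 101 denies the host), so it goes out untranslated and the mail never arrives; with the deny line removed, .136 leaves as x.x.x.89, the "wrong IP" of test 1; with ACL 104 and the one-address pool it leaves as y.y.y.98. The inbound checks show why the pool fix is preferable to the 1:1 static the OP briefly tried: the port-25 static admits only port 25 from outside, whereas the full static forwards every port to the server and leaves ACL 120 as the only thing in front of it.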