12-07-2010 10:49 AM - edited 03-04-2019 10:42 AM
Hello.
I have a NAT and VPN setup on my Cisco 2801 router.
Everything is working as expected except the NAT. I have a single static NAT translation, but it only works for inbound and not outbound. Going outbound, it uses the default overload NAT address of the outside interface.
Here is the relevant part of the config.
ip nat inside source list 110 interface FastEthernet0/0 overload
ip nat inside source static 192.168.2.45 74.218.119.220 route-map static-nat
!
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit tcp any host 74.218.119.220 eq 3389
access-list 101 permit ip 207.166.204.0 0.0.0.255 any
access-list 101 permit ahp host 207.166.204.2 host 74.218.119.211
access-list 101 permit esp host 207.166.204.2 host 74.218.119.211
access-list 101 permit udp host 207.166.204.2 host 74.218.119.211 eq isakmp
access-list 101 permit udp host 207.166.204.2 host 74.218.119.211 eq non500-isakmp
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 105 permit udp any any eq 4569
access-list 105 permit udp any any eq 5060
access-list 105 permit tcp any any eq 5060
access-list 105 permit ip any any tos min-delay
access-list 110 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 any
access-list 120 deny ip host 192.168.2.45 192.168.1.0 0.0.0.255
access-list 120 permit ip host 192.168.2.45 any
snmp-server community public RO
!
route-map static-nat permit 10
match ip address 120
Basically the problem is this.
I want to add another mail server. But I fear that if one mail server were to get blacklisted, they would both be reporting their IP address as the same address (the one on the Ethernet interface), which would blacklist both mail servers.
Again, inbound NAT works OK, but outbound is just using the IP of the FastEthernet0/0 address.
Please help!
12-07-2010 11:14 AM
You must at least change ACL 110:
access-list 110 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 deny ip host 192.168.2.45 any
access-list 110 permit ip 192.168.2.0 0.0.0.255 any
I also think the line denying NAT for 192.168.1.0 to 192.168.2.0 may not be necessary anywhere; I noticed you using it in several places.
This is for your VPN, eh? When the traffic is matched by a crypto map, the outside NAT is bypassed.
And last but not least: never list public IP addresses in the clear!
regards,
Leo
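A worked version of Leo's fix, extended to the second mail server the original poster wants to add. This is an added example, not configuration from the thread: the second server's inside address (192.168.2.46), the second ACL number (121) and the second route-map name (static-nat-2) are assumptions, and all public addresses have been replaced with the RFC 5737 documentation range 203.0.113.0/24 (203.0.113.20 and 203.0.113.21 standing in for the two mail-server addresses) rather than repeating real ones, per Leo's closing remark. The interface name and the 192.168.1.0/24 VPN peer network are taken from the posted config.

```cisco
! Overload (PAT) for the general LAN. Each statically translated host is
! denied here so the overload rule never claims its outbound traffic;
! VPN traffic stays denied so it reaches the crypto map untranslated.
access-list 110 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 deny   ip host 192.168.2.45 any
access-list 110 deny   ip host 192.168.2.46 any
access-list 110 permit ip 192.168.2.0 0.0.0.255 any
!
! Per-host route-map ACLs: translate everything except VPN traffic.
! ACL 121 is the assumed counterpart of the posted ACL 120.
access-list 120 deny   ip host 192.168.2.45 192.168.1.0 0.0.0.255
access-list 120 permit ip host 192.168.2.45 any
access-list 121 deny   ip host 192.168.2.46 192.168.1.0 0.0.0.255
access-list 121 permit ip host 192.168.2.46 any
!
route-map static-nat permit 10
 match ip address 120
route-map static-nat-2 permit 10
 match ip address 121
!
! Dynamic overload for the LAN, then one conditional static per mail server.
! 203.0.113.x are documentation addresses standing in for the real public ones.
ip nat inside source list 110 interface FastEthernet0/0 overload
ip nat inside source static 192.168.2.45 203.0.113.20 route-map static-nat
ip nat inside source static 192.168.2.46 203.0.113.21 route-map static-nat-2
```

The fix works because, without the explicit deny entries, ACL 110 also matches the mail server's outbound packets and the overload translation is what gets applied, which is exactly the symptom in the post; the deny lines make ACL 110 fall through so only the host's own static entry applies. The VPN deny lines are kept deliberately: on IOS, inside-to-outside NAT runs before the crypto map is consulted, so traffic toward 192.168.1.0/24 must be excluded from translation or it never matches the crypto ACL. To confirm the fix, send something outbound from each server and run `show ip nat translations`; each server's Inside global column should show its own 203.0.113.x address rather than the FastEthernet0/0 address. Any inbound filter on the outside interface (ACL 101 in the post) needs a matching entry for the second public address as well, and while revisiting that filter it is worth noticing that the posted config still carries `snmp-server community public RO`, a default community that hands the device's configuration to anyone who can reach it.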
12-07-2010 11:19 AM
Thank you! That was it!
You are correct, the other stuff is for the VPN.