How to do static NAT exemption

martinbuffleo
Level 1

I have a branch office VPN configured:

Site A 192.168.0.0/24

Site B 192.168.2.0/24

Site A also hosts my mail server, so I have this static NAT rule:

ip nat inside source static tcp 192.168.1.99 25 interface GigabitEthernet0/0 25

This all works fine for the outside world.

However, I think this NAT rule is stopping devices at 192.168.2.0/24 from being able to connect to the SMTP service.

Can I convert this to a route map that denies the NAT for connections from 192.168.2.0/24 but allows it for a source of "any"?

Accepted Solution

Peter Paluch
Cisco Employee

Hello,

I am slightly confused by the fact that your SiteA uses 192.168.0.0/24 while the static PAT is configured for 192.168.1.99 - is there perhaps a typo?

Anyway, is GigabitEthernet0/0 using a static IP address? If yes, you can use its IP address in the ip nat inside source command, which will allow you to refer to a route-map afterwards.

ip access-list extended NAT
 ! deny here means "this clause does not match", so traffic to Site B is left untranslated
 deny ip any 192.168.2.0 0.0.0.255
 permit ip any any
!
route-map NAT permit 10
 match ip address NAT
!
ip nat inside source static tcp 192.168.1.99 25 X.X.X.X 25 route-map NAT

Here, replace X.X.X.X with the IP address of the GigabitEthernet0/0 interface.

This configuration makes sure that when responses from your SMTP server are received by your NAT box, it will first check whether they are addressed to Site B 192.168.2.0/24. If they are, the NAT won't be performed.

Best regards,

Peter

EDIT: Added a missing tcp keyword to the ip nat inside command.

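To make the direction of the match concrete, below is an added Python model of how the posted ACL, route-map and static PAT entry combine. It is illustration written for this page, not IOS code and not something from the thread. A route map attached to ip nat inside source is evaluated on the inside-to-outside packet (the server's reply), so "source" in the ACL is 192.168.1.99 and "destination" is the remote client; that is why the ACL denies a destination of 192.168.2.0/24 rather than a source. Two further points the model encodes: Cisco wildcard masks are inverse masks (a 1 bit means "don't care"), and an ACL deny inside a route map means "this clause does not match" rather than "drop", so a packet that matches no permit clause simply bypasses NAT. Assumptions: 203.0.113.10 stands in for the X.X.X.X inside-global address, and 192.168.2.10 and 198.51.100.7 are constructed sample clients. The model covers the inside-to-outside evaluation only; if Internet-initiated SMTP sessions stop being translated after adding the route map, check show ip nat translations and whether your IOS release needs the reversible keyword on the ip nat inside source static command for outside-initiated sessions.

```python
"""Model of a route-map-conditioned static PAT decision (illustration only, not IOS)."""
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco inverse-mask match: wildcard bits set to 1 are 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


# Extended ACL 'NAT' as posted: (action, proto, src, src_wildcard, dst, dst_wildcard).
# 'any' is 0.0.0.0 255.255.255.255 in wildcard form.
ACL_NAT = [
    ("deny", "ip", "0.0.0.0", "255.255.255.255", "192.168.2.0", "0.0.0.255"),
    ("permit", "ip", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]


def acl_action(acl, pkt: Packet) -> str:
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, proto, src, src_wc, dst, dst_wc in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if wildcard_match(pkt.src, src, src_wc) and wildcard_match(pkt.dst, dst, dst_wc):
            return action
    return "deny"


# route-map NAT permit 10 / match ip address NAT
ROUTE_MAP_NAT = [("permit", 10, ACL_NAT)]


def route_map_permits(route_map, pkt: Packet) -> bool:
    """A clause matches only on an ACL permit. An ACL deny means 'clause does not
    match', not 'block'. If no clause matches, the route-map result is deny and
    the translation is skipped."""
    for clause_action, _seq, acl in route_map:
        if acl_action(acl, pkt) == "permit":
            return clause_action == "permit"
    return False


# ip nat inside source static tcp 192.168.1.99 25 203.0.113.10 25 route-map NAT
INSIDE_LOCAL, INSIDE_GLOBAL, PORT = "192.168.1.99", "203.0.113.10", 25  # assumed global


def translate_inside_to_outside(pkt: Packet) -> Packet:
    """Apply the static entry to a packet leaving via the inside interface
    (server -> client). Only TCP/25 from the server is a candidate, and only
    when the route map permits it; otherwise the packet is forwarded untouched."""
    candidate = pkt.proto == "tcp" and pkt.src == INSIDE_LOCAL and pkt.sport == PORT
    if candidate and route_map_permits(ROUTE_MAP_NAT, pkt):
        return Packet(INSIDE_GLOBAL, pkt.dst, pkt.proto, PORT, pkt.dport)
    return pkt


if __name__ == "__main__":
    # Constructed sample replies from the mail server.
    for client in ("192.168.2.10", "198.51.100.7"):
        reply = Packet(INSIDE_LOCAL, client, "tcp", PORT, 51000)
        out = translate_inside_to_outside(reply)
        verdict = "translated" if out.src != reply.src else "not translated"
        print(f"reply to {client}: src {reply.src} -> {out.src} ({verdict})")
```

Run as-is it reports the Site B reply leaving with its real 192.168.1.99 source and the Internet reply leaving as 203.0.113.10, which is the behaviour the accepted answer describes.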

3 Replies


Thank you very much for the reply. Sorry for the confusing typo.

That helped me out greatly.

One little correction: I had to add tcp to enable me to specify port 25.

ip nat inside source static tcp 192.168.1.99 25 X.X.X.X 25 route-map NAT

Have implemented and tested and it works a treat.

Thanks again

Hello,

Oh, yes, thank you! You're completely right. Sorry for the typo - adding it to my answer now.

Best regards,

Peter
