07-30-2013 03:12 AM - edited 03-04-2019 08:36 PM
I have a branch office VPN configured:
Site A 192.168.0.0/24
Site B 192.168.2.0/24
Site A also hosts my mail server, so I have this static NAT rule:
ip nat inside source static tcp 192.168.1.99 25 interface GigabitEthernet0/0 25
This all works fine for the outside world.
However, I think this NAT rule is stopping devices at 192.168.2.0/24 from being able to connect to the SMTP service.
Can I convert this to a route map that denies the NAT for connections from 192.168.2.0/24 but allows it for a source of "any"?
07-30-2013 04:46 AM
Hello,
I am slightly confused by the fact that your SiteA uses 192.168.0.0/24 while the static PAT is configured for 192.168.1.99 - is there perhaps a typo?
Anyway, is the GigabitEthernet0/0 using a static IP address? If yes, you can use its IP address in the ip nat inside source command which will allow you to refer to a route-map afterwards.
ip access-list extended NAT
deny ip any 192.168.2.0 0.0.0.255
permit ip any any
!
route-map NAT permit 10
match ip address NAT
!
ip nat inside source static tcp 192.168.1.99 25 X.X.X.X 25 route-map NAT
Here, replace X.X.X.X with the IP address of the GigabitEthernet0/0 interface.
This configuration makes sure that when responses from your SMTP server are received by your NAT box, it will first check whether they are addressed to SiteB 192.168.2.0/24. If they are, the NAT won't be performed.
Best regards,
Peter
EDIT: Added a missing tcp keyword to the ip nat inside command.
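The following is an added example, not code from the thread or from Cisco: a small Python model of the matching logic in Peter's answer, so the two behaviours can be compared side by side. It reproduces IOS wildcard-mask matching, first-match ACL evaluation with the implicit deny, and the rule that a packet the ACL denies simply fails the route-map's match clause, so the static PAT is skipped. The addresses 203.0.113.10 (standing in for X.X.X.X) and the two destination hosts are constructed from RFC 5737 documentation ranges; the 192.168.x.x addresses are the ones posted.

```python
"""Model of how a route-map attached to a static PAT decides whether to translate.

Added example, not code from the thread. Public addresses are constructed
(RFC 5737 ranges stand in for the X.X.X.X shown in the answer). Only the
matching logic of the posted ACL/route-map is modelled, not IOS itself.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

SMTP_INSIDE_LOCAL = "192.168.1.99"      # the mail server, as posted
SMTP_INSIDE_GLOBAL = "203.0.113.10"     # assumption: stands in for X.X.X.X on Gi0/0


@dataclass(frozen=True)
class Ace:
    """One extended ACL entry: permit/deny, source and destination with wildcard masks."""
    action: str
    src: str
    src_wild: str
    dst: str
    dst_wild: str


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the mask means 'don't care'."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


def parse_ace(line: str) -> Ace:
    """Parse lines like 'deny ip any 192.168.2.0 0.0.0.255' or 'permit ip host 10.0.0.1 any'."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")

    def take() -> Tuple[str, str]:
        kw = rest.pop(0)
        if kw == "any":
            return "0.0.0.0", "255.255.255.255"
        if kw == "host":
            return rest.pop(0), "0.0.0.0"
        return kw, rest.pop(0)

    src, sw = take()
    dst, dw = take()
    return Ace(action, src, sw, dst, dw)


def acl_permits(acl: List[Ace], src: str, dst: str) -> bool:
    """First matching entry wins; every ACL ends with an implicit 'deny ip any any'."""
    for ace in acl:
        if wildcard_match(src, ace.src, ace.src_wild) and wildcard_match(dst, ace.dst, ace.dst_wild):
            return ace.action == "permit"
    return False


def nat_translates(src: str, dst: str, route_map_acl: Optional[List[Ace]]) -> bool:
    """Does the static PAT for 192.168.1.99:25 rewrite this inside->outside packet?

    Without a route-map the static entry always applies. With 'route-map NAT permit 10 /
    match ip address NAT', a packet the ACL denies fails the match clause; there is no
    other sequence, so the route-map yields no permit and translation is skipped.
    """
    if src != SMTP_INSIDE_LOCAL:
        return False
    if route_map_acl is None:
        return True
    return acl_permits(route_map_acl, src, dst)


# The ACL posted in the accepted answer.
NAT_ACL = [parse_ace(line) for line in ("deny ip any 192.168.2.0 0.0.0.255", "permit ip any any")]


def compare(dst: str) -> Tuple[bool, bool]:
    """(translated with plain static PAT, translated with the route-map) for a packet from the SMTP server."""
    return nat_translates(SMTP_INSIDE_LOCAL, dst, None), nat_translates(SMTP_INSIDE_LOCAL, dst, NAT_ACL)


if __name__ == "__main__":
    for who, dst in (("Site B client over the VPN", "192.168.2.50"),
                     ("Internet host", "198.51.100.7")):
        before, after = compare(dst)
        print(f"{who:28} -> {dst:15} plain static PAT: {before!s:5} with route-map: {after}")
```

Running it shows the Site B destination translated by the plain static PAT but left alone once the route-map is attached, while an Internet destination is translated in both cases. One operational caveat the model makes visible: the trailing `permit ip any any` still translates traffic to every destination that is not explicitly denied, so each additional VPN spoke subnet needs its own `deny` line ahead of it.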
07-30-2013 05:01 AM
Thank you very much for the reply. Sorry for the confusing typo.
That helped me out greatly.
One little correction: I had to add tcp to enable me to specify port 25.
ip nat inside source static tcp 192.168.1.99 25 X.X.X.X 25 route-map NAT
Have implemented and tested and it works a treat.
Thanks again
07-30-2013 05:16 AM
Hello,
Oh, yes, thank you! You're completely right. Sorry for the typo - adding it to my answer now.
Best regards,
Peter