I'm stuck with some NAT issues. I've got an 800-series router wich connects to the internet via a PPP connection (dialer0).
On the inside the router has 192.168.0.253/24 as IP address, the outside is negotiated with the ISP
My mailserver has the ip address of 192.168.0.1 but with default gateway of 192.168.0.254 (primary internet connection).
If I use plain NAT (ip nat inside source static tcp 192.168.0.1 25 interface Dialer0 80) the packets arriving on the mailserver do have a public IP address as source address.
Would it be possible to rewrite those packets (source address) so they have 192.168.0.253 as source address. This way the mailserver won't send the replies to it's default gateway but back to the cisco router
Thanks in advance,
Wilk van der Sande
This is a very easy thing to do on an ASA/pix but IOS is different. The trouble is there is no interface overload option on the "ip nat outside source" option. It gets worse. You can use a pool of addresses to translate the outside addresses to but there is no overload option with this pool so you need to have an IP per outside IP connecting.
In addition presumably your negotiated address is the same each time, otherwise how would the mail server be reachable ?
So you can either -
1) use PBR on the 192.168.0.254 device to send it back out to 192.168.0.253. This depends on whether your 192.168.0.254 device supports PBR ?
2) Use a big enough network in your pool to account for all possible simultaneous connections to your mail server. Note this pool does not have to have a physical interface on the router by configuring the pool the router will respond to it. So on the 192.168.0.253 device -
access-list 101 permit tcp any host
ip nat pool MAIL 192.168.5.1 192.168.5.254 netmask 255.255.255.0 <-- note this will only allow 254 simultaneous connections to your mail server. If you need more use a bigger subnet.
ip nat outside source list 101 pool MAIL add-route
There may be another way to do it with NAT but i don't know of it.
Sadly the 192.168.0.254/24 isn't a cisco but juniper . However PBR should be possible with that device.
I see there's no simple 1-to-1 solution for IOS unfortunateley. I will digg deeper into this and will let you know.
I really need a 'simple' solution for it without using things like PBR on the default gateway.
Thank you very much for your reply on this!
The ip nat you have will not translate the source address from the internet it will translate the mail server ip to the Internet interface ip
Also connection to port 80 will be translated into your mail server as 25
Why you want to translate ip coming from the Internet ? It's better to leave it with original source ip (public ) and the mail server will already send the reply to it's default gateway !!
Sent from Cisco Technical Support iPhone App
@marwanshawi: sorry, the port 80 was a typo, that should be 25 ofcourse
The reason I would like to translate the source addres is because of this:
The 192.168.0.253/24 is used as secondary internet connection (192.168.0.254/24 is the primary). If my primary internet connection goed down (wan error or router failure) I can use my secondary connection to receive mail. But, when the source address of a packet is public, my mailserver would send the reply to the default gateway (0.254) instead of the cisco (0.253). But when I to a rewrite of the source address the reply would be send to the cisco.
Im sure this should be possible, but im not sure IOS (advanced security) supports it.
It is possible with the config i gave and it will work. But i can understand why you want a "simpler" 1 to 1 method. Like i say with a firewall like the ASA/pix it is easy to do.
I wouldn't have thought there were that many simultaneous connections your mail server ?
I do understand your frustration that something so simple should not be possible. I am not a fan of NAT on IOS because it always seems that every time i want to do something there is a limitation and you have to use a workaround.
I know it is not elegant no simple but if the 800 router is only used for sending email, the Ethernet interface can be defined outside and by pbr traffic incoming from the internet cen be sent to a loopback classified as inside. Do an initial rounf of NAT and then sent out to the mail server with a further round of nat and this time oveload would be available ....
Just watch the size of the NAT table and the CPU overhead I believe that the 800 can only process route PBR and cannot use fast switchin of CEF for it.
If you use that router for additional tasks it becomes more difficult.