
NAT Smtp

Hello

I have a router with static NAT and a server inside with SMTP running

ip nat inside source static tcp 10.0.0.7 25 188.21.1.XXX 25 extendable 

I cannot send any mails with this config. Why?

The Access List is also open.

290 permit tcp any host 188.21.1.XXX eq smtp (252 matches)

What's the problem?

Thanks


rasmus.elmholt
Level 7

Give us some more information. What is the rest of the configuration, and what does show ip nat translations say?

The configuration you have should work if the rest is configured correctly.

The rest of the config works perfectly. I only made an entry for the SMTP server for NAT.

The other ports (ssh, www, ...) are working without any problem. Only SMTP did not work, so the server cannot send any mail.

Hello

Possibly incorrect dns?
Do you have MX records in DNS for SMTP?

res
Paul



Kind Regards
Paul

It was working fine since I changed the NAT entry from

ip nat inside source static tcp 10.0.0.7  188.21.1.XXX

to this

ip nat inside source static tcp 10.0.0.7 25 188.21.1.XXX 25 extendable

Because I have to NAT other ports to another server.

Why is there a difference between the configs for SMTP? The access list is the same on both configs.

Thanks

To me it seems like you can receive mails but not send any.

The other nat worked because it is an outgoing nat as well.

And the one you made is only ingoing on port 25, and when the ESA relays mails, it uses random high-number ports as the source. They are not matched by the static NAT you created.

Could you please share the entire configuration?

Yes this is exactly what we have. I cannot send any mails. The incoming on port 25 is ok but then the outgoing will not match any NAT.

We want to split the server into SMTP and web server but on the same WAN address because of the DNS. So I changed the config from

ip nat inside source static 10.0.0.7 188.21.1.XXX

to

ip nat inside source static tcp 10.0.0.7 22 188.21.1.XXX 22 extendable
ip nat inside source static tcp 10.0.0.7 25 188.21.1.XXX 25 extendable
ip nat inside source static tcp 10.0.0.7 53 188.21.1.XXX 53 extendable
ip nat inside source static udp 10.0.0.7 53 188.21.1.XXX 53 extendable
ip nat inside source static tcp 10.0.0.8 80 188.21.1.XXX 80 extendable
ip nat inside source static tcp 10.0.0.8 443 188.21.1.XXX 443 extendable

and the 10.0.0.8 gets only www and https.

But now DNS, ssh, www and https work, but SMTP does not.

What have I done wrong?

Best regards

If I am not wrong I got your issue here.

You did static port translation, that is, 188.21.1.XXX 25 is translated to 10.0.0.7 25 and untranslated vice versa.

1) For incoming traffic from the outside world to the server, 188.21.1.XXX 25 is translated to 10.0.0.7 25 and it should work correctly.

2) For outgoing traffic from the server to the outside world, the server may not select port 25 as the source port; it can select any random port like 1025. In this case 10.0.0.7 1025 is not untranslated to 188.21.1.XXX 1025, as it will untranslate when server 10.0.0.7 uses 25 as the source port, so this is creating the issue for outgoing traffic.

The solution is that you can create one dynamic PAT with the ISP-connecting interface so that 10.0.0.7 1025 will be untranslated with the public IP of the interface and a random port.

Is it possible to use dynamic and static NAT on the same WAN address?

I cannot change to another IP because of the DNS entry.

How can I change this?

Thanks

Here you go. You can modify ACL as per your requirement.

Add these additional nat commands

access-list 10 permit any

ip nat pool ABC 188.21.1.XXX 188.21.1.XXX netmask 255.255.255.0

ip nat inside source list 10 pool ABC overload



I cannot change the WAN IP because of the DNS entry, so I have only 1 WAN address for DNS, www, mail and https.

Now I have split the mail and www server into 2 different servers on the inside, but the WAN IP is the same. I made the static NAT on different ports and everything works, but not mail.

So can I make a dynamic NAT to the same WAN from inside to outside? The outside to inside works perfectly.

Can I use

ip nat outside source static 188.21.1.XXX 10.0.0.7 extendable

Thanks

That would be the most common thing to do. Do a source NAT from inside->outside, and a destination NAT from outside:port->inside:port.

access-list 10 permit any

ip nat inside source list 10 interface fa0/0 overload ! inside->out nat/PAT

ip nat inside source static tcp 10.0.0.7 25 interface fa0/0 25 extendable ! outside-> in NAT/PAT

Then your mail server will be able to send outgoing mails.

And receive incoming on port 25.

Hmmm, I have the problem that I can only use the 188.21.1.XXX address but the interface has a different IP.

So if I make

ip nat inside source static tcp 10.0.0.7 25 188.21.1.XXX 25 extendable

and

ip nat inside source list 10 interface fa0/0 overload

the answer from the mail server would be sent from the IP address of the interface.

Is this a problem? Should this work?

Thanks

Ahh, then you decide. From an email perspective I would send the mail from the same address as the MX record is registered on.

So in your case it would be the config Pawan wrote:

ip nat inside source static tcp 10.0.0.7 25 188.21.1.XXX 25 extendable

ip nat pool ABC 188.21.1.XXX 188.21.1.XXX netmask 255.255.255.0

ip nat inside source list 10 pool ABC overload

If 188.21.1.XXX is 188.21.1.111 it would be:

ip nat pool ABC 188.21.1.111 188.21.1.111 netmask 255.255.255.0
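
Added example (not part of any post in this thread): a small Python model of the outbound NAT lookup discussed above, showing why a source port such as 1025 matches no static port entry and how the pool overload rule covers it. The function names and the simplified matching are assumptions of this sketch, and 188.21.1.XXX is the thread's redacted address used verbatim.

```python
import re

# ip nat inside source static tcp <local> <lport> <global> <gport> extendable
STATIC_RE = re.compile(
    r"ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
# ip nat pool <name> <first> <last> netmask <mask>
POOL_RE = re.compile(r"ip nat pool (\S+) (\S+) \S+ netmask \S+")
# ip nat inside source list <acl> pool <name> overload
OVERLOAD_RE = re.compile(r"ip nat inside source list \S+ pool (\S+) overload")


def parse(config):
    """Return (static port entries, PAT address or None) from config text."""
    statics, pools, overload = [], {}, None
    for line in config.strip().splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            proto, local, lport, glob, gport = m.groups()
            statics.append((proto, local, int(lport), glob, int(gport)))
        elif m := POOL_RE.match(line):
            pools[m.group(1)] = m.group(2)
        elif m := OVERLOAD_RE.match(line):
            overload = m.group(1)
    return statics, pools.get(overload)


def translate_outbound(config, proto, src_ip, src_port):
    """Translated (ip, port) for an inside-to-outside flow, or None."""
    statics, pat_addr = parse(config)
    for p, local, lport, glob, gport in statics:
        if (p, local, lport) == (proto, src_ip, src_port):
            return glob, gport      # exact static port entry
    if pat_addr:
        # Assumption: the ACL is "permit any", as in the thread, so every
        # inside source qualifies; a real router may remap the port.
        return pat_addr, src_port
    return None                     # no rule matches: no translation


# Constructed from the configs quoted in the thread.
BEFORE = """
ip nat inside source static tcp 10.0.0.7 25 188.21.1.XXX 25 extendable
ip nat inside source static tcp 10.0.0.8 80 188.21.1.XXX 80 extendable
"""
AFTER = BEFORE + """
access-list 10 permit any
ip nat pool ABC 188.21.1.XXX 188.21.1.XXX netmask 255.255.255.0
ip nat inside source list 10 pool ABC overload
"""
```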

Pawan Raut
Level 4

Check whether NAT is working properly on the router or not.

sh ip nat trans
