11-19-2012 03:40 PM - edited 03-04-2019 06:11 PM
I'm having a weird issue: I can ping my Exchange server and connect to it remotely (RDP) through the internet, even though I am specifying the ports in my static PAT. If I add the overload command to my Exchange pool, then it blocks all the unspecified ports in my static PAT. Am I missing something in the following config?
Exchange public IP: 1.1.1.1 - internal: 192.168.10.10
Users' public IP: 2.2.2.2 - internal: 192.168.1.0
ip nat pool Exchange 1.1.1.1 1.1.1.1 prefix-length 30
ip nat pool Client_Access 2.2.2.2 2.2.2.2 prefix-length 30
ip nat inside source list 120 pool Client_Access overload
ip nat inside source list 121 pool Exchange
ip nat inside source static tcp 192.168.10.10 25 1.1.1.1 25 extendable
ip nat inside source static tcp 192.168.10.10 80 1.1.1.1 80 extendable
ip nat inside source static tcp 192.168.10.10 110 1.1.1.1 110 extendable
ip nat inside source static tcp 192.168.10.10 443 1.1.1.1 443 extendable
ip nat inside source static tcp 192.168.10.10 587 1.1.1.1 587 extendable
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
access-list 120 permit ip host 192.168.2.5 any
access-list 120 permit ip host 192.168.2.6 any
access-list 120 permit ip host 192.168.10.3 any
access-list 121 permit ip host 192.168.10.10 any
11-19-2012 08:48 PM
Hi,
Here is very useful info about your situation:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_q_and_a_item09186a00800e523b.shtml
A. Yes. These are the NAT best practices:
When using both dynamic and static NAT, the ACL that sets the rule for dynamic NAT should exclude the static local hosts so there is no overlap.
When deploying ISP load balancing with NAT interface overload, the best practice is to use a route-map with interface match over ACL matching.
When using pool mapping, you should not use two different mappings (ACL or route-map) to share the same NAT pool address.
When deploying the same NAT rules on two different routers in the failover scenario, you should use HSRP redundancy.
Do not define the same inside global address in Static NAT and a Dynamic Pool. This action can lead to undesirable results.
Hope it will help.
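As an added illustration (not from the thread, and not Cisco code), the following Python model shows why the symptom in the question matches the last two best practices above: ACL 121 overlaps the static host 192.168.10.10, and pool Exchange and the static PAT entries share the inside global 1.1.1.1. Without overload, the first outbound packet from the server creates a simple one-to-one address entry for 1.1.1.1, and any unsolicited inbound port then reaches the server through it; with overload, only per-port entries exist, so only the static ports answer. The model is simplified by assumption (the overload entry keeps the source port, no timeouts, no ICMP), and the outbound source port 51000 and the RDP probe port 3389 are constructed values.

```python
"""Toy model of IOS NAT lookup for unsolicited inbound packets.

Constructed example for the thread's config; it is not Cisco code and it
simplifies real behaviour (no timeouts, no ICMP, source port preserved).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

EXCHANGE_LOCAL = "192.168.10.10"   # inside local from the thread
EXCHANGE_GLOBAL = "1.1.1.1"        # inside global shared by pool and statics
STATIC_PORTS = (25, 80, 110, 443, 587)   # the static PAT lines in the thread


@dataclass(frozen=True)
class StaticPat:
    proto: str
    inside_local: str
    local_port: int
    inside_global: str
    global_port: int


@dataclass
class NatTable:
    statics: List[StaticPat]
    # simple entries (dynamic NAT without overload): inside_global -> inside_local
    dyn_simple: Dict[str, str] = field(default_factory=dict)
    # extended entries (overload): (proto, inside_global, gport) -> (inside_local, lport)
    dyn_extended: Dict[Tuple[str, str, int], Tuple[str, int]] = field(default_factory=dict)

    def outbound(self, proto: str, src: str, sport: int, pool_addr: str, overload: bool) -> None:
        """Record the entry created when an inside host matches the dynamic rule
        (list 121 pool Exchange in the thread)."""
        if overload:
            # assumption: port preserved; real IOS may pick another free port
            self.dyn_extended[(proto, pool_addr, sport)] = (src, sport)
        else:
            # whole address is bound to the host until the entry times out
            self.dyn_simple[pool_addr] = src

    def inbound(self, proto: str, dst: str, dport: int) -> Optional[str]:
        """Inside host an unsolicited inbound packet is forwarded to, or None (dropped)."""
        for s in self.statics:
            if s.proto == proto and s.inside_global == dst and s.global_port == dport:
                return s.inside_local
        if (proto, dst, dport) in self.dyn_extended:
            return self.dyn_extended[(proto, dst, dport)][0]
        if dst in self.dyn_simple:          # simple entry matches every port
            return self.dyn_simple[dst]
        return None


def thread_statics() -> List[StaticPat]:
    """The five 'ip nat inside source static tcp ... extendable' lines."""
    return [StaticPat("tcp", EXCHANGE_LOCAL, p, EXCHANGE_GLOBAL, p) for p in STATIC_PORTS]


def exposed_ports(overload: bool, server_has_sent_traffic: bool,
                  probe_ports=(25, 80, 110, 443, 587, 3389)) -> List[int]:
    """Ports on 1.1.1.1 that reach the Exchange server from the internet.

    server_has_sent_traffic models the server having made any outbound
    connection (mail delivery, DNS), which is what creates the dynamic entry.
    """
    table = NatTable(thread_statics())
    if server_has_sent_traffic:
        table.outbound("tcp", EXCHANGE_LOCAL, 51000, EXCHANGE_GLOBAL, overload)
    return [p for p in probe_ports if table.inbound("tcp", EXCHANGE_GLOBAL, p) == EXCHANGE_LOCAL]


if __name__ == "__main__":
    print("pool without overload, before any outbound traffic:", exposed_ports(False, False))
    print("pool without overload, after outbound traffic:     ", exposed_ports(False, True))
    print("pool with overload, after outbound traffic:        ", exposed_ports(True, True))
```

The middle case is the one in the question: RDP on 3389 is reachable only while the simple entry for 1.1.1.1 exists, so the exposure comes and goes with the server's own outbound activity. On the router, `show ip nat translations` makes the same distinction visible: a simple entry lists 1.1.1.1 and 192.168.10.10 with no protocol or port columns, while the static PAT and overload entries carry ports.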