Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
463
Views
0
Helpful
1
Replies

Static PAT for MS Exchange

wissamnad
Level 1
Level 1

‎11-19-2012 03:40 PM - edited ‎03-04-2019 06:11 PM

Im having a weird issue; I can ping my exchange, connect to it remotely (rdp) through the internet eventhough I am specifying the ports in my static pat. If I add the  overload command to my Exchange pool then its blocking all the  unspecified ports in my static pat. Am I missing something in the  following config?

Exchange public ip: 1.1.1.1 - Internal: 192.168.10.10

Users Public IP: 2.2.2.2 - Internal (192.168.1.0)

ip nat pool Exchange 1.1.1.1 1.1.1.1 prefix-length 30

ip nat pool Client_Access 2.2.2.2 2.2.2.2 prefix-length 30

ip nat inside source list 120 pool Client_Access overload

ip nat inside source list 121 pool Exchange

ip nat inside source static tcp 192.168.10.10 25 1.1.1.1 25 extendable

ip nat inside source static tcp 192.168.10.10 80 1.1.1.1 80 extendable

ip nat inside source static tcp 192.168.10.10 110 1.1.1.1 110 extendable

ip nat inside source static tcp 192.168.10.10 443 1.1.1.1 443 extendable

ip nat inside source static tcp 192.168.10.10 587 1.1.1.1 587 extendable

!

access-list 23 permit 10.10.10.0 0.0.0.7

access-list 120 permit ip 192.168.1.0 0.0.0.255 any

access-list 120 permit ip host 192.168.2.5 any

access-list 120 permit ip host 192.168.2.6 any

access-list 120 permit ip host 192.168.10.3 any

access-list 121 permit ip host 192.168.10.10 any

Labels:
0 Helpful
1 Reply 1

Abzal
Level 7
Level 7

‎11-19-2012 08:48 PM

Hi,

Here is very useful info about your situation:

NAT Best Practices


Q. Are there any NAT best practices?


A. Yes. These are the NAT best practices:

  1. When using both dynamic and static NAT, the ACL that sets the rule  for dynamic NAT should exclude the static local hosts so there is no  overlap.

  2. When deploying ISPs load balancing with NAT interface overload, the  best practice is to use route-map with interface match over ACL  matching.

  3. When using pool mapping, you should not use two different mapping (ACL or route-map) to share the same NAT pool address.

  4. When deploying the same NAT rules on two different routers in the failover scenario, you should use HSRP redundancy.

  5. Do not define the same inside global address in Static NAT and a Dynamic Pool. This action can lead to undesirable results.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_q_and_a_item09186a00800e523b.shtml

Hope it will help.

Best regards,
Abzal
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card