Change source IP on public interface

Damir Reic
Level 1

So I have the following situation:

The ISP gave me a /28 public IP subnet and now I have multiple public IPs. I configured NAT overload with the 1st IP from that subnet for LAN clients to gain internet access and that works. I forwarded ports 25, 80 and 443 from the 2nd IP to the mail server and that also works OK, but if I go to www.whatismyip.com from the mail server it shows the 1st IP. How can I tell the router to send all traffic from the mail server to the internet with a source of the 2nd IP?

1 Accepted Solution

Hi Damir,

I understood your requirement. We should create a specific static NAT for the host 192.168.1.10 to take 1.1.1.2 as its public IP. The rest of the hosts in the subnets will have 1.1.1.1 as the public IP. All we need here is to create non-overlapping rules. All static rules for NAT should take priority, then comes the general PAT.

Can you create the static NAT rules in priority like this:

Static NAT for 25,80,443

Static NAT for 192.168.1.10 to have 1.1.1.2

Then configure the generic PAT as you have it now.

Regards

Karthik

7 Replies

deshtikypshaq
Level 1

Insufficient data, but in general:

You must NAT the second IP and assign it to the mail server. Also allow a route to the Internet from the mail server.

When you say I need to NAT the second IP, you mean 1:1 NAT? In that case I need an ACL to allow only some ports to that public IP, right, and I need to apply it on the outside interface?

For your requirement for whatsmyip.com... it is an outbound connection... so it has to be allowed in the ACL of the interface where the server is connected... either dmz/inside, wherever you have it... the return traffic from the internet will be handled by the stateful inspection...

Regards

Karthik

Hi, I think you missed the point here.

So I have 1.1.1.1 and 1.1.1.2 on the WAN interface. Which set of commands do I need to execute so that all outgoing traffic from the server on 192.168.1.10 has 1.1.1.2 as its public source IP and the rest of the machines have 1.1.1.1 (the last one is easy - overload on the whole private subnet)?

 

Thank you.

nkarthikeyan
Level 7

Hi Damir,

Here in your scenario the port is enabled for the incoming traffic towards the mail server... but when you give whatismyip.com it takes the general PAT path and gives you the 1st IP. I hope you got the hint to modify the NAT priority and statements as per your requirement to get that done.

Your port-forwarding rule is specific to port 25/80/443 towards a specific server IP (say mapped IP 1.1.1.1 (public), real IP 172.16.0.100 (private)). So when you access from inside to outside, your port-forward NAT rule will not match, hence it takes the general path...

But you don't need to worry about the situation here...

If you need that to show the NATed IP address used for port forwarding. But make sure that it doesn't clash:

    ! Static NAT for the server object
    object network server
     host 172.16.1.100
     nat (inside,outside) static <IP address>

Regards

Karthik
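
Added example, not part of the thread and not any poster's or Cisco's code: a simplified first-match model of the NAT behaviour discussed above. It shows why port forwards alone leave the mail server's outbound traffic on the PAT address, how a static NAT for 192.168.1.10 placed ahead of the generic PAT changes that, and why the 1:1 mapping then needs the outside ACL limited to ports 25, 80 and 443 that was asked about. The /24 inside subnet, the second LAN host 192.168.1.20 and the port numbers 50000 and 8080 are assumptions.

```python
from ipaddress import ip_address, ip_network

# Simplified first-match NAT model (not any vendor's real engine). Addresses are the
# thread's placeholders: 1.1.1.1 = PAT address, 1.1.1.2 = mail server's public IP.
FORWARDS = [{"kind": "port", "public": "1.1.1.2", "real": "192.168.1.10", "port": p}
            for p in (25, 80, 443)]
HOST_STATIC = {"kind": "host", "public": "1.1.1.2", "real": "192.168.1.10"}
PAT = {"kind": "pat", "public": "1.1.1.1", "inside": "192.168.1.0/24"}  # /24 is assumed

BEFORE = FORWARDS + [PAT]               # the original poster's setup
AFTER = FORWARDS + [HOST_STATIC, PAT]   # statics first, generic PAT last


def outbound_source(rules, src_ip, src_port):
    """Public source IP given to a new outbound connection (first match wins)."""
    for r in rules:
        if r["kind"] == "port" and (src_ip, src_port) == (r["real"], r["port"]):
            return r["public"]
        if r["kind"] == "host" and src_ip == r["real"]:
            return r["public"]
        if r["kind"] == "pat" and ip_address(src_ip) in ip_network(r["inside"]):
            return r["public"]
    return None


def inbound_target(rules, dst_ip, dst_port, acl_ports=None):
    """Inside host an unsolicited inbound packet reaches, or None if dropped.

    acl_ports models an outside-interface ACL: only these destination ports pass.
    """
    if acl_ports is not None and dst_port not in acl_ports:
        return None
    for r in rules:
        if r["kind"] == "port" and (dst_ip, dst_port) == (r["public"], r["port"]):
            return r["real"]
        if r["kind"] == "host" and dst_ip == r["public"]:
            return r["real"]
    return None  # the PAT address has no mapping for unsolicited traffic


if __name__ == "__main__":
    # A browser on the mail server uses an ephemeral source port (50000 is constructed).
    print("before:", outbound_source(BEFORE, "192.168.1.10", 50000))
    print("after: ", outbound_source(AFTER, "192.168.1.10", 50000))
    print("other host:", outbound_source(AFTER, "192.168.1.20", 50000))
    # The 1:1 static maps every inbound port unless an ACL restricts it.
    print("8080, no ACL:", inbound_target(AFTER, "1.1.1.2", 8080))
    print("8080, ACL:   ", inbound_target(AFTER, "1.1.1.2", 8080, {25, 80, 443}))
```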
 
