
VPN and static NAT rules

wgaal1 (Level 1)

A branch office connects to the internet via a Cisco 837 with one static IP address. NAT is being used for client access to the internet. A static NAT rule is created to translate SMTP from external to internal.

ip nat inside source static tcp 10.254.0.35 25 "external ip" 25 extendable

A site-to-site VPN was created between this office and the main office. Traffic runs fine over the VPN except port 25 to 10.254.0.35.

When the static NAT rule is deleted it all works fine, but then of course no more mail is received from outside.

How can I get SMTP over the VPN and from external both at the same time?


gfullage (Cisco Employee)

In your config you will have a NAT statement that maps to an access-list which denies the VPN traffic from being NAT'd but NATs all other outbound traffic. The trouble is that your port-specific NAT statement for your mail server overrides this access-list NAT statement, and traffic coming over the VPN to port 25 is NAT'd on the way back and sent to the Internet rather than back over the VPN.

There's a sample config on how to get around this here:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml

Basically you have to stop this mail server traffic from being NAT'd; you do this by policy-routing it through a loopback interface. Traffic is only NAT'd if it comes in on an "ip nat inside" interface and goes out an "ip nat outside" interface. If you send it to a loopback interface in between, which has no NAT configured on it, then it doesn't get NAT'd.

Look at the DAphne router config, specifically the ACL 123, the loopback0 interface and the policy routing on fa0/1. Note the IP address on the loopback int can be anything (1.1.1.1 is a good choice), it's only used to set the next-hop for the policy routing.
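The arrangement described above, written out as an added example. This is neither the poster's configuration nor the configuration from the linked Cisco document; interface names (Ethernet0 inside, Dialer1 outside, as on a typical 837), the main-office LAN 10.1.0.0/24, the public address 192.0.2.10, the loopback subnet and the route-map/ACL names are all assumptions chosen for illustration. The one detail worth noting is that ACL 123 matches only the mail server's traffic toward the main-office LAN, so SMTP replies to Internet senders still hit the static translation and go out normally.

```cisco
! Added example (not the original poster's config and not the Cisco document's).
! Assumed addressing: branch LAN 10.254.0.0/24 on Ethernet0, main-office LAN
! 10.1.0.0/24 reached over the IPsec tunnel, public address 192.0.2.10 on
! Dialer1, mail server 10.254.0.35.
!
! 1. Loopback with no "ip nat inside/outside" statement. Traffic that is
!    policy-routed out of this interface re-enters the routing process from
!    an interface that is not part of NAT, so the static port-25 rule is
!    never applied to it. The address is arbitrary; the next hop used below
!    is simply an unused address on the loopback's subnet (assumption).
interface Loopback0
 ip address 10.0.0.1 255.255.255.0
!
! 2. Only the mail server's return traffic toward the main-office LAN.
!    Everything else from the server (replies to Internet senders) must
!    still be translated by the static rule, so do not match "any" here.
access-list 123 permit ip host 10.254.0.35 10.1.0.0 0.0.0.255
!
! 3. Policy routing that diverts that traffic through the loopback.
route-map bypass-nat permit 10
 match ip address 123
 set ip next-hop 10.0.0.2
!
! 4. Applied on the LAN interface, where the server's packets enter.
interface Ethernet0
 ip address 10.254.0.1 255.255.255.0
 ip nat inside
 ip policy route-map bypass-nat
!
! 5. Existing NAT stays as it was: dynamic NAT already excludes VPN traffic
!    via access-list 101, and the static SMTP forward is kept.
access-list 101 deny   ip 10.254.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 101 permit ip 10.254.0.0 0.0.0.255 any
ip nat inside source list 101 interface Dialer1 overload
ip nat inside source static tcp 10.254.0.35 25 192.0.2.10 25 extendable
!
interface Dialer1
 ip nat outside
 crypto map vpn-to-main
```

To confirm the diversion is working, "show route-map bypass-nat" should show the match counter climbing when mail flows over the tunnel, and "show ip nat translations" should no longer show entries for 10.254.0.35 port 25 with the main-office hosts as the destination.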

DAphne router config?

Is this a config found in a Cisco book or via some other source?

I'd like to pursue the policy-routing further.

Thanks for the post.