NAT outbound

Discussion in 'Cisco' started by Mikhael47, Oct 21, 2004.

  1. Mikhael47

    Mikhael47 Guest

    I have a 2621 that has NAT enabled and routes packets for our SMTP/web/POP3
    servers. When an SMTP connection goes out, it uses an address from the
    pool. I have a static extended NAT translation set up for the connection so
    that people can access my SMTP server from the internet.

    Lately I have been noticing that I've been getting bounces from mail servers
    because my mail server is not resolving for them. I did a little more
    digging and found out that the mail server is being NATted to one of a pool
    of addresses I've set up for outbound NAT.

    My questions are:

    1) Are static NATs used for inbound and outbound translations?
    2) How do I get my SMTP outbound connections to appear from the proper
    address?

    I have the following setup

    ip nat pool capone-natpool-1 xxx.xxx.41.100 xxx.xxx.41.112 netmask 255.255.255.0
    ip nat inside source route-map nonat pool capone-natpool-1 overload
    ip nat inside source static tcp yyy.yyy.yyy.64 53 xxx.xxx.41.121 53 extendable
    ip nat inside source static tcp yyy.yyy.yyy.64 143 xxx.xxx.41.121 143 extendable
    ip nat inside source static tcp yyy.yyy.yyy.64 110 xxx.xxx.41.121 110 extendable
    ip nat inside source static tcp yyy.yyy.yyy.64 443 xxx.xxx.41.121 443 extendable
    ip nat inside source static tcp yyy.yyy.yyy.64 25 xxx.xxx.41.121 25 extendable


    My route map is set up like this:

    route-map nonat permit 10
    match ip address 110

    Access list 110 denies traffic to/from various VPNs.

    My first knee-jerk reaction was to set up a static NAT for the SMTP server
    that wasn't extended, but that did not work, as I believe the order of
    operations allows the outbound connection to grab an IP from the NAT pool.
    (If I am wrong here, let me know.)

    My second idea is to add the SMTP server to the 'nonat' route map to allow
    the unextended translation to work. Unfortunately this is a production
    server that handles 10000 messages a day. I don't want to make that change
    and not have it work.

    My third idea is to set up some kind of route map that handles the SMTP
    traffic through a dummy interface that isn't NATted at all; I am not sure if
    that would work or not.

    Let me know your thoughts

    Mike
     
    Mikhael47, Oct 21, 2004
    #1

  2. PES

    PES Guest

    Yes, based on the source or destination port depending on direction. Static
    always supersedes a dynamic match.

    You need to check your access lists to make sure that a one-to-one
    translation won't create a vulnerability. You must at least be using ACK
    bit filters, reflexive ACLs or the IOS FW feature set to create temporary
    holes. I always recommend the latter. Then modify your ACL to be a true
    one-to-one NAT.

    change:

    ip nat inside source static tcp yyy.yyy.yyy.64 25 xxx.xxx.41.121 25 extendable

    to:
    ip nat inside source static yyy.yyy.yyy.64 xxx.xxx.41.121
     
    PES, Oct 21, 2004
    #2
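As an added example (not part of either post above), here is the change PES describes, written out as the full before/after IOS configuration together with the inbound filter he says must accompany a one-to-one mapping, so that translating the whole address does not expose every port on the server. The interface names and the ACL name OUTSIDE-IN are assumptions; the addresses keep the thread's own masking.

```cisco
! Added example, not from the thread. Interface and ACL names are assumed.
!
! Before: port-specific ("extendable") static entries. A connection from the
! internet to xxx.xxx.41.121:25 reaches the server, but an outbound SMTP
! session from yyy.yyy.yyy.64 uses an ephemeral source port, matches none of
! these entries (they key on local port 25, 110, ...), and so falls through to
! the dynamic overload pool and leaves with a pool address.
ip nat inside source static tcp yyy.yyy.yyy.64 53 xxx.xxx.41.121 53 extendable
ip nat inside source static tcp yyy.yyy.yyy.64 143 xxx.xxx.41.121 143 extendable
ip nat inside source static tcp yyy.yyy.yyy.64 110 xxx.xxx.41.121 110 extendable
ip nat inside source static tcp yyy.yyy.yyy.64 443 xxx.xxx.41.121 443 extendable
ip nat inside source static tcp yyy.yyy.yyy.64 25 xxx.xxx.41.121 25 extendable
ip nat pool capone-natpool-1 xxx.xxx.41.100 xxx.xxx.41.112 netmask 255.255.255.0
ip nat inside source route-map nonat pool capone-natpool-1 overload
!
! After: remove the five port-specific entries and replace them with one true
! one-to-one mapping. A static entry is preferred over the dynamic rule, so
! every packet from yyy.yyy.yyy.64, whatever its source port, now leaves as
! xxx.xxx.41.121, and the receiving MTA's lookup sees the expected address.
no ip nat inside source static tcp yyy.yyy.yyy.64 53 xxx.xxx.41.121 53 extendable
no ip nat inside source static tcp yyy.yyy.yyy.64 143 xxx.xxx.41.121 143 extendable
no ip nat inside source static tcp yyy.yyy.yyy.64 110 xxx.xxx.41.121 110 extendable
no ip nat inside source static tcp yyy.yyy.yyy.64 443 xxx.xxx.41.121 443 extendable
no ip nat inside source static tcp yyy.yyy.yyy.64 25 xxx.xxx.41.121 25 extendable
ip nat inside source static yyy.yyy.yyy.64 xxx.xxx.41.121
!
! The full mapping forwards every port to the server, so the outside interface
! has to restrict what may come in. An inbound ACL on the outside interface is
! evaluated before NAT, so it matches the global (outside) address. Only the
! ports the old extendable entries exposed are permitted here.
ip access-list extended OUTSIDE-IN
 permit tcp any host xxx.xxx.41.121 eq 25
 permit tcp any host xxx.xxx.41.121 eq 110
 permit tcp any host xxx.xxx.41.121 eq 143
 permit tcp any host xxx.xxx.41.121 eq 443
 permit tcp any host xxx.xxx.41.121 eq 53
 ! Return traffic for sessions the inside opened (ACK or RST set). This is the
 ! "ACK bit filter" option; reflexive ACLs or the firewall feature set (CBAC)
 ! would replace this line with stateful session entries.
 permit tcp any any established
 deny ip any any log
!
interface FastEthernet0/0
 description Outside (assumed interface name)
 ip nat outside
 ip access-group OUTSIDE-IN in
!
interface FastEthernet0/1
 description Inside (assumed interface name)
 ip nat inside
```

After the change, `show ip nat translations | include yyy.yyy.yyy.64` should list the server's outbound sessions with xxx.xxx.41.121 in the Inside global column instead of an address from capone-natpool-1. Two caveats: the ACL above permits only the five TCP ports that the thread's extendable entries exposed, so anything else the router or inside hosts need inbound (ICMP, UDP DNS, the VPN traffic that access list 110 excludes from NAT) has to be added explicitly, and the `deny ip any any log` line will show you what is being dropped while you tune it.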