Nat outbound
Posted by Mikhael47 on October 21st, 2004


I have a 2621 that has NAT enabled and routes packets for our smtp/web/pop3
servers. When an smtp connection goes out, it uses an address from the
pool. I have a static extended nat translation set up for the connection so
that people can access my smtp server from the internet.

Lately I have been noticing that I've been getting bounces from mail servers
because my mail server is not resolving for them. I did a little more
digging and found out that the mail server is being natted to one of a pool
of addresses I've set up for outbound nat.

My questions are:

1) Are static nats used for inbound and outbound translations?
2) How do I get my smtp outbound connections to appear from the proper
address?

I have the following setup

ip nat pool capone-natpool-1 xxx.xxx.41.100 xxx.xxx.41.112 netmask 255.255.255.0
ip nat inside source route-map nonat pool capone-natpool-1 overload
ip nat inside source static tcp yyy.yyy.yyy.64 53 xxx.xxx.41.121 53 extendable
ip nat inside source static tcp yyy.yyy.yyy.64 143 xxx.xxx.41.121 143 extendable
ip nat inside source static tcp yyy.yyy.yyy.64 110 xxx.xxx.41.121 110 extendable
ip nat inside source static tcp yyy.yyy.yyy.64 443 xxx.xxx.41.121 443 extendable
ip nat inside source static tcp yyy.yyy.yyy.64 25 xxx.xxx.41.121 25 extendable


My route map is set up like this:

route-map nonat permit 10
match ip address 110

Access list 110 denies traffic to/from various vpns.

My first knee-jerk reaction was to set up a static nat for the smtp server
that wasn't extended, but that did not work, as I believe the order of operations
allows the outbound connection to grab an IP from the nat pool. (If I am
wrong here let me know.)

My second idea is to add the smtp server to the 'nonat' route map to allow
the unextended translation to work. Unfortunately this is a production
server that runs 10000 messages in a day. I don't want to make that change
and not have it work.

My third idea is to set up some kind of route-map that handles the smtp
traffic through a dummy interface that isn't natted at all; I am not sure if
that would work or not.

Let me know your thoughts

Mike




Posted by PES on October 21st, 2004



"Mikhael47" <mikhael47@gmail.com> wrote in message
news:OWOdd.54698$JG5.810953@news20.bellglobal.com...
Yes, based on the source or destination port depending on direction. Static
always supersedes a dynamic match.


You need to check your access lists to make sure that a one-to-one
translation won't create a vulnerability. You must at least be using ack
bit filters, reflexive ACLs or the IOS FW feature set to create temporary
holes. I always recommend the latter. Then modify your acl to be a true
one-to-one nat.

change:

ip nat inside source static tcp yyy.yyy.yyy.64 25 xxx.xxx.41.121 25 extendable

to:
ip nat inside source static yyy.yyy.yyy.64 xxx.xxx.41.121
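An added illustration, not part of either post: a small Python model of the IOS NAT lookup order PES describes (a static entry is checked before the dynamic pool, and a port-specific "extendable" static is matched on the source port for outbound flows). It shows why outbound SMTP from an ephemeral source port falls through to the pool under the port-specific entry but not under the plain one-to-one static, and why the one-to-one static also answers inbound traffic on every port, which is the ACL concern PES raises. The addresses are constructed placeholders for the xxx/yyy values above.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed placeholders for the addresses in the thread.
INSIDE_SMTP = "10.0.0.64"        # stands in for yyy.yyy.yyy.64
STATIC_GLOBAL = "203.0.113.121"  # stands in for xxx.xxx.41.121
POOL = ["203.0.113.100", "203.0.113.112"]  # first/last of capone-natpool-1


@dataclass(frozen=True)
class Static:
    """One 'ip nat inside source static' entry.

    port=None models a plain one-to-one static; an int models the
    'static tcp <in> <port> <out> <port> extendable' form."""
    inside_local: str
    inside_global: str
    port: Optional[int] = None


def translate_outbound(src_ip: str, src_port: int, statics: List[Static],
                       pool: List[str]) -> Tuple[str, int]:
    """Return the (inside-global ip, port) an outbound flow is seen with.

    Statics win over the dynamic pool. A port-specific static matches an
    outbound flow only when the flow's *source* port equals the configured
    port; an SMTP client using an ephemeral source port never matches it.
    Unmatched flows fall through to the overloaded pool (PAT). The pool
    pick and port handling are simplified: first pool address, source
    port kept."""
    for s in statics:
        if s.inside_local == src_ip and (s.port is None or s.port == src_port):
            return (s.inside_global, src_port)
    return (pool[0], src_port)


def translate_inbound(dst_ip: str, dst_port: int,
                      statics: List[Static]) -> Optional[Tuple[str, int]]:
    """Return the (inside-local ip, port) an inbound flow is forwarded to,
    or None when no static matches. Inbound traffic never creates a
    dynamic pool entry, so only statics are consulted. Note that a plain
    one-to-one static forwards *every* port, which is why PES insists on
    ACLs, reflexive ACLs or the firewall feature set alongside it."""
    for s in statics:
        if s.inside_global == dst_ip and (s.port is None or s.port == dst_port):
            return (s.inside_local, dst_port)
    return None
```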



