Application Delivery (ADX)

Contributor
steve14
Posts: 22
Registered: ‎07-06-2012

port based ACL NAT pool

Hello community,

I am trying to set up two NAT pools for my internal network behind a ServerIron ADX: one pool (called "mail") with three public IPs that would be used for all SMTP traffic generated by the internal mail server, and one "default" NAT pool with just a single public IP for all the rest of the traffic generated in the internal network. The goal is to use the "mail" NAT pool really only for SMTP traffic and not for any other traffic, even from the mail server itself.

The problem I have is that it works only on the IP level: I can use the "mail" pool for ALL traffic from the mail server and the "default" pool for any other hosts, but it doesn't work on the port level; even non-SMTP traffic from the mail server is NATted using the "mail" pool.

I am using the following config:

access-list 101 deny tcp 192.168.129.144 any eq smtp
access-list 101 permit ip 192.168.128.0/23 any
access-list 199 permit tcp host 192.168.129.144 any eq smtp

-> ACL 199 should permit only SMTP traffic from the mail server and anything else, and ACL 101 should permit anything but the SMTP from the mail server

ip nat pool mail X.X.X.144 X.X.X.146 prefix-length 24
ip nat pool default X.X.X.8 X.X.X.8 prefix-length 24
ip nat inside source list 101 pool default overload
ip nat inside source list 199 pool mail overload

Any idea why this doesn't work on the port level (it works only on the IP level: all traffic from the mail server is NATted using the "mail" pool)?

thanks,

Steve.

Contributor
Kono
Posts: 47
Registered: ‎07-14-2010

Re: port based ACL NAT pool

You need to configure the following command for port-level NAT to work:

ip nat disable-sticky

It may be that your ServerIron does not have the above command. Please tell me your version, and also whether it is switch code or router code.

Thanks.

//Kono
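To make the difference between "IP level" and "port level" pool selection concrete, here is an added example that is not part of this thread and not Brocade/Foundry code. It parses the ACL and NAT lines posted above (with the masked public addresses replaced by RFC 5737 documentation addresses) and evaluates a few constructed flows twice: once with a "sticky" model, where the first translated flow binds the inside host to a pool and every later flow from that host reuses it, and once per flow. The sticky model, the treatment of a bare address in an ACL entry as a single host, and the small port-name table are assumptions of this example, not documented device behaviour.

```python
"""Model ACL-driven NAT pool selection, sticky vs. per-flow (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"smtp": 25, "http": 80, "https": 443, "dns": 53}  # assumption: small name table

# Constructed config: the ACL and NAT lines from the thread, with the masked
# public addresses replaced by RFC 5737 documentation addresses.
CONFIG = """
access-list 101 deny tcp 192.168.129.144 any eq smtp
access-list 101 permit ip 192.168.128.0/23 any
access-list 199 permit tcp host 192.168.129.144 any eq smtp
ip nat pool mail 203.0.113.144 203.0.113.146 prefix-length 24
ip nat pool default 203.0.113.8 203.0.113.8 prefix-length 24
ip nat inside source list 101 pool default overload
ip nat inside source list 199 pool mail overload
"""

# Constructed flows: (src ip, dst ip, proto, dst port). 192.168.129.144 is the
# mail server from the thread; 192.168.128.10 stands in for any other host.
FLOWS = [
    ("192.168.129.144", "198.51.100.25", "tcp", 25),   # mail server, SMTP
    ("192.168.129.144", "198.51.100.80", "tcp", 443),  # mail server, HTTPS
    ("192.168.128.10", "198.51.100.25", "tcp", 25),    # other host, SMTP
    ("192.168.128.10", "198.51.100.80", "tcp", 443),   # other host, HTTPS
]


@dataclass
class AclEntry:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]             # None = any destination port


def _parse_addr(tokens):
    """Consume one address spec; a bare address is treated as a single host (assumption)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(tok if "/" in tok else tok + "/32")


def parse_config(text):
    """Return ({acl id: [AclEntry]}, {pool: (start, end)}, [(acl id, pool)] in config order)."""
    acls, pools, nat_rules = {}, {}, []
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] == "access-list":
            rest = t[4:]
            src, dst = _parse_addr(rest), _parse_addr(rest)
            dport = None
            if rest and rest[0] == "eq":
                dport = PORT_NAMES.get(rest[1]) or int(rest[1])
            acls.setdefault(t[1], []).append(AclEntry(t[2], t[3], src, dst, dport))
        elif t[:3] == ["ip", "nat", "pool"]:
            pools[t[3]] = (t[4], t[5])
        elif t[:5] == ["ip", "nat", "inside", "source", "list"]:
            nat_rules.append((t[5], t[7]))
    return acls, pools, nat_rules


def acl_permits(entries, src, dst, proto, dport):
    """First matching entry decides; no match is an implicit deny."""
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if src not in e.src or dst not in e.dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action == "permit"
    return False


def select_pool(acls, nat_rules, flow):
    """Walk the 'ip nat inside source list' rules in order; first permitting ACL wins."""
    src, dst, proto, dport = flow
    for acl_id, pool in nat_rules:
        if acl_permits(acls.get(acl_id, []), ipaddress.ip_address(src),
                       ipaddress.ip_address(dst), proto, dport):
            return pool
    return None  # no rule matched: flow is not translated


def simulate(sticky):
    """Return the pool chosen for each flow in FLOWS under the sticky or per-flow model."""
    acls, _pools, rules = parse_config(CONFIG)
    bindings = {}  # sticky model (assumption): inside host -> pool of its first translated flow
    chosen = []
    for flow in FLOWS:
        host = flow[0]
        if sticky and host in bindings:
            pool = bindings[host]
        else:
            pool = select_pool(acls, rules, flow)
            if sticky and pool is not None:
                bindings[host] = pool
        chosen.append(pool)
    return chosen


if __name__ == "__main__":
    for mode in (True, False):
        print("sticky" if mode else "per-flow", list(zip(FLOWS, simulate(mode))))
```

With the sticky model the mail server's first SMTP session pins it to the "mail" pool and its later HTTPS session follows, which is the symptom described in the question; evaluated per flow, the HTTPS session falls through the deny entry of ACL 101 to its permit entry and lands in the "default" pool.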

Contributor
steve14
Posts: 22
Registered: ‎07-06-2012

Re: port based ACL NAT pool

Hi Kono,

I am running the following:

  SW: Version 10.2.00eTD4 Copyright (c) 1996-2007 Foundry Networks, Inc.

      Compiled on Jul 11 2008 at 19:21:56 labeled as WXR10200e

  HW: ServerIronGT C-Series Router, SYSIF version 21, Serial #: Non-exist

The "ip nat disable-sticky" command is not available. Is there any other way around it?

thx,

Steve.

Contributor
Kono
Posts: 47
Registered: ‎07-14-2010

Re: port based ACL NAT pool

Steve,

The only way is to upgrade. The 10.2.01i patch introduced the "ip nat disable-sticky" command. Our latest patch release is 10.2.02a. Please use 10.2.02a.

You originally mentioned "my internal network behind serveriron adx", but version "10.2.00e" is not ADX, since ADX versions start from 12.1.00, and we just released 12.5.00 as of today! 12.5 supports Multi-Tenancy, and this is a great enhancement.

Thanks.

//Kono
