07-16-2012 02:04 AM
I am trying to set up two NAT pools for my internal network behind a ServerIron ADX: one pool (called "mail") with three public IPs that would be used for all SMTP traffic generated by the internal mail server, and one "default" NAT pool with just a single public IP for all the rest of the traffic generated in the internal network. The goal is to use the mail NAT pool really only for SMTP traffic and not for any other traffic, even from the mail server itself.
The problem I have is that it works only on the IP level: I can use the "mail" pool for ALL traffic from the mail server and the "default" pool for any other hosts, but it doesn't work on the port level; even non-SMTP traffic from the mail server is NATted using the "mail" pool.
I am using following config:
access-list 101 deny tcp host 192.168.129.144 any eq smtp
access-list 101 permit ip 192.168.128.0/23 any
access-list 199 permit tcp host 192.168.129.144 any eq smtp
-> ACL 199 should permit only SMTP traffic from the mail server and anything else, and ACL 101 should permit anything but the SMTP from the mail server
ip nat pool mail X.X.X.144 X.X.X.146 prefix-length 24
ip nat pool default X.X.X.8 X.X.X.8 prefix-length 24
ip nat inside source list 101 pool default overload
ip nat inside source list 199 pool mail overload
Any idea why this doesn't work on the port level (it works only on the IP level; all traffic from the mail server is NATted using the "mail" pool)?
08-01-2012 12:25 AM
You need to configure the following command for port-level NAT to work:
ip nat disable-sticky
It may happen when your ServerIron does not have the above command. Please tell me your version and also whether it is switch code or route code.
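To make the two posts above concrete, here is a small added model (not anything from the thread or from the ServerIron firmware) of how the poster's ACLs and pools select a public address per flow, and of the assumed "sticky" behaviour in which a host keeps the first pool it was mapped to. The ACL entries, pool names and addresses are the ones from the config above; the sticky semantics are an assumption drawn from the reply.

```python
import ipaddress

# Constructed model of the thread's policy NAT. Entries are (action, proto, src, dport);
# dport None means any port. ACL 101 feeds pool "default", ACL 199 feeds pool "mail".
ACL_101 = [
    ("deny",   "tcp", "192.168.129.144/32", 25),   # smtp from the mail server
    ("permit", "ip",  "192.168.128.0/23",   None), # everything else from the LAN
]
ACL_199 = [
    ("permit", "tcp", "192.168.129.144/32", 25),
]
# Same order as the "ip nat inside source list ... pool ..." lines in the post.
NAT_RULES = [(ACL_101, "default"), (ACL_199, "mail")]


def acl_permits(acl, src, proto, dport):
    """First-match ACL evaluation with an implicit deny at the end."""
    for action, aproto, net, port in acl:
        if ipaddress.ip_address(src) not in ipaddress.ip_network(net):
            continue
        if aproto != "ip" and aproto != proto:
            continue
        if port is not None and port != dport:
            continue
        return action == "permit"
    return False


def select_pool(src, proto, dport):
    """Per-flow selection: the first NAT rule whose ACL permits this flow wins."""
    for acl, pool in NAT_RULES:
        if acl_permits(acl, src, proto, dport):
            return pool
    return None  # no rule matched: traffic is not translated


class StickyNat:
    """Assumed sticky behaviour: an inside host is bound to the pool chosen for
    its first flow, and every later flow from that host reuses the binding."""

    def __init__(self):
        self.bindings = {}

    def select_pool(self, src, proto, dport):
        if src not in self.bindings:
            self.bindings[src] = select_pool(src, proto, dport)
        return self.bindings[src]
```

With per-flow selection the mail server's HTTPS traffic lands in "default" as intended; with the sticky binding it inherits "mail" once an SMTP flow has been seen, which is the symptom described in the first post.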
12-05-2012 07:18 AM
I am running the following:
SW: Version 10.2.00eTD4 Copyright (c) 1996-2007 Foundry Networks, Inc.
Compiled on Jul 11 2008 at 19:21:56 labeled as WXR10200e
HW: ServerIronGT C-Series Router, SYSIF version 21, Serial #: Non-exist
The "ip nat disable-sticky" command is not available. Is there any other way around this?
12-17-2012 07:51 PM
The only way is to upgrade. The 10.2.01i patch introduced the "ip nat disable-sticky" command. Our latest patch release is 10.2.02a. Please use 10.2.02a.
You originally mentioned "my internal network behind serveriron adx", but version "10.2.00e" is not ADX, since ADX versions start from 12.1.00, and we just released 12.5.00 as of today! 12.5 supports Multi-Tenancy, and this is a great enhancement.