Router – NAT translation mystery

Tags: ipv4, nat, router, vpn

We have a mail server, and its private address is translated to a public one on a Cisco router. We've mapped it one-to-one using this command:

ip nat inside source static 192.168.7.7 198.51.100.7 route-map Deny_on_VPN

The Deny_on_VPN route-map has no set clauses; it only blocks traffic from being NAT'ted when it is sent to remote locations over the VPN, nothing fancy there. Also, on the outside interface ACL we have permitted incoming traffic to the ports needed for mail to function (IMAP, POP3, SMTP, web client).

A kind of odd thing is happening during translation. I had a look at show ip nat translations | include 192.168.7.7. The incoming traffic ports translate just fine, like 198.51.100.7:25 to 192.168.7.7:25. But the outgoing traffic with a random source port is being translated something like this: 192.168.7.7:58634 to 198.51.100.7:80, and always port 80. It does the same thing with TCP and UDP packets.

I can't understand why such a thing would happen. Maybe some of you network guys can help me out. Please tell me if you need any additional info.


Update:

Port address translation config (for users):

ip nat pool ovrld 198.51.100.30 198.51.100.31 prefix-length 27
ip nat inside source list 107 pool ovrld overload

PAT source list ACL (the mail server is blocked on the first line from being PAT'ted):

router#show access-lists 107
Extended IP access list 107
    10 deny ip host 192.168.7.7 any (2922102 matches)
    --- Omitted as it is irrelevant ---
    9999 permit ip any any

Relevant lines from inbound ACL on outside interface:

router#show access-lists FILTER_IN
Extended IP access list FILTER_IN
    110 permit tcp any host 198.51.100.7 eq pop3 (3197667 matches)
    120 permit tcp any host 198.51.100.7 eq smtp (4812814 matches)
    130 permit tcp any host 198.51.100.7 eq 143 (299804 matches)
    140 permit tcp any eq domain host 198.51.100.7 (9 matches)
    150 permit udp any eq domain host 198.51.100.7 (120634 matches)
    160 permit tcp any eq www host 198.51.100.7 (271241 matches)
    170 permit tcp any eq smtp host 198.51.100.7 (1033371 matches)
    180 permit icmp any host 198.51.100.7 (18075 matches)
    190 permit tcp any host 198.51.100.7 eq www
    200 deny ip any host 198.51.100.7 (17811 matches)
    210 permit ip any any (4259977862 matches)

The VPN_Deny route-map blocks traffic from the internal network to branch office subnets from being NAT'ted. No set clauses.

Note: Translation of mail server address on an overloaded pool is denied in an ACL.

Note: 198.51.100.0/24 is from TEST-NET-2 range.
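The quickest way to confirm whether a "one-to-one" static mapping is really preserving ports is to parse the translation table and flag every flow whose inside-global port differs from the inside-local port. The script below is an added example, not part of the question or of any Cisco tool; its sample output is constructed to reproduce the symptom described above (inbound flows keep their port, outbound flows all land on port 80), and the column layout is the usual show ip nat translations format.

```python
import re
from collections import Counter

# Constructed sample of `show ip nat translations | include 192.168.7.7`
# output reproducing the symptom: inbound entries keep their port, but every
# outbound flow from the server is rewritten to inside-global port 80.
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 198.51.100.7:25    192.168.7.7:25     203.0.113.5:41234  203.0.113.5:41234
tcp 198.51.100.7:143   192.168.7.7:143    203.0.113.6:50022  203.0.113.6:50022
tcp 198.51.100.7:80    192.168.7.7:58634  203.0.113.9:25     203.0.113.9:25
udp 198.51.100.7:80    192.168.7.7:40111  203.0.113.53:53    203.0.113.53:53
tcp 198.51.100.7:80    192.168.7.7:58635  203.0.113.10:25    203.0.113.10:25
--- 198.51.100.7       192.168.7.7        ---                ---
"""

LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp|icmp)\s+"
    r"(?P<ig_ip>\S+):(?P<ig_port>\d+)\s+"
    r"(?P<il_ip>\S+):(?P<il_port>\d+)\s+"
    r"(?P<ol>\S+)\s+(?P<og>\S+)\s*$"
)

def parse_translations(text):
    """One dict per port-carrying translation; the header line and the
    address-only static entry ('---' protocol) are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ig_port"] = int(d["ig_port"])
            d["il_port"] = int(d["il_port"])
            entries.append(d)
    return entries

def find_port_rewrites(entries, inside_local):
    """Flows of `inside_local` whose inside-global port differs from the
    inside-local port. A true one-to-one static NAT should yield none;
    any hit means the router is port-translating that host."""
    return [e for e in entries
            if e["il_ip"] == inside_local and e["ig_port"] != e["il_port"]]

def summarize(entries, inside_local):
    """Count (protocol, inside-global port) of the rewritten flows so a
    single fixed port such as 80 stands out at a glance."""
    return dict(Counter((e["proto"], e["ig_port"])
                        for e in find_port_rewrites(entries, inside_local)))
```

Run it against the real CLI output pasted into SAMPLE_OUTPUT; an empty result from find_port_rewrites is what a healthy static mapping looks like.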

Best Answer

This doesn't really answer my question of why NAT always used port 80 as the source port for outgoing traffic, but at least I figured out how to fix the problem.

I created an access list to match traffic from the mail server and also created a pool of one public address for it.

ip access-list extended 109
 !!! Restrict NAT for branch office destinations
 deny ip host 192.168.7.7 192.168.0.0 0.0.255.255
 permit ip host 192.168.7.7 any
ip nat pool MAIL 198.51.100.7 198.51.100.7 prefix-length 27
ip nat inside source list 109 pool MAIL

And... Voilà! It now preserves the source port number as it sends traffic. And our mail is no longer blocked by some external MTA mail servers.


Update:

So now I tried reverting back to:

ip nat inside source static 192.168.7.7 198.51.100.7 route-map Deny_on_VPN

And it actually started to translate addresses and ports as expected - one to one. I don't really understand what the deal was with it, maybe a bug? Hopefully it will keep running like this from now on. I guess I'll have a look at the IOS release notes.