RE: [nsp] ip nat inside -> inside static

From: Joe Hsieh (chsieh@networkplus.com)
Date: Wed Jan 16 2002 - 16:10:13 EST


Kevin,

Maybe you know this already.

There is a trick to fix this problem. If you use static map PAT instead of
port translation...

change your access-list to 101 (extended):

ip nat inside source static 192.168.0.10 1.1.1.3
access-list 101 deny ip 192.168.0.0 0.0.0.255 host 1.1.1.3
access-list 101 permit ip 192.168.0.0 0.0.0.255 any

add a static route if the router does not have a default route:

ip route 1.1.1.3 255.255.255.255 (next-hop address of the "ip nat outside" interface)

yes, set the next-hop to upstream

You can apply an incoming access-list filter to permit port 25 only.

Joe Hsieh

-----Original Message-----
From: kevin graham [mailto:kgraham@dotnetdotcom.org]
Sent: Tuesday, January 15, 2002 11:16 PM
To: cisco-nsp@puck.nether.net
Subject: [nsp] ip nat inside -> inside static

I wrote the list on this back in October and have yet to find a solution,
so I thought I'd give it another shot.

I'm trying to find a way to permit an inside host to connect to an inside
static, i.e.:

access-list 10 permit 192.168.0.0 0.0.0.255
ip nat pool GBL 1.1.1.2 1.1.1.2
ip nat inside source static tcp 192.168.0.10 1.1.1.3 25 extendable
ip nat inside source list 10 pool GBL overload

If a host on 192.168.0/24 attempts to connect to 1.1.1.3 25/tcp, the
router will generate a RST, rather than doing what (IMHO) seems intuitive
which is src translating to 1.1.1.2 (pool GBL overload), then dst
translating to 192.168.0.10 (static tcp).

Does anyone know of a decent hack to make this work and/or if Cisco even
considers it a problem to be addressed in a future release?

thanks.
..kg..

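The workaround from the reply, assembled into one complete interface-level configuration as an added example; this is not configuration posted by either author. The NAT addresses (1.1.1.2 pool, 1.1.1.3 static, host 192.168.0.10, the 192.168.0.0/24 LAN) come from the thread. Assumed for illustration: inside interface FastEthernet0/0 at 192.168.0.1/24, outside interface FastEthernet0/1 at 1.1.1.1/24, upstream next hop 1.1.1.254, and the pool netmask. The inbound filter is the "port 25 only" filter the reply mentions; the `established` line that lets replies to the PAT pool address back in is an addition so existing outbound sessions keep working.

```cisco
! Added example, not the posted configuration of either author.
! Assumed: Fa0/0 = inside (192.168.0.1/24), Fa0/1 = outside (1.1.1.1/24),
! upstream next hop 1.1.1.254, pool netmask 255.255.255.0.
!
! 1:1 static mapping instead of the port-specific static
! ("ip nat inside source static tcp ... 25 extendable").
ip nat inside source static 192.168.0.10 1.1.1.3
!
! Dynamic PAT for the rest of the LAN. The deny keeps LAN traffic bound
! for 1.1.1.3 from being source-translated to the pool address.
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 1.1.1.3
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
ip nat pool GBL 1.1.1.2 1.1.1.2 netmask 255.255.255.0
ip nat inside source list 101 pool GBL overload
!
! Host route so a LAN client's packet for 1.1.1.3 is forwarded toward the
! upstream on the "ip nat outside" side. Only needed when the router has
! no default route; the /32 wins over the connected /24.
ip route 1.1.1.3 255.255.255.255 1.1.1.254
!
! Inbound filter on the outside interface: only SMTP may reach the static.
! Inbound ACLs are evaluated before outside-to-inside NAT, so they match
! the global (1.1.1.x) addresses, not the inside ones.
! The "established" line is an assumption, not from the thread: it admits
! replies to sessions that left via the PAT pool address.
access-list 102 permit tcp any host 1.1.1.3 eq smtp
access-list 102 permit tcp any host 1.1.1.2 established
access-list 102 deny   ip any any log
!
interface FastEthernet0/0
 description inside LAN
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description upstream
 ip address 1.1.1.1 255.255.255.0
 ip access-group 102 in
 ip nat outside
```

After applying it, `show ip nat translations` should list the 1:1 entry for 192.168.0.10 <-> 1.1.1.3, and `debug ip nat` on a test connection from a LAN host to 1.1.1.3:25 shows whether the packet leaves toward the upstream and returns on the outside interface to be translated to 192.168.0.10. If the upstream filters private source addresses (uRPF or an ingress ACL), the bounced packet, whose source is left untranslated by the deny in list 101, will not come back, which is the first thing to check when the hairpin still fails.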


This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:59 EDT