change nat mapping 1

pgaliardo

We currently have our Cisco 2600 mapping smtp traffic from our public address to a mail server at 10.0.0.10. We just added a mail security device and I need mail to go to that address internally instead of the mail server. Do I just delete the old mapping and add the new one? Can someone provide the steps on what needs to be done?

Currently we have:

ip nat inside source static 10.0.0.10 141.x.x.x (where x is our public address).

I believe I need:

ip nat inside source static 10.0.0.2 141.x.x.x

Any suggestions would be appreciated.

Thanks.
 
Just want to clarify the traffic path. Is it something like this?

Internal mail-->Internal mail server-->Internal mail security device-->Internet

 
All MX records for our domain go to one of our public IP addresses directly, so there is no internet mail server, so basically the path is:

Internet mail -> Cisco Router -> Mail Security Device -> Internal Exchange Server. Hope this clarifies it.

Thanks.
 
this is a static mapping so all incoming traffic will be directed to this new device.. is this what you wanted? or only the smtp traffic to be redirected?

no ip nat inside source static 10.0.0.10 141.x.x.x
ip nat inside source static 10.0.0.2 141.x.x.x

if the nat translation is in use you won't be able to take it out though so you'll have to clear the nat table...

clear ip nat translations *

or do a shut on your wan interface...
 
Thanks plshlpme. I only need smtp traffic to the new device. I think the problem I was having is that the no ip nat command was not clearing the current nat mapping.

So I'll have to clear the whole nat table and add them back? If so, it should be easy enough, we only have 5 static maps.

Thanks.
 
The clear ip nat translations command brings up an error that "This is not a dynamic mapping".
It is correct, because we are not using dynamic mappings.
We are only using about 5 static mappings. Using the no ip nat inside source static 10.0.0.10 141.x.x.x brings up a message:
Static map is in use, do you want to clear child entries?

So is a shutdown on the interface the way to go to be able to clear this entry? Would simply removing the ip nat inside setting from the interface do the trick?

Thanks.

 
the thing you have to realize here is that with the nat statement you have in place.. if you simply change the internal host then you will be redirecting all traffic that comes in on that world reachable ip to the mail security device.

do you have a lot of ports that need to be opened?
if not then you could use port address translation and selectively send traffic to its internal host based on the port it comes in on...

an example from my setup

ip nat inside source static tcp 10.10.10.11 25 x.x.x.x 25 extendable
ip nat inside source static tcp 10.10.10.11 110 x.x.x.x 110 extendable
ip nat inside source static tcp 10.10.10.10 80 x.x.x.x 80 extendable
ip nat inside source static udp 10.10.10.10 53 x.x.x.x 53 extendable
ip nat inside source static tcp 10.10.10.10 53 x.x.x.x 53 extendable
etc...

so http and dns go to one host while mail goes to another host.

does that help any?
 
Thanks again plshlpme. I got it to work. I tried to just clear the individual mapping from the table, but you need to use the clear ip nat translation * command as you said. I was able to delete the old mapping and add the new.

Just to answer your last post, our nat mapping is similar to yours, except the port numbers are not specified. I did not originally set this up. I assume ours is set that way because each of our public addresses is used for a specific port, in other words, we have 1 public IP address just for SMTP, one for HTTP and one for Citrix. We have an access list that only allows that particular traffic in on each address. Anyway, thanks again for the help.
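
An added example, not part of the thread: a Python check that reads ip nat inside source static lines in the two forms posted above and reports which public addresses forward every port to an inside host (the one-to-one form, which relies on an inbound access list like the one described in the last post) and which forward only named ports. The sample configuration, its 203.0.113.x addresses and the function names are constructed for illustration.

```python
# Constructed sample: one one-to-one mapping plus port-scoped mappings.
SAMPLE_CONFIG = """\
ip nat inside source static 10.0.0.2 203.0.113.10
ip nat inside source static tcp 10.10.10.11 25 203.0.113.20 25 extendable
ip nat inside source static tcp 10.10.10.11 110 203.0.113.20 110 extendable
ip nat inside source static tcp 10.10.10.10 80 203.0.113.20 80 extendable
ip nat inside source static udp 10.10.10.10 53 203.0.113.20 53 extendable
"""


def parse_static_nat(line):
    """Return a dict for a static NAT line in either form, else None."""
    tokens = line.split()
    # Lines starting with "no" (removals) and unrelated lines are ignored.
    if tokens[:5] != ["ip", "nat", "inside", "source", "static"]:
        return None
    args = [t for t in tokens[5:] if t != "extendable"]
    # Port form: <tcp|udp> <local> <local-port> <global> <global-port>
    if len(args) == 5 and args[0] in ("tcp", "udp") and args[4].isdigit():
        proto, local, _lport, glob, gport = args
        return {"local": local, "global": glob, "proto": proto, "port": int(gport)}
    # One-to-one form: <local> <global>; every port on <global> is forwarded.
    if len(args) == 2:
        return {"local": args[0], "global": args[1], "proto": None, "port": None}
    return None


def exposure_map(config):
    """Map each global address to {service: inside host}; 'all' means every port."""
    exposed = {}
    for line in config.splitlines():
        entry = parse_static_nat(line)
        if entry:
            service = "all" if entry["proto"] is None else f'{entry["proto"]}/{entry["port"]}'
            exposed.setdefault(entry["global"], {})[service] = entry["local"]
    return exposed


def wide_open(config):
    """Return (global, inside host) pairs that are forwarded on every port."""
    return [(g, s["all"]) for g, s in exposure_map(config).items() if "all" in s]


if __name__ == "__main__":
    for glob, services in exposure_map(SAMPLE_CONFIG).items():
        for service, host in sorted(services.items()):
            print(f"{glob:15} {service:8} -> {host}")
    for glob, host in wide_open(SAMPLE_CONFIG):
        print(f"REVIEW: {glob} forwards all ports to {host}; confirm an inbound ACL limits it")
```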
 