Hi,
I've just managed a successful redirect of outgoing packets (from 10.0.0.0/24), destined for ANY smtp, to MY smtp server (192.168.0.2). Most of the configurations suggested using route-map, which didn't work. The successful config was with NAT, and I'd like to ask
1) if this is a nice way to do redirects
2) why it didn't work with route-map
So here are my configs
==================config 1
Interface ATM1/0.1
 ip address 10.0.0.1 255.255.255.0
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 no ip mroute-cache

Interface ATM1/0.2
 ip address 192.168.0.1 255.255.255.0
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 no ip mroute-cache

ip nat pool smtp-server 192.168.0.2 192.168.0.2 255.255.255.0 type rotary
ip nat inside destination list 111 pool smtp-server

Extended IP access list 111
    10 deny tcp host 192.168.0.2 any eq smtp
    20 permit tcp 10.0.0.0 0.0.0.255 any eq smtp
=======================end config 1
This configuration works as I wanted it to. Every outgoing packet from 10.0.0.0/24 to any smtp server gets redirected (like a transparent proxy) to my mail server. Is this ok? My previous config was with route-map and I never managed to understand why it didn't work.
==================config 2
Interface ATM1/0.1
 ip address 10.0.0.1 255.255.255.0
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip policy route-map MAIL-REDIRECT
 no ip mroute-cache

Interface ATM1/0.2
 ip address 192.168.0.1 255.255.255.0
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip mroute-cache

route-map MAIL-REDIRECT permit 10
 match ip address 111
 set ip next-hop 192.168.0.2

Extended IP access list 111
    10 deny tcp host 192.168.0.2 any eq smtp
    20 permit tcp 10.0.0.0 0.0.0.255 any eq smtp
=======================end config 2
The above config fails to change the destination address. Nevertheless, packets are routed through the ATM1/0.2 interface.
I believe that route-map would be a cleaner and maybe a more resource-friendly way to do the redirect.
Any suggestions on those problems? Thanks
Giannis
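
An added illustration (not part of the original post, and not Cisco code): a small Python model of ACL 111 and of what each config does to a packet the ACL permits. It assumes the documented behaviour that `ip nat inside destination` rewrites the destination address while `set ip next-hop` only changes where the packet is forwarded; the `Packet` class, function names and sample addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, replace

SMTP = 25
MAIL_SERVER = "192.168.0.2"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    next_hop: str = "routing-table"  # placeholder: normal destination-based lookup

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard match: bits set in the wildcard are 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

# ACL 111 from the post: (action, source, source wildcard, dest port); dest is "any".
ACL_111 = [
    ("deny", "192.168.0.2", "0.0.0.0", SMTP),
    ("permit", "10.0.0.0", "0.0.0.255", SMTP),
]

def acl_permits(pkt, acl=ACL_111):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, base, wc, port in acl:
        if pkt.dport == port and wildcard_match(pkt.src, base, wc):
            return action == "permit"
    return False

def config1_nat(pkt):
    """Config 1 (NAT): the destination address itself is rewritten."""
    return replace(pkt, dst=MAIL_SERVER) if acl_permits(pkt) else pkt

def config2_pbr(pkt):
    """Config 2 (route-map): only the next hop changes; dst stays as sent."""
    return replace(pkt, next_hop=MAIL_SERVER) if acl_permits(pkt) else pkt

if __name__ == "__main__":
    # Constructed sample packets; 203.0.113.25 is a documentation address.
    for p in (Packet("10.0.0.7", "203.0.113.25", 25),
              Packet("10.0.0.7", "203.0.113.25", 80),
              Packet("192.168.0.2", "203.0.113.25", 25)):
        print(p.src, p.dport, "| NAT:", config1_nat(p), "| PBR:", config2_pbr(p))
```

In the policy-routing case the packet reaches 192.168.0.2 still addressed to the original SMTP server, which matches the behaviour described for config 2.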