new IOS NAT problem

Hi all,

I'm having some problems with the new IOS. I used to use the following NAT entry because I have a range of IPs on the DSL connection and wanted to use the second one in the range for SMTP:

ip nat inside source static tcp 25 25 extendable

But now it doesn't work right any more: the SMTP server receives fine, but when it sends, the traffic comes out as the first address in the range. I've found the following NAT command, but it seems to be for a single IP only and not a range.

ip nat inside source static tcp 25 interface dialer0 25

Any ideas on how I could get around this without redoing all my DNS for the mail server?

Reply to
johnedwardhall

If I understood you correctly, your issue is that you can reach your SMTP server from the Internet on the public IP derived from the ip nat inside source static tcp 25 address 25 extendable NAT rule, but when your SMTP server tries to communicate with the Internet it is translated to an IP different from the one you defined in your static NAT entry? If so, then (if you implemented CBAC - IOS firewall) just make your static NAT entry a more general one: ip nat inside source static - this will let your SMTP server communicate with the Internet on all TCP/UDP ports, and to protect it only leave TCP 25 to the SMTP host open in the inbound ACL on your router's Internet-side interface. If you also have some dynamic NAT rules (for your local hosts to be able to connect to the Internet), make sure to exclude your SMTP server from those rules (with a deny statement in the NAT access-lists).

If you need configuration help just let me know...

B.R. Igor

Reply to
Pseto

OK, here is the problem. If I use

ip nat inside source static tcp 10.0.20.2 25 xxx.xxx.xxx.162 25 extendable

it ends up as .161 when the email server sends, and if I use

ip nat inside source static 10.0.20.2 xxx.xxx.xxx.162

then I can't see the server from the other site on the private IP, i.e. I can't ping it from 10.16.0.5. Can I do this so that I can still see it from site B (10.16.0.xxx, private range) while still getting the SMTP to work?

Here is the config...

crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key sharedkey address xxx.xxx.xxx.17
!
!
crypto ipsec transform-set tr-esp-3des esp-3des esp-md5-hmac
!
crypto map gateway 10 ipsec-isakmp
 set peer xxx.xxx.xxx.17
 set transform-set tr-esp-3des
 match address 101
!
!
!
!
interface Ethernet0
 ip address 10.0.20.1 255.255.255.0
 ip access-group 107 in
 ip nat inside
 ip tcp adjust-mss 1452
 no ip mroute-cache
 hold-queue 100 out
!
!
interface ATM0
 no ip address
 ip nat outside
 no ip mroute-cache
 atm vc-per-vp 64
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Dialer1
 ip address xxx.xxx.xxx.161 255.255.255.252
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname ispusername
 ppp chap password isppassword
 crypto map gateway
!
ip nat inside source route-map nonat interface Dialer1 overload
ip nat inside source static tcp 10.0.20.2 25 xxx.xxx.xxx.162 25 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 101 permit ip 10.0.20.0 0.0.0.255 10.16.0.0 0.0.0.255
access-list 105 deny ip 10.0.20.0 0.0.0.255 10.16.0.0 0.0.0.255
access-list 105 permit ip 10.0.20.0 0.0.0.255 any
access-list 107 permit ip any any log
dialer-list 1 protocol ip permit
route-map nonat permit 10
 match ip address 105
!
!

Reply to
johnedwardhall

Have you tried playing round with the route-maps some more? I'm not in a position to test this right now, but does something like the following help:

!
ip nat inside source route-map RM-NAT interface Dialer1 overload
ip nat inside source static tcp 10.0.20.2 25 xxx.xxx.xxx.162 25 extendable
!
! Deny traffic for VPN
access-list 101 permit ip 10.0.20.0 0.0.0.255 10.16.0.0 0.0.0.255
! Deny traffic to/from mail server
access-list 102 permit ip host 10.0.20.2 any
! permit rest of traffic going to the Internet
access-list 103 permit ip 10.0.20.0 0.0.0.255 any
!
route-map RM-NAT deny 5
 match ip address 101 102
route-map RM-NAT permit 10
 match ip address 103
!

Or maybe if you can use something like:

ip nat inside source static 10.0.20.2 xxx.xxx.xxx.162 route-map RM-NoNAT
route-map RM-NoNAT deny 5
 match ip address 101
route-map RM-NoNAT permit 10
 match ip address 102

I'd expect something along these lines to do the trick, I think. The syntax may not be quite right as I have done it from memory, but it should be close enough.

Reply to
Al
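Putting Igor's advice (a general static NAT for the mail server, the mail server excluded from the overload rule, and an inbound ACL on the Internet side that only opens TCP 25) together with Al's route-map idea (no translation at all towards the VPN subnet, so site B keeps reaching the server on its private address), the whole thing could look like this. This is an added example, not a config posted by anyone in the thread; it reuses the addresses from John's config (10.0.20.2, xxx.xxx.xxx.161/.162 and the peer xxx.xxx.xxx.17 are his placeholders), and the names RM-MAIL, RM-OVERLOAD and DIALER-IN are made up here.

```cisco
! Added example (not from the thread). Why it fixes the original symptom:
! an outbound SMTP session from 10.0.20.2 uses an ephemeral source port,
! so it never matches "static tcp ... 25" and falls through to the
! overload rule, which is why it left the router as .161.
!
! 1. Traffic to the remote VPN site must never be translated, otherwise
!    10.16.0.x can no longer reach the server on its private address.
access-list 101 permit ip 10.0.20.0 0.0.0.255 10.16.0.0 0.0.0.255
!
! 2. The mail server gets a one-to-one translation for all ports, but
!    only when the destination is not the VPN site.
access-list 102 permit ip host 10.0.20.2 any
route-map RM-MAIL deny 5
 match ip address 101
route-map RM-MAIL permit 10
 match ip address 102
ip nat inside source static 10.0.20.2 xxx.xxx.xxx.162 route-map RM-MAIL
!
! 3. Everyone else is overloaded onto the Dialer1 address. The mail server
!    and the VPN subnet are explicitly denied so the overload rule can never
!    pick up the mail server's outbound sessions.
access-list 105 deny ip host 10.0.20.2 any
access-list 105 deny ip 10.0.20.0 0.0.0.255 10.16.0.0 0.0.0.255
access-list 105 permit ip 10.0.20.0 0.0.0.255 any
route-map RM-OVERLOAD permit 10
 match ip address 105
ip nat inside source route-map RM-OVERLOAD interface Dialer1 overload
!
! 4. The static entry now exposes every port of 10.0.20.2, so the inbound
!    ACL on the Internet side does the filtering. Inbound packets are checked
!    against this ACL before NAT, so the public address is what is matched.
!    Only SMTP to the mail server is opened, plus IKE and ESP from the VPN
!    peer. TCP replies to outbound sessions are covered by "established";
!    UDP replies (DNS etc.) need CBAC or an explicit permit, both assumed
!    to be the reader's choice.
ip access-list extended DIALER-IN
 permit udp host xxx.xxx.xxx.17 host xxx.xxx.xxx.161 eq isakmp
 permit esp host xxx.xxx.xxx.17 host xxx.xxx.xxx.161
 permit tcp any host xxx.xxx.xxx.162 eq smtp
 permit tcp any any established
 ! older IOS re-checks decrypted tunnel traffic against this ACL
 permit ip 10.16.0.0 0.0.0.255 10.0.20.0 0.0.0.255
 deny ip any any log
!
interface Dialer1
 ip access-group DIALER-IN in
```

The order of the three NAT pieces matters less than their ACLs: as long as the overload ACL denies the mail server and the VPN subnet, and the static entry's route-map denies the VPN subnet, each packet from 10.0.20.2 can only ever hit one translation (or none). The "deny ip any any log" at the end of DIALER-IN is also the cheapest way to see what is knocking on the other ports of .162 once they are no longer translated silently.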
