# Cisco 2811 static NAT and VPN



## rtr1129 (Jan 5, 2009)

We have a Cisco 2811 router. Recently we had a virus problem which caused our public IP address to be blacklisted. We changed the IP address of the mail server using a static one-to-one NAT.


```
ip nat inside source static 192.168.1.35 1.2.3.4
```

The outside interface's IP address is 1.2.3.2.

When we made this change (along with blocking SMTP for user computers), mail started going out 1.2.3.4 as expected (instead of 1.2.3.2), and we were no longer getting our outbound mail blocked.

The problem is that, after making this change, the mail server is no longer accessible over VPN. After doing some research, we learned you need to exclude traffic destined for the VPN from the static NAT using a route-map. So we did this:

10.16.20.x is the VPN IP pool.


```
access-list 130 deny   ip 192.168.1.0 0.0.0.255 10.16.20.0 0.0.0.255
access-list 130 permit ip 192.168.1.0 0.0.0.255 any

route-map nonat permit 10
 match ip address 130

ip nat inside source static 192.168.1.35 1.2.3.4 route-map nonat
```

That appeared to work, because the mail server was accessible again over VPN. However, mail started going back out 1.2.3.2 (the blacklisted IP). So effectively it appears that adding the route-map to the static NAT nullified the static NAT altogether.

A little further reading, and I see that the Cisco 2800 is not listed under "Supported Platforms" in this document which discusses using route-map with a static NAT:

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ftnatrt.html

Can anyone confirm that using route-map on a static NAT is not supported on a Cisco 2811?

If it is not supported, are there other ways of accomplishing what we want? Our need is to have outgoing mail appear to destination mail servers that it is coming from 1.2.3.4 instead of 1.2.3.2. Changing the IP of the outside interface is not really an option, as it is being used for a number of other services.

I'm afraid that the "solution" will be to scrap the router and get an ASA. Any help or insight is appreciated.


----------
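Added example, not part of the original post: a small Python model of how ACL 130 from the question classifies flows for the `nonat` route-map, useful for checking that the exemption itself selects the intended traffic. It models only extended-ACL first-match and wildcard-mask logic and says nothing about how IOS on the 2811 processes the static NAT; the function names and the destination addresses 10.16.20.15 and 203.0.113.25 are constructed for illustration.

```python
import ipaddress

# The two ACL 130 entries exactly as posted in the question.
ACL_130 = """\
access-list 130 deny   ip 192.168.1.0 0.0.0.255 10.16.20.0 0.0.0.255
access-list 130 permit ip 192.168.1.0 0.0.0.255 any
"""

def _spec(tokens):
    """Consume one address spec ('any', 'host A', 'A WILDCARD') as (addr, wildcard) ints."""
    head = tokens.pop(0)
    if head == "any":
        return 0, 0xFFFFFFFF
    if head == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(head)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_acl(text):
    """Parse 'access-list N action ip SRC DST' lines into (action, proto, src, dst) tuples."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list":
            continue
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        entries.append((action, proto, _spec(rest), _spec(rest)))
    return entries

def _match(addr, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # wildcard bit 1 = ignore, 0 = must match
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def acl_action(entries, src, dst):
    """First matching entry wins; an extended ACL ends with an implicit deny."""
    for action, _proto, s, d in entries:
        if _match(src, s) and _match(dst, d):
            return action
    return "deny"

def static_nat_applies(entries, src, dst):
    """A route-map 'permit' clause matching on the ACL selects only ACL-permitted flows."""
    return acl_action(entries, src, dst) == "permit"

if __name__ == "__main__":
    acl = parse_acl(ACL_130)
    # Constructed sample flows from the mail server: a VPN pool client and an Internet host.
    for dst in ("10.16.20.15", "203.0.113.25"):
        print(dst, "translate" if static_nat_applies(acl, "192.168.1.35", dst) else "exempt")
```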

