1841 NATTING

readymixed1
Level 1

I'm new to configuring an 1841 and I need help doing the following:

I need to allow a certain private ip address access outside to the Internet.

For example, on my PIX506e the command looks like this:

nat (inside) 1 192.168.15.200 255.255.255.255 0 0

Which obviously allows that device to access the internet unrestricted.

My question is how do I enter the above command into an 1841? The commands in the 1841 are different than in a PIX506e and I need help.

Thanks in advance.

15 Replies

Jon Marshall
Hall of Fame

You haven't posted the global address that matches your nat statement.

If the global statement on your pix uses the outside interface address

ip nat inside source static 192.168.15.200 interface fa0/1

where fa0/1 is the interface with the public ip address on it.

if it is not the interface address as an example lets say the global IP address is

212.10.12.1

ip nat inside source static 192.168.15.200 212.10.12.1

int fa0/0

ip nat inside

int fa0/1

ip nat outside

where fa0/0 is the interface on which the 192.168.15.200 source IP will enter the router and fa0/1 is where the packet exits the router.

Jon

I entered the commands like you said and everything seemed fine, but then an hour later the 1841 stopped working. Any ideas?

It's got an Internet T1 connected to it and I can ping the public interface but not the private interface.

These are the commands I put in:

ip nat inside source static 192.168.6.200 interface serial0/0/0

ip nat inside source static 192.168.6.200 212.10.12.1 (used my public ip)

int fa0/1

ip nat inside

int serial0/0/0

ip nat outside

You only need one of those commands, not both; I was just giving you options. Is 212.10.12.1 the address on s0/0/0? If so, just one of the entries.

Not sure if that would have caused your connectivity problem. Make the change and see how it goes.

Jon

Sorry, I only used one of those commands. It looks like this:

ip nat inside source static 192.168.6.200 interface serial0/0/0

int fa0/1

ip nat inside

int serial0/0/0

ip nat outside

I don't know if this helps, but this is a remote site that connects back to another network (corporate) to do all its work and access our servers. Once those commands went in they were not able to connect back to our corporate network and I wasn't able to see them.

Hi,

I would disagree that ip nat inside source static is the equivalent of the nat (inside) .... command.

In this scenario, I would use dynamic NAT/PAT instead of static NAT.

This would allow for more flexibility, as you could easily add/remove other hosts to the access list.

so,

ip access-list ext INSIDE_HOSTS

permit ip h 192.168.6.200 any

ip nat inside source list INSIDE_HOSTS interface serial0/0/0 overload

int fa0/1

ip nat inside

int serial0/0/0

ip nat outside

You normally do static NAT if you want to allow access TO the server from the Internet (although functionally they are similar in this case).

I have seen issues, though, with static NAT on the routers using interfaces.

For static NAT to allow access to inside servers it is usually better to use static PAT:

ip nat inside source static tcp 192.168.0.200 25 1.1.1.1 25

By the way, can you explain the setup?

I'm not sure about

"It's got an Internet T1 connected to it and I can ping the public interface but not the private interface."

Are you pinging from the inside of the remote network?

Rafal

Basically the way it is setup is:

The 1841 is configured so that the devices at the remote site can't access the Internet (it's blocked). The only thing they can access is the servers back at corp. The 1841 is set up basically to serve as a VPN connection back to corp. (We have VPN Concentrators at corp that link the corp network with all the remote sites).

The commands you provided me, will they serve what I'm looking to do? The reason I am asking is because I had:

int serial0/0/0

ip nat outside

I had to take that command out because with that command in place it broke the connection between corp and the remote site.

Also the command:

ip nat inside source static tcp 192.168.0.200 25 1.1.1.1 25

do I put that in with the other commands you told me to?

That's what I suspected :)

What you need to do is exempt VPN traffic from being translated, but you still want to allow one host while being able to access it from your central site. This is a bit more complicated, but this should work.

Here is the full config (put in only these commands).

Assume 172.16.0.0/16 is your central site:

ip access-list ext NAT

deny ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.255.255

permit ip h 192.168.0.200 any

ip nat inside source list NAT interface serial0/0/0 overload

int serial0/0/0

ip nat outside

int fa0/0

ip nat inside

Hope this helps.

I have a question, you said:

deny ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.255.255

Will that affect corp not being able to access the remote site and the remote site being able to access corp?

All the corp servers are on the 192.168.0.0 network.

No, it only means that traffic from subnet 192.168.0.0 will not be translated when going to the 172.16.0.0 subnet. Other traffic specified with permit will be translated.
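To make the first-match logic of that NAT access list concrete, here is an added Python model (not from this thread and not Cisco code) that evaluates Rafal's list against some constructed flows; the 172.16.0.0/16 central site is his stated assumption, and 198.51.100.7 is a made-up stand-in for any Internet host.

```python
"""Model of how IOS evaluates an extended ACL used by 'ip nat inside source list'.

Added example, not from the thread. Entries are checked top to bottom, the first
match wins, and an unmatched packet hits the implicit deny. In a NAT access list
'permit' means translate and 'deny' means leave the packet untranslated (here:
let it ride the VPN to the central site with its private address intact).
"""
import ipaddress

# Rafal's list as posted: deny remote-LAN -> central site, permit one host -> any.
# 'h' is the IOS abbreviation for 'host' (wildcard 0.0.0.0); 'any' is 0.0.0.0/255.255.255.255.
NAT_ACL = [
    # (action, source, source wildcard, destination, destination wildcard)
    ("deny",   "192.168.0.0",   "0.0.0.255", "172.16.0.0", "0.0.255.255"),
    ("permit", "192.168.0.200", "0.0.0.0",   "0.0.0.0",    "255.255.255.255"),
]

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def netmask_to_wildcard(netmask):
    """PIX-style netmask -> IOS ACL wildcard (bitwise inverse): 255.255.255.0 -> 0.0.0.255."""
    return str(ipaddress.IPv4Address(_ip(netmask) ^ 0xFFFFFFFF))

def wildcard_match(addr, base, wildcard):
    """IOS wildcard bits: 0 means the bit must match, 1 means ignore it."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)

def nat_decision(src, dst, acl=NAT_ACL):
    """'translate' (permit hit), 'exempt' (explicit deny) or 'no-match' (implicit deny)."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return "translate" if action == "permit" else "exempt"
    return "no-match"

if __name__ == "__main__":
    # Constructed sample flows: the allowed host to corp and to the Internet,
    # then another remote-site host doing the same.
    flows = [("192.168.0.200", "172.16.1.10"),
             ("192.168.0.200", "198.51.100.7"),
             ("192.168.0.50",  "198.51.100.7"),
             ("192.168.0.50",  "172.16.1.10")]
    for src, dst in flows:
        print(f"{src} -> {dst}: {nat_decision(src, dst)}")
```

The 'no-match' result for 192.168.0.50 to the Internet is the thread's intended policy: only the permitted host is translated, so other remote-site hosts get no Internet access while all of them still reach corp untranslated.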

rkalia1
Level 1

access-list 1 permit 192.168.15.0 0.0.0.255

ip nat pool TEST x.x.x.x x.x.x.x netmask 255.255.255.252

{x.x.x.x is the IP address of your router's WAN interface. I am assuming that the netmask you are using is 255.255.255.252 for the WAN interface's IP address}. Then configure the following command:

ip nat inside source list 1 pool TEST overload

This config will allow all your hosts in the network 192.168.15.0 to access the Internet. If you want to allow only one host, 15.200, to access the Internet then use the following access-list:

access-list 1 permit host 192.168.15.200

rkalia1, how about access from the central site over the VPN tunnel?

readymixed1, have you tried applying the config I gave you (with deny in the NAT access list)? Any progress?

Rafal

The commands worked, except it caused one problem.

The device can get to the Internet, although I can no longer see (ping) the device from corp, and the device cannot see corp.

Is there any way to allow them to have Internet access but still see corp? I need to be able to see them so that if there is a problem I can remote into the device.

I could just take out the ip nat outside command every time I need to see them, but I'm just wondering if there is a way so I don't have to do that every time.

Sorry, I was told that the commands worked, but they actually did not.

I was told this by a Cisco engineer:

The commands I sent you, including the rule for the static translation, will allow you to access the device from the Internet. Unfortunately, as I stated in the last email, the router is not able to do NAT-on-a-stick, which is some kind of U-turn NAT. For the router, the inside hosts should access the inside address of the device. This is a restriction. PIX is much more versatile where NAT is concerned.

I don't understand how an 1841, which is supposed to be more powerful and do more than a PIX, can't even do a simple:

nat (inside) 1 192.168.6.200 command.