02-15-2025 03:34 PM
I have 2 networks: one goes through my router (connected to the internet modem), the other goes through the internet modem.
Interfaces
! (10.0.10.0 Network that goes through the router)
interface GigabitEthernet0
description Vlan 1
no ip address
spanning-tree portfast
!
! (Vlan 1)
interface Vlan1
description Vlan1
ip address 10.0.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
!
!(Internet connection to the modem with static IP)
interface GigabitEthernet9
description $ETH-WAN$
ip address 24.XX.XX.XX 255.255.254.0
ip access-group ICMP in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
ip tcp adjust-mss 1452
duplex auto
speed auto
no cdp enable
arp timeout 180
!
top part of Access list line that allow Webserver connection
ip dns server
ip nat pool NAT_HOST 10.0.80.252 10.0.80.252 netmask 255.255.255.0 type rotary
ip nat inside source list 1 interface GigabitEthernet9 overload
ip nat inside source static tcp 10.0.80.252 80 interface GigabitEthernet9 80
ip nat inside destination list PORT_RANGE pool NAT_HOST (Can't remember what this line is for)
ip route 0.0.0.0 0.0.0.0 24.XX.XX.X (Static gateway)
ip route 192.168.0.0 255.255.255.0 192.168.0.1 (Route 192.168.0.0 traffic to a connection to the modem)
Access list to allow 10.0.X.X networks
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 permit 10.0.10.0 0.0.0.255
access-list 1 permit 10.0.20.0 0.0.0.255
access-list 1 permit 10.0.30.0 0.0.0.255
access-list 1 permit 10.0.40.0 0.0.0.255
access-list 1 permit 10.0.50.0 0.0.0.255
access-list 1 permit 10.0.60.0 0.0.0.255
access-list 1 permit 10.0.70.0 0.0.0.255
access-list 1 permit 10.0.80.0 0.0.0.255
access-list 1 permit any
!
If on the Modem connection (192.168.0.0/Public IP 216.XX.XX.XX) I can reach the webserver
If I go through my router (10.0.10.X/Static Public IP 24.XX.XX.XX)
The connection is reused by the router
Anything wrong here or missing?
02-15-2025 05:59 PM
Having a hard time understanding your scenario. A simple topology could be helpful.
Is this router connected to the modem? Where is the web server? Is it on the internet or is it behind the router?
02-15-2025 07:42 PM
Is this router connected to the modem?
"one goes through my router (Connected to internet modem)"
Where is the web server?
top part of Access list line that allow Webserver connection
Is it on the internet or is it behind the router?
I have 2 networks: one goes through my router (connected to the internet modem), the other goes through the internet modem.
02-15-2025 11:09 PM
@cgarlick1972 Your setup seems mostly correct, but there are a few things to check:
NAT Overlap: Since you're using ip nat inside source list 1 interface GigabitEthernet9 overload, make sure traffic from your router isn’t unintentionally being NAT-ed again. You might need a more specific NAT exemption for internal traffic.
Routing Issue: Your router has a static route for 192.168.0.0/24 via 192.168.0.1. If your web server is behind the modem and your router is NAT-ing traffic, the return traffic from 192.168.0.0 might not properly route back.
Destination NAT Line: The ip nat inside destination list PORT_RANGE pool NAT_HOST might be redirecting traffic unexpectedly. If you don’t remember its purpose, try disabling it and testing connectivity.
Double NAT Problem: If the web server is reachable via the modem but not via the router, check whether NAT on the router is altering the source IP, causing asymmetric routing. A NAT exemption (ip nat inside source static) may be needed for internal traffic.
Access Control: Ensure your firewall or ACLs are not blocking traffic. Since access-list 1 has permit any, this shouldn’t be an issue, but double-check firewall settings on the webserver and modem.
If your webserver works from the modem side but not from the router side, focus on NAT rules and routing logic. Try a packet capture or debug (debug ip nat and debug ip packet) to see where the traffic is being altered.
02-16-2025 12:35 AM
Hello
TBH it's rather confusing as to what is connected to what, and you also show two differing public IP addresses - how is this? Do you have administrative control over your internet modem?
Anyway - if you connect directly to the internet modem, either from the 820 rtr or from a laptop, do you receive an IP address in the 192.168.0.0 range? If so, and you have internet access, then this means the internet modem is performing the network translation already.
Now if you wish for the 820 rtr to route for a new internal subnet (10.0.10.0/24), which the internet modem has no information about, then you will need to perform NAT on the 820 rtr also.
example:
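config t
! Remove the destination NAT rule first, then the pool it references
no ip nat inside destination list PORT_RANGE pool NAT_HOST
no ip nat pool NAT_HOST 10.0.80.252 10.0.80.252 netmask 255.255.255.0 type rotary
! Remove the existing static routes
no ip route 0.0.0.0 0.0.0.0 24.XX.XX.X
no ip route 192.168.0.0 255.255.255.0 192.168.0.1
! Rebuild ACL 1: exclude the web server, permit the 10.0.0.0/16 inside range
no access-list 1
access-list 1 deny host 10.0.80.252
access-list 1 permit 10.0.0.0 0.0.255.255
! Reset Gi9, then take its address and the default route from DHCP
default int gig9
int gig9
ip address dhcp
ip nat outside
ip route 0.0.0.0 0.0.0.0 gi9 dhcp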
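Added example, not part of any post in this thread: ACL 1 is the list referenced by `ip nat inside source list 1 interface GigabitEthernet9 overload`, so it decides which inside sources that overload rule applies to. The Python sketch below evaluates the ACL from the question and the replacement from the last reply with first-match semantics; the function names and the three sample hosts are constructed for illustration.

```python
import ipaddress

# ACL 1 from the question (two of its nine /24 entries, then its last line).
ORIGINAL_ACL = ("access-list 1 permit 10.0.10.0 0.0.0.255\n"
                "access-list 1 permit 10.0.80.0 0.0.0.255\n"
                "access-list 1 permit any\n")
# ACL 1 from the last reply, with the ACL number written on both lines.
PROPOSED_ACL = ("access-list 1 deny host 10.0.80.252\n"
                "access-list 1 permit 10.0.0.0 0.0.255.255\n")
SAMPLE_SOURCES = ("10.0.10.5", "10.0.80.252", "192.168.0.10")  # constructed test hosts

def ip(s):
    return int(ipaddress.IPv4Address(s))  # dotted quad -> 32-bit integer

def parse_acl(text):
    """Parse standard numbered ACL lines into (action, base, wildcard, line) tuples."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 4 and tok[0] == "access-list":
            spec = tok[3:] + ["0.0.0.0"]  # a bare address gets wildcard 0.0.0.0
            if spec[0] == "any":
                spec = ["0.0.0.0", "255.255.255.255"]
            elif spec[0] == "host":
                spec = [spec[1], "0.0.0.0"]
            entries.append((tok[2], ip(spec[0]), ip(spec[1]), line.strip()))
    return entries

def evaluate(entries, src):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, base, wild, line in entries:
        if (ip(src) | wild) == (base | wild):
            return action, line
    return "deny", "(implicit deny)"

def redundant(entries):
    """Lines fully covered by a later entry, with only same-action entries in between."""
    out = []
    for i, (act, base, wild, line) in enumerate(entries):
        for act_j, base_j, wild_j, _ in entries[i + 1:]:
            if act_j != act:
                break
            if wild & ~wild_j == 0 and (base | wild_j) == (base_j | wild_j):
                out.append(line)
                break
    return out

if __name__ == "__main__":
    for name, acl in (("original", parse_acl(ORIGINAL_ACL)), ("proposed", parse_acl(PROPOSED_ACL))):
        print(name, [evaluate(acl, s) for s in SAMPLE_SOURCES], redundant(acl))
```

With the original list every source matches a permit, and the trailing `permit any` makes each /24 entry redundant; the proposed list denies the web server host and leaves non-10.0.x.x sources to the implicit deny.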