I can't believe that nobody knows how to do this on Cisco IOS?

olafmarcos
Level 1

I've been looking for a solution to forward a port range for months, and I haven't found any solution yet.

I am CCNA certified and have taken the CCNP course. I've asked my teachers, at conferences and my ISP support. Nobody knows how to do it.

A common task like this, which is so trivial in every router, why is it so difficult in Cisco? Is it possible?

Thanks in advance to everybody.

Olaf

35 Replies

Doing overload with the one you recommended has the same effect as mine.

I'll try to give a graphic explanation.

Net-(PublicIP)_Router_(X.X.99.1)--(99.4)VoipServer

I need to port forward range 10001-20000 from outside to VoipServer.

Of course, network 192.168.99.0 must be able to browse everywhere.

And the router is the DNS server, so it needs internet access.

If it isn't clear, please tell me.

I think I follow what you need now. I will look at the config again and try to help. Verify one thing: prior to the change I had you make with the nat statement, was DNS working correctly?

I think this is somewhere in the ACL's I just have to look again.

Prior to

ip nat inside source static 192.168.99.4 interface Dialer1

DNS is working correctly, but ports aren't being forwarded.

If I ping from the router without extended commands:

Pro   Inside global      Inside local       Outside local      Outside global
icmp  89.7.245.85:6      192.168.99.4:6     212.145.4.97:6     212.145.4.97:6

I am looking at this and I still can't definitely find the problem. When you reverted to ACL 100, did you still have your ACL ip access-list extended inet_in implemented?

If so try removing that ACL while using the ACL100 for the nat overload.

In regards to the post prior to this one are you insinuating that you can ping the DNS server and just can't do DNS lookups?

I don't think that NAT ACL is the trick, because

access-list 110 permit ip 192.168.99.0 0.0.0.7 any

is more general than the next

access-list 110 permit udp host 192.168.99.4 range 10001 20000 any

so the last is contained in the first and never matched.

If I remove the ACL inet_in, all ports are opened.

All hosts can browse, do DNS requests, etc., except the router.

When I set the router as DNS server on host 192.168.99.5, for example, the router does the DNS queries, but they are mapped to 192.168.99.4, so the replies aren't routed properly. Same with ping from the router: they are mapped to 192.168.99.4, as in the previous show command.

Do you understand the problem?

If I can force the router to go outside with source IP 192.168.99.1 (or from interface Vlan1) when it is doing DNS requests or so, I think the problem is solved.

Pro   Inside global      Inside local       Outside local      Outside global
udp   89.7.245.85:53     192.168.99.4:53    212.145.4.97:53    212.145.4.97:53

I want to permit all inside to outside traffic, and forward range to server.

OK, go ahead and give me a copy of your configuration as it sits right now. I am going to implement this in my test network.

Thanks,

David

You could modify that ACL to

access-list 110 permit udp host 192.168.99.4 range 10001 20000 any
access-list 110 deny udp host 192.168.99.4 any
access-list 110 permit ip 192.168.99.0 0.0.0.7 any

then remove the one you created after the changes.
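The ordering argument in the two posts above (a general subnet line placed before a host-specific line shadows it, and an explicit deny between them changes what the overload statement translates) is easy to check without a router. The following is an added example, not code from the thread or from Cisco: a small first-match evaluator for the IOS numbered extended ACL syntax used here. It understands only permit/deny, protocol ip/udp/tcp, a source given as `host A.B.C.D`, `A.B.C.D WILDCARD` or `any`, an optional source-port `range LO HI` or `eq N`, and destination `any`; anything beyond that is an assumption made for illustration.

```python
"""
Added example, not code from the thread: first-match evaluation of the
IOS numbered extended ACL lines discussed above.  Only the syntax the
thread uses is parsed; everything else is an assumption for illustration.
"""
import ipaddress
from dataclasses import dataclass


def ip_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


@dataclass
class Rule:
    action: str      # "permit" or "deny"
    proto: str       # "ip", "udp" or "tcp"
    src_base: int    # source address with the wildcard bits cleared
    src_mask: int    # inverted IOS wildcard: the bits that must match
    sport_lo: int    # source-port range (0..65535 when none given)
    sport_hi: int
    text: str


def _parse_source(tokens):
    """Consume an IOS source spec; return ((base, mask), remaining tokens)."""
    if tokens[0] == "any":
        return (0, 0), tokens[1:]
    if tokens[0] == "host":
        return (ip_int(tokens[1]), 0xFFFFFFFF), tokens[2:]
    # 'A.B.C.D WILDCARD': a 1 bit in the wildcard means "don't care"
    mask = ~ip_int(tokens[1]) & 0xFFFFFFFF
    return (ip_int(tokens[0]) & mask, mask), tokens[2:]


def parse_acl(lines):
    rules = []
    for line in lines:
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        (base, mask), rest = _parse_source(t[4:])
        lo, hi = 0, 65535
        if rest and rest[0] == "range":
            lo, hi = int(rest[1]), int(rest[2])
        elif rest and rest[0] == "eq":
            lo = hi = int(rest[1])
        rules.append(Rule(action, proto, base, mask, lo, hi, line.strip()))
    return rules


def first_match(rules, proto, src, sport):
    """IOS semantics: the first matching entry wins; no match is the
    implicit deny.  Returns (action, 1-based rule number, 0 if implicit)."""
    s = ip_int(src)
    for n, r in enumerate(rules, 1):
        if r.proto != "ip" and r.proto != proto:
            continue
        if (s & r.src_mask) != r.src_base:
            continue
        if r.proto != "ip" and not (r.sport_lo <= sport <= r.sport_hi):
            continue
        return r.action, n
    return "deny", 0


# Ordering described in the earlier post: the /29 line first, so the
# host-specific UDP line can never be reached.
ACL_GENERAL_FIRST = [
    "access-list 110 permit ip 192.168.99.0 0.0.0.7 any",
    "access-list 110 permit udp host 192.168.99.4 range 10001 20000 any",
]

# The reordering suggested in the reply: specific line, explicit deny,
# then the general permit.
ACL_SPECIFIC_FIRST = [
    "access-list 110 permit udp host 192.168.99.4 range 10001 20000 any",
    "access-list 110 deny udp host 192.168.99.4 any",
    "access-list 110 permit ip 192.168.99.0 0.0.0.7 any",
]


def which_rule(acl_lines, proto, src, sport):
    """Which entry of the given ACL a packet from src:sport hits."""
    return first_match(parse_acl(acl_lines), proto, src, sport)


if __name__ == "__main__":
    # Constructed sample packets: VoIP server in and out of range, its DNS,
    # another inside host, and a source outside the /29.
    for name, acl in (("general first", ACL_GENERAL_FIRST),
                      ("specific first", ACL_SPECIFIC_FIRST)):
        for pkt in (("udp", "192.168.99.4", 15000), ("udp", "192.168.99.4", 53),
                    ("tcp", "192.168.99.4", 5060), ("udp", "192.168.99.5", 53),
                    ("udp", "10.0.0.1", 53)):
            print(name, pkt, which_rule(acl, *pkt))
```

Two things the run makes visible. With the general line first, every packet from 192.168.99.4 hits entry 1 and the range line is dead, exactly as stated above. With the reordered list, the explicit deny means the VoIP server's own off-range UDP (its DNS lookups, for instance) is no longer selected for overload translation at all, while its TCP still falls through to the subnet permit. Either way, this ACL only chooses which inside sources the overload statement translates outbound; it does not by itself create any inbound port forwarding.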

I thought the same and tried it, but I'll recheck and post results.

The result is that the router can't do DNS requests and all ports are mapped.

Regards,

Olaf

ip subnet-zero
no ip source-route
ip cef
ip name-server 212.x.x.97
ip name-server 212.x.x.98
!
! inside LAN, /29 (192.168.99.1 - .6); the router is .1
interface Vlan1
 ip address 192.168.99.1 255.255.255.248
 no ip redirects
 no ip proxy-arp
 ip nat inside
 no ip virtual-reassembly
 load-interval 30
!
! PPPoE dialer towards the ISP, address negotiated; CHAP credentials omitted from the post
interface Dialer1
 ip address negotiated
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 load-interval 30
 dialer pool 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname
 ppp chap password 7
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip dns server
!
! overload (PAT) for the sources selected by ACL 110, onto the Dialer1 address
ip nat inside source list 110 interface Dialer1 overload
! one-to-one static for the VoIP server on the same Dialer1 address
ip nat inside source static 192.168.99.4 interface Dialer1
!
access-list 110 permit udp host 192.168.99.4 range 10001 20000 any
access-list 110 permit ip 192.168.99.0 0.0.0.7 any

I removed the ip access-group in on Dialer1 to test.

Very thankful,

Olaf

If someone else has an idea - hopefully they can help you. I am getting ready to leave for this afternoon. I will continue working on this tomorrow if no one has found a solution.

Ok. Thanks for your help.

Good night.

olafmarcos,

You are not going to like this answer. I tried many things in my test network to no avail. I finally opened a TAC case with Cisco because this was driving me insane. Bottom line, what you want to do is not possible, at least not the way you want to do it.

You have one of two options.

Create a static NAT entry for every single port you want forwarded, so something like 10,000 entries or something insane like that. The other option is to use the same configuration as what we have provided, with the same ACLs you are using, but request an additional IP address from your ISP. Typically an ISP can provide something like a /29, so that you can have the primary IP address on the outside interface for Internet connectivity, DNS lookups, router remote management, etc. Then you would have them give you the next available IP in the range to use for your VoIP server. This way you will create the static translation, then create the ACL to restrict to the ports you actually want to permit. I have spoken to both a TAC tech and my SE and they have both confirmed this. Let me know if you figure something else out. I have tried everything I can think of. I also found the old configuration that I thought I accomplished this in; I was wrong, I finally got a second static IP from my ISP.

Hi David,

I requested one more ip address 2 days ago. I know with at least 2 ip address is possible.

But the second IP address is NATted totally. If tomorrow I want to map another range to another internal IP address, I will need one more IP address. This is an unnecessary waste of public IP addresses.

With all cheap routers, you can map one range to one internal ip address, other range to other different internal ip address, and so on. And all of this with ONE public ip.

I don't believe that this simple (trivial) and very common issue is not possible with Cisco IOS. Yes, it is possible, but only by buying public IPs and wasting them.

I am losing my trust in Cisco.

Many many thanks, David. I don't know how to transmit this important impediment to Cisco so that they try to resolve it or give me some good explanation of why they are doing things like this.

My best regards,

Olaf

Hi Olaf,

Please cool down.

If I have understood clearly, you want to use 1 Public IP Address and NAT (Static NAT) to Private IP inside the network so that you may use it for different purposes?

Just wondering why you are not considering a PIX FW for this; I have had NATting on many PIX boxes and didn't have any issues (though not the exact way you are trying to do it).

Please correct me if I'm wrong.

Looking forward to hearing from your side,

Kind Regards,

Wilson Samuel
