Thanks for the answer.
Yes, at me 28 bit mask of a subnet, and it is not occupied. All 16 addresses are under my control.

It works, if I add a line:

interface FastEthernet0/0
no ip address
speed auto
full-duplex
!
interface FastEthernet0/0.9
encapsulation dot1Q 9
ip address 255.255.255.240

ip address 255.255.255.240 secondary
ip nat outside
!
interface FastEthernet0/0.14
encapsulation dot1Q 14
ip address 192.168.14.1 255.255.255.0
ip nat inside
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
ip nat inside source static 192.168.14.2
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0

192.168.14.2 - is a vpn box requires static NAT.

But thus routing in subnet ISP doesn't work. If I ping from Cisco 2621xm of the address from subnet ISP packets are lost. All others public IP are accessible without problems.

This configuration works now.

!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname GW1
!
boot-start-marker
boot system flash:cisco/c2600-is-mz.123-9.bin
boot-end-marker
!
no logging on
enable secret 5 ***
enable password 7 ***
!
clock timezone Moscow 3
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
no ip cef
!
!
ip name-server 8.8.8.8
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
speed auto
full-duplex
!
interface FastEthernet0/0.9
encapsulation dot1Q 9
ip address 255.255.255.240
ip nat outside
!
interface FastEthernet0/0.14
encapsulation dot1Q 14
ip address 192.168.14.1 255.255.255.0
ip nat inside
!
interface Serial0/0
no ip address
shutdown
no cdp enable
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
no cdp enable
!
ip nat inside source static 192.168.14.2 interface FastEthernet0/0.9
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0
!
!
logging trap debugging
!
!
!
!
!
!
!
line con 0
password 7 ***
line aux 0
line vty 0 4
password 7 ***
login
line vty 5 15
password 7 ***
login
!
ntp clock-period 17180303
ntp server 192.168.10.101
!
end

I would like to replace ip nat inside source static 192.168.14.2 interface FastEthernet0/0.9 to ip nat inside source static 192.168.14.2 IP2, And the address on the interface to change on IP1.

Hi,

Again, the configuration looks fine. Why don't you try to configure that IP address on a loopback interface on the router and ping let's say the 4.2.2.2 with source that loopback? That's a valid test! Also, that will show us wether or not the ISP is routing that address to you.

Cheers,

Yanil

A week ago for routing used by another device (CheckPoint). Everything worked fine. Now the server broke down. I want to set up routing on Cisco 2621xm.

The task that I need to solve is as follows:

1. Make NAT for internal network containing subnets 192.168.10.0/24 + 192.168.53.0/24 + ... so that they appear as a particular
external address e.g. 1.2.3.115 of the external subnet addresses provided by my ISP (1.2.3.112/28).
2. Make static NAT for the ip address of the VPN device 192.168.14.2 being the second 1.2.3.116 of the external subnet addresses
provided by my ISP.
3. Configure routing between the internal subnets as specified in 1.

When I configure static NAT on Cisco 2621xm I am facing a problem, namely:

ip nat inside source static 192.168.14.2 interface FastEthernet0/0.9 - works fine
ip nat inside source static 192.168.14.2 1.2.3.116 - is not - on the interface Fa0/0.9 in the 1.2.3.114.

When I say "doesn't work", that means that when I am trying to VPN, I get error message "VPN isn't established".

If I add the following line to the config of Fa0/0.9:

interface FastEthernet0/0.9
encapsulation dot1Q 9
ip address 1.2.3.114 255.255.255.240
ip address 1.2.3.116 255.255.255.240 secondary
ip nat outside

then the config "ip nat inside source static 192.168.14.2 1.2.3.116" works fine.
However, routing to 1.2.3.112/28 from local subnets - doesn't.

I would like to have packets going to 1.2.3.112/28 directly from local addresses (192.168.10.0/24 + 192.168.53.0/24+...),
without being NAT'ed.

This configuration works now, but routing to 1.2.3.112/28 from local subnets - doesn't:

!
! Last configuration change at 20:02:40 Moscow Wed Apr 27 2011
! NVRAM config last updated at 20:18:33 Moscow Wed Apr 27 2011
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname GW1
!
boot-start-marker
boot system flash:cisco/c2600-is-mz.123-9.bin
boot-end-marker
!
no logging on
enable secret 5 *
enable password 7 *
!
clock timezone Moscow 3
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
no ip cef
!
!
ip name-server 8.8.8.8
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
speed auto
full-duplex
!
interface FastEthernet0/0.9
encapsulation dot1Q 9
ip address 1.2.3.116 255.255.255.240 secondary
ip address 1.2.3.114 255.255.255.240
ip access-group External in
ip nat outside
!
interface FastEthernet0/0.14
encapsulation dot1Q 14
ip address 192.168.14.1 255.255.255.0
ip nat inside
!
interface Serial0/0
no ip address
shutdown
no cdp enable
!
interface FastEthernet0/1
ip address 192.168.10.254 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
no cdp enable
!
ip nat pool Internet 1.2.3.115 1.2.3.115 netmask 255.255.255.240
ip nat inside source list NAT pool Internet overload
ip nat inside source static 192.168.14.2 1.2.3.116
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 1.2.3.113 -
!
!
!
ip access-list extended External
permit tcp any any established
permit udp any eq domain any
permit udp any eq ntp any
permit udp any eq isakmp host eq isakmp
permit udp host   eq isakmp any eq isakmp
deny   ip any any
permit icmp any any echo-reply
ip access-list extended NAT
deny   ip 192.168.10.0 0.0.0.255 1.2.3.112 0.0.0.15
permit ip 192.168.10.0 0.0.0.255 any
logging trap debugging
!
!
!
!
!
!
!
line con 0
password 7 ***
line aux 0
line vty 0 4
password 7 ***
login
line vty 5 15
password 7 ***
login
!
ntp clock-period 17180305
ntp server 192.168.10.101
!
end

Thanks for your reply!

Yesterday my colleague and I set up everything carefully. Cisco 2621xm works as we need (It's magic!:)). The problem was most likely in our ACL External as well as in the STP of our Catalyst. Now configuration works without "secondary "ip addresses on the interface Fa0/0.9 as it should be.

Thank you very much!