Well, actually I wanted it to be like

route-map isp2static permit 10
 match interface Dialer1
route-map isp1static permit 10
 match interface g0/0/0

ip nat inside source static tcp 192.168.7.9 22 93.x.x.x 8123 route-map isp2static extendable
ip nat inside source static tcp 192.168.7.9 22 217.x.x.x 8123 route-map isp1static extendable

but I tried it without the route-map first.

I have removed the ip nat inside source static tcp 192.168.7.9 22 93.x.x.x 8123 extendable

but it still does not work.

I also tried the version with the route-map but no luck.

Hello,

post the full configuration of the router...

Here is the config:

no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 150000
!
hostname FailoverR01
!
boot-start-marker
boot-end-marker
!
!
logging buffered 131072
no logging rate-limit
no logging console
no logging monitor
enable secret 5 $1$8Kwu$DgC0Sj5KGeUHsUawviu4h0
!
no aaa new-model
clock timezone CET 1 0
clock summer-time CET-CEST recurring last Sun Mar 2:00 last Sun Oct 2:00
!
no ip bootp server
ip name-server 8.8.8.8 8.8.4.4
ip domain name xxxx
ip dhcp excluded-address 192.168.7.1 192.168.7.5
!
ip dhcp pool NAT
 network 192.168.7.0 255.255.255.0
 domain-name xxxx
 dns-server 192.168.7.1
 default-router 192.168.7.1
!
subscriber templating
!
multilink bundle-name authenticated
vpdn enable
!
crypto pki trustpoint TP-self-signed-6
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-6
 revocation-check none
 rsakeypair TP-self-signed-6
!
!
crypto pki certificate chain TP-self-signed-6
 certificate self-signed 01
  3082032E
        quit
!
license udi pid C1116-4P sn yyy
license boot level securityk9
no license smart enable
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username admin privilege 15 secret 5 $1$Uyjc$br8BYITvdx4WmhBIYSpnw.
!
redundancy
 mode none
!
controller VDSL 0/2/0
!
vlan internal allocation policy ascending
!
track 1 ip sla 1 reachability
!
interface Loopback0
 no ip address
!
interface GigabitEthernet0/0/0
 description WAN
 ip address 217.x.x.x 255.255.255.224
 ip nat outside
 ip access-group Block_DNS in
 negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface ATM0/2/0
 no ip address
 no atm ilmi-keepalive
 no atm enable-ilmi-trap
 hold-queue 224 in
!
interface ATM0/2/0.1 point-to-point
 no atm enable-ilmi-trap
 pvc 1/32
  bridge-dot1q encap 7
  pppoe-client dial-pool-number 1
 !
!
interface Ethernet0/2/0
 no ip address
 shutdown
 no negotiation auto
!
interface Vlan1
 description venue_id yy
 ip dhcp relay information trusted
 ip address 192.168.7.1 255.255.255.240
 ip nat inside
 ip tcp adjust-mss 1412
 hold-queue 100 out
!
interface Dialer1
 ip address negotiated
 ip nat outside
 ip access-group Block_DNS in
 encapsulation ppp
 ip tcp adjust-mss 1322
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname hostname
 ppp chap password 0 pw
 ppp pap sent-username hostname password 0 pw
!
ip nat translation timeout 1800
ip nat translation tcp-timeout 60
ip nat translation udp-timeout 60
ip nat translation finrst-timeout 60
ip nat translation syn-timeout 60
ip nat translation dns-timeout 60
ip nat translation icmp-timeout 60
ip nat translation max-entries 40000
ip nat translation max-entries all-host 1000
!
ip nat inside source static tcp 192.168.7.9 22 217.x.x.x 8123 extendable
ip nat inside source route-map ISP1 interface GigabitEthernet0/0/0 overload
ip nat inside source route-map ISP2 interface Dialer1 overload
!
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip dns server
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 217.x.x.y
ip route 0.0.0.0 0.0.0.0 Dialer1 10
!
ip ssh port 2222 rotary 1
!
ip access-list standard NAT
 deny   192.168.7.9
 permit 192.168.7.0 0.0.0.15
ip access-list standard NAT_AP
 permit 192.168.7.9
!
ip access-list extended Block_DNS
 deny   udp any any eq domain
 deny   tcp any any eq domain
 permit ip any any
!
ip sla 1
 icmp-echo 81.y.y.y source-interface GigabitEthernet0/0/0
 frequency 10
ip sla schedule 1 life forever start-time now
logging history informational
logging facility kern
!
!
route-map isp2static permit 10
 match interface Dialer1
!
route-map isp1static permit 10
 match ip address NAT_AP
!
route-map ISP2 permit 10
 match ip address NAT
 match interface Dialer1
!
route-map ISP1 permit 10
 match ip address NAT
 match interface GigabitEthernet0/0/0
!
control-plane
!
line con 0
 exec-timeout 120 0
 login local
 transport input none
 stopbits 1
line vty 0 4
 exec-timeout 120 0
 privilege level 15
 login local
 rotary 1
 length 0
 transport input telnet ssh
line vty 5 15
 exec-timeout 120 0
 privilege level 15
 login local
 rotary 1
 length 0
 transport input telnet ssh
!
sntp server 0.pool.ntp.org
sntp server 1.pool.ntp.org
sntp server ntp2.ptb.de
sntp server ntp1.ptb.de
sntp source-interface Loopback0
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
!
end

Hello,

I have made some changes to your configuration (marked in bold), implement those and check if the NAT works:

no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 150000
!
hostname FailoverR01
!
boot-start-marker
boot-end-marker
!
!
logging buffered 131072
no logging rate-limit
no logging console
no logging monitor
enable secret 5 $1$8Kwu$DgC0Sj5KGeUHsUawviu4h0
!
no aaa new-model
clock timezone CET 1 0
clock summer-time CET-CEST recurring last Sun Mar 2:00 last Sun Oct 2:00
!
no ip bootp server
ip name-server 8.8.8.8 8.8.4.4
ip domain name xxxx
ip dhcp excluded-address 192.168.7.1 192.168.7.5
!
ip dhcp pool NAT
network 192.168.7.0 255.255.255.0
domain-name xxxx
dns-server 192.168.7.1
default-router 192.168.7.1
!
subscriber templating
!
multilink bundle-name authenticated
vpdn enable
!
crypto pki trustpoint TP-self-signed-6
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-6
revocation-check none
rsakeypair TP-self-signed-6
!
!
crypto pki certificate chain TP-self-signed-6
certificate self-signed 01
3082032E
quit
!
license udi pid C1116-4P sn yyy
license boot level securityk9
no license smart enable
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username admin privilege 15 secret 5 $1$Uyjc$br8BYITvdx4WmhBIYSpnw.
!
redundancy
mode none
!
controller VDSL 0/2/0
!
vlan internal allocation policy ascending
!
track 1 ip sla 1 reachability
!
interface Loopback0
no ip address
!
interface GigabitEthernet0/0/0
description WAN
ip address 217.x.x.x 255.255.255.224
ip nat outside
ip access-group Block_DNS in
negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface ATM0/2/0
no ip address
no atm ilmi-keepalive
no atm enable-ilmi-trap
hold-queue 224 in
!
interface ATM0/2/0.1 point-to-point
no atm enable-ilmi-trap
pvc 1/32
bridge-dot1q encap 7
pppoe-client dial-pool-number 1
!
!
interface Ethernet0/2/0
no ip address
shutdown
no negotiation auto
!
interface Vlan1
description venue_id yy
ip dhcp relay information trusted
ip address 192.168.7.1 255.255.255.240
ip nat inside
ip tcp adjust-mss 1412
hold-queue 100 out
!
interface Dialer1
ip address negotiated
ip nat outside
ip access-group Block_DNS in
encapsulation ppp
ip tcp adjust-mss 1322
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname hostname
ppp chap password 0 pw
ppp pap sent-username hostname password 0 pw
!
ip nat translation timeout 1800
ip nat translation tcp-timeout 60
ip nat translation udp-timeout 60
ip nat translation finrst-timeout 60
ip nat translation syn-timeout 60
ip nat translation dns-timeout 60
ip nat translation icmp-timeout 60
ip nat translation max-entries 40000
ip nat translation max-entries all-host 1000
!
ip nat inside source static tcp 192.168.7.9 22 217.x.x.x 8123 extendable
ip nat inside source route-map ISP1 interface GigabitEthernet0/0/0 overload
ip nat inside source route-map ISP2 interface Dialer1 overload
!
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip dns server
!
ip route 0.0.0.0 0.0.0.0 217.x.x.y track 1
ip route 0.0.0.0 0.0.0.0 Dialer1 10
!
ip ssh port 2222 rotary 1
!
ip access-list standard NAT
permit 192.168.7.0 0.0.0.15
--> no ip access-list standard NAT_AP
permit 192.168.7.9
!
ip access-list extended Block_DNS
deny udp any any eq domain
deny tcp any any eq domain
permit ip any any
!
ip sla 1
icmp-echo 81.y.y.y source-interface GigabitEthernet0/0/0
frequency 10
ip sla schedule 1 life forever start-time now
logging history informational
logging facility kern
!
--> no route-map isp2static permit 10
match interface Dialer1
!
--> no route-map isp1static permit 10
match ip address NAT_AP
!
route-map ISP2 permit 10
match ip address NAT
match interface Dialer1
!
route-map ISP1 permit 10
match ip address NAT
match interface GigabitEthernet0/0/0
!
control-plane
!
line con 0
exec-timeout 120 0
login local
transport input none
stopbits 1
line vty 0 4
exec-timeout 120 0
privilege level 15
login local
rotary 1
length 0
transport input telnet ssh
line vty 5 15
exec-timeout 120 0
privilege level 15
login local
rotary 1
length 0
transport input telnet ssh
!
sntp server 0.pool.ntp.org
sntp server 1.pool.ntp.org
sntp server ntp2.ptb.de
sntp server ntp1.ptb.de
sntp source-interface Loopback0
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
end

Okay, I tried that but still get a timeout when I try to connect to host 192.168.7.9

BTW, if it is any help, it turned on debug ip packet and got this for the host address:

Jul 27 17:20:19: IP: s=192.168.7.9 (Vlan1), d=224.0.0.251, len 70, enqueue feature, TCP Adjust MSS(5), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

I do not get why the reply from 192.168.7.9 is sent to a multicast address.

Hello,

224.0.0.251 is multicast DNS, I think iTunes uses that address, too.

Try and make the changes below (marked in bold):

interface GigabitEthernet0/0/0
description WAN
ip address 217.x.x.x 255.255.255.224
ip nat outside
--> no ip access-group Block_DNS in
negotiation auto

interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
--> no ip access-group Block_DNS in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname hostname
ppp chap password 0 pw
ppp pap sent-username hostname password 0 pw

So, I finally figured it out myself. The local dynamic and static addresses must not overlap. I used a different inside address for the static NAT and it worked fine.

BTW, regarding the 'you have two different IP addresses mapped to the same ports. Try to configure just one entry and see if you get it to work:' . It is no problem to use two IP addresses. That is what the keyword extendable is for.

Hello,

glad you got it to work. That said, at least in theory, static NAT has precedence over dynamic NAT, so once a static NAT entry has a match, that match goes first...