
Static Routes to Multiple Public IP Addresses

cforce1841
Level 1

I'm not sure if the title makes sense or not but here is my problem.  Cisco 1841 router currently set up with several static routes for web / email servers and such.  Inside IP scheme is 192.168.1.x 255.255.255.0, example of outside IP scheme is 24.1.1.x 255.255.255.224.  We had a block of 20 public outside IP addresses and ran out so our ISP issued us another block, 98.1.1.x 255.255.255.224.  Everything with my old routes still works fine but any machine that I try to give a static route to under the new IP scheme cannot access the internet.  Summary of our config is attached as a text file.

So basically my problem is that 192.168.1.162 cannot access the internet.  I can ping the router on the inside (192.168.1.115) and outside (24.172.38.162) connection with no problem but that's as far as I get.


cforce1841 wrote:

The ACL for my outside connection is in the config I posted, I don't think that it blocks access to it but I haven't added a specific allow.  What would that statement look like and where would it go?

From your config -

ip access-list extended autosec_firewall_acl
----Various Permit and Deny Statements---------
!

Could you post the actual ACL?

Jon

Well it's kinda long and has a lot of entries opening different ports for different servers...port 80 on webservers, 25 for Exchange...etc....

example:

permit tcp any host 24.1.1.45 eq www

and the last statement in the ACL is the only deny statement..

deny   ip any any log

I really haven't thought that would be it as it is applied to only inbound traffic

Billy

What are you trying to do? If you simply want to NAT the traffic outbound then why do you need a static NAT entry in the first place, i.e. you could simply use the existing overload NAT statement.

Jon

Here is my basic purpose...assigning static outside public addresses to static inside addresses.  Ran out of existing numbers with the existing block so I got a new one issued.  Need to do this as we are adding new servers but they need public IPs routed to them so that people can access them (web, email etc).  Anytime I try to statically map to an IP in my new block (98.x.x.x) the machine cannot see past our router.

Please help, I really need to get this working.

Billy

How are you testing whether it works or not, i.e. are you trying to get from inside to outside or are you trying to connect from outside to inside?

Can you post your latest config?

Jon

Trying to get from the inside out...fresh load of Server 2008 R2 cannot ping past router or navigate with IE.

Is there a way I can send you my actual config so I don't have to worry about blanking out IP numbers to post it on here?

Billy

Best to post config on here and mark out any sensitive info.

Troubleshooting steps -

You say without the router it works so -

1) With the router in place try to connect to a device on the internet and then look at the output of "sh ip nat translations" on your router. Do you see the NAT translation entries? There will be one entry because it is static but do you see additional ones?

2) You have inspect running + ACLs. It could be these that are your problem. However if it is in to out you are testing with then your inspect rules should allow it.  Need to know exactly what you have in place in terms of rules etc. on your router and where you are in terms of what you have configured, i.e. secondary address, default-route.

Also have you tried tracerouting to your new IP address range, i.e. just one of the IPs to make sure that it is getting to your router? Note this traceroute needs to happen from a device on the internet.

Jon
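
A small check for step 1 above, added here as an example and not part of the original thread: it parses "sh ip nat translations" output and lists inside hosts that have only their static entry and no per-flow entries next to it. The sample table and the pairings of inside and outside addresses in it are constructed for illustration.

```python
# Constructed sample of "sh ip nat translations" output (not taken from the thread).
# The inside/outside pairings below are assumptions for illustration.
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 24.1.1.45:80       192.168.1.45:80    203.0.113.9:51514  203.0.113.9:51514
--- 24.1.1.45          192.168.1.45       ---                ---
--- 98.1.1.12          192.168.1.162      ---                ---
"""


def parse_translations(text):
    """Split the table into simple static mappings and per-flow entries."""
    static, flows = {}, []
    for line in text.splitlines():
        cols = line.split()
        # Data rows have exactly five columns; the header splits into more.
        if len(cols) != 5 or cols[0] == "Pro":
            continue
        proto, in_global, in_local, out_local, _out_global = cols
        if proto == "---" and out_local == "---":
            # Simple static entry: inside local -> inside global, no ports.
            static[in_local] = in_global
        else:
            # Per-flow entry: strip the ":port" suffix to get the host address.
            flows.append((proto, in_global.split(":")[0], in_local.split(":")[0]))
    return static, flows


def idle_static_hosts(text):
    """Inside hosts whose static mapping has no flow entry alongside it."""
    static, flows = parse_translations(text)
    active = {in_local for _proto, _in_global, in_local in flows}
    return sorted(host for host in static if host not in active)


if __name__ == "__main__":
    for host in idle_static_hosts(SAMPLE):
        print(f"{host}: static entry only, no additional translations")
```

Run it against output captured while the inside host is actively trying to reach the internet, so that an empty flow list means something.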

1. No I only see one entry for each IP.

2. Posting current config, ACLs commented out only apply to open ports for inbound traffic (port 80, 25, etc...).

3. The tracert led to some interesting results.  If I tracert to the IP that I applied as a secondary IP to my outside interface that one makes it to me ok.  If I tracert to one of the IPs I am trying to add a static map to it goes nowhere after it leaves my default gateway.

Billy

The IPs in your config, i.e. 24.1.1.3 and 98.1.1.12, are these your real IPs or have you just used any IP so as not to reveal sensitive info?

If you made them up can you send me the real IPs? You can send me a private message, i.e. click on your username so it takes you to your Profile then click on the "Private Messages" tab.

Jon

Got it working!  I actually had a friend help me and here is what we discovered.  It's all in the order you add your statements.  I added the static maps and it didn't work then I added the secondary IP on my outside interface and it still didn't work.  When we took that back out and added the secondary IP then added the static statements it worked.  Don't really understand why or how that worked so if anyone has some insight I would be happy to hear it.  Thanks for all your help.
