So that's what I had thought however, my g0/1 has 5 subnets which is then trunked to a switch. All the subnets are IP correctly but where never able to ping any device on the 192.168 network other than the modems gateway.  Nothing was able to ping the internet (ie: googles IP 8.8.8.8) unless directly connected to the modem (via LAN/wifi) & my cisco routers G0/0 interface.

Here's my topology:

ISP>Motorola modem (192.168) also provides WiFi > Cisco router (G0/0 connected to Modem/G0/1 w/sub interfaces 10.X.X.X connected to switch via trunk)  Ports on switch access to various vlans.

Without NAT/PAT I was unable to get WAN access.  G0/0 outside>>G0/1 inside.

Mark

So presumably your modem does not allow you to add routes and it only NATs for directly connected networks ?

If so yes you do need NAT and it sounds like you had it setup but you also want to allow access from the 192.168.x.x network to a specific server ?

If so can you post your current router configuration and also do you have spare 192.168.x.x IP not being used ?

If you don't you can use the router's outside interface IP but then we would need to know which ports the server was meant to be accessed on.

If I have misunderstood please clarify.

Jon

Jon,

You are spot on. I do have a port available on my modem. Please see the attached Router & switch configs. They are sanitized but I think it'll depict where I'm going with this.

Thanks for the help

Mark

Mark

Not a spare port but a spare 192.168.1.x IP to use for the internal server.

What is the internal server you want to give access to from your 192.168.x.x subnet ?

If you don't have a spare then we can use the 192.168.x.x IP on the router interface but we then need to know which ports on the server you want to use.

I assume you can access the internet with your current configuration ?

By the way you don't need a separate acl for each subnet in your NAT configuration ie. you can use just one acl but it won't stop it working the way you have it.

Jon

Jon,

Thanks for the help. MUCH appreciated.  I have a block of IP's I can use from the 192.168 network.

The server I want to hit from the 192.168 is on the 10 network (vlan 32).  Its connected to my Dell switch.  The Dell is then connected to G0/1 on the router. I have a VM on that server I want all 192.168 devices to be able to access. But as you stated, my modem is VARY limited on configurability. (Garbage...I know). 

I can access the internet from everything no problem.

On another note, I know I didn't have to create the ACL the way I did.  I was trying to get fancy with it.  I guess because I can?  I don't know.  To the outside eye it appears pointless (which it is truly).  I'm a relatively new admin  (2 years) but...I just wanted to.  Thats really it...no other point! HAA

Thanks for your help!

Mark

Mark

Nothing wrong with experimenting, that's how we learn, I just thought I'd point it out.

Okay so for your server add this to your router -

ip nat inside source static <real IP of server> <192.168.x.x spare IP>

your 192.168.x.x clients would then connect to the 192.168.x.x IP in the above statement and the router should translate it to the real IP of the server.

The above translates all ports because it is an IP to IP translation. You can tie it down with the specific ports the server is accessed on if you want.

Up to you as both should work.

Jon

Ahh EXCELLENT!

I'll give that a try here in a few moments.

Now this begs another question.  Do I need to make a reservation on the modem for that 192.168 IP?  I don't want it get handed out via DHCP.  Or do I put this is the exempt addresses (outside the DHCP scope)?

Mark

I would make it an exemption from the DHCP scope.

Jon

Jon,

I tried putting in that static nat but I'm not able to ping the server still from my wireless laptop which resides on the 192.168 network.

In the router I had added "ip nat inside source static 10.X.X.X (my ESXI address) 192.168.X.X (my available IP not in the DHCP scope)

I was unable to ping.

Then for giggles I set the first IP to my server vlan mgmt IP...still nothing of course.

Mark

What is the server IP address ie. the real one.

Can you post "sh ip nat translations | include <real server IP>"

Jon

The ESXI IP address is .1 and the VM is .2.  I used .1 and then used an IP on the 192.168 that is not w/in the DHCP scope.

I don't a "sh ip nat translations | include <ESXI IP> and got back the 192.168 ip added in my static NAT

Jon,

Wait...brain fart...I had to be pinging the wrong IP.  If that 10.x.x.x ip is translated to the 192.168.x.X address then I should be pinging the 192 address IF ON a device that is ON the 192. network.  DANG IT!  Yep.  Pinging that 192 address did in fact work.  Got PINGS!

Thanks brother...your help has saved me a LOT of time.

Much appreciated.

Mark