CCNPwanabe asked:

NAT through DSL modem-router to Cisco 2621

I'll try to keep it simple and short...
I have 5 static IP addresses on my DSL subscription, 69.xxx.xxx.81 thru 69.xxx.xxx.85; the modem/router is 69.XXX.xxx.86.
Netmask is 255.255.255.248.
The int fa0/0 (outside) is 69.xxx.xxx.81, and int fa0/1, my internal network, is 172.16.xxx.xxx/16.
I can ping thru the router to the outside, but I cannot ping from the modem to the inside... this is where my woes begin...
I want to be able to set up a web server, an FTP server and an RDP connection for people to hit the server from the outside on IP 69.xxx.xxx.85,
but for some reason unknown to me, I cannot get the router (2621) to pass the traffic thru.
I have removed my inbound access-list for troubleshooting purposes, so please don't think I'm a fool running wide open...
I have included my sh run, and as you can see I would like anyone who hits the 69.xxx.xxx.85 address, depending on port #, to either start an RDP session or hit the FTP server. I have yet to set the NAT up for the HTTP... I figure I'm failing at two, why go for three...
So if you see the mistake that I'm not, please let me know...
Thanks in advance, people.

ip subnet-zero
!
!
ip name-server 206.13.28.12
ip name-server 206.13.29.12
!
!
!
!
interface FastEthernet0/0
 ip address 69.XXX.XXX.81 255.255.255.248
 ip access-group 101 in
 ip nat outside
 no ip mroute-cache
 speed auto
 full-duplex
 no cdp enable
!
interface BRI0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 ip address 172.16.1.1 255.255.0.0
 ip nat inside
 speed auto
 full-duplex
!
!
ip default-gateway 69.XXX.XXX.86
ip nat inside source list 2 interface FastEthernet0/0 overload
ip nat inside source static tcp 172.16.10.1 20 69.XXX.XXX.85 20 extendable
ip nat inside source static tcp 172.16.10.1 21 69.XXX.XXX.85 21 extendable
ip nat inside source static tcp 172.16.10.1 3389 69.XXX.XXX.85 3389 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 69.225.219.86 name DSL-service
ip http server
no ip pim bidir-enable
!
access-list 2 permit 172.16.0.0 0.0.255.255
access-list 2 permit any
access-list 101 permit tcp any any
access-list 101 permit udp any eq domain any
access-list 101 permit icmp any any
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
Les Moore

>but I can not ping from the modem to the inside....
Of course not, you don't have a static for ICMP

Have you verified on the server 172.16.10.1 that its default gateway points to the router 172.16.1.1?
You might try a 1-1 static NAT for troubleshooting purposes:

ip nat inside source static 172.16.10.1 69.x.x.85

And you can also deny this IP from the nat acl:

access-list 2 deny 172.16.10.1
access-list 2 permit 172.16.0.0 0.0.255.255
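
The one-to-one static above maps every port on 172.16.10.1 to 69.x.x.85, and the posted ACL 101 permits all inbound TCP, so the ACL on FastEthernet0/0 is what decides which services are reachable from outside. As an added example (not from the thread), here is the posted ACL 101 beside a version limited to the FTP and RDP ports the question names; 69.x.x.85 stands for the masked public address, and the commented HTTP line is an assumption about the planned web server.

```cisco
! --- As posted in the question: any inbound TCP is allowed ---
! access-list 101 permit tcp any any
! access-list 101 permit udp any eq domain any
! access-list 101 permit icmp any any
!
! --- Restricted version (constructed example) ---
! The inbound ACL on the outside interface is evaluated before NAT
! translates the destination, so entries match the public address
! 69.x.x.85 (placeholder), not 172.16.10.1.
no access-list 101
access-list 101 remark return traffic for sessions opened from inside
access-list 101 permit tcp any any established
access-list 101 permit udp any eq domain any
access-list 101 remark published services on the static NAT address
access-list 101 permit tcp any host 69.x.x.85 eq ftp
access-list 101 permit tcp any host 69.x.x.85 eq ftp-data
access-list 101 permit tcp any host 69.x.x.85 eq 3389
! Assumption: uncomment once a static for the web server exists
! access-list 101 permit tcp any host 69.x.x.85 eq www
access-list 101 remark ICMP replies needed for ping and traceroute from inside
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 remark log everything else that is dropped
access-list 101 deny ip any any log
!
interface FastEthernet0/0
 ip access-group 101 in
```

After testing from outside, `show access-lists 101` shows per-entry match counters, which confirms whether the inbound connection reached the router at all and which entry it hit.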

CCNPwanabe (ASKER)

I'm positive that the default gateway is 172.16.1.1 for the Eth port on the server.
Just tried what you suggested and same results.
I've also tried ip route statements that point between the networks and NADA...
Nevertheless, I do appreciate all your efforts and help!

So outgoing, web browsing etc works from the inside going out?

Where are you trying to hit the NAT'd web server/FTP server from? From the inside of your network? You never will be able to use the public IP from inside. You must test from outside.
Yeah, I know. I'm using the terminal server at my place of work, and its internet connection...
I'm a J^ck ^55
Because the modem is also a router, I enabled RIP on both sides and added the network statements to the Cisco and voilà...
Thanks for your help anyhow, I guess two or more heads are better...