Cisco 7206 configuration using Routed Block ip's from ISP

Here is the situation:

My ISP assigned me a static IP for my serial interface, along with a block of routed IPs.  Let's use the following IPs for this example:

Serial address:  69.43.xx.xx  255.255.255.252
Routable ip block: 69.43.40.xx 255.255.255.192
Internal ip: 192.168.xx.xx 255.255.255.0


I need to assign some static mappings to my internal servers.  I can use the Serial address to set up static NATs to an inside server with no problems.  This is the config:

show run
Building configuration...

Current configuration : 2384 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 7206_Edge
!
enable secret 5 $1$g1Zy$RNkT0wI9pT0ZlQrh9y8a1/
!
ip subnet-zero
!
!
!
ip cef
ip audit notify log
ip audit po max-events 100
call rsvp-sync
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface Serial1/0
 ip address 69.43.xx.xx 255.255.255.252
 ip nat outside
 framing c-bit
 cablelength 150
 dsu bandwidth 44210
 serial restart-delay 0
!
interface Serial1/0.1
!
interface Serial1/1
 no ip address
 shutdown
 framing c-bit
 cablelength 250
 dsu bandwidth 44210
 serial restart-delay 0
!
interface FastEthernet2/0
 no ip address
 shutdown
 duplex half
!
interface FastEthernet2/1
 no ip address
 shutdown
 duplex half
!
interface FastEthernet3/0
 ip address 192.168.3.xx 255.255.255.0
 ip nat inside
 duplex full
!
router rip
 network 69.0.0.0
!
ip nat pool ovrld 69.43.xx.xx 69.43.xx.xx prefix-length 25
ip nat inside source list 7 pool ovrld overload
ip nat inside source static tcp 192.168.xx.xx 3389 69.43.xx.xx 3389 extendable
ip nat inside source static tcp 192.168.xx.xx 443 69.43.xx.xx 443 extendable
ip nat inside source static tcp 192.168.xx.xx 25 69.43.xx.xx 25 extendable
ip nat inside source static tcp 192.168.xx.xx 110 69.43.xx.xx 110 extendable
ip nat inside source static tcp 192.168.xx.xx 8383 69.43.xx.xx 8383 extendable
ip nat inside source static tcp 192.168.xx.xx 8555 69.43.xx.xx 8555 extendable
ip nat inside source static tcp 192.168.xx.xx 8556 69.43.xx.xx 8556 extendable
ip nat inside source static tcp 192.168.xx.xx 8558 69.43.xx.xx 8558 extendable
ip nat inside source static tcp 192.168.xx.xx 8484 69.43.xx.xx 8484 extendable
ip nat inside source static tcp 192.168.xx.xx 8559 69.43.xx.xx 8559 extendable
ip nat inside source static tcp 192.168.xx.xx 5631 69.43.xx.xx 5631 extendable
ip nat inside source static tcp 192.168.xx.xx 8560 69.43.xx.xx 8560 extendable
ip nat inside source static udp 192.168.xx.xx 5632 69.43.xx.xx 5632 extendable
no ip classless
ip route 0.0.0.0 0.0.0.0 Serial1/0
ip route 192.168.xx.xx 255.255.255.0 192.168.3.xx
no ip http server
!
access-list 7 permit any
!
!
dial-peer cor custom
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 password 'omitted'
line aux 0
line vty 0 4
 password 'omitted'
 login
!
end

7206_Edge#


This config works fine using the Serial ip address to static nat inside.  I now want to use ip's from the routed block to map back to other inside servers.

Can someone help me out with this?

Thanks in advance.
cbillips Asked:

lrmoore Commented:
All you need to do is create your static nat mappings, i.e.

  ip nat inside source static 192.168.xx.xx 69.43.40.xx
  ip nat inside source static 192.168.xx.xy 69.43.40.xy
  ip nat inside source static 192.168.xx.xz 69.43.40.xz

Then, for sure, you want to apply an inbound access-list to the serial interface:
  ip access-list extended inbound
    permit tcp any any established
    permit udp any eq domain any
    permit tcp any host 69.43.xx.xx eq 3389
    permit tcp any host 69.43.xx.xy eq 443
    permit tcp any host 69.43.xx.xz eq 80
    permit tcp any host 69.43.xx.xz eq 110
    permit tcp any host 69.43.xx.xz eq 3389
    <etc>
  interface serial 1/0
    ip access-group inbound in

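Added example (not part of the original thread): a Python audit of the approach in the answer above. A one-to-one static NAT forwards every port to the inside host, so the inbound ACL, which IOS evaluates against the global address before translation, is the only filter. The addresses (RFC 5737 documentation ranges), the port choices and the `parse`/`audit` helpers are constructed for illustration, and only numeric `eq` ports are handled.

```python
# Constructed sample in the thread's style; addresses are RFC 5737
# documentation ranges, not the poster's redacted ones.
CONFIG = """\
ip nat inside source static 192.168.3.10 203.0.113.10
ip nat inside source static 192.168.3.11 203.0.113.11
ip nat inside source static tcp 192.168.3.12 25 203.0.113.12 25 extendable
ip nat inside source static tcp 192.168.3.12 5631 203.0.113.12 5631 extendable
ip access-list extended inbound
 permit tcp any any established
 permit udp any eq domain any
 permit tcp any host 203.0.113.10 eq 3389
 permit tcp any host 203.0.113.12 eq 25
 permit tcp any host 203.0.113.20 eq 443
 deny ip any any log
"""

def parse(config):
    """Return (static NAT entries, ACL permits) from IOS-style config text."""
    nats, permits = [], set()
    for line in config.splitlines():
        w = line.split()
        if w[:5] == ["ip", "nat", "inside", "source", "static"]:
            if w[5] in ("tcp", "udp"):   # port form: proto local lport global gport
                nats.append((w[8], w[5], int(w[9])))
            else:                        # one-to-one form: local global
                nats.append((w[6], None, None))
        elif (len(w) == 7 and w[0] == "permit" and w[2:4] == ["any", "host"]
              and w[5] == "eq" and w[6].isdigit()):
            permits.add((w[4], w[1], int(w[6])))   # (global addr, proto, port)
    return nats, permits

def audit(config):
    """Compare what static NAT maps with what the inbound ACL lets in."""
    nats, permits = parse(config)
    report = {"whole_host": [], "open": [], "blocked": [], "stale": []}
    for g, proto, port in nats:
        if proto is None:
            # Every port is translated; list the ones the ACL actually opens.
            opened = sorted((p, n) for a, p, n in permits if a == g)
            report["whole_host"].append((g, opened))
        elif (g, proto, port) in permits:
            report["open"].append((g, proto, port))
        else:
            report["blocked"].append((g, proto, port))   # mapped but filtered
    mapped = {g for g, _, _ in nats}
    # Permits to addresses with no static NAT are leftovers worth removing.
    report["stale"] = sorted(p for p in permits if p[0] not in mapped)
    return report

if __name__ == "__main__":
    print(audit(CONFIG))
```

An empty port list under `whole_host` means the host is translated but unreachable for new inbound connections while the ACL is applied; with the ACL removed, every port on that host is reachable from outside.
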
cbillips (Author) Commented:
OK,

Tried the above configuration; when applied, my users from the inside can't get out to the internet.  I'm sure it's breaking something in the ACL, but not sure what.
lrmoore Commented:
Can you make the static nat mappings work without the access-list being applied?
We can take it one step at a time...



lrmoore Commented:
You can always add a bottom line on the acl

   deny ip any any log

enable logging:
   logg buff 4096

then you can see in the logs anything that is being denied..

   sho log
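
Added example (not from the thread): once the `deny ip any any log` line is in place, the buffered log can be grouped to see what the ACL drops. The Python below parses constructed lines in the IOS `%SEC-6-IPACCESSLOGP` / `%SEC-6-IPACCESSLOGDP` format and separates denies aimed at the NAT overload address (traffic coming back to inside users, keyed by the remote service port) from everything else; the addresses and the `summarize` helper are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed log lines (uptime timestamps, RFC 5737 documentation addresses).
LOG = """\
00:12:01: %SEC-6-IPACCESSLOGP: list inbound denied udp 198.51.100.7(123) -> 203.0.113.2(1027), 1 packet
00:12:05: %SEC-6-IPACCESSLOGP: list inbound denied tcp 198.51.100.9(40112) -> 203.0.113.10(445), 3 packets
00:12:09: %SEC-6-IPACCESSLOGDP: list inbound denied icmp 198.51.100.7 -> 203.0.113.2 (0/0), 2 packets
00:13:40: %SEC-6-IPACCESSLOGP: list inbound denied tcp 198.51.100.9(40113) -> 203.0.113.10(445), 1 packet
00:14:02: %LINK-3-UPDOWN: Interface Serial1/0, changed state to up
"""

# TCP/UDP entries carry ports; ICMP entries carry "(type/code)" after the destination.
PAT = re.compile(
    r"%SEC-6-IPACCESSLOGD?P: list (\S+) denied (\S+) "
    r"([\d.]+)(?:\((\d+)\))? -> ([\d.]+)\s?\((\d+(?:/\d+)?)\), (\d+) packet")

def summarize(log, acl, pool):
    """Packets denied by `acl`, keyed by (kind, proto, dst, service)."""
    totals = Counter()
    for m in PAT.finditer(log):
        name, proto, _src, sport, dst, dport, count = m.groups()
        if name != acl:
            continue
        if dst in pool:
            # Traffic to the overload address: the remote (source) port names
            # the service; ICMP has no port, so keep its type/code.
            kind, service = "to-pool", sport or dport
        else:
            kind, service = "other", dport
        totals[(kind, proto, dst, service)] += int(count)
    return totals

if __name__ == "__main__":
    for key, packets in summarize(LOG, "inbound", {"203.0.113.2"}).most_common():
        print(packets, *key)
```
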
cbillips (Author) Commented:
This is a textbook example that worked flawlessly.  I spent two weeks working on this problem, only to find out that my ISP had my assigned block of IPs routed improperly.  After finally convincing the arrogant little $*)*%#( that the problem wasn't on my end, I got a new block assigned.

Lo and behold, the above example works flawlessly when everyone else had done their job.

Thanks again for the great help!!!!!

Question has a verified solution.
