Trouble with static NAT

I have a block of 12 public IPs (*.*.*.130 through *.*.*.142) and I am trying to do the following:

1)  Configure dynamic NAT to overload public IP *.*.*.130 for all outbound initiated traffic (DONE)
2)  Permit only smtp, www, ftp, and icmp outbound traffic (DONE - I think)
3)  Configure static NAT to move inbound port 80 traffic on *.*.*.131 to my internal web server 10.0.0.7  (HELP!)

Problem 1:  Can only ping *.*.*.130 from internal private computer.  When I try to ping the rest of my block of addresses I get "TTL expired in transit".  But I can ping all 12 addresses from the internet.

Problem 2:  No web services available when I try to visit http://*.*.*.131, I get standard "page cannot display" error

Here is my config:
 
  Current configuration : 1286 bytes
  !
  version 12.3
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  !
  hostname MPOE1
  !
  boot-start-marker
  boot-end-marker
  !
  enable secret 5 ************
  !
  mmi polling-interval 60
  no mmi auto-configure
  no mmi pvc
  mmi snmp-timeout 180
  no aaa new-model
  ip subnet-zero
  ip cef
  !
  !
  !
  ip name-server *.*.*.*
  ip name-server *.*.*.*
  no ftp-server write-enable
  !
  !
  !
  !
  interface FastEthernet0/0
   ip address 10.0.0.2 255.255.255.0
   ip nat inside
   speed auto
  !
  interface Serial0/0
   ip address *.*.*.130 255.255.255.240
   ip nat outside
   encapsulation ppp
   fair-queue
   service-module t1 timeslots 1-24
  !
  ip nat pool pool1 *.*.*.130 *.*.*.130 prefix-length 24
  ip nat inside source list 1 pool pool1 overload
  ip nat inside source static tcp 10.0.0.7 80 *.*.*.131 80 extendable
  ip classless
  ip route 0.0.0.0 0.0.0.0 Serial0/0
  ip route 10.0.0.0 255.255.255.0 FastEthernet0/0
  no ip http server
  !
  access-list 1 deny   10.0.0.7
  access-list 1 permit 10.0.0.0 0.0.0.255
  access-list 101 permit tcp any any eq smtp
  access-list 101 permit tcp any any eq www
  access-list 101 permit tcp any any eq ftp
  access-list 101 permit icmp any any
  access-list 101 deny   ip any any
  !
  line con 0
  line aux 0
  line vty 0 4
  !
  !
  end
clayperezAsked:

mikebernhardtCommented:
You still need to use dynamic NAT for your web server or it won't be able to do anything other than NAT on the internet. Try this. This will mean that web is always on x.x.x.131 but anything else will use 130. And you still have a bunch of addresses for other things you may need later. Unless you have the T1 pegged, a single overload address should be more than enough UDP/TCP ports for your users.

ip nat inside source list 1 interface Serial0/0  overload
ip nat inside source static tcp 10.0.0.7 80 *.*.*.131 80 extendable
access-list 1 permit 10.0.0.0 0.0.0.255

You're not currently using access list 101... which is good right now because it would break your connectivity depending where you put it.
clayperezAuthor Commented:
I made the modifications you recommended and now my config looks like the following.  But I still cannot access my webserver by pointing an external client to http://*.*.*.131

I don't get the "page not displayed" message immediately - it takes a full 15+ seconds before it displays.
Any other tips?

.....new config changes read:  

ip nat pool pool1 216.31.251.130 216.31.251.130 prefix-length 24
ip nat inside source list 1 interface Serial0/0 overload
ip nat inside source static tcp 10.0.0.7 80 216.31.251.131 80 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 10.0.0.0 255.255.255.0 FastEthernet0/0
no ip http server
!
access-list 1 permit 10.0.0.0 0.0.0.255
!
line con 0
line aux 0
line vty 0 4
!
!
end
mikebernhardtCommented:
You don't need this line because the line after NATs everything to the serial interface address anyway. Try removing it and then test again, just for fun.
ip nat pool pool1 216.31.251.130 216.31.251.130 prefix-length 24

Incidentally, you don't need this either
ip route 10.0.0.0 255.255.255.0 FastEthernet0/0

The router already knows about this subnet, it's directly connected. If you do a "show ip route" you'll see that the subnet is "C" for connected, not "S" for static, because it prefers a connected route over a static one anyway.

clayperezAuthor Commented:
Still nothing.  I feel like I'm doing everything right.  Let me disclose this:  Port FastEthernet0/0 is plugged directly into a 16 port linksys HUB which is in turn connected to a 3300XM switch where the rest of the devices on the network are connected.  All of the devices on the network currently get their 10.0.0.x address from DHCP on the domain controller.  The gateway is 10.0.0.1 and NOT the cisco router which is 10.0.0.2 (while configuring).  I can get out to the internet through the router from the single device that I have statically configured to use 10.0.0.2 as the gateway, but I still cannot get to the webserver through the *.*.*.131.

Is it possible that I need to somehow specifically assign each address in the pool of 12 to the serial0/0 interface?  Or is this done automatically by the line "IP ADDRESS *.*.*.130 255.255.255.240"?

Here is my current config as of this conversation per your recommendations, however the behavior has not changed.

Current configuration : 955 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname MPOE1
!
boot-start-marker
boot-end-marker
!
enable secret 5 ***
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
ip cef
!
!
!
ip name-server *.*.*.17
ip name-server *.*.*.18
no ftp-server write-enable
!
!
!
!
interface FastEthernet0/0
 ip address 10.0.0.2 255.255.255.0
 ip nat inside
 speed auto
!
interface Serial0/0
 ip address *.*.*.130 255.255.255.240
 ip nat outside
 encapsulation ppp
 fair-queue
 service-module t1 timeslots 1-24
!
ip nat inside source list 1 interface Serial0/0 overload
ip nat inside source static tcp 10.0.0.7 80 *.*.*.131 80 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
no ip http server
!
access-list 1 permit 10.0.0.0 0.0.0.255
!
line con 0
line aux 0
line vty 0 4
!
!
end

mikebernhardtCommented:
It certainly looks like it should work. Let's use some debug info to help us. In config mode, add this access list for now:

access-list 99 permit host *.*.*.131
access-list 99 permit host 10.0.0.7
access-list 99 permit [the address you're testing from]
end

terminal monitor (if you're telnetting, not needed on the console)
debug ip nat 99 detailed

Now do your http test and capture the debug output. Post some of it here and we'll see what's going on.  When you've got some data, type "undebug all" to end it.
clayperezAuthor Commented:
I figured out what the problem was.

Currently because I am in transition mode, the network is set up to still use the primary gateway of 10.0.0.1.  But I have configured this new router on the network as 10.0.0.2.  Because I did not change the default gateway on the web server, it was not responding to incoming requests that came through 10.0.0.2 - it was still trying to respond to 10.0.0.1.  I created a static route from an assistant's computer on the web server and it worked.   This means all I need to do is change the default gateway on the web server (and all other public service hosts) when I make the transition.

Thanks for working on troubleshooting this for me.  Unfortunately it was something that was unrelated to the router config.

Regards,
Carlos

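The two findings in this thread (the first answer's point that `access-list 1 deny 10.0.0.7` leaves the web server's own outbound connections untranslated, and the final diagnosis that a server whose default gateway is 10.0.0.1 rather than the NAT router cannot answer a translated inbound request) can be reproduced with a small model. The Python below is an added example, not code or output from the thread or from Cisco: it models the overload and static translations from the posted config, with the documentation range 198.51.100.0/28 standing in for the masked public block and 203.0.113.x standing in for internet hosts.

```python
# Added example (not from the thread): toy model of the router in the question.
from dataclasses import dataclass

ROUTER_INSIDE = "10.0.0.2"          # FastEthernet0/0, ip nat inside
ROUTER_OUTSIDE = "198.51.100.130"   # Serial0/0, ip nat outside (stands in for *.*.*.130)
WEB_PUBLIC = "198.51.100.131"       # stands in for *.*.*.131
WEB_SERVER = "10.0.0.7"
OLD_GATEWAY = "10.0.0.1"            # legacy gateway the LAN hosts still point at
INTERNET_CLIENT = "203.0.113.5"     # constructed internet client address


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class NatRouter:
    """Models 'ip nat inside source list 1 interface Serial0/0 overload' plus
    'ip nat inside source static tcp 10.0.0.7 80 <public> 80 extendable'."""

    def __init__(self, acl1_permits, static_tcp):
        self.acl1_permits = acl1_permits  # models access-list 1: ip -> bool
        self.static_tcp = static_tcp      # {(inside_ip, port): (public_ip, port)}
        self.table = {}                   # (public_ip, port, proto) -> (inside_ip, port)
        self.next_port = 1024             # next free PAT port on the Serial0/0 address

    def inside_to_outside(self, p):
        """Packet arriving on the inside interface and leaving via Serial0/0."""
        key = (p.src, p.sport)
        if p.proto == "tcp" and key in self.static_tcp:
            pub_ip, pub_port = self.static_tcp[key]     # static entry wins
            self.table[(pub_ip, pub_port, "tcp")] = key
            return Packet(pub_ip, pub_port, p.dst, p.dport, "tcp")
        if not self.acl1_permits(p.src):
            return p  # not matched by list 1: forwarded with its private source
        port = self.next_port
        self.next_port += 1
        self.table[(ROUTER_OUTSIDE, port, p.proto)] = key
        return Packet(ROUTER_OUTSIDE, port, p.dst, p.dport, p.proto)

    def outside_to_inside(self, p):
        """Packet arriving on Serial0/0: static entries accept new inbound flows,
        anything else needs an existing translation or is dropped."""
        for (in_ip, in_port), (pub_ip, pub_port) in self.static_tcp.items():
            if p.proto == "tcp" and (p.dst, p.dport) == (pub_ip, pub_port):
                return Packet(p.src, p.sport, in_ip, in_port, "tcp")
        inside = self.table.get((p.dst, p.dport, p.proto))
        if inside is None:
            return None
        return Packet(p.src, p.sport, inside[0], inside[1], p.proto)


@dataclass
class InsideHost:
    ip: str
    gateway: str  # default gateway configured on the host itself


def original_acl1(ip):
    """access-list 1 deny 10.0.0.7 / permit 10.0.0.0 0.0.0.255 (first config)."""
    return ip != WEB_SERVER and ip.startswith("10.0.0.")


def revised_acl1(ip):
    """access-list 1 permit 10.0.0.0 0.0.0.255 (after the first answer)."""
    return ip.startswith("10.0.0.")


def make_router(acl1):
    return NatRouter(acl1, {(WEB_SERVER, 80): (WEB_PUBLIC, 80)})


def outbound_source_seen(router, host_ip, sport=51000):
    """Source address the internet sees for a connection the host opens itself
    (e.g. the web server fetching updates), which never uses source port 80."""
    return router.inside_to_outside(Packet(host_ip, sport, "203.0.113.9", 443)).src


def web_request_succeeds(router, server):
    """Internet client opens TCP/80 to the public address; True iff the SYN-ACK
    gets back out through the NAT router carrying the public source address."""
    syn = Packet(INTERNET_CLIENT, 40000, WEB_PUBLIC, 80)
    delivered = router.outside_to_inside(syn)
    if delivered is None or delivered.dst != server.ip:
        return False
    if server.gateway != ROUTER_INSIDE:
        # Reply goes to 10.0.0.1, which holds no NAT state for this flow; the
        # client just waits for its TCP handshake to time out.
        return False
    out = router.inside_to_outside(Packet(server.ip, 80, INTERNET_CLIENT, 40000))
    return out is not None and out.src == WEB_PUBLIC


if __name__ == "__main__":
    print("server outbound, original acl 1:", outbound_source_seen(make_router(original_acl1), WEB_SERVER))
    print("server outbound, revised acl 1: ", outbound_source_seen(make_router(revised_acl1), WEB_SERVER))
    for gw in (OLD_GATEWAY, ROUTER_INSIDE):
        ok = web_request_succeeds(make_router(revised_acl1), InsideHost(WEB_SERVER, gw))
        print(f"web server gateway {gw}: inbound http {'works' if ok else 'fails'}")
```

Running it shows the server's own outbound traffic leaving with its private 10.0.0.7 source under the original list 1 and with the Serial0/0 address under the revised one, and the inbound port-80 request succeeding only once the server's gateway is the NAT router; note that the static port-80 entry works regardless of list 1, which is why the ACL change alone did not fix the web test in the thread.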
mikebernhardtCommented:
That makes sense.