Cisco 1750 NAT Problems

I just added a WIC-IDSU-T1 card (as Serial 1) to a Cisco 1750 router for a dedicated T1 line for Internet access.  The router was an existing one that the customer already had a WIC-IDSU-T1 (as Serial 0) configured for a fractional T1 that connected to another site out of state (Serial 0.1) and Internet access (Serial 0.2).  They are keeping the fractional T1 to connect to their out of state site but want to use the new dedicated T1 for Internet access.  I set everything up and the router was working fine (I could ping everything across Serial 0 & 1 as well as Internet IP addresses) on the router.  The problem is that no one could access the Internet on any PC's on the LAN.  So I am guessing there is something wrong with my NAT configuration, but I am not sure.  

Here is the information the ISP gave me for the new dedicated T1 line (I removed the first octet on each IP and replaced it with an *, but the numbers the * is replacing are the same on all of the addresses):
IP info
ISP Serial:            *.127.134.93/30 ( )
Customer Serial:   *.127.134.94/30 ( )
Encapsulation:       CISCO-HDLC
LAN IP Block:        *.125.135.176/29 ( )
Routing Type:       Static

They want to use the addresses as follows:
*.125.135.176 -> network
*.125.135.177 -> web server
*.125.135.178 -> terminal server
*.125.135.179 -> video conf. server
*.125.135.180 & *.125.135.181 -> for Internet traffic
*.125.135.182 -> router address
*.125.135.183 -> broadcast

And here is the configuration from the 1750:
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname WAUKEE
enable secret 5 *********
enable password *******
memory-size iomem 25
ip subnet-zero
interface Serial0
 no ip address
 encapsulation frame-relay IETF
 no fair-queue
 service-module t1 timeslots 1-24
interface Serial0.1 point-to-point
 ip address
 ip nat inside
 frame-relay interface-dlci 16  
interface Serial0.2 point-to-point
 ip address
 ip nat outside
 frame-relay interface-dlci 17  
interface Serial1
 ip address *.127.134.94
 ip nat outside
interface FastEthernet0
 ip address *.125.135.182 secondary
 ip address
 ip nat inside
 speed auto
ip nat pool internet *.125.135.180 *.125.135.181 netmask
ip nat inside source list 1 pool internet overload
ip nat inside source static tcp 80 *.125.135.177 80 extendable
ip nat inside source static tcp 3389 *.125.135.178 3389 extendable
ip classless
ip route *.127.134.93
ip route Serial0.2
ip route
no ip http server
access-list 1 permit
access-list 1 permit
access-list 1 permit
access-list 102 permit tcp host <some address> host *.125.135.177 eq www
line con 0
 transport input none
line aux 0
line vty 0 4
 password *********
no scheduler allocate

So is there something I am missing?  I adapted the configuration from what they already had setup in the Cisco 1750.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

you might want to take out "ip nat outside" from the serial 0.1 and serial 0.2 interface.

bdhtechnologyAuthor Commented:
Serial0.1 has ip nat inside, and Serial0.2 has ip nat outside.  Should I remove both of them still?  I tried removing ip nat outside from Serial0.2 earlier and that didn't seem to have any affect.
I don't think you should have that secondary IP address on the FastE interface. I think that weird routing is messing it up. Plus, you shouldn't need it. Take that off and try again.
Your Guide to Achieving IT Business Success

The IT Service Excellence Tool Kit has best practices to keep your clients happy and business booming. Inside, you’ll find everything you need to increase client satisfaction and retention, become more competitive, and increase your overall success.

I'd replace "ip nat inside" on Serial0.1 with "ip nat outside", and try the following:

clear ip nat trans *
no ip nat inside source list 1 pool internet overload
no access-list 1
access-list 1 permit
ip nat inside source list 1 pool internet interface serial1 overload
ip nat inside source list 1 interface serial0.1 overload
ip nat inside source list 1 interface serial0.2 overload

Your access list tells the router what IP ranges you want to be NAT'd to something else when exiting the router, in this case I think you only want your LAN IPs (10.1.1.x) to be NAT'd. Specifying the interfaces is a must, in order to correctly NAT outbound on each "outside" interface.
NOTE: Anytime you modify your NAT config, always clear the NAT table.

[Apologies, but this is written in a bit of a hurry, so please ask if anything's unclear!]

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
bdhtechnologyAuthor Commented:
I should mention that the remote site coming in on the fractional T1 is going to be using the new dedicated T1 for Internet access as well, so I think that I still need the other access-lists, or at least for the network as that is the network address for the remote site.  The network (used on Serial0.1) is for the connection between the two routers over the fractional T1 for the remote site.  The network (used on Serial0.2) is for the connection to the old ISP which was used for Internet access previously.

So if that is the case should I use these lines?
ip nat inside source list 1 interface serial0.1 overload
ip nat inside source list 1 interface serial0.2 overload

I wasn't sure what the secondary IP on the FastEthernet0 line was for, but it was in the old config I adapated this one from.  Basically I tried just replacing all of the old IP information with the new info from the new ISP and adding the Serial1 connection.
You need to change Serial0.2 to "ip nat inside" to ensure it is going through NAT.

When doing PAT or overloading normally I will only use 1 address or just the serial interface IP.

Try changing
ip nat pool internet *.125.135.180 *.125.135.181 netmask to
ip nat pool internet *.125.135.180 *.125.135.180 netmask

ip nat inside source list 1 pool internet overload to
ip nat inside source list 1 interface serial 1 overload

Let me know if it works.
bdhtechnologyAuthor Commented:
Well apparently the problem was with the ISP.  They didn't activate the line, which apparently they need 24 hour notice to do.  So I am guessing that they didn't add the routes in for the static IPs they ordered.  I won't be back to work on it until Monday so I guess we will see then.

Thanks for all the help everyone..
bdhtechnologyAuthor Commented:
So the problem was that the ISP never routed the static LAN IP's, so thanks for everyone's help.  I suppose since everyone's response was technically correct I'll split points between everyone.
Glad to be of help!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.