Cisco 2600 NAT problem with Cable Modem Ethernet to Ethernet connection

I have a Cisco 2620 IOS 12.3 with the 4 port Ethernet card on the back. I am using interface Ethernet1/0 for a cable modem with a CIDR block. I cannot get the NAT pool to work correctly to allow external addresses to pass through to the internal network. Here is my configuration:

Current configuration : 3075 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname c3
!
enable secret 5 $1$DaAt$XD7X7MK42wCsZ6Gf0xUe2.
enable password cisco
!
ip subnet-zero
!
!
!
ip inspect dns-timeout 30
ip inspect name Firewall ftp
ip inspect name Firewall tcp
ip inspect name Firewall udp
ip inspect name Firewall h323
ip audit notify log
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.50.50 255.255.255.0
 ip nat inside
 speed auto
 full-duplex
!
interface Ethernet1/0
 description COX Business Internet
 ip address 70.167.224.18 255.255.255.240 secondary
 ip address 70.167.224.17 255.255.255.240 secondary
 ip address 70.167.224.20 255.255.255.240 secondary
 ip address 72.215.221.240 255.255.255.224
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 ip accounting output-packets
 ip nat outside
 ip inspect Firewall in
 ip inspect Firewall out
 half-duplex
 no cdp enable
!
interface Ethernet1/1
 no ip address
 shutdown
 half-duplex
!
interface Ethernet1/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet1/3
 no ip address
 shutdown
 half-duplex
!
ip default-gateway 72.215.221.225
ip nat pool NATPOOL 70.167.224.18 70.167.224.30 netmask 255.255.255.240
ip nat inside source list 1 interface Ethernet1/0 overload
ip nat inside source route-map NATMAP pool NATPOOL overload
ip nat inside source static tcp 192.168.50.20 80 interface Ethernet1/0 80
ip nat inside source static 192.168.50.20 70.167.224.20
ip nat inside source static tcp 192.168.50.20 80 70.167.224.20 80 extendable
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 72.215.221.225
!
!
access-list 1 permit 192.168.50.0 0.0.0.255
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip 224.0.0.0 0.255.255.255 any
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.0.0.0 0.255.255.255 any
access-list 101 deny   ip 192.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   icmp any any redirect
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any echo-reply
access-list 101 permit tcp any host 72.215.221.240 eq www
access-list 101 permit tcp any host 72.215.221.240 eq 443
access-list 101 permit tcp any host 72.215.221.240 eq ftp
access-list 101 permit tcp any host 72.215.221.240 eq 59002
access-list 101 permit tcp any host 70.167.224.20 eq www
access-list 101 permit tcp any host 70.167.224.20 eq 443
access-list 101 permit tcp any host 70.167.224.20 eq 444
access-list 101 permit tcp any host 70.167.224.20 eq smtp
access-list 101 permit tcp any host 70.167.224.20 eq 3389
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 login
!
!
!
end

Here is my info from the ISP:

IP Assignment - Subnet Detail

Customer Network:           70.167.224.16/28
Customer NetMask:           255.255.255.240
Number of hosts:            13
Suggested Default Gateway:  70.167.224.17
First Useable:              70.167.224.18
Last Useable:               70.167.224.30
Broadcast:                  70.167.224.31
WAN Address:                72.215.221.240
WAN Netmask:                255.255.255.224
WAN Gateway:                72.215.221.225
DNS:                        68.13.16.30, 68.13.16.25

Any help on what I have missed would be greatly appreciated.

Asked by danej256

lrmoore Commented:
1) you don't need the secondary addressing on the interface
2) you have competing static nat statements to same inside host. Pick one of the three:

ip nat inside source static tcp 192.168.50.20 80 interface Ethernet1/0 80
ip nat inside source static 192.168.50.20 70.167.224.20
ip nat inside source static tcp 192.168.50.20 80 70.167.224.20 80 extendable

I would pick the middle one and remove the other two.

3) remove the default-gateway command. Your ip route 0.0.0.0 statement is what you need to keep.
 no  ip default-gateway 72.215.221.225

4) The IP that you are trying to use as a static is also in the middle of your pool:
 ip nat pool NATPOOL 70.167.224.18 70.167.224.30  <== overlaps with .20
Suggest changing the pool to not include .20
  ip nat pool NATPOOL 70.167.224.21 70.167.224.30
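
An added example, not part of lrmoore's answer or the original thread: a small Python check that flags the two NAT conflicts raised in points 2 and 4 above (several static entries for one inside host, and a static global address that falls inside a dynamic pool). The function names and the SUGGESTED_NAT sample are assumptions made for this example; POSTED_NAT is copied from the question.

```python
import ipaddress

# NAT lines copied from the configuration posted in the question.
POSTED_NAT = """\
ip nat pool NATPOOL 70.167.224.18 70.167.224.30 netmask 255.255.255.240
ip nat inside source list 1 interface Ethernet1/0 overload
ip nat inside source route-map NATMAP pool NATPOOL overload
ip nat inside source static tcp 192.168.50.20 80 interface Ethernet1/0 80
ip nat inside source static 192.168.50.20 70.167.224.20
ip nat inside source static tcp 192.168.50.20 80 70.167.224.20 80 extendable
"""

# Constructed for this example: points 2 and 4 applied, with the netmask
# carried over from the original pool line.
SUGGESTED_NAT = """\
ip nat pool NATPOOL 70.167.224.21 70.167.224.30 netmask 255.255.255.240
ip nat inside source list 1 interface Ethernet1/0 overload
ip nat inside source route-map NATMAP pool NATPOOL overload
ip nat inside source static 192.168.50.20 70.167.224.20
"""

def parse_nat(config):
    """Return ({pool: (first, last)}, [(inside_host, global_or_None)])."""
    pools, statics = {}, []
    for line in config.splitlines():
        tok = line.split()
        if tok[:3] == ["ip", "nat", "pool"]:
            pools[tok[3]] = (ipaddress.ip_address(tok[4]),
                             ipaddress.ip_address(tok[5]))
        elif tok[:5] == ["ip", "nat", "inside", "source", "static"]:
            rest = tok[5:]
            has_ports = rest[0] in ("tcp", "udp")
            if has_ports:
                rest = rest[1:]
            inside = ipaddress.ip_address(rest[0])
            rest = rest[2:] if has_ports else rest[1:]  # skip the inside port
            # "interface X" has no fixed global address to compare with a pool
            outside = None if rest[0] == "interface" else ipaddress.ip_address(rest[0])
            statics.append((inside, outside))
    return pools, statics

def audit(config):
    """List static-vs-pool overlaps and inside hosts with several statics."""
    pools, statics = parse_nat(config)
    findings = []
    for name, (first, last) in pools.items():
        hits = sorted({g for _, g in statics if g is not None and first <= g <= last})
        findings += [("static-in-pool", name, str(g)) for g in hits]
    hosts = [inside for inside, _ in statics]
    for host in sorted(set(hosts)):
        if hosts.count(host) > 1:
            findings.append(("competing-static", str(host), hosts.count(host)))
    return findings
```

Calling audit(POSTED_NAT) reports both conflicts; audit(SUGGESTED_NAT) reports none.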

trinak96 Commented:
I think the problem is on your access-list 101. You are not allowing traffic onto the LAN subnet.

danej256 (Author) Commented:
I have a working config that I started to base all this off of that had everything working based off the access lists that I have in place now, although it was set up for a Frame Relay. Also, lrmoore, I have tried everything you suggested and I am still not having any luck.
It may very well be something else missing from the access list, but I am not sure what to put in there.

lrmoore Commented:
>interface Ethernet1/0
  ip address 72.215.221.240 255.255.255.224
  ip inspect Firewall in <== remove this.
  ip inspect Firewall out

You don't need to inspect both directions.

Does Cox route the secondary block of IP addresses to you via this WAN IP address? It would be untypical of your block of IPs to be different than the subnet assigned to the interface.

Question has a verified solution.