1-1 NAT incoming works but outgoing doesn't

I have an 1841 router with a T1 and 14 available static IPs, and I need this one to be a static 1-1 NAT:

ip nat inside source static 65.xx.xxx.230 extendable

But how do I make it so that when the local IP address needs to get out, it goes via the 65.xx.xxx.230 address and not the default IP route method, which it shows now as 65.xx.xxx.226?


Fred Marshall (Principal) Commented:
Well, the description is a bit too cryptic and the terms are loose....

Let's see if I understand:

T1 with 14 available public IPs.
I have no idea how you're connecting to this source of IPs....... you didn't say.

Cisco 1841 router - which I will assume has a single public IP of 65.xxx.xxx.230.

What has the public IP 65.xxx.xxx.226?  That's not mentioned.

I assume that the LAN is /

Let's assume that the Cisco 1841 has a LAN address of 192.168.14.zzz.

*WHERE is* the default route pointing to 65.xxx.xxx.226?????  That's not mentioned.

The typical solutions are these:

1) Put a static persistent route in one or more workstations that point to a local LAN address that is "associated with" 65.xxx.xxx.226 - like a router or firewall with this as the public side address.  This is the "hard way" but it works.

2) Put a static persistent route in the LAN gateway device that will route such packets to the appropriate LAN address (and hence to the appropriate public address).


Cisco 1841  WAN: 65.xxx.xxx.230  LAN:
VPN device  WAN: 65.xxx.xxx.226  LAN:

First approach:
Workstation  Gateway
Persistent route 65.xxx.xxx.226 mask xxxxxxxxxx metric 1

Second approach:
Workstation 192.168.14.2 Gateway
(No special routes)
Cisco 1841 WAN: 65.xxx.xxx.230  LAN:
Persistent route 65.xxx.xxx.226 mask xxxxxxxxxx metric 1

Since the destination IP is a public address, the Cisco 1841 would normally route it out to the WAN interface / to the internet.  But, with the route added, it will send the packets destined for 65.xxx.xxx.226 to which should know what to do with those packets.

Now, calling it a VPN in the example is a bit of a misnomer because in that case the destination would usually be a private IP address in a different subnet at a remote site - and not a public IP address.
johnritzer (Author) Commented:
Hey, thanks for the reply. I should have been a little more descriptive.

Here's my .226 interface, the first public IP:

ip address 65.xx.xx.226
 ip access-group 199 in
 no ip redirects
 no ip unreachables
 ip directed-broadcast
 ip inspect Firewall out
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable

interface FastEthernet0/1
 description $FW_INSIDE$
 ip address
 ip access-group 102 in
 no ip redirects
 no ip unreachables
 ip directed-broadcast
 ip nat inside
 ip virtual-reassembly
 ip policy route-map NAT_Filter
 duplex auto
 speed auto

interface Serial0/0/0
description T1 circuit with XOs equipment
 ip address 64.xx.xx.10
 no ip redirects
 no ip unreachables
 encapsulation ppp

 service-module t1 timeslots 1-24

ip forward-protocol udp netbios-ss
ip route 64.xx.xx.9
ip route
ip http server
ip http authentication local
ip http secure-server

ip nat inside source static extendable
(I tried doing this but no luck)

Here are the ACLs 199 in and 102 in:

access-list 102 deny   ip 65.xx.xx.0 any
access-list 102 deny   ip host any
access-list 102 deny   ip any
access-list 102 permit ip host
access-list 102 permit ip any host
access-list 102 permit ip host any
access-list 102 permit tcp any any eq 5060
access-list 102 permit ip host
access-list 102 permit ip
access-list 102 deny   ip
access-list 102 deny   icmp any
access-list 102 permit ip any any

access-list 199 permit ip any host
access-list 199 permit ip any any

Basically, 14.x is my VLAN 2 and 11.x is my VLAN 1, but I have the voice VLAN 2 (14.x) going to an HP ProCurve switch as a default gateway, and the IP route on the switch goes to

My goal is to have alternate routes with 2 different routers in my network: use the DSL mostly for web and FTP downloading traffic, but this T1 will be used for my voice (SIP) with a 1-1 NAT setup to the for my phone system and the which is my Asterisk..

Hope that helps a bit. Thanks a bunch.

Fred Marshall (Principal) Commented:
You've introduced some new IP addresses / subnets that I don't recognize as being discussed.

johnritzer (Author) Commented:
This 1841 router is the router for just our T1.

We also have an 800 series router, mainly used for web traffic; it used to be used for everything, but now we have some statics we got for the T1 in the 1841 router .... that I'm not too sure how to make it so that when it goes out via the internet it does not use the default interface IP 65.xx.xx.226

and uses the IP coming in from it.

Is there something like: IF internal IP of goes out the route of 64.xx.xx.10, then use the static IP of 65.xx.xx.230 and not the 65.xx.xx.226 (the one for the FA0/0)?

Thanks :)
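
The question above is which source address an outbound packet ends up with. This is an added example, not part of the original thread: a simplified Python model of IOS inside-source NAT selection over a constructed config. All addresses are documentation placeholders, and the overload rule on FastEthernet0/0 (with an ACL assumed to match every inside host) is an assumption that does not appear in the posted config.

```python
import re

# Constructed sample config; addresses are RFC 5737 / RFC 1918 placeholders.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 203.0.113.226 255.255.255.240
 ip nat outside
interface FastEthernet0/1
 ip address 192.168.14.1 255.255.255.0
 ip nat inside
interface Serial0/0/0
 ip address 198.51.100.10 255.255.255.252
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static 192.168.14.50 203.0.113.230 extendable
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"

def parse(config):
    """Return (NAT role per interface, static local->global map, overload address)."""
    roles, addrs, statics, overload_if, current = {}, {}, {}, None, None
    for line in config.splitlines():
        s = line.strip()
        if m := re.match(r"interface (\S+)", s):
            current = m.group(1)
        elif m := re.match(rf"ip address {IP} ", s):
            addrs[current] = m.group(1)
        elif m := re.match(r"ip nat (inside|outside)$", s):
            roles[current] = m.group(1)
        elif m := re.match(rf"ip nat inside source static {IP} {IP}", s):
            statics[m.group(1)] = m.group(2)
        elif m := re.match(r"ip nat inside source list \S+ interface (\S+) overload", s):
            overload_if = m.group(1)
    return roles, statics, addrs.get(overload_if)

def source_after_nat(config, src_ip, in_if, out_if):
    """Source address a packet carries after leaving out_if (simplified model)."""
    roles, statics, overload_addr = parse(config)
    # Inside-source NAT applies only when a packet crosses inside -> outside.
    if roles.get(in_if) != "inside" or roles.get(out_if) != "outside":
        return src_ip
    # A static entry for the host is matched before the dynamic overload rule.
    if src_ip in statics:
        return statics[src_ip]
    return overload_addr or src_ip
```

In this model only the host named in the static entry leaves as .230, other inside hosts fall through to the interface address, and a packet routed out an interface without `ip nat outside` is not translated at all.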
Fred Marshall (Principal) Commented:
It seems to me that your primary challenge is to split the traffic amongst the applications.  
You need a router with tagging and internal routing capabilities it seems.  Otherwise, how will you separate the traffic?
johnritzer (Author) Commented:
Would this not work? It works if I create a machine within my network with a static address and I point the GW to the 65.xx.xx.226.

I'm wondering if it's just a route map, but I have no idea how to configure them.


Fred Marshall (Principal) Commented:
Please let's get down to basics...  I still am quite unsure about your network topology.  

"It works" isn't very descriptive.  *What* works?  

Here is what I recommend:

State what the machines / IP addresses are.
State the requirements clearly.
Then maybe we can help.
