1-1 NAT incoming works but outgoing doesn't

I have an 1841 router with a T1, 14 available static IPs, and I need this one to be a static 1-1 NAT:

ip nat inside source static 65.xx.xxx.230 extendable

But how do I make it to where the local IP address gets out via the 65.xx.xxx.230 address and not via the default IP route method, which it shows now (65.xx.xxx.226)?

Fred Marshall (Principal) commented:
Please let's get down to basics...  I still am quite unsure about your network topology.  

"It works" isn't very descriptive.  *What* works?  

Here is what I recommend:

State what the machines / IP addresses are.
State the requirements clearly.
Then maybe we can help.

Fred Marshall (Principal) commented:
Well, the description is a bit too cryptic and the terms are loose....

Let's see if I understand:

T1 with 14 available public IPs.
I have no idea how you're connecting to this source of IPs....... you didn't say.

Cisco 1841 router - which I will assume has a single public IP of 65.xxx.xxx.230.

What has the public IP 65.xxx.xxx.226?  That's not mentioned.

I assume that the LAN is /

Let's assume that the Cisco 1841 has a LAN address of 192.168.14.zzz.

*WHERE is* the default route pointing to 65.xxx.xxx.226?????  That's not mentioned.

The typical solutions are these:

1) Put a static persistent route in one or more workstations that point to a local LAN address that is "associated with" 65.xxx.xxx.226 - like a router or firewall with this as the public side address.  This is the "hard way" but it works.

2) Put a static persistent route in the LAN gateway device that will route such packets to the appropriate LAN address (and hence to the appropriate public address).


Cisco 1841  WAN: 65.xxx.xxx.230  LAN:
VPN device  WAN: 65.xxx.xxx.226  LAN:

First approach:
Workstation  Gateway
Persistent route 65.xxx.xxx.226 mask xxxxxxxxxx metric 1

Second approach:
Workstation 192.168.14.2 Gateway
(No special routes)
Cisco 1841 WAN: 65.xxx.xxx.230  LAN:
Persistent route 65.xxx.xxx.226 mask xxxxxxxxxx metric 1

Since the destination IP is a public address, the Cisco 1841 would normally route it out to the WAN interface / to the internet.  But, with the route added, it will send the packets destined for 65.xxx.xxx.226 to which should know what to do with those packets.

Now, calling it a VPN in the example is a bit of a misnomer because in that case the destination would usually be a private IP address in a different subnet at a remote site - and not a public IP address.

johnritzer (Author) commented:
Hey, thanks for the reply. I should have been a little more descriptive.

Here's my .226 interface, first public IP:

ip address 65.xx.xx.226
 ip access-group 199 in
 no ip redirects
 no ip unreachables
 ip directed-broadcast
 ip inspect Firewall out
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable

interface FastEthernet0/1
 description $FW_INSIDE$
 ip address
 ip access-group 102 in
 no ip redirects
 no ip unreachables
 ip directed-broadcast
 ip nat inside
 ip virtual-reassembly
 ip policy route-map NAT_Filter
 duplex auto
 speed auto

interface Serial0/0/0
 description T1 circuit with XOs equipment
 ip address 64.xx.xx.10
 no ip redirects
 no ip unreachables
 encapsulation ppp

 service-module t1 timeslots 1-24

ip forward-protocol udp netbios-ss
ip route 64.xx.xx.9
ip route
ip http server
ip http authentication local
ip http secure-server

ip nat inside source static extendable
(I tried doing this but no luck)

Here are the ACLs 199 in and 102 in:

access-list 102 deny   ip 65.xx.xx.0 any
access-list 102 deny   ip host any
access-list 102 deny   ip any
access-list 102 permit ip host
access-list 102 permit ip any host
access-list 102 permit ip host any
access-list 102 permit tcp any any eq 5060
access-list 102 permit ip host
access-list 102 permit ip
access-list 102 deny   ip
access-list 102 deny   icmp any
access-list 102 permit ip any any

access-list 199 permit ip any host
access-list 199 permit ip any any

Basically 14.x is my VLAN 2 and 11.x is my VLAN 1, but I have the voice VLAN 2 14.x
going to an HP ProCurve as a switch as a default gateway, and the switch for the IP route on there goes to

My goal is to have alternate routes with 2 different routers in my network: use the DSL as mostly web and FTP downloading traffic, but this T1 will be used as my voice (SIP) with a 1-1 NAT setup to the for my phone system and the which is my Asterisk.

Hope that helps a bit. Thanks a bunch.

Fred Marshall (Principal) commented:
You've introduced some new IP addresses / subnets that I don't recognize as being discussed.

johnritzer (Author) commented:
This 1841 router is the router for just our T1.

We also have an 800 series router, mainly used just for web traffic (it used to be everything), but now we have some statics we got for the T1 in the 1841 router .... that I'm not too sure how to make it, like when it goes out via the internet, not use the default interface IP 65.xx.xx.226

and use the IP coming in from it.

Is there like an IF internal IP of goes out the route of 64.xx.xx.10 THEN use static IP of 65.xx.xx.230 and not the 65.xx.xx.226 (the one for the FA0/0)?

Thanks :)

Fred Marshall (Principal) commented:
It seems to me that your primary challenge is to split the traffic amongst the applications.  
You need a router with tagging and internal routing capabilities it seems.  Otherwise, how will you separate the traffic?

johnritzer (Author) commented:
Would this not work? It works if I create a machine within my network as a static address and I point the GW to the 65.xx.xx.226.

I'm wondering if it's just a route-map, but I have no idea how to configure them.

