static nat / port forwarding a range

I am trying to set up 2 static NAT entries with an ACL to forward a range of ports to 2 internal servers. When I set up the ACL on fasteth0, the NAT entries work only one way. The public can access the internal servers, but if you try to browse the web or use other internet protocols from the internal servers, you can't. See below:

IOS (tm) C2600 Software (C2600-I-M), Version 12.2(29b), RELEASE SOFTWARE (fc1

interface FastEthernet0/0
 ip address 207.164.206.23 255.255.255.224 secondary
 ip address 207.164.206.24 255.255.255.224 secondary
 ip address 207.164.206.22 255.255.255.224
 ip access-group 100 in
 ip nat outside
 speed 100
 full-duplex

ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static 172.16.2.10 207.164.206.23
ip nat inside source static 172.16.2.11 207.164.206.24

access-list 100 permit tcp any host 207.164.206.22 eq 3393
access-list 100 permit tcp any host 207.164.206.23 eq 3394
access-list 100 permit tcp any any eq telnet
access-list 100 permit tcp any host 207.164.206.22 range 20000 20299
access-list 100 permit tcp any host 207.164.206.23 range 30000 30299
access-list 100 permit tcp any any eq domain
access-list 100 permit udp any any eq domain
access-list 100 permit tcp any host 207.164.206.22 eq 3389
access-list 100 deny   ip any any


nbhasin asked:

Jan Springer commented:
1) map the internal to the external (if applicable)

    ip nat outside source static 207.164.206.23 172.16.2.10
    ip nat outside source static 207.164.206.24 172.16.2.11

2) You do not need to list these as secondaries on the public interface:
    ip address 207.164.206.23 255.255.255.224 secondary
    ip address 207.164.206.24 255.255.255.224 secondary

3) modify the acl to allow traffic that originates from the inside to go out:
    no access-list 100
    access-list 100 permit tcp any 207.164.206.0 255.255.255.224 established
    access-list 100 permit tcp any host 207.164.206.22 eq 3393
    access-list 100 permit tcp any host 207.164.206.23 eq 3394
    access-list 100 permit tcp any any eq telnet
    access-list 100 permit tcp any host 207.164.206.22 range 20000 20299
    access-list 100 permit tcp any host 207.164.206.23 range 30000 30299
    access-list 100 permit tcp any any eq domain
    access-list 100 permit udp any any eq domain
    access-list 100 permit tcp any host 207.164.206.22 eq 3389
    access-list 100 deny   ip any any
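An added Python model of the inbound ACL from this answer (written for this thread, not taken from it or from IOS): it converts the interface's subnet mask to the wildcard form that Cisco extended ACLs use (0.0.0.31 for a /27), evaluates constructed packets first-match-wins with the implicit deny at the end, and treats `established` the way IOS does, as a stateless check for ACK or RST in the TCP header. It assumes the public block is 207.164.206.0/27, as the /27 mask on FastEthernet0/0 implies; the packets at the bottom are constructed for the demonstration.

```python
import ipaddress

def wildcard_from_mask(mask: str) -> str:
    """Cisco ACLs take a wildcard mask, the bitwise inverse of the subnet mask."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))

def in_block(addr: str, network: str, wildcard: str) -> bool:
    """A 1 bit in the wildcard means 'don't care'; every other bit must match."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == \
           (int(ipaddress.IPv4Address(network)) & care)

# Assumption: the public block is 207.164.206.0/27 (the /27 mask on Fa0/0).
PUBLIC_NET = "207.164.206.0"
PUBLIC_WC = wildcard_from_mask("255.255.255.224")  # -> 0.0.0.31

# Inbound ACL on the outside interface, modelled on the thread's access-list 100.
# Entry: (proto, dst network, wildcard, low port, high port, established-only)
ACL = [
    ("tcp", PUBLIC_NET, PUBLIC_WC, 1, 65535, True),   # replies to inside-initiated sessions
    ("tcp", "207.164.206.23", "0.0.0.0", 20000, 20299, False),
    ("tcp", "207.164.206.24", "0.0.0.0", 30000, 30299, False),
    ("tcp", "207.164.206.23", "0.0.0.0", 3389, 3389, False),
]

def acl_permits(proto: str, dst: str, dport: int, ack_or_rst: bool) -> str:
    """First match wins; an unmatched packet hits the implicit deny.
    'established' is stateless: IOS only checks for ACK or RST, so it admits
    any segment carrying those flags, not only replies to inside sessions."""
    for p, net, wc, lo, hi, est_only in ACL:
        if p != proto or not in_block(dst, net, wc) or not lo <= dport <= hi:
            continue
        if est_only and not ack_or_rst:
            continue
        return "permit"
    return "deny"

if __name__ == "__main__":
    # Constructed packets: (description, dst, dport, ACK/RST set)
    for desc, dst, dport, flag in [
        ("reply to inside web session PAT'd to .22", "207.164.206.22", 51234, True),
        ("unsolicited SYN to .22 high port", "207.164.206.22", 51234, False),
        ("inbound SYN to .23 forwarded range", "207.164.206.23", 20100, False),
        ("inbound SYN to .23 port 443", "207.164.206.23", 443, False),
    ]:
        print(f"{desc}: {acl_permits('tcp', dst, dport, flag)}")
    # A subnet mask typed where a wildcard belongs inverts the match.
    print(in_block("10.0.0.0", PUBLIC_NET, "255.255.255.224"))  # True: outside the block
```

The last check shows why a subnet mask pasted where the wildcard belongs matches addresses outside the block; compare the result of `in_block` with `0.0.0.31` instead.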
nbhasin (author) commented:
I have modified it as per your suggestion; it still doesn't work. See below.

interface FastEthernet0/0
 ip address 207.164.206.22 255.255.255.224
 ip access-group 100 in
 ip nat outside
 speed 100
 full-duplex

ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat outside source static 207.164.206.23 172.16.2.10
ip nat outside source static 207.164.206.24 172.16.2.11

access-list 100 permit tcp any 0.0.0.0 255.255.255.224 established
access-list 100 permit tcp any host 207.164.206.23 eq 3393
access-list 100 permit tcp any host 207.164.206.24 eq 3394
access-list 100 permit tcp any any eq telnet
access-list 100 permit tcp any host 207.164.206.23 range 20000 20299
access-list 100 permit tcp any host 207.164.206.24 range 30000 30299
access-list 100 permit tcp any any eq domain
access-list 100 permit udp any any eq domain
access-list 100 permit tcp any host 207.164.206.23 eq 3389
access-list 100 deny   ip any any

Jan Springer commented:
What does a "show log" indicate for a particular machine in question?
nbhasin (author) commented:
Not sure if this is what you are asking for?

Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns)
    Console logging: level debugging, 26 messages logged
    Monitor logging: level debugging, 0 messages logged
    Buffer logging: disabled
    Logging Exception size (4096 bytes)
    Trap logging: level informational, 30 message lines logged
Jan Springer commented:
sh log | i 207.164.206.23

and

sh log | i 207.164.206.24

You might also need to tweak your logging statements:
   logging buffered 32768 debugging
   logging on
nbhasin (author) commented:
This is all I get:

sh log | i 207.164.206.23
mhsystem#sh log | i 207.164.206.24
mhsystem#sh log
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns)
    Console logging: level debugging, 31 messages logged
    Monitor logging: level debugging, 0 messages logged
    Buffer logging: level debugging, 4 messages logged
    Logging Exception size (4096 bytes)
    Trap logging: level informational, 35 message lines logged

Log Buffer (32769 bytes):

2d23h: %SYS-5-CONFIG_I: Configured from console by vty0 (207.164.206.10)
2d23h: %SYS-5-CONFIG_I: Configured from console by vty0 (207.164.206.10)
2d23h: %SYS-5-CONFIG_I: Configured from console by vty0 (207.164.206.10)
2d23h: %SYS-5-CONFIG_I: Configured from console by console
Jan Springer commented:
Do this:

    no access-list 100
    access-list 100 permit tcp any 207.164.206.0 255.255.255.224 established
    access-list 100 permit tcp any host 207.164.206.22 eq 3393 log
    access-list 100 permit tcp any host 207.164.206.23 eq 3394 log
    access-list 100 permit tcp any any eq telnet
    access-list 100 permit tcp any host 207.164.206.22 range 20000 20299 log
    access-list 100 permit tcp any host 207.164.206.23 range 30000 30299 log
    access-list 100 permit tcp any any eq domain
    access-list 100 permit udp any any eq domain
    access-list 100 permit tcp any host 207.164.206.22 eq 3389 log
    access-list 100 deny   ip any any log


Run a test and then please output:

show access-list 100

And:

sh log | i 207.164.206.22
sh log | i 207.164.206.23
sh log | i 207.164.206.24
nbhasin (author) commented:
This is what I get. By the way, I don't get any output with the sh log | i 207.164.206.23 etc. commands:

#sh access-list 100
Extended IP access list 100
    permit tcp any any established (1952 matches)
    permit tcp any host 207.164.206.23 eq 3393
    permit tcp any host 207.164.206.24 eq 3394
    permit tcp any any eq telnet
    permit tcp any host 207.164.206.23 range 20000 20299 (6 matches)
    permit tcp any host 207.164.206.24 range 30000 30299
    permit tcp any any eq domain
    permit udp any any eq domain
    permit tcp any host 207.164.206.23 eq 3389 (2 matches)
    deny ip any any (183 matches)
Jan Springer commented:
If you re-write the ACL with the 'log' statements where needed, we can better troubleshoot the problem.