Basic Cisco 2851 Router Config Inside to Outside

Need help with basic configuration of Cisco 2851 router.  ISP provided the following four static IP addresses:
XXX.XXX.XXX.232
XXX.XXX.XXX.233
XXX.XXX.XXX.245
XXX.XXX.XXX.246
Gateway XXX.XXX.XXX.1
Subnet Mask 255.255.254.0

I want to route as follows:
XXX.XXX.XXX.232 default outside for all network 192.168.16.0
XXX.XXX.XXX.232 static to machine 192.168.16.16 for web and mail servers
XXX.XXX.XXX.232 static to machine 192.168.16.2 for pptp vpn
XXX.XXX.XXX.232 static to machine 192.168.16.20 for SIP phone server

Thus far, I have basic configuration that permits me to ping to the ISP gateway, nothing else.  I am using command line.  Please offer help.  Thank you.  My running-config follows:

Current configuration : 3514 bytes
!
! Last configuration change at 11:43:04 UTC Tue Oct 6 2015 by XXXXXXX
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco2851
!
boot-start-marker
boot system flash:c2800nm-adventerprisek9-mz.151-4.M9.bin
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 5 xxxxxxxxxxxxxxxxxx
enable password xxxxxxx
!
no aaa new-model
!
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
!
ip domain name cisco2851.xxxxxxx.com
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-4152266703
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4152266703
 revocation-check none
 rsakeypair TP-self-signed-4152266703
!
!
crypto pki certificate chain TP-self-signed-4152266703
 certificate self-signed 01
  3082022B ...blah
blah... 29EE35
        quit
!
!
license udi pid CISCO2851 sn FTX1244A3SA
username xxxxxxprivilege 15 password 0 xxxxxxxxx
!
redundancy
!
!
ip ssh time-out 60
ip ssh version 1
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
 ip address 192.168.16.7 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 description outside
 ip address xxx.xxx.xxx.232 255.255.254.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface BRI0/1/0
 no ip address
 encapsulation hdlc
 shutdown
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source list 101 interface GigabitEthernet0/1 overload
ip default-network 192.168.16.0
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
!
!
!
!
!
!
!
!
!
!
!
!
snmp-server community public RO
!
!
control-plane
!
!
voice-port 2/0/0
!
voice-port 2/0/1
!
voice-port 2/0/2
!
voice-port 2/0/3
!
voice-port 2/0/4
!
voice-port 2/0/5
!
voice-port 2/0/6
!
voice-port 2/0/7
!
!
!
mgcp profile default
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 privilege level 15
 password xxxxxxxx
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
end
stwilga Asked:
JustInCase Commented:
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
Should be
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
or
access-list 101 permit ip 192.168.16.0 0.0.0.255 any
Since your inside interface IP address is 192.168.16.7

I guess that you should configure IP address pool for your addresses (maybe you don't need - that will maybe be solved by your ISP at least some part of it), but I never did it with two address ranges, so I will skip that one. :)

About
XXX.XXX.XXX.232 default outside for all network 192.168.16.0
this one above is included in ip nat inside source list 101 interface GigabitEthernet0/1 overload
at least how it is configured now, about this
XXX.XXX.XXX.232 static to machine 192.168.16.16 for web and mail servers
XXX.XXX.XXX.232 static to machine 192.168.16.2 for pptp vpn
XXX.XXX.XXX.232 static to machine 192.168.16.20 for SIP phone server

Port forward on Cisco router you can configure with:
! port 80 WAN --> localhost port 80
ip nat inside source static tcp 192.168.16.16 80 XXX.XXX.XXX.232 80 extendable
! port 25 WAN --> localhost port 25
ip nat inside source static tcp 192.168.16.16 25 XXX.XXX.XXX.232 25 extendable
! the same logic, add ports
ip nat inside source static tcp 192.168.16.2 <port vpn> XXX.XXX.XXX.232 <port vpn> extendable
ip nat inside source static tcp 192.168.16.20 <port SIP> XXX.XXX.XXX.232 <port SIP> extendable

Basically the command is (for configuration of other ports that you will need, like https):
ip nat inside source static <protocol> <localhost IP> <port localhost> <WAN port IP address> <port WAN> extendable

I guess that you should remove ip default-network 192.168.16.0 in this case.
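Added example (not part of the original answer): an IOS wildcard mask marks the bits to ignore, so the check below shows which inside hosts each ACL 101 variant quoted above would hand to the NAT overload rule. The function names are hypothetical; the addresses and masks are the ones in this thread.

```python
from ipaddress import IPv4Address

def wildcard_match(addr, base, wildcard):
    """True if addr matches an IOS ACL source written as base + wildcard mask.

    Wildcard bits set to 1 are ignored; bits set to 0 must equal the base.
    """
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)

def matched_range(base, wildcard):
    """First and last address covered (meaningful for contiguous wildcards)."""
    w = int(IPv4Address(wildcard))
    lo = int(IPv4Address(base)) & ~w & 0xFFFFFFFF
    return str(IPv4Address(lo)), str(IPv4Address(lo | w))

def covered_count(wildcard):
    """Number of source addresses an entry permits: 2^(ignored bits)."""
    return 2 ** bin(int(IPv4Address(wildcard))).count("1")

# ACL 101 source entries from the thread: the original and the two suggested fixes.
ACL_ENTRIES = {
    "original": ("192.168.0.0", "0.0.0.255"),
    "fix_wide": ("192.168.0.0", "0.0.255.255"),
    "fix_exact": ("192.168.16.0", "0.0.0.255"),
}

# Inside addresses named in the question (router inside interface and servers).
INSIDE_HOSTS = ["192.168.16.7", "192.168.16.16", "192.168.16.2", "192.168.16.20"]

def nat_coverage(entries=ACL_ENTRIES, hosts=INSIDE_HOSTS):
    """Per ACL entry, the inside hosts that 'ip nat inside source list' would translate."""
    return {name: [h for h in hosts if wildcard_match(h, base, wc)]
            for name, (base, wc) in entries.items()}

if __name__ == "__main__":
    coverage = nat_coverage()
    for name, (base, wc) in ACL_ENTRIES.items():
        lo, hi = matched_range(base, wc)
        print(f"{name:9} {base} {wc}: {lo} - {hi} "
              f"({covered_count(wc)} addresses), hosts matched: {coverage[name]}")
```

Both fixes translate the inside hosts; the 192.168.16.0 0.0.0.255 entry does so while permitting 256 source addresses instead of 65536.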
stwilga (Author) Commented:
Thanks.  Thus far, I am online from inside network 192.168.16.0 to outside .232.  My .16 webserver is up and still not accessible at static .233 from the outside after I added:
ip nat inside source static tcp 192.168.16.16 80 64.136.223.233 80 extendable

Here's what I have now:

ip source-route
!
!
ip cef
!
ip dhcp excluded-address 192.168.16.1 192.168.16.149
!
ip dhcp pool Pool1
 network 192.168.16.0 255.255.255.0
 default-router 192.168.16.7
 dns-server 64.126.4.212 64.126.4.216 8.8.8.8
!
!
no ip domain lookup
ip domain name cisco2851.latentllc.com
no ipv6 cef
!
multilink bundle-name authenticated
!

!
redundancy
!

!
interface GigabitEthernet0/0
 description connection to switch
 ip address 192.168.16.7 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 description outside
 ip address xxx.xxx.xxx.232 255.255.254.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
!
interface BRI0/1/0
 no ip address
 encapsulation hdlc
 shutdown
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.168.16.16 80 xxx.xxx.xxx.233 80 extendable
ip route 0.0.0.0 0.0.0.0 64.136.222.1
!
ip access-list standard NAT-INSIDE
 permit 192.168.16.0 0.0.0.255
stwilga (Author) Commented:
I need the .16 web server ported to .233 outside address.  Thanks for your help.
JustInCase Commented:
That's the way to do it. :)
Do you have some firewall (hardware or software), antivirus or something else that could block the port?

You can check if the port is open.
You can temporarily disable all firewalls etc. to check whether everything is OK.
stwilga (Author) Commented:
No, the Cisco 2851 is plugged directly into the ISP gateway.  Do I need to have an access-list line to permit traffic from an external address not otherwise named?  Interface g0/1 is assigned .232 and all internal traffic routes through that fine, but .232, .245, .246 static IPs are not otherwise named in the router except by adding the NAT rules we covered above.

Thanks very much for your help.
Question has a verified solution.