Unanswered Question
Apr 23rd, 2008

I'm new to configuring an 1841 and I need help doing the following:

I need to allow a certain private ip address access outside to the Internet.

For example, on my PIX506e the command looks like this:

nat (inside) 1 0 0

Which obviously allows that device to access the internet unrestricted.

My question is how do I enter the above command into an 1841? The commands in the 1841 are different than in a PIX506e and I need help.

Thanks in advance.

Jon Marshall Wed, 04/23/2008 - 11:01

You haven't posted the global address that matches your nat statement.

If the global statement on your pix uses the outside interface address:

ip nat inside source static interface fa0/1

where fa0/1 is the interface with the public ip address on it.

If it is not the interface address, as an example let's say the global IP address is

ip nat inside source static

int fa0/0

ip nat inside

int fa0/1

ip nat outside

where fa0/0 is the interface on which the source IP will enter the router and fa0/1 is where the packet exits the router.


readymixed1 Thu, 04/24/2008 - 07:55

I entered the commands like you said and everything seemed fine, but then an hour later the 1841 stopped working. Any ideas?

It's got an Internet T1 connected to it and I can ping the public interface but not the private interface.

These are the commands I put in:

ip nat inside source static interface serial0/0/0

ip nat inside source static (used my public ip)

int fa0/1

ip nat inside

int serial0/0/0

ip nat outside

Jon Marshall Thu, 04/24/2008 - 23:20

You only need one of those commands, not both; I was just giving you options. Is the address on s0/0/0? If so, just one of the entries.

Not sure if that would have caused your connectivity problem. Make the change and see how it goes.


readymixed1 Fri, 04/25/2008 - 02:42

Sorry I only used one of those commands, it looks like this:

ip nat inside source static interface serial0/0/0

int fa0/1

ip nat inside

int serial0/0/0

ip nat outside

I don't know if this helps, but this is a remote site that connects back to another network (corporate) to do all its work and access our servers. Once those commands went in they were not able to connect back to our corporate network and I wasn't able to see them.

rkazmierczak Fri, 04/25/2008 - 10:52


I would disagree that ip nat inside source static is the equivalent of the nat (inside) .... command.

In this scenario, I would use dynamic NAT/PAT instead of static NAT.

This would allow for more flexibility, as you could easily add/remove other hosts to the access list.


ip access-list ext INSIDE_HOSTS

permit ip h any

ip nat inside source list INSIDE_HOSTS interface serial0/0/0 overload

int fa0/1

ip nat inside

int serial0/0/0

ip nat outside

You normally do static NAT if you want to allow access TO the server from the internet (although functionally they are similar in this case).

I have seen issues though with static NAT on the routers using interfaces.

For static NAT to allow access to inside servers it is usually better to use static PAT:

ip nat inside source static tcp 25 25

By the way, can you explain the setup?

I'm not sure about

"It's got an Internet T1 connected to it and I can ping the public interface but not the private interface."

Are you pinging from the inside of the remote network?


readymixed1 Fri, 04/25/2008 - 11:09

Basically the way it is setup is:

The 1841 is configured so that the devices at the remote site can't access the internet (it's blocked). The only thing they can access is the servers back at corp. The 1841 is set up basically to serve as a VPN connection back to corp. (We have VPN Concentrators at corp that link the corp network with all the remote sites.)

The commands you provided me, will they serve what I'm looking to do? The reason I am asking is because I had:

int serial0/0/0

ip nat outside

I had to take that command out because with that command in place it broke the connection between corp and remote site.

Also the command:

ip nat inside source static tcp 25 25

Do I put that in with the other commands you told me to?

rkazmierczak Fri, 04/25/2008 - 11:31

That's what I suspected :)

What you need to do is exempt VPN traffic from being translated, but you still want to allow one host while being able to access it from your central site. This is a bit more complicated, but this should work.

Here is the full config (put in only these commands).

Assume is your central site.

ip access-list ext NAT

deny ip

permit ip h any

ip nat inside source list NAT interface serial0/0/0 overload

int serial0/0/0

ip nat outside

int fa0/0

ip nat inside

Hope this helps.

readymixed1 Fri, 04/25/2008 - 11:47

I have a question, you said:

deny ip

Will that affect corp not being able to access the remote site and the remote site being able to access corp?

All the corp servers are on the network.

rkazmierczak Fri, 04/25/2008 - 11:54

No, it only means that traffic from subnet will not be translated when going to subnet. Other traffic specified with permit will be translated.
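As an added illustration (not configuration or code from any poster in this thread), here is a small Python model of how an IOS NAT access list such as the one above decides which flows are translated: first match wins, "deny" means "route untranslated" rather than "drop", and only permitted flows are PAT'ed to the outside interface address. The addresses are constructed (192.168.15.0/24 remote LAN, 10.0.0.0/8 corporate network, 203.0.113.1 as the serial0/0/0 address) because the forum stripped the originals from the posts.

```python
"""Model of how an IOS NAT access list decides which flows get translated.

Added example; all addresses below are constructed stand-ins for the values
the forum removed from the original posts.
"""
import ipaddress
from typing import Dict, List, Tuple

# One access-list entry: action, source network, destination network.
ACE = Tuple[str, str, str]

# Constructed equivalent of the first list suggested (no VPN exemption).
INSIDE_HOSTS: List[ACE] = [
    ("permit", "192.168.15.200/32", "0.0.0.0/0"),  # permit ip host <h> any
]
# Constructed equivalent of the corrected list: deny corp traffic first.
NAT_EXEMPT: List[ACE] = [
    ("deny", "192.168.15.0/24", "10.0.0.0/8"),      # deny ip <remote> <corp>
    ("permit", "192.168.15.200/32", "0.0.0.0/0"),  # permit ip host <h> any
]

OUTSIDE_IP = "203.0.113.1"  # constructed serial0/0/0 address used by "overload"
_pat_table: Dict[int, Tuple[str, int]] = {}  # outside port -> (inside ip, port)


def matches_acl(acl: List[ACE], src: str, dst: str) -> bool:
    """First matching entry wins; an unmatched flow hits the implicit deny.

    In a NAT access list 'deny' never drops the packet: it only means
    'do not translate', so False here is a routed-but-untranslated flow.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action == "permit"
    return False


def nat_overload(acl: List[ACE], src: str, sport: int, dst: str) -> Tuple[str, int]:
    """Return the (source address, source port) seen leaving serial0/0/0.

    Permitted flows are PAT'ed to OUTSIDE_IP, keeping the inside port when it
    is free; exempted flows keep their real source, as the VPN peer expects.
    """
    if not matches_acl(acl, src, dst):
        return src, sport
    port = sport
    while _pat_table.get(port, (src, sport)) != (src, sport):
        port += 1  # port already used by another inside flow: take the next one
    _pat_table[port] = (src, sport)
    return OUTSIDE_IP, port
```

Running both lists against a flow from the permitted host to a corporate address shows why the first list broke the VPN: without the leading deny, that flow is translated to the public address and the corporate side can no longer reach the real inside address.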

rkalia1 Sun, 04/27/2008 - 09:02

access-list 1 permit ip

ip nat pool TEST x.x.x.x x.x.x.x netmask

{x.x.x.x is the IP address of your router's WAN interface. I am assuming that the netmask you are using is for the WAN interface's IP address}. Then configure the following command:

ip nat inside source list 1 pool TEST overload

This config will allow all your hosts in the network to access the internet. If you want to allow only one host 15.200 to access the internet, then use the following access-list:

access-list 1 permit ip host

rkazmierczak Mon, 04/28/2008 - 22:39

rkalia1, how about access from the central site over the VPN tunnel?

readymixed1, have you tried applying the config I gave you (with deny in the NAT access list)? Any progress?


readymixed1 Tue, 04/29/2008 - 06:01

The commands worked, except it caused one problem.

The device can get to the internet, although I can no longer see (ping) the device from corp, and the device cannot see corp.

Is there any way to allow them to have internet access but still see corp? I need to be able to see them so that if there is a problem I can remote into the device.

I could just take out the ip nat outside command every time I need to see them, but I am just wondering if there is a way so I don't have to do that every time.

readymixed1 Tue, 04/29/2008 - 06:05

Sorry I was told that the commands worked, but they actually did not.

readymixed1 Tue, 04/29/2008 - 07:08

I was told this by a Cisco engineer:

The commands I sent you, including the rule for the static translation, will allow you to access the device from the Internet. Unfortunately, as I stated in my last email, the router is not able to do NAT-on-a-stick, which is some kind of U-turn NAT. For the router, the inside hosts should access the inside address of the device. This is a restriction. PIX is much more versatile as far as NAT is concerned.

I don't understand how an 1841, which is supposed to be more powerful and do more than a PIX, can't even do a simple:

nat (inside) 1 command.

rkazmierczak Tue, 04/29/2008 - 11:13

Sorry, there must be some mistake here.

Your requirement: allow access to the internet for a host at the remote site while still being able to access it from HQ.

This would not be achieved only with the command

nat (inside) 1 on the PIX. You would still need an exemption from NAT: nat (0) access-list

The commands I gave you before should work. This is a relatively simple setup. Can you post the full config?

