Help setting up 1841 as a router

Sep 15th, 2008

Right now my network has a T1 coming into my 1841. We then have the 1841 connected to a PIX 501 which handles our routing (very basic).

We want to get rid of the PIX and have the 1841 handle the routing, VPN, and firewall functions that the PIX is currently doing.

My problem is that the Ethernet interface on the 1841 has a public IP going into the PIX and once I take the PIX out of the picture, I am not sure how to configure the 1841.

Attached is a diagram of the relevant network portion.

Currently we have the PIX set up with NAT so that everything leaving the PIX goes out as 208.x.x.101. So when the PIX leaves, NAT has to be set up on the 1841.

Basically, I am confused on how to set up the IPs when the PIX is out of the picture. I am assuming I keep the serial interface of the 1841 as 69.x.x.x but what would I set up the e0/0 interface to be that will now be directly connected to our switch (

johnakeating Mon, 09/15/2008 - 12:54

Keep the IP the same on the 1841 and just map the 69.x.x.x external IP address to the internal servers, or don't if you have nothing accessed from outside.

merryllem Mon, 09/15/2008 - 12:58

Here you go. I modified the Cisco sample for your network.

interface ethernet 0

ip address

ip nat inside

interface serial 0

ip address 69.x.x.x 255.255.x.x (your router outside/internet interface)

ip nat outside

ip nat pool insidesubnetsovrld 208.x.x.102 208.x.x.102 netmask 255.255.255.x

ip nat inside source list 7 pool insidesubnetsovrld overload

access-list 7 permit

Cisco reference:

The topic you would need to read about is "NAT Overloading"

Rate if it's helpful

AdvancedLifeSciences Mon, 09/15/2008 - 13:29

I was actually reading my Cisco CCNA book right now and am on the NAT section.

One more question. We have a mail server on the internal network that needs to be accessed from the outside. Assume the public IP of the mail server is and the private IP of the mail server is

From reading the book, I would assume I need a static NAT entry for that? But how would that look? And I would place that on the outside (s0) interface, right?

merryllem Mon, 09/15/2008 - 17:20

Yes, for an internal server to be accessible via an outside address you will need a static translation.

Now, you have two choices to get this to work.

1. One-to-One - Meaning ALL requests going to will be fwd to


ip nat inside source static

2. Static port translation (port fwding) - Meaning only a request to a specific port gets fwd (to a specific port). Example: an SMTP (TCP 25) request to will be fwd to but FTP (TCP 20/21) will not (but can be defined to go to another IP)


ip nat inside source static tcp 25 25 (SMTP)

ip nat inside source static tcp 110 110 (POP3)

Samples above are just some of the commonly used MAIL related ports

Here is a reference for tcp ports for other MAIL services (Exchange)

NOTE: Remember to PAIR these with ACL filters for security.

AdvancedLifeSciences Tue, 09/16/2008 - 06:40

How does the router know that I want all requests with a destination of to go to

With the first command you gave me, "ip nat inside source static " I assumed that meant: anything with a source address of 192.168.1250 send out to the web with an address of

Reason I say that is because the Cisco book has a similar example of:

ip nat inside source static

And they explain it such that, "configures a static translation between the inside local IP address to the outside global IP address"

Or am I just not understanding completely and does that command have a 2-fold effect, in that anything coming to it with the private IP will get translated to the public, AND anything coming in with the public will get translated to the private?

merryllem Tue, 09/16/2008 - 12:06

How does the router know that I want all requests with a destination of to go to

Yes, the explanation is correct, but I think you are confused about the direction of the packet: outgoing (out to the internet) and incoming (internet going in) have different explanations.


When a packet reaches the outside interface of your router, the first thing that the router checks is the ACL (to allow or deny the packet); second, it checks NAT, to see if an entry exists to translate the address; and third, it routes the packet to the destination.

In your scenario this is what happens.

1. Packet destined for reaches your router's OUTSIDE interface

2. Router either allows or drops packet based on ACL.

3. Router sees a translation exists for that DESTINATION so translates DESTINATION IP OF to 192.168.1250.

4. Router forwards the packets to DESTINATION 192.168.1250


1. Packet destined for the internet reaches your INSIDE interface

2. Router either allows or drops packet based on ACL.

3. Router sees a translation exists for that SOURCE so translates SOURCE IP 192.168.1250 to

4. Router forwards the packets to the internet with a SOURCE of

Still confused?

Remember that one of the steps of configuring NAT is to configure the "inside" and "outside" interfaces? Well, that's the part that tells the router what action to take when a packet reaches the interfaces.
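
Added example (not part of the original thread and not Cisco code): a small Python model of the processing order described in the post above, showing that one static port entry is consulted in both directions and that the inbound ACL has to name the public address because it is checked before NAT. The addresses 203.0.113.10, 10.0.0.25 and 198.51.100.7 and all function names are constructed for illustration, since the thread elides the real values.

```python
from dataclasses import dataclass, replace

# Constructed addresses; the thread elides the real ones.
MAIL_PUBLIC = "203.0.113.10"   # address the internet sees
MAIL_PRIVATE = "10.0.0.25"     # address on the LAN
CLIENT = "198.51.100.7"        # some host on the internet

# Models "ip nat inside source static tcp <private> <port> <public> <port>".
STATIC_NAT = {("tcp", MAIL_PRIVATE, 25): (MAIL_PUBLIC, 25),
              ("tcp", MAIL_PRIVATE, 110): (MAIL_PUBLIC, 110)}
# The same entries indexed by their public side, for inbound lookups.
BY_PUBLIC = {(p, g, gp): (l, lp) for (p, l, lp), (g, gp) in STATIC_NAT.items()}

# Inbound ACL on the outside interface. It is checked before NAT, so it
# names the PUBLIC address. Anything not listed hits the implicit deny.
OUTSIDE_IN_ACL = [("tcp", MAIL_PUBLIC, 25), ("tcp", MAIL_PUBLIC, 110)]

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def from_outside(pkt):
    """Outside -> inside: ACL, then DESTINATION translation, then forward.
    Returns the packet as delivered to the LAN, or None if dropped."""
    if (pkt.proto, pkt.dst, pkt.dport) not in OUTSIDE_IN_ACL:
        return None                      # step 2: ACL drops it
    hit = BY_PUBLIC.get((pkt.proto, pkt.dst, pkt.dport))
    if hit is None:
        return None                      # no static entry in this model
    return replace(pkt, dst=hit[0], dport=hit[1])   # steps 3 and 4

def from_inside(pkt):
    """Inside -> outside: the same entry rewrites the SOURCE instead.
    Only static entries are modelled; overload (PAT) is left out."""
    hit = STATIC_NAT.get((pkt.proto, pkt.src, pkt.sport))
    return replace(pkt, src=hit[0], sport=hit[1]) if hit else pkt

if __name__ == "__main__":
    print(from_outside(Packet("tcp", CLIENT, 40000, MAIL_PUBLIC, 25)))
    print(from_outside(Packet("tcp", CLIENT, 40000, MAIL_PUBLIC, 21)))
    print(from_inside(Packet("tcp", MAIL_PRIVATE, 25, CLIENT, 40000)))
```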

AdvancedLifeSciences Wed, 09/17/2008 - 11:08

I understand that, and thank you for the detailed explanation. I am just a little confused on the command itself:

ip nat inside source static

What would be different if I replaced 'inside' with 'outside'?

And also, with that single command, the router will know to translate both packets leaving the network for the internet and packets coming in from the internet?

