CE configuration query - routing issue

Sep 7th, 2010

Hi all

got BIP connection from ISP, with block of public ip's (

PE end : /30

CE end : /30

There is server on the LAN side which I want to be accessed via public IP

how can i go about setting this using just 1 box (do not want to involve firewall for NAT , just 1 router - cisco 1841 )

topology and most important config in attachments...

now, PE and CE IPs are pingable fine from net

server can be accessed from outside (via telnet for example  no problem)

ISP is advertising routes to and via PE (80.80.808.1)

the issue is trace to my public IP ( hits PE then CE ..then goes back to PE then to CE...then again back to PE then CE ..etc....

please see how ping and traceroutes looks like:

Pinging with 32 bytes of data:
Reply from TTL expired in transit.
Reply from TTL expired in transit.
Reply from TTL expired in transit.
Reply from TTL expired in transit.

Tracing route to []
over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms
  2    <1 ms    <1 ms    <1 ms
  6    16 ms    16 ms    16 ms
  7    17 ms    16 ms    31 ms
  8    30 ms    23 ms    25 ms  []
  9    23 ms    24 ms    23 ms
10    33 ms    57 ms    52 ms   []
11    67 ms    35 ms    39 ms
12    39 ms    59 ms    70 ms   []
13   101 ms    36 ms    44 ms
14    58 ms    45 ms    43 ms  []
15    51 ms    62 ms   101 ms

I think I need to put route to in my config ...is that right ?

please help....

james.mirtsis Sun, 09/12/2010 - 19:53

Hi astarmach,

Firstly it looks like all your hosts except for the server are NATing to your fa0/1.18 address of Looking at your topology don't you want them to be NATing to the address?

Anyway moving on to your question, you have statically NAT'd certain ports 25, 80, 110 & 443 to the address but you have not statically NAT'd ICMP to the address. Can you reach your server on port 25, 80, 110 & 443?

You can see that there is network connectivity to your CE for the address as you are hitting the outside interface and bouncing back to the ISP. Alternatively you could just NAT to the server on all ports by removing the extendable command, or else add one for ICMP.

Let me know how you go.

astarmach Fri, 10/15/2010 - 05:48


yes the server can be reached no problem on ports 25, 80 etc....

this was a very easy solution, just add ip to interface facing WAN -> FastEthernet0/1

That worked,

Thanks for looking at this

antasson Sat, 10/16/2010 - 01:33


as James said, you used the so-called port-mapping so there's no surprise the ICMP follows the default gateway going back to the PE.

What you can do, if you really want to be able to ping the server, is to create a full static entry (not just for the ports) but then you'll need to put in place some filtering (ACL, FW inspect, etc) to protect the server from malicious traffic.
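
The contrast James and antasson describe, written out as an IOS configuration sketch. This is an added example, not part of any post in the thread: the addresses 192.168.1.10 (server, inside) and 203.0.113.10 (server, public) and the ACL name WAN-IN are constructed placeholders, and FastEthernet0/1 is assumed to be the NAT outside interface.

```cisco
! Constructed placeholders (documentation ranges), not the poster's values:
!   192.168.1.10  = server, inside address
!   203.0.113.10  = server, public address
!
! Before: port-mapped static entries only. TCP 25/80/110/443 are translated;
! ICMP and every other port sent to 203.0.113.10 match no translation.
! Remove these with "no" when moving to the full static entry.
ip nat inside source static tcp 192.168.1.10 25 203.0.113.10 25 extendable
ip nat inside source static tcp 192.168.1.10 80 203.0.113.10 80 extendable
ip nat inside source static tcp 192.168.1.10 110 203.0.113.10 110 extendable
ip nat inside source static tcp 192.168.1.10 443 203.0.113.10 443 extendable
!
! After: one full static entry. Every protocol and port addressed to
! 203.0.113.10 now reaches the server, so the inbound ACL below is what
! limits the exposure.
ip nat inside source static 192.168.1.10 203.0.113.10
!
! An inbound ACL on the outside interface is checked before NAT,
! so it matches the public address.
ip access-list extended WAN-IN
 remark published services on the server
 permit tcp any host 203.0.113.10 eq smtp
 permit tcp any host 203.0.113.10 eq www
 permit tcp any host 203.0.113.10 eq pop3
 permit tcp any host 203.0.113.10 eq 443
 remark ping to the server
 permit icmp any host 203.0.113.10 echo
 remark return traffic for sessions opened from inside (stateless match)
 permit tcp any any established
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 remark everything else is dropped and logged
 deny ip any any log
!
! Assumption: FastEthernet0/1 is the WAN-facing (ip nat outside) interface.
interface FastEthernet0/1
 ip access-group WAN-IN in
```

The ACL is stateless: return traffic for other protocols that inside hosts use (DNS replies over UDP, for example) needs its own permit line, or the inspection antasson mentions in its place.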



