Cisco Support Community


ISP lab scenario

Hello network experts,

I am new on this forum and I would like to ask if somebody has experience with ISP network architecture. I want to simulate a real network situation, as you can see in the screenshot, but I have some problems with routing or NAT configuration.

Now the network shown in the screenshot works fine and I can ping from workstation to external network Also I can ping from to, so basically the network works fine but there is one problem with NAT or routing (probably).

I have decided to assign a specific external IP (NAT) for inside host This IP is from another range than between PIX (FW0) and ISP router (R0). So the ISP assigned me a network range for my servers to be reachable (NATed) outside internet (in this case R0).

On PIX (FW0) I created a new static NAT --> and now I want to make this IP available from another network (like from the internet), for example from network But when I try to ping from result is timeout.

How should I configure R0 to be able to route NAT pool ( to other networks??? These IP addresses are real and it is the range that I got from the ISP provider, and I would like to know how it is configured on the ISP side. Could someone help with it or tell me how it works?

My network is terminated by PIX and there is no other router on my side. I am connected to the ISP side with a normal Ethernet cable (no serial cable or other type of connection, no frame relay). Which routing protocol should I use?

I hope that description is clear. Thank you very much for help :-)



Re: ISP lab scenario

Wow there is a lot going on here so we need to take this in steps.

First thing I see on the config is the use of the same network going in two different directions, why is this the case?

You need different /30 networks for each connected interface.

I think I understand you have 2 public IP's being NAT'd to the same Private IP, did I read that correctly?

What the ISP does is just add a static route in their network for that IP range with a next hop of your directly connected interface IP so it would look something like this:

ip route

They will take the whole block and route it to you.  The ISP assumes you have it set-up on your side to accept the routes.

As far as NAT, if you have a static NAT and no ACL blocking then it should work just fine.  My first suggestion would be to add an IP to an interface on the Edge out of the block and make sure you are able to reach it from site to site first, then work on the NAT.
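
The reply's point about the ISP-side static route, as a small routing model: an added example, not part of the thread. The addresses are constructed from RFC 5737 documentation ranges (the thread's real addresses are not on the page) and the function names are hypothetical. It shows why return traffic to the PAT address on the connected link is deliverable while return traffic to a statically NATed address depends on R0 having a route for the block.

```python
import ipaddress

# Constructed lab addressing (assumption; not the thread's real values).
LINK = ipaddress.ip_network("198.51.100.0/30")          # R0 <-> FW0 link
FW0_OUTSIDE = ipaddress.ip_address("198.51.100.2")      # FW0 outside interface, used for PAT
NAT_BLOCK = ipaddress.ip_network("203.0.113.208/28")    # block routed to the customer
STATIC_NAT_IP = ipaddress.ip_address("203.0.113.210")   # mapped address of one inside host


def lookup(table, dst):
    """Longest-prefix match: return (prefix, next_hop), or None if no route."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in table if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)


def r0_table(with_customer_route):
    """R0's table: the connected link, plus optionally the ISP-side static route."""
    table = [(LINK, "connected")]
    if with_customer_route:
        # Models: ip route <block> <mask> <FW0 outside address>
        table.append((NAT_BLOCK, str(FW0_OUTSIDE)))
    return table


def reply_reaches_fw0(table, translated_src):
    """Can R0 hand return traffic for a translated source address to FW0?"""
    dst = ipaddress.ip_address(translated_src)
    route = lookup(table, dst)
    if route is None:
        return False  # no route on R0: the reply never gets back to the firewall
    _, hop = route
    if hop == "connected":
        # Simplification: on the shared link only FW0's own address belongs to FW0.
        return dst == FW0_OUTSIDE
    return hop == str(FW0_OUTSIDE)


if __name__ == "__main__":
    for label, with_route in (("no route for block", False), ("static route added", True)):
        table = r0_table(with_route)
        print(f"{label}: PAT reply delivered={reply_reaches_fw0(table, FW0_OUTSIDE)}, "
              f"static NAT reply delivered={reply_reaches_fw0(table, STATIC_NAT_IP)}")
```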


Re: ISP lab scenario

Thank you for reply,

First I will correct my wrong description of the NAT pool: there is a /28 mask, not /27, but it is a small detail I think. So here is usable IP range and subnet is .208.

I don't understand your first question. Why is this case? Because I don't understand how it works.

I think you are right there are 2 public IP ranges on side of my PIX. One is small just for directly connected interface e0(FW0) with IP and second range is for NATed pool.

So if I configure just dynamic NAT (overload) so all machines will go out to internet via Also all these machines will look like this public address from internet.

If I will configure static NAT for some server or machine so this machine will go out through interface but will have e.g. public IP right?

I will try to add static route and will come back with config files of router and PIX.

Thank you for patience.


Re: ISP lab scenario

OK here is my configuration on R0 and FW0:

Tried to ping from dynamic NAT) --> ping SUCCESS.

Tried to ping from NATed) --> NO success.

So what is wrong in my configuration?


memory-size iomem 15
ip subnet-zero
ip audit notify log
ip audit po max-events 100
interface FastEthernet0/0
 ip address
 no ip mroute-cache
 speed auto
 no mop enabled
interface FastEthernet1/0
 ip address
 no ip mroute-cache
 duplex auto
 speed auto
router rip
 version 2
ip classless
ip route


interface Ethernet0
 nameif outside
 security-level 0
 ip address
interface Ethernet1
 nameif inside
 security-level 100
 ip address
ftp mode passive

access-list 101 extended permit icmp any any echo-reply

pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover

icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp permit any echo outside
icmp permit any echo inside
icmp permit any echo-reply inside

asdm image flash:/asdm-603.bin
no asdm history enable
arp timeout 14400

global (outside) 1 interface
nat (inside) 1
static (inside,outside) netmask

access-group 101 in interface outside

route outside 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list