Cisco Support Community
Community Member



My company has a Cisco 880 ADSL router which consists of 4 Fast Ethernet ports that function as switchports. FastEthernet0, assigned to VLAN 2, was given an IP address of 199.204.21.*. VLAN 2 is connected to the Cisco 827 DSL modem that connects to the Internet. FastEthernet2 was assigned to VLAN 4 with an IP address of 10.1.1.* and connects to the company's internal network. All IP address settings, IP route settings and DNS server settings were successful; pings from the internal network to VLAN 2 and VLAN 4 worked fine. The router was able to ping the Internet and both its interfaces, VLAN 2 (outside local) and VLAN 4 (inside local). Once PAT was set up on the router, with all internal addresses mapped to the one public address 199.204.*.*, internal computers were able to connect to the Internet and communicate with other computers on the internal network, i.e. VLAN 4 (10.1.*.*).

We do host an email server on the internal network and clients need to be able to connect to it from home or outside. In order to route Internet-sourced connections to the internal email server, static NAT using the same public address that was used for PAT had to be set up. However, once this was set up, the static NAT overrode the PAT setup. Email connections initiated remotely worked quite alright, but internal employees were unable to connect to the Internet. An example of the static NAT configuration includes:

ip nat inside source static 10.1.1.* 25 2025
ip nat inside source static 10.1.1.* 143

PAT config:

ip nat pool test netmask
access-list 1 permit
interface vlan 2
 ip nat outside
interface vlan 4
 ip nat inside
ip nat inside source list 1 pool test overload
ip route 255.255.255 vlan 4
ip route vlan 2
ip route

The internal employees were able to ping a site on the Internet, but unable to open a web browser. Establishing a TCP connection with computers on the Internet seemed fuzzy. No access-lists for packet filtering have been set up as yet. Essentially, email is absolutely critical and needs to be running. How do we ensure sources from the Internet can send emails to the internal server without interrupting internal clients' attempts to connect to the Internet?

In addition, when we do decide to set up access-lists, how do we foolproof the ACL to deny unsolicited connections from the Internet but allow clients on the internal network to connect freely to the Internet? The implicit "deny ip any" statement at the end of the list blocks all other IP connections not specified in the ACL; how do we circumvent that to allow outgoing Internet connections (allow any return TCP ACK/SYN packets from a web server on the Internet), but deny other services or connections initiated from outside that would threaten the network, apart from email?
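One way to keep a single public address serving both the overload PAT and the inbound mail ports is port-level static NAT: with the "tcp" keyword only ports 25 and 143 are pinned to the mail server, so the rest of the address stays available to the overload translations, and an inbound ACL on the outside interface plus CBAC inspection covers the "return traffic only" question. The configuration below is an added example, not the poster's config or Cisco's own sample; the addresses, the "interface Vlan2 overload" form used in place of the one-address pool, and the ACL and inspection names are assumed placeholders, and CBAC requires an IOS image that includes the firewall feature set.

```cisco
! Added example, not the poster's config. Placeholder values (constructed):
!   203.0.113.2/30  router's public address on Vlan2
!   203.0.113.1     next hop on the Cisco 827
!   10.1.1.10       internal mail server
!
! Dynamic PAT: every inside host shares the Vlan2 address.
! "interface ... overload" replaces the one-address pool in the post.
access-list 1 permit 10.1.1.0 0.0.0.255
ip nat inside source list 1 interface Vlan2 overload
!
! Port-level static NAT for the mail server only. Without the "tcp"
! keyword a static entry claims the whole public address and the
! overload translations can no longer use it.
ip nat inside source static tcp 10.1.1.10 25 interface Vlan2 25
ip nat inside source static tcp 10.1.1.10 143 interface Vlan2 143
!
! Stateful inspection (CBAC) punches temporary holes in OUTSIDE-IN for
! sessions the LAN starts, including UDP and ICMP, which the TCP
! "established" keyword alone cannot cover.
ip inspect name LAN-OUT tcp
ip inspect name LAN-OUT udp
ip inspect name LAN-OUT icmp
!
! Inbound filter on the outside interface: the ACL is evaluated before
! outside-to-inside NAT, so it matches the public address. Only the
! published mail ports are allowed in; everything else is denied and logged.
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.2 eq 25
 permit tcp any host 203.0.113.2 eq 143
 deny ip any any log
!
interface Vlan2
 description Outside, toward the Cisco 827
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 ip access-group OUTSIDE-IN in
!
interface Vlan4
 description Inside, company LAN
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip inspect LAN-OUT in
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
```

After applying it, "show ip nat translations" should list the two static port entries alongside the dynamic overload entries, and "show ip inspect sessions" shows the outbound sessions for which return traffic is currently allowed.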



Community Member


A few things as per my understanding:

1) For a setup of this kind I think you need a pool of IP addresses.

2) The default route that you have in your config is "ip route", so your next hop IP is , and hence possibly the IP address on your interface vlan 4 may be /30, but while NATting you are giving the IP address as . Didn't understand why?

3) Why are these routes configured: "ip route vlan 2" and "ip route 255.255.255 vlan 4"?
