This is an easy one. You only have one usable IP address... right? The "ip nat inside source static xxxx" command is mapping all ports through on the one usable IP to the DNS server, making it the only machine with internet access. Remove it and use

    ip nat inside source static udp 192.168.3.2 53 209.x.x.x 53

or, if you are using a 12.x IOS and expect your IP to change again in the future, use

    ip nat inside source static udp 192.168.3.2 53 interface ethernet 0 53
Also, your access-list/overload statement will work, but it's more complicated than it should be. This will work just fine:

    access-list 1 permit 192.168.0.0 0.0.255.255
    ip nat inside source list 1 interface ethernet 0 overload

Good luck. Contact me off-list if you need more help.

Thanks,
Ejay Hire
LAN/WAN Engineering Contractor (Available)
434-591-4564

-----Original Message-----
From: Tim Booth [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 19, 2002 11:56 PM
To: [EMAIL PROTECTED]
Subject: NAT frustration [7:35928]

Dear listers,

I am frustrated. I had this working perfectly, then my ISP decided to change my IP address, then I had to change my configs and now it's not working.

What I want to do is have NAT running on my 2511, be able to telnet into it, and have my DNS server behind the NAT in a private network. I was instructed earlier to have this partial config (IOS ver. 12.1(10)):

    interface Ethernet0
     ip address 209.x.x.x
     ip nat outside
    !
    interface Serial0
     ip address 192.168.1.1
     ip nat inside
    !
    !! Maps NAT translation process
    ip nat inside source list 101 interface Ethernet0 overload
    !! For DNS server mapping
    ip nat inside source static 192.168.3.2 209.x.x.x
    !
    !! Removes external address from NAT process
    access-list 101 deny ip host 209.x.x.x any
    !! Allows internal translation
    access-list 101 permit ip 192.168.0.0 0.0.255.255 any
    !
    ip route 0.0.0.0 0.0.0.0 Ethernet0 permanent
    ip route 192.168.3.0 255.255.255.0 Serial0 permanent
    !
    end
    !! EOF

With the DNS server mapping, NAT forwards *all* outside traffic bound directly to the 209.x.x.x interface to 192.168.3.2; so pings to the interface don't work, and telnets to the interface don't work. I had it working where it would only forward appropriate packets to the DNS server, and also allow telnetting from the outside to the 2511. I must be missing something. With or without the DNS mapping, all the private network clients are translated correctly. Telnet works fine from the inside.
My understanding is that with Cisco's NAT ALG, DNS translation is seamless *and* you should still be able to use that NAT address for telnetting into the router. I'm not sure why it was working before, if it isn't supposed to work like this. Any ideas? Am I forgetting something that is obvious?

Confused,
Tim Booth
MCDBA, CCNP, CCDP, CCIE written

-----------------------------------------
Those who would give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety. Benjamin Franklin, 1759

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=35995&t=35928
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
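Putting the two messages together, the NAT-relevant lines before and after Ejay's advice are shown below as an added example; this is not a configuration posted by either writer. It keeps the thread's addresses and interface names (the public address stays masked as 209.x.x.x, as in the post) and assumes IOS 12.1 syntax. The security point is the difference in exposure: the unqualified static entry hands every inbound port on the public address to the DNS server, while the port-specific entry exposes only UDP/53 and leaves the router's own Telnet and ICMP reachable on that address. The TCP/53 line is an optional addition of this example, not something the thread mentions.

```cisco
! BEFORE (as posted): a one-to-one static entry. Any packet arriving on
! Ethernet0 for 209.x.x.x, whatever the protocol or port, is translated
! to 192.168.3.2 before routing, so Telnet and pings aimed at the 2511
! itself are delivered to the DNS server and never reach the router.
ip nat inside source list 101 interface Ethernet0 overload
ip nat inside source static 192.168.3.2 209.x.x.x
access-list 101 deny   ip host 209.x.x.x any
access-list 101 permit ip 192.168.0.0 0.0.255.255 any

! AFTER: remove the one-to-one entry and the extended-ACL overload rule.
no ip nat inside source static 192.168.3.2 209.x.x.x
no ip nat inside source list 101 interface Ethernet0 overload
!
! Forward only UDP/53 on the outside interface's address to the DNS
! server. Binding to the interface rather than a literal address means
! the mapping follows the address when the ISP changes it again.
ip nat inside source static udp 192.168.3.2 53 interface Ethernet0 53
!
! Optional (assumption, not from the thread): DNS over TCP for large
! responses and zone transfers. Omit it if the server does not need to
! answer TCP queries from the Internet; every forwarded port is exposure.
ip nat inside source static tcp 192.168.3.2 53 interface Ethernet0 53
!
! Simplified overload rule, per the reply: a standard ACL naming the
! inside networks is enough. The deny of the outside address is not
! needed, because that address is never the source of an inside packet.
access-list 1 permit 192.168.0.0 0.0.255.255
ip nat inside source list 1 interface Ethernet0 overload
!
ip route 0.0.0.0 0.0.0.0 Ethernet0 permanent
ip route 192.168.3.0 255.255.255.0 Serial0 permanent
```

After applying the change, `show ip nat translations` should list only the UDP (and, if added, TCP) port 53 static entries plus dynamic overload entries, and a Telnet to 209.x.x.x from outside should land on the 2511 again. One caveat beyond the thread: Telnet on the public address is cleartext management reachable from the whole Internet, so at minimum restrict the source addresses with `access-class` on the `line vty` configuration.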