Calling all Cisco people [Archive] - ZGeek

fearless13
25-11-2003, 03:40 PM
I am in the need of some sort of Cisco guru. Or at least someone that doesn't feel like shooting themselves when they see Cisco commands.

I have a Cisco 1710 at work (I am the network admin though I have no experience/training/will to live)

Problem is I would like to Port forward to 2 different Internal hosts...... Problem??? Shouldn't be a problem, but yes it is.

I will paste below a piece of the config which will illustrate my problem (assuming you can read Cisco IOS ('tis ver 12.0 btw)).

Start Of Cisco IOS commands

ip nat inside source route-map To-Internet interface Ethernet0 overload
ip nat inside source static 192.168.1.1 210.0.0.1 route-map To-Host1
ip nat inside source static 192.168.1.2 210.0.0.1 route-map To-Host2
!
!
ip access-list extended HOST1-TRAFFIC
permit tcp any any eq 110
permit tcp any any eq 25
!
ip access-list extended HOST2-TRAFFIC
permit tcp any eq 4028 any
permit tcp any eq 5029 any
permit udp any eq 4028 any
permit udp any eq 5029 any
permit tcp any any eq 4028
permit tcp any any eq 5029
permit udp any any eq 4028
permit udp any any eq 5029
!
ip access-list extended Not-Private
deny ip any 192.168.1.0 0.0.0.255 log
permit ip 192.168.1.0 0.0.0.255 any
!
route-map To-Host1 permit 10
match ip address HOST1-TRAFFIC
!
route-map To-Host2 permit 10
match ip address HOST2-TRAFFIC
!
route-map To-Internet permit 11
match ip address Not-Private

End Commands

Now as far as I can tell this should work marvelously. Unfortunately when I issue these commands then do a show running-config it returns the setup like this.

Start Running Config output

ip nat inside source route-map To-Internet interface Ethernet0 overload
ip nat inside source static 192.168.1.1 210.0.0.1 route-map To-Internet
!
!
ip access-list extended HOST1-Traffic
permit tcp any any eq 110
permit tcp any any eq 25
!
ip access-list extended HOST2-TRAFFIC
permit tcp any eq 4028 any
permit tcp any eq 5029 any
permit udp any eq 4028 any
permit udp any eq 5029 any
permit tcp any any eq 4028
permit tcp any any eq 5029
permit udp any any eq 4028
permit udp any any eq 5029
!
ip access-list extended Not-Private
deny ip any 192.168.1.0 0.0.0.255 log
permit ip 192.168.1.0 0.0.0.255 any
!
route-map To-HOST1 permit 10
match ip address HOST1-TRAFFIC
!
route-map To-HOST2 permit 10
match ip address HOST2-TRAFFIC
!
route-map To-Internet permit 11
match ip address Not-Private


End output

So as you can see for some reason it replaces the 2nd and 3rd static routes with one that it makes up using the route-map named for the first static route....WTF

I know I can have the first 2 static routes working together, but the moment I put the third in it goes to crap.

Any help would be great. Point me at books if you don't know the answer. I have run out of places I can think of to find the answer to this.

Thanks PPL

Drakin
25-11-2003, 05:17 PM
ip access-list extended Not-Private
deny ip any 192.168.1.0 0.0.0.255 log
permit ip 192.168.1.0 0.0.0.255 any

Doesn't that cancel each other out?

fearless13
25-11-2003, 05:22 PM
no it doesn't

ip access-list extended Not-Private
deny <source>=any <destination>=192.168.1.0
permit <source>=192.168.1.0 <destination>=any

Just means that any packet hitting the router destined for the internal network gets dropped (except those being routed, as these rules are processed before NAT occurs) and any packet coming from the internal network is allowed (insecure I know, but I gotta get the damn thing to work before I can make it secure as well)
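
As an added example (not code posted by anyone in this thread), here is a small evaluator for the Not-Private access list above that shows why the two lines do not cancel each other out: IOS evaluates an ACL top down, the first matching entry wins, and an unmatched packet falls through to the implicit deny at the end. The sample packets and addresses (203.0.113.x) are constructed for the demonstration; only what this list uses (protocol keyword `ip`, `any`, `host`, and address/wildcard pairs) is modelled, and the `log` keyword is ignored.

```python
"""Evaluate Cisco IOS extended-ACL entries against sample packets.

Added example, not from the thread. Models first-match evaluation with
wildcard masks and the implicit 'deny' that ends every IOS access list.
Only 'permit|deny ip <src> <dst>' entries are handled; ports and 'log'
are ignored.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed copy of the access list discussed in the thread.
NOT_PRIVATE_ACL = """
deny ip any 192.168.1.0 0.0.0.255 log
permit ip 192.168.1.0 0.0.0.255 any
"""


@dataclass(frozen=True)
class Ace:
    action: str    # 'permit' or 'deny'
    src_net: int   # address bits from the entry
    src_wild: int  # wildcard mask: 1 bits are "don't care"
    dst_net: int
    dst_wild: int

    def matches(self, src: str, dst: str) -> bool:
        s = int(ipaddress.IPv4Address(src))
        d = int(ipaddress.IPv4Address(dst))
        # Force the don't-care bits to 1 on both sides before comparing.
        return (s | self.src_wild) == (self.src_net | self.src_wild) and \
               (d | self.dst_wild) == (self.dst_net | self.dst_wild)


def _parse_addr(tokens: list[str], i: int) -> tuple[int, int, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return (net, wild, next index)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return net, wild, i + 2


def parse_acl(text: str) -> list[Ace]:
    """Parse 'permit|deny ip <src> <dst> [log]' lines in configuration order."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] not in ("permit", "deny"):
            continue
        if t[1] != "ip":
            raise ValueError(f"only 'ip' entries are modelled: {line}")
        src_net, src_wild, i = _parse_addr(t, 2)
        dst_net, dst_wild, _ = _parse_addr(t, i)
        aces.append(Ace(t[0], src_net, src_wild, dst_net, dst_wild))
    return aces


def evaluate(aces: list[Ace], src: str, dst: str) -> str:
    """First matching entry decides; anything unmatched hits the implicit deny."""
    for ace in aces:
        if ace.matches(src, dst):
            return ace.action
    return "deny"


if __name__ == "__main__":
    acl = parse_acl(NOT_PRIVATE_ACL)
    for src, dst in [("192.168.1.5", "203.0.113.9"),   # inside host going out
                     ("203.0.113.9", "192.168.1.5"),   # outside host aiming inside
                     ("203.0.113.9", "203.0.113.10")]: # neither side internal
        print(f"{src} -> {dst}: {evaluate(acl, src, dst)}")
```

Outbound traffic from 192.168.1.0/24 is permitted by the second line, traffic addressed to the internal network is denied by the first, and a packet matching neither line falls to the implicit deny; the order of the two lines is what makes this work.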

Spingo
25-11-2003, 09:50 PM
Most of my router troubleshooting is done via set commands at the conf term, and not via directly editing the config file... This generally allows me to see my changes as I make them, and therefore see what causes the problem. But I digress.

I was always under the impression that in order to do a port mapping to servers with the same internal or global address required the use of the extendable command. This will stop you from using your fancy route-maps, but I've often found that the simple solution is often the best. What does this do?
ip nat inside source route-map To-Internet interface Ethernet0 overload
ip nat inside source static tcp 192.168.1.1 110 210.0.0.1 110 extendable
ip nat inside source static tcp 192.168.1.1 25 210.0.0.1 25 extendable
ip nat inside source static tcp 192.168.1.2 4028 210.0.0.1 4028 extendable
ip nat inside source static udp 192.168.1.2 4028 210.0.0.1 4028 extendable
ip nat inside source static tcp 192.168.1.2 5029 210.0.0.1 5029 extendable
ip nat inside source static udp 192.168.1.2 5029 210.0.0.1 5029 extendable
!
ip access-list extended Not-Private
deny ip any 192.168.1.0 0.0.0.255 log
permit ip 192.168.1.0 0.0.0.255 any
!
route-map To-Internet permit 11
match ip address Not-Private


All of your inbound mappings should be explicitly defined, while your outbound mappings follow the same rules as every other host on the network. You don't need to worry about the access lists, because the ports are explicitly defined, and not forwarded to another ruleset.

Now, having said all of that, I've never had to deal with a NAT config like this, but from my understanding and knowledge, this is the elegant way of doing it.
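
As an added example (not code from either poster), the script below generates the per-port `extendable` static NAT lines Spingo suggests from a table of forwards and checks the table for collisions before anything is pasted into the router. The forwards are constructed from the thread (210.0.0.1 as the inside-global address, 192.168.1.1 for 25/110, 192.168.1.2 for 4028/5029). The conflict rule it applies is an assumption stated conservatively: a whole-address static mapping is treated as claiming every port of its inside-global address, so two whole-address mappings on the same global address (the layout in the original post) collide, while port-level entries collide only when protocol, global address and global port are all identical.

```python
"""Generate per-port 'extendable' static NAT entries and flag conflicts.

Added example, not from the thread. Assumed conflict rule: a mapping with
no protocol/port claims the whole inside-global address; port-level
mappings claim only (global address, protocol, port).
"""
from __future__ import annotations

from dataclasses import dataclass

INSIDE_GLOBAL = "210.0.0.1"  # the single public address used in the thread


@dataclass(frozen=True)
class Forward:
    inside_local: str
    proto: str | None   # 'tcp', 'udp', or None for a whole-address mapping
    port: int | None    # None for a whole-address mapping
    inside_global: str = INSIDE_GLOBAL

    def claim(self) -> tuple:
        """Key that two translations must not share."""
        if self.proto is None:
            return (self.inside_global,)
        return (self.inside_global, self.proto, self.port)


def find_conflicts(forwards: list[Forward]) -> list[tuple[Forward, Forward]]:
    """Return every pair whose global address/port claims overlap."""
    conflicts = []
    for i, a in enumerate(forwards):
        for b in forwards[i + 1:]:
            same_global = a.inside_global == b.inside_global
            whole = a.proto is None or b.proto is None
            if same_global and (whole or a.claim() == b.claim()):
                conflicts.append((a, b))
    return conflicts


def render(forwards: list[Forward]) -> list[str]:
    """Emit IOS lines: one 'extendable' static entry per protocol/port."""
    lines = []
    for f in forwards:
        if f.proto is None:
            lines.append(
                f"ip nat inside source static {f.inside_local} {f.inside_global}")
        else:
            lines.append(
                f"ip nat inside source static {f.proto} {f.inside_local} {f.port} "
                f"{f.inside_global} {f.port} extendable")
    return lines


# Constructed from the thread: the original layout (two whole-address
# statics sharing 210.0.0.1) and the per-port layout proposed above.
BROKEN = [Forward("192.168.1.1", None, None), Forward("192.168.1.2", None, None)]

PORT_LEVEL = [
    Forward("192.168.1.1", "tcp", 25),
    Forward("192.168.1.1", "tcp", 110),
    Forward("192.168.1.2", "tcp", 4028),
    Forward("192.168.1.2", "udp", 4028),
    Forward("192.168.1.2", "tcp", 5029),
    Forward("192.168.1.2", "udp", 5029),
]

# Constructed: a third host (hypothetical 192.168.1.3) also asking for tcp/25.
DUPLICATE_PORT = PORT_LEVEL + [Forward("192.168.1.3", "tcp", 25)]

if __name__ == "__main__":
    for name, table in [("BROKEN", BROKEN), ("PORT_LEVEL", PORT_LEVEL),
                        ("DUPLICATE_PORT", DUPLICATE_PORT)]:
        print(f"{name}: {len(find_conflicts(table))} conflict(s)")
    print("\n".join(render(PORT_LEVEL)))
```

Running it reports one conflict for the two whole-address statics, none for the six port-level entries, and one for the table where two hosts want the same protocol and port on the same global address; the rendered lines for PORT_LEVEL are the six `extendable` entries in the post above.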

fearless13
26-11-2003, 09:59 AM
Thank you for your reply Spingo. You're right, your way is much simpler. I was using this method for a while though it has its downside. It means if I want to make a change to what gets forwarded I have to drop all active connections before I can remove the static route, even then the router usually hangs. With access lists/route-maps I should be able to change the rules on the fly.

If I can't get an answer soon I will be returning to the simpler version (just using static routes without accesslists). I was just hoping someone may have an answer.