Can you show the output of 'sh ip nat stat' and 'sh ip nat tran'?
I think the config looks correct. Did you try applying an ACL on the outside interface to specifically allow the traffic?
interface GigabitEthernet0/0
ip access-group OUTBOUND out
!
ip access-list extended OUTBOUND
permit ip any any
Here's a working example from an 1800 series:
interface FastEthernet0
description $FW_OUTSIDE$
bandwidth 34000
ip address 1.2.3.141 255.255.255.240
ip access-group OUTBOUND out
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
load-interval 60
duplex auto
speed auto
!
interface FastEthernet1
description $FW_INSIDE$
bandwidth 34000
ip address 192.168.0.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
load-interval 60
duplex auto
speed auto
!
ip nat pool GLOBAL_IP_POOL 1.2.3.139 1.2.3.141 prefix-length 24
ip nat inside source route-map natmap pool GLOBAL_IP_POOL overload
!
ip access-list extended natrules
deny ip 192.168.0.0 0.0.0.255 10.180.3.0 0.0.0.255
permit ip 192.168.0.0 0.0.255.255 any
!
route-map natmap permit 10
match ip address natrules
Hope this helps.
Edited:
I cannot spot anything weird with your config. Since you seem not to have any hits in the translation tables at all, there must be a problem either with the connectivity or the configuration on the client, or simply an access-list that denies the traffic.
Can you:
1) Ping from the router; make sure you do it from the correct interface by entering:
ping 8.8.8.8 source 10.1.1.1
2) show access-lists
show access-lists
I set up three routers in a lab and configured RIP + NAT, and it works just as it is.
The router in question and the remote router that specifically denies the internal network of 'the router in question'.
I am curious as to why you would want to purposefully force asymmetric routing like this. Most of the solutions for this are going to be based on using HSRP tracking to decide which router is actively processing NAT/firewall rules, with the assumption that the same router is seeing both the egress and ingress traffic. Let me lab up the routing you're suggesting and see if the standby router will actually service requests that the active router initiated.
In the meantime, the features you're wanting are definitely available in IOS. An ASA pair is going to be more designed to do what you're wanting, but depending on how much control you need over the rules IOS may fit the bill fine.
Something like this should work to track your NAT states. It's from a CCIE study vendor, but is explained pretty well.
Also see Cisco's documentation for IOS Firewall Stateful Failover. The magic command is...
(config-if) ip inspect <cbac-name> {in | out} redundancy stateful <hsrp-name>
Edit:
I've labbed this up in GNS3, and the results are a mixed bag. The short answer is that NAT will work fine. CBAC, however, will not.
You can use Redundant NAT to share states between both your routers, allowing states created on the "egress" router to create equal states on the "ingress" router. These states are active, and will work fine.
! <unique-router-num> must differ on each router; <hsrp-name> is the name
! given to the HSRP group with 'standby <group> name <hsrp-name>'
ip nat Stateful id <unique-router-num>
 redundancy <hsrp-name>
  mapping-id <mapping-id>
! the same mapping-id ties the NAT rule to the replicated translation set
ip nat inside source list <acl> pool <pool> mapping-id <mapping-id> overload
However, CBAC is going to prove more of an issue. You can set up IPC between your two routers and get them to share states.
redundancy inter-device
 scheme standby <hsrp-name>
! a reload is required after configuring inter-device redundancy
ipc zone default
 association 1
 ! only association 1 is supported
  no shutdown
  protocol sctp
   local-port <port-num>
    local-ip <my-ip>
   remote-port <port-num>
    remote-ip <peer-ip>
!
! the inspect rule itself must exist before it can be applied
ip inspect name <inspect-name> tcp
!
interface <WAN interface>
 ip access-group <acl> in
 ip inspect <inspect-name> out redundancy stateful <hsrp-name>
Some major issues with this approach though...
- the states are shared between the devices, but are only active on the HSRP active device
- when a failover occurs, the old active device FORCES A RELOAD
So yes, CBAC does support some redundancy but it's pretty useless for your situation. Sure you can't do ZBF? Zone-Based Policy Firewall High Availability @ Cisco.com
I'm still curious to hear why you need this forced-asymmetric routing, as that is what prevents you from using CBAC.
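As an added worked example (my own configuration, not from the answer above and not Cisco's sample), here is the Stateful NAT part of the answer carried through for the topology the thread discusses: two routers sharing one inside network, the remote 10.180.3.0/24 network excluded from translation as in the earlier answer, and HSRP tracking of the WAN link deciding which router is preferred. Router names R1/R2, the 203.0.113.0/28 outside addressing, the HSRP group name SNATHSRP, the mapping-id 10 and the pool address are all assumptions. Only R1 is shown; R2 is identical except for the lines marked with R2 values. The SNAT id is the one value that must differ between the two routers, while the HSRP name and mapping-id must match.

```cisco
! ===== R1 (assumed: preferred NAT-active router, HSRP priority 110) =====
! object 1 follows the WAN link so HSRP can step down when egress is lost
track 1 interface GigabitEthernet0/0 line-protocol
!
interface GigabitEthernet0/1
 description INSIDE
 ! R2: 192.168.0.253
 ip address 192.168.0.252 255.255.255.0
 ip nat inside
 ! give the box time to converge after a reload before it becomes active
 standby delay reload 60
 ! shared default gateway for the 192.168.0.0/24 hosts
 standby 1 ip 192.168.0.254
 ! R2: priority 100
 standby 1 priority 110
 standby 1 preempt delay minimum 30
 ! this name is what 'ip nat Stateful ... redundancy' refers to
 standby 1 name SNATHSRP
 ! drop below the peer's priority if the WAN link goes down
 standby 1 track 1 decrement 20
!
interface GigabitEthernet0/0
 description OUTSIDE
 ! R2: 203.0.113.3
 ip address 203.0.113.2 255.255.255.240
 ip nat outside
!
! Stateful NAT peer definition. id is unique per router; the peers find
! each other through the HSRP group named SNATHSRP.
! R2: ip nat Stateful id 2
ip nat Stateful id 1
 redundancy SNATHSRP
  mapping-id 10
!
! Every translation created under mapping-id 10 is replicated to the peer
! and is active there too, which is what the asymmetric return path needs.
! The pool address must be one the upstream delivers to whichever router
! receives the ingress traffic (here a single address, assumed to be
! routed to this pair).
ip nat pool GLOBAL_IP_POOL 203.0.113.4 203.0.113.4 prefix-length 28
ip nat inside source route-map natmap pool GLOBAL_IP_POOL mapping-id 10 overload
!
! deny = do not translate (remote site / VPN traffic keeps private addresses)
ip access-list extended natrules
 deny   ip 192.168.0.0 0.0.0.255 10.180.3.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 any
!
route-map natmap permit 10
 match ip address natrules
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
```

To confirm the replication is actually happening, open a connection from an inside host through R1 and compare `show ip nat translations` on both routers: the same inside-local/inside-global entry should appear on R2 without any traffic having crossed it; `show ip snat distributed verbose` shows the peer session state. Check that the IOS release on the routers still supports Stateful NAT before relying on it, since it is not present in every train.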
Best Answer
Generally speaking, I'd say you need a single big internet connection. If you require redundancy, then there might be a discussion around whether you need BGP for failover of your IP space or something. I did have a thought on how you might make this work anyway, though. This is just a 2am shot in the dark; it would need to be tested in a lab first, etc.
But you could use your Cisco 1841 as the VPN endpoint for your remote-access clients, and put the interface you use for that in a separate VRF. Each VRF has its own routing table. In this case, you would have two VRFs: the global (default) VRF, where your internet browsing public interface and your private interface reside, and your VPN VRF. For example:
You see both Internet connections are separate. You would tie your VPN clients back to your private network like this: