Can't get to internet from behind router 2

aneelley

Technical User
Apr 24, 2010
63
US
I have a Windows 2003 server connected to a Cisco 3500XL switch and then the switch is connected to a Cisco 2621 router and then the router is connected to my corporate network.
FastEthernet 0/0 is connected to the corporate network.
FastEthernet 0/1 is connected to the private network where my Windows 2003 server resides.
I am using the network 192.168.220.0 255.255.255.0 for the inside and FE0/0 is fetching a DHCP address.
The inside IP addresses are as follows:
192.168.220.1 - router
192.168.220.2 - switch
192.168.220.3 - Windows server
I am using 8.8.8.8 for the nameserver (Google's free DNS address).
From the router console, I can ping 8.8.8.8 and the 220.1,220.2 and 220.3 addresses just fine as well as ping google.com and it looks up and pings just fine.
The problem I am having is this:
When I am on the Windows server, I try to ping google.com and it will look up the IP just fine but it will not ping. It times out. Also, do I need to be using "ip classless"?

Here is my router configuration:
oasis#sh run
Building configuration...

Current configuration : 872 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname oasis
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$I.4r$MG4o5inCNijBkCQ1VDl551
!
no aaa new-model
ip subnet-zero
!
!
ip name-server 8.8.8.8
!
ip audit notify log
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
description connected to CorporateNetwork
ip address dhcp
ip nat outside
duplex auto
speed auto
!
interface BRI0/0
no ip address
shutdown
!
interface FastEthernet0/1
description connected to EthernetLAN
ip address 192.168.220.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
ip http server
ip http secure-server
ip classless
!
ip dns server
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
password password
login
line aux 0
line vty 0 4
password password
login
!
!
!
end
 
I think I found the ports to forward on page 187-188 here. Can someone tell me how to forward a port range?
 
It is more tidy to just do
ip nat inside source static 192.168.220.3 10.61.32.52
 
Ok, I still am getting an error when trying to click on the console tab for the VMs within the vSphere client:

Unable to connect to the MKS: Failed to connect to server 192.168.220.4:902.
 
Here is the latest config:

Current configuration : 1653 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname hostdp01
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$I.4r$MG4o5inCNijBkCQ1VDl551
!
no aaa new-model
ip subnet-zero
!
!
ip domain name hq.netapp.com
ip name-server 8.8.8.8
!
ip audit notify log
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
description connected to CorporateNetwork
ip address 10.61.32.39 255.255.252.0 secondary
ip address 10.61.32.52 255.255.252.0 secondary
ip address 10.61.32.55 255.255.252.0 secondary
ip address 10.61.32.68 255.255.252.0 secondary
ip address 10.61.32.78 255.255.252.0 secondary
ip address 10.61.32.81 255.255.252.0 secondary
ip address 10.61.32.58 255.255.252.0
ip nat outside
duplex auto
speed auto
!
interface BRI0/0
no ip address
shutdown
!
interface FastEthernet0/1
description connected to EthernetLAN
ip address 192.168.220.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
ip nat inside source list NAT interface FastEthernet0/0 overload
ip nat inside source static 192.168.220.3 10.61.32.52
ip nat inside source static 192.168.220.4 10.61.32.55
ip nat inside source static 192.168.220.5 10.61.32.68
ip nat inside source static 192.168.220.6 10.61.32.78
ip nat inside source static 192.168.220.7 10.61.32.81
ip http server
ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 10.61.32.1
!
ip dns server
!
!
ip access-list extended NAT
permit ip 192.168.220.0 0.0.0.255 any
!
!
!
!
!
!
line con 0
exec-timeout 0 0
password password
login
line aux 0
line vty 0 4
password password
login
!
!
!
end
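
As an added example (not part of the thread and not any poster's code), this Python check runs over the NAT-relevant lines of the two configurations posted above: the first marks the interfaces for NAT but has no translation rule, and the later one adds the rules and the ACL they reference. The function names are this example's own, and only the one-to-one static form and named ACLs seen in the thread are handled.

```python
# Constructed excerpts: NAT-relevant lines taken from the two configs in the thread.
FIRST = """interface FastEthernet0/0
 ip address dhcp
 ip nat outside
interface FastEthernet0/1
 ip nat inside
"""
LATEST = """interface FastEthernet0/0
 ip address 10.61.32.58 255.255.252.0
 ip nat outside
interface FastEthernet0/1
 ip nat inside
ip nat inside source list NAT interface FastEthernet0/0 overload
ip nat inside source static 192.168.220.3 10.61.32.52
ip nat inside source static 192.168.220.4 10.61.32.55
ip access-list extended NAT
 permit ip 192.168.220.0 0.0.0.255 any
"""

def parse_nat(config):
    """Return (roles, static map, ACL names used by NAT, ACL names defined)."""
    lines = [l.strip() for l in config.splitlines() if l.strip() not in ("", "!")]
    iface, roles, static, acl_refs = None, {}, {}, []
    for line in lines:
        w = line.split()
        if w[0] == "interface":
            iface = w[1]
        elif line in ("ip nat inside", "ip nat outside"):
            roles[iface] = w[2]
        elif w[:5] == ["ip", "nat", "inside", "source", "static"]:
            static[w[5]] = w[6]  # one-to-one form only: inside local -> inside global
        elif w[:5] == ["ip", "nat", "inside", "source", "list"]:
            acl_refs.append(w[5])
    acls = {l.split()[-1] for l in lines if l.startswith("ip access-list ")}
    return roles, static, acl_refs, acls

def audit_nat(config):
    """List the reasons this config cannot translate inside traffic (hypothetical helper)."""
    roles, static, acl_refs, acls = parse_nat(config)
    findings = [f"no interface marked 'ip nat {r}'"
                for r in ("inside", "outside") if r not in roles.values()]
    if not static and not acl_refs:
        findings.append("no 'ip nat inside source' rule: nothing is translated")
    findings += [f"ACL {a} used by NAT is not defined" for a in acl_refs if a not in acls]
    return findings

def outside_address_for(config, inside_ip):
    """Address an outside client must use to reach a statically mapped inside host."""
    return parse_nat(config)[1].get(inside_ip)
```

A one-to-one `ip nat inside source static` entry translates every port, so each mapped lab host is reachable from the corporate side on all of its services unless an access list on FastEthernet0/0 filters it.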
 
You need to point your vSphere client to 10.61.32.55 because you are connecting from outside, is that correct? (i.e. from your corporate LAN back into your lab). Also, if you have static NAT for all the servers in your lab then you don't need "ip nat inside source list NAT interface FastEthernet0/0 overload".
 
Well, now I get the dialog box asking me to verify the authenticity of the specified host when connecting from the vSphere Client to the ESX server via the ESX server's external IP of 10.61.32.55. It's trying to verify the SSL certificate. If I click yes, it just keeps coming up. If I click no, it tells me the SSL certificate of the remote host could not be validated. What gives?

 
Also, if I try this with the 192.168.220.4 address, it gets past the SSL verification but I can't see my VM consoles.
 
router(config)#ip domain-name local
router(config)#crypto key gen rsa
enter
then choose what modulus you want (512, 1024=ssh v1, 2048=ssh v2)...

then when you go and connect https, it will look for that key, and you simply accept it. Do I get a star now too? :):):)

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
^^I am unfamiliar with how that will help him. Can you explain?

CCNP
 
Burt, that is not what the guy is talking about. I seem to remember that you can restrict the vmserver to only allow connections from particular IP(s) or subnet(s), but I can't remember exactly where. It would appear the box has been set up to allow connections from the local subnet (192.168.220.0) only and now you are trying to connect from a different subnet (10.61.32.0). Can you check the logs on your VM host and see what you can find?
 
Ooops...thought it might have to verify the cert in the router fer some reason, and there isn't one in the router...don't ask me why, that's just what my brain told me...

No, I am not drunk, high, etc.

 
Actually, I think I am the one that is drunk. I think I am still running the old 192.196.220.4 IP address on the ESX server. DOH! I'll check tomorrow and let you know my findings.
 
Well, that didn't help. Basically, I have to point the vSphere Client to the ESX server and I can see the VMs console that way. I just can't see the consoles when I have logged into the vCenter Server via the vSphere Client and try to see the VM consoles via the Console tab. Works fine when connected to the ESX server though. I'll see if there is a VMware forum I can post on.
 