12-16-2003 05:08 AM - edited 03-02-2019 12:22 PM
I have just installed and configured a Cisco 828 router with a NAT table
pointing to a server on the local network. When I try to access some of the
sites on the server from outside the local network everything works ok, but
I can't see them from the inside of the local network.
What can be wrong?
Regards Tim
12-16-2003 06:15 AM
Hello Tim,
can you post the configuration of the 828 ? Can the local hosts ping the sites (just wanting to make sure that it is not a DNS-related problem) ?
Regards,
GP
12-16-2003 06:43 AM
See logfile below. My webserver is at 192.168.1.10
Regards
Terminal log file
Date: 16-12-2003 - 13:48:29
-----------------------------------------------
XXXXXX#show running-config
Building configuration...
Current configuration : 4220 bytes
!
! No configuration change since last restart
!
version 12.3
no parser cache
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname XXXXXX
!
boot-start-marker
boot-end-marker
!
logging buffered 8192 debugging
logging console warnings
enable secret 5 XXXXXX
!
clock timezone CET+1 1
no aaa new-model
ip name-server 212.54.64.170
ip name-server 212.54.64.171
ip dhcp excluded-address 192.168.1.2
!
ip dhcp pool 828
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server x.x.x.x 212.54.64.171
lease 0 1
!
no ip bootp server
ip cef
!
!
!
!
!
!
interface Loopback0
no ip address
!
interface Ethernet0
ip address 192.168.1.1 255.255.255.0
ip nat inside
no keepalive
hold-queue 100 out
!
interface ATM0
no ip address
atm ilmi-keepalive
pvc 0/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
bundle-enable
dsl equipment-type CPE
dsl operating-mode GSHDSL symmetric annex B
dsl linerate AUTO
!
interface Dialer0
ip address negotiated
ip access-group 100 in
ip nat outside
encapsulation ppp
dialer pool 1
ppp authentication pap callin
ppp pap sent-username XXXXXX password XXXXXX
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.10 80 interface Dialer0 80
ip nat inside source static 192.168.1.2 62.79.156.135 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 100 deny icmp any any redirect
access-list 100 deny udp any any eq 19
access-list 100 deny tcp any any eq 31 syn
access-list 100 deny tcp any any eq 41 syn
access-list 100 deny tcp any any eq 58 syn
access-list 100 deny tcp any any eq 90 syn
access-list 100 deny tcp any any eq 121 syn
access-list 100 deny udp any any eq 135
access-list 100 deny tcp any any eq 135 syn
access-list 100 deny udp any any range 136 140
access-list 100 deny tcp any any range 136 140 syn
access-list 100 deny tcp any any eq 421 syn
access-list 100 deny tcp any any eq 456 syn
access-list 100 deny tcp any any eq 531 syn
access-list 100 deny tcp any any eq 555 syn
access-list 100 deny tcp any any eq 911 syn
access-list 100 deny tcp any any eq 999 syn
access-list 100 deny udp any any eq 1349
access-list 100 deny udp any any eq 6838
access-list 100 deny udp any any eq 8787
access-list 100 deny udp any any eq 8879
access-list 100 deny udp any any eq 9325
access-list 100 deny tcp any any eq 12345 syn
access-list 100 deny udp any any eq 31335
access-list 100 deny udp any any eq 31337
access-list 100 deny udp any any eq 31338
access-list 100 deny udp any any eq 54320
access-list 100 deny udp any any eq 54321
access-list 100 permit ip any any
dialer-list 1 protocol ip permit
!
line con 0
exec-timeout 60 0
password X XXXXXX
login
transport preferred all
transport output all
stopbits 1
line vty 0 4
exec-timeout 60 0
password X XXXXXX
login
transport preferred all
transport input all
transport output all
!
scheduler max-task-time 5000
sntp server x.x.64.202
sntp server x.x.64.203
!
end
12-16-2003 09:32 AM
Hello,
can the local hosts, those that cannot reach the websites, ping the DNS servers 212.54.64.170 and 212.54.64.171 ?
Regards,
Georg
12-16-2003 11:03 AM
Yes - they can.
I have today upgraded from a 677 (ADSL) router to an 828 (G.SHDSL), and a supporter at my ISP has just told me that the 828 router acts differently than the 677 and that the only way to access my webserver from inside the local network - preserving the host headers - is to set up a local DNS server.
Can anyone explain that to me? Why didn't I need that with the 677?
Regards Tim
12-16-2003 02:41 PM
Hello,
the 828 supports transparent use of the Domain Name Server (DNS) mechanism for outside hosts' requests. This means that NAT does not interfere with host name look-ups such as CISCO.COM. However, for hosts inside the SOHO network's private address space, a DNS server (or LMHOSTS file) is required in the SOHO network to resolve host names automatically.
Regards,
Georg
12-16-2003 11:29 PM
Yes - I see it now.
It just surprises me I didn't have the problem with the 677 router.
Regards
Tim
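The fix the thread settles on (inside hosts resolve the site names locally, so the host headers stay the same), as an added example that is not part of any post above. The LAN range and web server address come from the posted configuration; the host names and the public address 203.0.113.10 are constructed placeholders.

```python
import ipaddress

INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")  # LAN from the posted config
WEB_SERVER = ipaddress.ip_address("192.168.1.10")    # web server named in the thread

# Constructed sample data: what public DNS returns for the hosted sites.
# Host names and 203.0.113.10 are placeholders, not values from the thread.
PUBLIC_DNS = {
    "www.example.com": "203.0.113.10",
    "shop.example.com": "203.0.113.10",
    "intranet.example.com": "192.168.1.10",
}

def needs_local_override(answer):
    """True when the public answer would send an inside client off the LAN."""
    return ipaddress.ip_address(answer) not in INSIDE_NET

def hosts_entries(dns_answers, server=WEB_SERVER):
    """Build hosts-file lines for every name that resolves outside the LAN."""
    return [f"{server}\t{name}"
            for name, answer in sorted(dns_answers.items())
            if needs_local_override(answer)]

def parse_hosts(lines):
    """Turn 'address<TAB>name' lines back into a name -> address map."""
    overrides = {}
    for line in lines:
        addr, name = line.split()
        overrides[name] = addr
    return overrides

def resolve_for(client, name, dns_answers, overrides):
    """Resolve as the client would: inside hosts use local overrides first."""
    if ipaddress.ip_address(client) in INSIDE_NET and name in overrides:
        return overrides[name]
    return dns_answers[name]

if __name__ == "__main__":
    entries = hosts_entries(PUBLIC_DNS)
    print("\n".join(entries))
    overrides = parse_hosts(entries)
    # One inside client and one constructed outside client.
    for client in ("192.168.1.50", "198.51.100.7"):
        print(client, "->",
              resolve_for(client, "www.example.com", PUBLIC_DNS, overrides))
```

The same name-to-address pairs can be loaded as records on a local DNS server instead of being copied into each host's hosts file.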