Cisco2600 NAT with DMZ

leungwai (Level 1)

Could anyone help me?

My Network:

    WWW
     |
    (210.x.x.25)
    Cisco 2600
    (192.168.1.254/25)
     |
    (eth0: 192.168.1.129/25)
    Firewall (3 interfaces)
     |-- eth1 (192.168.2.1/24)  Internal Network, 10 PCs
     |-- eth2 (192.168.0.1/24)  DMZ
             Web server 192.168.0.15

My NAT Config:

interface FastEthernet0/0
 description WAN link to Internet
 ip address 210.x.x.25 255.255.255.128
 ip nat outside
interface FastEthernet0/1
 description Internal Network
 ip address 192.168.1.254 255.255.255.128
 ip nat inside
ip nat pool my-pool 210.x.x.25 210.x.x.25 netmask 255.255.255.128
ip nat inside source list 20 pool my-pool overload
ip nat inside source static 192.168.0.15 210.x.x.26
ip classless
ip route 0.0.0.0 0.0.0.0 210.x.x.129
ip route 192.168.2.0 255.255.255.0 192.168.1.129
ip route 192.168.0.0 255.255.255.0 192.168.1.129
ip http server
!
!
access-list 20 permit 0.0.0.1 255.255.255.128
!

My Problem:

I've made a NAT static mapping for my server in the DMZ: 210.x.x.26 to 192.168.0.15.

The internal network uses NAT masquerade with my_pool.

All PCs in the internal network and the DMZ can access the Internet without problems.

All PCs in the outside world can access my web server without problems.

The problem is from the internal network to the DMZ.

If I use a PC in the internal network (192.168.2.3):

1. Ping web server 192.168.0.15 --> Success
2. Ping web server 210.x.x.26 --> Success
3. Use web browser and type http://192.168.0.15 --> Success
4. Use web browser and type http://210.x.x.26 --> Fail

Is there any problem with this?

Before using the Cisco 2600, I was using Linux with iptables without any problems.

2 Replies

smif101 (Level 4)

One problem I see is that your default gateway on this router points to 210.x.x.129, which according to your subnetting would not be correct. The gateway to your ISP should be 210.x.x.1-126 because your interface is 210.x.x.25. I assume this is a misprint or something.

As far as your NAT is concerned, that is fine, except I would change your access-list 20 to something like

access-list 20 permit 192.168.0.0 0.0.255.255

Your problem with your internal clients not being able to access your web server is something weird I don't think I have tried. It is a little odd that you can ping it. I don't understand why you would want to use the URL of the outside address when you are internal in the network?

Are you able to have the Cisco webpage http://210.x.x.25 come up? Try opening up your firewall to all of your networks for port 80 traffic and see if it works. If it does, you were just blocking that piece of the pie.

Thanks for your reply. Here are the misprinted IP addresses:

210.x.x.225, 210.x.x.226

Since this web server does not have any registered domain, all our users go to this server by its real IP, 210.x.x.226. It's difficult for us to make the URLs in web pages for both inside and outside versions, e.g. http://210.x.x.226/web/index.html

When users in the inside network (192.168.2.0) with NAT masquerade click the URL above, they can't reach the web server. Only when users are at home (the outside part of the network) can they reach the URL.

Regarding your questions: I can access the Cisco webpage at http://210.x.x.225, and no firewall rules are blocking port 80 traffic.
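To trace the four tests from the original post, the access-list change smif101 suggests, and the follow-up about users clicking the http://210.x.x.226 URL from inside, here is an added Python model of IOS inside-source NAT. It is not code from the posters or from Cisco. It assumes the IOS order of operations for `ip nat inside source` (inside-to-outside packets are routed first and then have only their source rewritten; outside-to-inside packets have their destination rewritten first and are then routed), uses 210.0.0.225 and 210.0.0.226 as stand-ins for the masked 210.x.x.225/.226, and the routing table, the outside client 203.0.113.7 and the config text are all constructed for the example.

```python
"""Simplified model of Cisco IOS 'ip nat inside source' translation.

Added example, not code from the posters or from Cisco.  It models just the
pieces needed to trace the tests from the thread: a tiny routing table,
inside-source static and overload (PAT) translation, and standard-ACL
wildcard matching.  210.0.0.y stands in for the masked 210.x.x.y (assumption).
"""
import ipaddress

# Constructed copy of the NAT-relevant lines from the post, with stand-in
# public addresses and the .225/.226 values the poster later gave as correct.
POSTED_CONFIG = """
ip nat pool my-pool 210.0.0.225 210.0.0.225 netmask 255.255.255.128
ip nat inside source list 20 pool my-pool overload
ip nat inside source static 192.168.0.15 210.0.0.226
access-list 20 permit 0.0.0.1 255.255.255.128
"""
POSTED_ACL = "access-list 20 permit 0.0.0.1 255.255.255.128"
SUGGESTED_ACL = "access-list 20 permit 192.168.0.0 0.0.255.255"   # smif101's proposal

WEB_SERVER = "192.168.0.15"
OUTSIDE_NET = ipaddress.ip_network("210.0.0.128/25")                # Fa0/0, ip nat outside
INSIDE_NETS = [ipaddress.ip_network(n) for n in                    # Fa0/1 plus the two
               ("192.168.1.128/25", "192.168.2.0/24", "192.168.0.0/24")]  # firewall-routed nets


def parse_nat_config(text):
    """Collect static maps, the overload list/pool, pools and ACL entries from IOS text."""
    cfg = {"static": {}, "overload": None, "pools": {}, "acl": {}}
    for line in text.strip().splitlines():
        w = line.split()
        if w[:5] == ["ip", "nat", "inside", "source", "static"]:
            cfg["static"][w[5]] = w[6]                   # inside local -> inside global
        elif w[:5] == ["ip", "nat", "inside", "source", "list"]:
            cfg["overload"] = {"acl": w[5], "pool": w[7]}
        elif w[:3] == ["ip", "nat", "pool"]:
            cfg["pools"][w[3]] = (w[4], w[5])            # (first, last) global address
        elif w[:1] == ["access-list"] and w[2:3] == ["permit"]:
            cfg["acl"].setdefault(w[1], []).append((w[3], w[4]))   # (address, wildcard)
    return cfg


def acl_permits(entries, ip):
    """Standard-ACL match: a wildcard bit of 1 means 'do not care'; implicit deny at the end."""
    addr = int(ipaddress.ip_address(ip))
    for base, wildcard in entries:
        care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
        if addr & care == int(ipaddress.ip_address(base)) & care:
            return True
    return False


def egress_for(dst):
    """Route by destination: connected outside net or the default route -> Fa0/0, else Fa0/1."""
    d = ipaddress.ip_address(dst)
    if d in OUTSIDE_NET or not any(d in n for n in INSIDE_NETS):
        return "outside"
    return "inside"


def forward(cfg, src, dst, ingress):
    """Return (src, dst, egress) after the IOS order of operations for inside-source NAT."""
    if ingress == "outside":
        # outside -> inside: translate the destination (global -> local) first, then route
        by_global = {glob: loc for loc, glob in cfg["static"].items()}
        dst = by_global.get(dst, dst)
        return src, dst, egress_for(dst)
    egress = egress_for(dst)
    if egress == "outside":
        # inside -> outside: route first, then rewrite only the *source*
        if src in cfg["static"]:
            src = cfg["static"][src]
        elif cfg["overload"] and acl_permits(cfg["acl"].get(cfg["overload"]["acl"], []), src):
            src = cfg["pools"][cfg["overload"]["pool"]][0]
        # otherwise the packet leaves untranslated, still carrying its private source
    return src, dst, egress


def reaches_web_server(result):
    """The server only sees the packet if it leaves on the inside side addressed to 192.168.0.15."""
    _, dst, egress = result
    return egress == "inside" and dst == WEB_SERVER


if __name__ == "__main__":
    cfg = parse_nat_config(POSTED_CONFIG)
    cases = [("192.168.2.3", "192.168.0.15", "inside"),   # test 3 in the post
             ("192.168.2.3", "210.0.0.226", "inside"),    # test 4 in the post
             ("203.0.113.7", "210.0.0.226", "outside")]   # a constructed outside client
    for src, dst, ingress in cases:
        res = forward(cfg, src, dst, ingress)
        print(f"{src} -> {dst} in on {ingress}: out on {res[2]} as {res[0]} -> {res[1]}; "
              f"web server reached: {reaches_web_server(res)}")
```

Running it shows the two points the thread turns on. A request from 192.168.2.3 to 210.0.0.226 enters on the inside interface, is routed toward the outside subnet, and keeps 210.0.0.226 as its destination; nothing sends it back to the DMZ, so the hairpin request gets no reply even once the access-list is corrected. Separately, the posted wildcard pair `0.0.0.1 255.255.255.128` only matches addresses whose low seven bits equal 1, so it does not permit 192.168.2.3, whereas smif101's `192.168.0.0 0.0.255.255` covers all three 192.168.x.x subnets.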
