
Cannot Access Webpage With Public IP But Can With Private IP

kyle.jones1
Level 1

Hello Experts,

We are hosting a web page and it can be viewed internally by its private IP (192.168.10.5). It can be viewed externally when using our public IP address. However, it cannot be loaded internally by using the external IP. It asks to log in (to the router) when trying to load the page. Please advise. Router configuration will follow.

Thank you.

Router#show run
Building configuration...

Current configuration : 7980 bytes
!
! Last configuration change at 16:42:59 PCTime Thu Jan 7 2016 by cisco
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
clock timezone PCTime -6 0
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip domain name HIDDEN
ip name-server HI.D.DD.EN
ip name-server HI.D.DD.EN
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
crypto pki trustpoint TP-self-signed-3583770892
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3583770892
 revocation-check none
 rsakeypair TP-self-signed-3583770892
!
!
crypto pki certificate chain TP-self-signed-3583770892
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33353833 37373038 3932301E 170D3135 31303330 31373539
  35365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 35383337
  37303839 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100C946 A6CADF74 6C741A1C 34359B1A FCDF1ABB 603C687D 2932FFD8 E8F734AD
  AD39CD93 9D3ECAAF 6655AC48 78610B0D 54D65806 1059671A F65A968F 45D2CC1A
  A4DA7FFE 70EA36AD 025402AA 68C1A223 579F440F 25A1B5C3 47E5594A 531C717F
  98D82D31 89AEA45D C713E636 C25016C1 0FAAA7B8 64AFCB1D CA3809C9 F09B17DB
  C3690203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 1424A539 06C4E3E7 00EA8E14 320BD278 2B383B04 38301D06
  03551D0E 04160414 24A53906 C4E3E700 EA8E1432 0BD2782B 383B0438 300D0609
  2A864886 F70D0101 05050003 81810021 DE30CBDE 312E40C3 D8593040 7CE8CF57
  E0099256 5F13D7A5 A4072A5F 2AC75448 D25E8CC4 F904CC9A CCC5E19E EE35A6A3
  06D17838 ED96EDB9 9991451D 2734B7B5 D5029C1C DA1CE601 F0B90FA2 23BC92F8
  7CB674EF D4588840 8F3864BB 04C247B9 B97724B2 2DF7170E 2C82C272 B28D5D0D
  541E338A B7B739A7 05C52AB0 7553B0
        quit
license udi pid CISCO1921/K9 sn FJC1944E4QY
!
!
username cisco privilege 15 secret 5 $1$qrmr$bu2q8oj3CMV6EKtVwwzB50
username kjones secret 5 $1$KMoY$P332dtVBLLO9k3a/PPkNo/
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group HIDDEN
 key HIDDEN
 dns 192.168.10.2 HIDDEN
 domain HIDDEN
 pool SDM_POOL_1
 acl 100
 max-users 50
 netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group HIDDEN
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile CiscoCP_Profile1
 set security-association idle-time 900
 set transform-set ESP-3DES-SHA
 set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 no ip address
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 1 native
 ip address 192.168.10.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/0.30
 encapsulation dot1Q 30
 ip address 192.168.30.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1
 description WAN$ETH-WAN$
 ip address HIDDEN
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
ip local pool SDM_POOL_1 172.16.100.101 172.16.100.150
ip forward-protocol nd
!
ip http server
ip http access-class 10
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 10 interface GigabitEthernet0/1 overload
ip nat inside source list 20 interface GigabitEthernet0/1 overload
ip nat inside source list 30 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.168.10.7 9675 interface GigabitEthernet0/1 9675
ip nat inside source static tcp 192.168.10.5 8080 interface GigabitEthernet0/1 8080
ip nat inside source static tcp 192.168.10.2 8443 interface GigabitEthernet0/1 8443
ip nat inside source static tcp 192.168.10.233 4000 interface GigabitEthernet0/1 4000
ip nat inside source static tcp 192.168.10.233 4001 interface GigabitEthernet0/1 4001
ip nat inside source static tcp 192.168.10.233 4002 interface GigabitEthernet0/1 4002
ip nat inside source static tcp 192.168.10.233 4003 interface GigabitEthernet0/1 4003
ip nat inside source static tcp 192.168.10.233 4004 interface GigabitEthernet0/1 4004
ip nat inside source static tcp 192.168.10.231 5000 interface GigabitEthernet0/1 5000
ip nat inside source static tcp 192.168.10.231 5001 interface GigabitEthernet0/1 5001
ip nat inside source static tcp 192.168.10.231 5002 interface GigabitEthernet0/1 5002
ip nat inside source static tcp 192.168.10.231 5003 interface GigabitEthernet0/1 5003
ip nat inside source static tcp 192.168.10.231 5004 interface GigabitEthernet0/1 5004
ip nat inside source static tcp 192.168.10.231 120 interface GigabitEthernet0/1 120
ip nat inside source static tcp 192.168.10.230 5005 interface GigabitEthernet0/1 5005
ip nat inside source static tcp 192.168.10.230 5006 interface GigabitEthernet0/1 5006
ip nat inside source static tcp 192.168.10.230 5007 interface GigabitEthernet0/1 5007
ip nat inside source static tcp 192.168.10.230 5008 interface GigabitEthernet0/1 5008
ip nat inside source static tcp 192.168.10.230 5009 interface GigabitEthernet0/1 5009
ip nat inside source static tcp 192.168.10.230 100 interface GigabitEthernet0/1 100
ip nat inside source static tcp 192.168.10.232 900 interface GigabitEthernet0/1 900
ip nat inside source static tcp 192.168.10.232 901 interface GigabitEthernet0/1 901
ip nat inside source static tcp 192.168.10.232 902 interface GigabitEthernet0/1 902
ip nat inside source static tcp 192.168.10.232 903 interface GigabitEthernet0/1 903
ip nat inside source static tcp 192.168.10.232 904 interface GigabitEthernet0/1 904
ip nat inside source static tcp 192.168.10.232 200 interface GigabitEthernet0/1 200
ip nat inside source static tcp 192.168.10.227 3011 interface GigabitEthernet0/1 3011
ip nat inside source static tcp 192.168.10.227 1911 interface GigabitEthernet0/1 1911
ip nat inside source static tcp 192.168.10.227 8081 interface GigabitEthernet0/1 8081
ip nat inside source static udp 192.168.10.229 47808 interface GigabitEthernet0/1 47808
ip nat inside source static tcp 192.168.10.5 80 interface GigabitEthernet0/1 80
ip route 0.0.0.0 0.0.0.0 WAN ROUTER
!
!
!
access-list 10 remark CCP_ACL Category=18
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 20 permit 192.168.20.0 0.0.0.255
access-list 30 permit 192.168.30.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 172.16.100.0 0.0.0.255
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

5 Replies

nicolasccc
Level 4

Hello kyle.jones1,

It makes sense that you cannot see the webpage from your internal network using the public IP address.
This is because of the NAT configuration.

And there is no reason to be able to connect from inside to the web server using your own public IP.

Have a look at this post: https://supportforums.cisco.com/discussion/12403546/cisco-asa-5510-cannot-reach-public-ips-inside-network
The correct answer explains well why you can't do that.

Have a good day.

Thank you.

Hello,

Nicolas's answer is correct. The reason is that your public address is set on your router. When a request comes from outside, the router translates it to your server's real address, but when a request comes from inside, your router responds. You can use a DNS server to have one unified URL for both inside and outside clients.

The internal DNS resolves the server's real address and the external DNS server resolves your public address. You only use one URL. You can even use the HOSTS file on your clients instead of an internal DNS server if you have only a few clients.

Masoud
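
The behaviour described in the answer above, as an added example that is not part of the original thread: a simplified Python model of where a connection to the router's public address lands, built from a constructed excerpt of the posted configuration. The function names are hypothetical, and the model assumes the router's HTTP server listens on its default port 80.

```python
import ipaddress
import re

# Constructed excerpt of the configuration posted above (web-server rules only).
CONFIG = """\
ip http server
ip http access-class 10
ip nat inside source static tcp 192.168.10.5 8080 interface GigabitEthernet0/1 8080
ip nat inside source static tcp 192.168.10.5 80 interface GigabitEthernet0/1 80
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 20 permit 192.168.20.0 0.0.0.255
"""

STATIC = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface \S+ (\d+)$", re.M)
PERMIT = re.compile(r"^access-list (\d+) permit (\S+) (\S+)$", re.M)

def parse(config):
    """Return (port forwards, ACL networks, router HTTP settings)."""
    forwards = {(p, int(pub)): (ip, int(priv)) for p, ip, priv, pub in STATIC.findall(config)}
    acls = {}
    for num, net, wildcard in PERMIT.findall(config):
        # IOS wildcard masks are inverted netmasks; ipaddress accepts them as host masks.
        acls.setdefault(num, []).append(ipaddress.ip_network(f"{net}/{wildcard}"))
    http_on = re.search(r"^ip http server$", config, re.M) is not None
    m = re.search(r"^ip http access-class (\d+)$", config, re.M)
    return forwards, acls, (http_on, m.group(1) if m else None)

def destination(config, client_side, client_ip, proto, port):
    """Where does a connection to the router's public address end up?"""
    forwards, acls, (http_on, acl) = parse(config)
    if client_side == "outside":
        # The static translation applies to traffic arriving on the 'ip nat outside' interface.
        return forwards.get((proto, port), "no translation")
    # From the inside, the public address is the router's own, so the router answers itself.
    if http_on and (proto, port) == ("tcp", 80):
        src = ipaddress.ip_address(client_ip)
        allowed = acl is None or any(src in n for n in acls.get(acl, []))
        return "router HTTP login" if allowed else "refused by access-class"
    return "no listener on router"

def internal_dns_target(config, proto, port):
    """Private address the internal DNS record or hosts entry should point at."""
    return parse(config)[0][(proto, port)][0]
```
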

That makes sense, I just wanted to be sure I wasn't missing something. I updated our internal DNS record for that address and it works like a charm now.

Glad it worked